Logistics Software Company


Background

This client had recently been acquired, and the parent company, as part of their routine procedures, required a security review of their web applications and network infrastructure.

There had been some previous unusual activity and the client suspected that they may have been breached. There was also an API that queried a third-party system to confirm if the customers they were working with were certified to use the client’s service.

The client had been using a local security company, recommended by the IT company that had installed their business systems, which was unable to identify the suspected breach. That company ran various scans but did not uncover any critical issues. They simply followed basic use cases and did not deep dive where necessary. There was no manual testing and no way of identifying business logic issues.

The client offers a software product, so their customers always ask whether it has been security tested. After every major release, rigorous testing and an overall Penetration Test of their web applications and network infrastructure should have taken place. This was done, but not at the depth that could uncover some of the most critical findings.

What did we do?

We carried out a Penetration Test and reported back within 4 weeks.

Result

Our report identified several critical findings, the most serious being ‘Local File Inclusion’, which could allow domain takeover.

Each finding had a detailed explanation of the vulnerability and proof that we were able to exploit them. We provided a security design that is now used as their reference architecture. All remedial work was re-tested and the recommendations were implemented company-wide. They now know where the breach came from, can protect against future similar issues and have a far more secure system.

We also delivered several technical sessions that have improved the overall security posture of the company. The client is now significantly more confident in their web applications and is continuing to carry out regular testing with Cyber Citadel.
