Industry: Professional Services
Organisation Size: Mid-sized
Location: Melbourne, Australia
Environment: Web Application
Service Provided: Penetration Testing
The Challenge
The client operated a React-based web portal hosted on Apache within an Amazon EC2 environment. As part of its ISO 27001 security obligations, the organisation needed assurance that its application and infrastructure were resilient against common web application and API attacks.
Key concerns included:
- Authentication and access control weaknesses
- API exposure risks
- Misconfigured web server security controls
- Sensitive data exposure
- Weak transport-layer protections
- Business logic vulnerabilities
The client required a practical security review aligned with industry-recognised standards.
Objectives
The engagement focused on:
- Identifying security vulnerabilities across the web application and APIs
- Assessing security against OWASP Top 10 and OWASP API Security Top 10
- Validating authentication and authorisation controls
- Testing input validation and session security
- Reviewing server configurations and transport security
- Providing remediation guidance to support ISO 27001 compliance evidence
Scope of Assessment
- Web Application Security
- API Security Testing
- Authentication & Access Control
- Input Validation & Injection Testing
- Infrastructure & Server Configuration
- Sensitive Data Exposure
Our Approach
Redscale followed a structured penetration testing methodology based on:
- OWASP Web Security Testing Guide (WSTG)
- OWASP API Security Top 10
- NIST SP 800-115
Key Findings
The assessment identified several security weaknesses, including:
- Insufficient access control enforcement
- API authorization gaps
- Missing or weak security headers
- Input validation weaknesses
- Session security weaknesses
- TLS configuration hardening opportunities
- Potential information disclosure through verbose error handling
Each finding was prioritised based on business risk and exploitability.
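Several of the findings above (missing or weak security headers, session cookie hardening, and version disclosure in the Server header) can be checked from a single HTTP response. The script below is an added illustration of that kind of check; it is not Redscale's tooling or the client's code, and the severity labels, the one-year HSTS baseline and the sample responses are constructed assumptions for the example.

```python
"""Audit HTTP response headers for weaknesses a web-app pentest commonly
reports: missing security headers, short HSTS max-age, session cookies
without Secure/HttpOnly/SameSite, and a Server header leaking a version.

The header baseline (one-year HSTS, CSP present, nosniff, clickjacking
protection, Referrer-Policy) and the sample responses are assumptions
constructed for this example, not values from the engagement.
"""
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; assumed baseline for this check


def _get(headers, name):
    """Case-insensitive lookup of a single header value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _cookies(headers):
    """Return all Set-Cookie values (accepts a single string or a list)."""
    value = _get(headers, "Set-Cookie")
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_security_headers(headers):
    """Return a list of (severity, finding) tuples for one response's headers."""
    findings = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append(("medium", "Strict-Transport-Security header missing"))
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        if not match or int(match.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append(("low", "Strict-Transport-Security max-age below one year"))

    csp = _get(headers, "Content-Security-Policy") or ""
    if not csp:
        findings.append(("medium", "Content-Security-Policy header missing"))

    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    # Either X-Frame-Options or a CSP frame-ancestors directive covers clickjacking.
    if _get(headers, "X-Frame-Options") is None and "frame-ancestors" not in csp:
        findings.append(("low", "No clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))

    if _get(headers, "Referrer-Policy") is None:
        findings.append(("info", "Referrer-Policy header missing"))

    # A slash followed by a digit ("Apache/2.4...") means a version is exposed.
    server = _get(headers, "Server") or ""
    if re.search(r"/\d", server):
        findings.append(("info", f"Server header discloses software version: {server}"))

    # Cookie attributes are everything after the first ';' (name=value comes first).
    for cookie in _cookies(headers):
        name = cookie.split("=", 1)[0].strip()
        attrs = [part.strip().lower().split("=")[0] for part in cookie.split(";")[1:]]
        missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
        if missing:
            findings.append(("medium", f"Cookie '{name}' missing attributes: {', '.join(missing)}"))

    return findings


# Constructed sample responses: a weakly configured server and a hardened one.
WEAK_RESPONSE = {
    "Server": "Apache/2.4.57 (Ubuntu)",
    "Content-Type": "text/html",
    "Set-Cookie": "sessionid=abc123; Path=/",
}

HARDENED_RESPONSE = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Set-Cookie": "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {len(audit_security_headers(response))} finding(s)")
        for severity, text in audit_security_headers(response):
            print(f"  [{severity}] {text}")
```

Run against a captured response (for example the headers from a `curl -I` of the portal's login page), this gives a quick pre- and post-remediation comparison; it checks presence and basic attribute values only, so a CSP that exists but is overly permissive still needs manual review.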
Outcomes
Following the assessment, the client gained:
- Improved visibility into application security risks
- Clear remediation priorities for ISO audit preparation
- Strengthened API security posture
- Better access control governance
- Enhanced transport-layer protections
- Reduced risk of data exposure and unauthorised access
Deliverables
The client received:
- Executive summary report
- Detailed technical findings report
- Risk-based vulnerability prioritisation
- Evidence-based remediation recommendations
- Optional remediation validation testing
- Stakeholder debrief session
Business Impact
By addressing the identified vulnerabilities, the client improved its ability to:
- Strengthen customer data protection
- Reduce application-layer attack risks
- Improve compliance readiness for ISO 27001
- Enhance customer trust and platform security
- Reduce the likelihood of security incidents and data breaches
"The penetration testing engagement gave us clear visibility into our web application and API security posture. Redscale's findings and remediation guidance helped us prioritise improvements, strengthen our security controls, and better prepare for our ISO 27001 compliance requirements."
Technical Lead, Consulting Services Firm
