How We Improved Application Security for a Consulting Firm

A consulting firm engaged Redscale to assess the security of its customer-facing web portal and supporting infrastructure as part of its ISO compliance preparation. The goal was to identify vulnerabilities, validate existing security controls, and strengthen the platform against modern cyber threats.

Industry

Professional Services

Organisation Size

Mid-sized

Location

Melbourne, Australia

Environment

Web Application

Service Provided

Penetration Testing

The Challenge

The client operated a React-based web portal hosted on Apache within an Amazon EC2 environment. As part of its ISO 27001 security obligations, the organisation needed assurance that its application and infrastructure were resilient against common web application and API attacks.

Key concerns included:

  • Authentication and access control weaknesses
  • API exposure risks
  • Misconfigured web server security controls
  • Sensitive data exposure
  • Weak transport-layer protections
  • Business logic vulnerabilities

The client required a practical security review aligned with industry-recognised standards.

Objectives

The engagement focused on:

  • Identifying security vulnerabilities across the web application and APIs
  • Assessing security against OWASP Top 10 and OWASP API Security Top 10
  • Validating authentication and authorization controls
  • Testing input validation and session security
  • Reviewing server configurations and transport security
  • Providing remediation guidance to support ISO 27001 compliance evidence

Scope of Assessment

Web Application Security

Assessment of the client’s customer portal, including front-end interactions and backend integrations.

API Security Testing

Review of API authentication, object-level authorization, business workflow logic, and endpoint protections.

Authentication & Access Control

Testing of role-based access controls, session management, and privilege enforcement across user roles.

Input Validation & Injection Testing

Testing for vulnerabilities such as cross-site scripting (XSS), SQL injection, command injection, and insecure direct object references (IDOR).
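The object-level authorization checks listed under API Security Testing and the IDOR testing above come down to one question: does the backend authorise the authenticated principal against the object it looks up, or does it trust the identifier in the request? The following is an added example written for this page, not the client's code or Redscale's tooling. It uses a constructed in-memory dataset (two customers, one staff account, three invoices; all values invented) to contrast a handler that checks ownership with one that does not, and includes the cross-account probe a tester runs to detect the gap.

```python
"""Object-level authorization (IDOR / BOLA) check on a constructed dataset.

Added example, not the client's code: a vulnerable handler beside the fixed
one, plus the cross-account probe a pentester uses to find the weakness.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "staff" (constructed roles)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    amount: float


# Constructed sample data: two customers with their own invoices, one staff user.
INVOICES = {
    1001: Invoice(1001, owner_id=1, amount=420.00),
    1002: Invoice(1002, owner_id=1, amount=99.50),
    2001: Invoice(2001, owner_id=2, amount=1250.00),
}
USERS = {1: User(1, "customer"), 2: User(2, "customer"), 9: User(9, "staff")}


class NotFound(Exception):
    """Raised for both missing and foreign objects, so the API does not reveal
    which identifiers exist to a caller who is not allowed to see them."""


def get_invoice_insecure(current_user: User, invoice_id: int) -> Invoice:
    # Vulnerable: the caller is authenticated, but the invoice's owner is never
    # compared with the caller. Any valid session can read any invoice id.
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id)


def get_invoice_secure(current_user: User, invoice_id: int) -> Invoice:
    # Fixed: look the object up, then authorise against the authenticated
    # principal (server-side session), not against anything in the request.
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (
        current_user.role != "staff" and invoice.owner_id != current_user.id
    ):
        raise NotFound(invoice_id)
    return invoice


def probe_idor(handler) -> list[tuple[int, int]]:
    """Tester's cross-account probe: every customer requests every invoice they
    do not own. Returns the (user_id, invoice_id) pairs that were served."""
    leaks = []
    for user in USERS.values():
        if user.role != "customer":
            continue
        for invoice in INVOICES.values():
            if invoice.owner_id == user.id:
                continue
            try:
                handler(user, invoice.id)
            except NotFound:
                continue
            leaks.append((user.id, invoice.id))
    return leaks


if __name__ == "__main__":
    print("insecure handler leaks:", probe_idor(get_invoice_insecure))
    print("secure handler leaks:  ", probe_idor(get_invoice_secure))
```

The probe is the same thing a tester does by hand with two accounts and a proxy: log in as one customer, replay the other customer's object identifiers, and record which requests succeed. Returning the same not-found response for missing and foreign objects is deliberate; a distinct "forbidden" response would confirm that the identifier exists.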

Infrastructure & Server Configuration

Review of Apache hardening, TLS/SSL configuration, security headers, and EC2 hosting security.

Sensitive Data Exposure

Assessment of encryption, cookie security, transport security, and information disclosure risks.

Our Approach

Redscale followed a structured penetration testing methodology based on:

  • OWASP Web Security Testing Guide (WSTG)
  • OWASP API Security Top 10
  • NIST SP 800-115

Key Findings

The assessment identified several security weaknesses, including:

  • Insufficient access control enforcement
  • API authorization gaps
  • Missing or weak security headers
  • Input validation weaknesses
  • Session management weaknesses (cookie and session handling)
  • TLS configuration weaknesses (hardening opportunities)
  • Potential information disclosure through verbose error handling

Each finding was prioritised based on business risk and exploitability.
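Several of the findings above (missing or weak security headers, session cookie handling, version disclosure through the Server header) and the Apache and cookie items in the scope can be checked from a single captured response. The script below is an added example written for this page, not the client's code or Redscale's tooling. It parses a raw HTTP response, reports the header and cookie weaknesses a web pentest typically flags, and runs over two constructed responses: one before hardening and the same response with the controls in place (the header values, cookie name and Apache version string are all invented samples).

```python
"""Response-header and cookie hygiene check over a captured HTTP response.

Added example (not the client's code): both responses below are constructed
samples, and the thresholds encode common pentest reporting baselines.
"""
import re

HSTS_MIN_MAX_AGE = 31536000  # one year; shorter values leave a downgrade window

# Constructed sample: a response before hardening.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response with the controls in place.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Return headers as lowercase-name -> list of values (Set-Cookie repeats)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def first(headers: dict[str, list[str]], name: str) -> str:
    return headers.get(name, [""])[0]


def check_security_headers(headers: dict[str, list[str]]) -> list[str]:
    findings = []
    hsts = first(headers, "strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif not max_age or int(max_age.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("Strict-Transport-Security max-age below one year")
    csp = first(headers, "content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "frame-ancestors" not in csp.lower() and not first(headers, "x-frame-options"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if first(headers, "x-content-type-options").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if not first(headers, "referrer-policy"):
        findings.append("missing Referrer-Policy")
    server = first(headers, "server")
    if re.search(r"/\d", server):  # e.g. "Apache/2.4.57" discloses the version
        findings.append(f"Server header discloses version: {server}")
    return findings


def check_cookies(headers: dict[str, list[str]]) -> list[str]:
    findings = []
    for cookie in headers.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings


def audit(raw: str) -> list[str]:
    headers = parse_headers(raw)
    return check_security_headers(headers) + check_cookies(headers)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(resp) or ['no findings']}")
```

On Apache the hardened values correspond to `Header always set ...` directives from mod_headers and `ServerTokens Prod` for the Server header; cookie flags are set by the application (or by `Header edit Set-Cookie ...` as a stopgap). Protocol and cipher weaknesses in the TLS configuration need a live handshake against the host and are outside what this offline check can see.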

Outcomes

Following the assessment, the client gained:

  • Improved visibility into application security risks
  • Clear remediation priorities for ISO audit preparation
  • Strengthened API security posture
  • Better access control governance
  • Enhanced transport-layer protections
  • Reduced risk of data exposure and unauthorized access

Deliverables

The client received:

  • Executive summary report
  • Detailed technical findings report
  • Risk-based vulnerability prioritisation
  • Evidence-based remediation recommendations
  • Optional remediation validation testing
  • Stakeholder debrief session

Business Impact

By addressing the identified vulnerabilities, the client improved its ability to:

  1. Strengthen customer data protection
  2. Reduce application-layer attack risks
  3. Improve compliance readiness for ISO 27001
  4. Enhance customer trust and platform security
  5. Reduce the likelihood of security incidents and data breaches

"The penetration testing engagement gave us clear visibility into our web application and API security posture. Redscale's findings and remediation guidance helped us prioritise improvements, strengthen our security controls, and better prepare for our ISO 27001 compliance requirements."

Want Similar Results? Book a Security Consultation