The Situation
The company was preparing to launch an enterprise tier of their product targeting Fortune 500 procurement departments. Their enterprise sales process required a completed security questionnaire and evidence of third-party penetration testing. Beyond compliance, the CTO was concerned that their rapid growth had outpaced their security architecture — the product had scaled from 500 to 50,000 users in 18 months.
Scope of Engagement
The penetration test covered the full attack surface of the enterprise tier:
- Web application — authenticated and unauthenticated testing of the main application
- REST API — complete API surface including undocumented endpoints
- Authentication and authorization — SSO integration, permission model, tenant isolation
- Infrastructure — AWS environment configuration review
- Mobile application — iOS and Android client applications
Critical and High-Severity Findings
The engagement identified 23 vulnerabilities requiring remediation, including 4 critical and 8 high-severity findings:
- CRITICAL: Insecure Direct Object Reference (IDOR) in the API allowed any authenticated user to access data from any tenant — complete tenant isolation failure
- CRITICAL: Server-Side Request Forgery (SSRF) in the file import feature allowed attackers to query internal AWS metadata service and extract IAM credentials
- CRITICAL: SQL injection in an internal reporting API endpoint (discovered via undocumented route enumeration)
- CRITICAL: Authentication bypass in the password reset flow — predictable token generation enabled account takeover without user interaction
- HIGH: Cross-Site Scripting (XSS) in user-controlled fields rendered in administrative views
- HIGH: Excessive permissions in IAM roles — EC2 instances had IAM roles with S3 full access across all buckets
- HIGH: API rate limiting absent on authentication endpoints — brute force attacks unimpeded
- HIGH: Sensitive data (PII) included in error messages returned to unauthenticated requests
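The critical IDOR finding above is a tenant-isolation failure: the API authenticated the caller but never checked which tenant owned the requested record. The following is an added example, not code from the company or from the engagement, showing a vulnerable lookup beside its tenant-scoped form, plus a retest-style check that lists cross-tenant reads. The in-memory store, the `Document`/`Session` types, the sample rows and the sequential ids are all constructed for illustration.

```python
# Added example (not the client's code): the tenant-isolation defect behind the
# critical IDOR finding, shown as a vulnerable lookup beside its scoped version,
# plus a retest-style check that reports cross-tenant reads. All names, the
# in-memory store and the sample rows are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


@dataclass(frozen=True)
class Session:
    """Stands in for the authenticated principal a request handler receives."""
    user_id: str
    tenant_id: str


class NotFound(Exception):
    """Maps to an HTTP 404 at the API edge."""


# Constructed sample data: two tenants with two records each. Sequential ids
# are what make enumeration trivial once the tenant check is missing.
DOCUMENTS = {
    1: Document(1, "tenant-a", "tenant A forecast"),
    2: Document(2, "tenant-a", "tenant A vendor list"),
    3: Document(3, "tenant-b", "tenant B board minutes"),
    4: Document(4, "tenant-b", "tenant B payroll export"),
}


def get_document_vulnerable(session: Session, doc_id: int) -> Document:
    """Authenticates (a session exists) but never asks which tenant owns the row.

    Equivalent SQL: SELECT * FROM documents WHERE id = ?
    """
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_hardened(session: Session, doc_id: int) -> Document:
    """Scopes the lookup to the caller's tenant.

    Equivalent SQL: SELECT * FROM documents WHERE id = ? AND tenant_id = ?
    A cross-tenant id and a non-existent id raise the same NotFound, so the
    response does not confirm that the record exists under another tenant.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.tenant_id != session.tenant_id:
        raise NotFound(doc_id)
    return doc


def cross_tenant_reads(
    handler: Callable[[Session, int], Document],
    session: Session,
    ids: Iterable[int],
) -> List[int]:
    """Retest-style check: ids the handler returns that belong to another tenant.

    Run with a low-privilege session against every object-returning endpoint;
    the expected result after remediation is an empty list.
    """
    leaked = []
    for doc_id in ids:
        try:
            doc = handler(session, doc_id)
        except NotFound:
            continue
        if doc.tenant_id != session.tenant_id:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    tenant_a_user = Session("u-1", "tenant-a")
    print("vulnerable:", cross_tenant_reads(get_document_vulnerable, tenant_a_user, range(1, 6)))
    print("hardened:  ", cross_tenant_reads(get_document_hardened, tenant_a_user, range(1, 6)))
```

The design point is that the tenant filter belongs in the data-access layer (the `AND tenant_id = ?` in the query, or a repository method that always takes the tenant from the session), not in individual handlers, so a new endpoint cannot forget it; the `cross_tenant_reads` check is the kind of regression test a retest would rerun against every endpoint that returns an object by id.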
Remediation Approach
The severity and nature of the tenant isolation failure required an immediate response. We worked with the engineering team in real time to develop and validate patches for the four critical findings before the report was finalized. All 23 findings were remediated within the 30-day remediation window, and a retest confirmed a 100% resolution rate.
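One of the four critical patches concerned the password reset flow, where predictable token generation enabled account takeover. The following is an added example, not the company's patch or the engagement's code, contrasting the shape of that defect (a token derived from public inputs) with a reset-token store whose tokens are unguessable, stored only as a hash, time-limited and single-use. The `weak_reset_token` function, the `ResetTokenStore` class and the 15-minute TTL are constructed for illustration; the clock is injectable so expiry can be exercised without waiting.

```python
# Added example (not the client's code): the shape of "predictable token
# generation" beside a reset-token store with CSPRNG tokens that are hashed at
# rest, expire, and can be redeemed only once. The weak generator, the store
# and the TTL value are constructed for illustration.
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # constructed policy value


def weak_reset_token(user_id: str, now: float) -> str:
    """The defect, in miniature: every input is public or guessable, so the
    output carries no secret. Two calls in the same minute return the same
    value, and the user id is something any registered user already knows."""
    minute = int(now // 60)
    return hashlib.md5(f"{user_id}:{minute}".encode()).hexdigest()


class ResetTokenStore:
    """Issues and redeems password-reset tokens.

    Invariants: 256 bits of OS randomness per token, only the SHA-256 digest is
    kept server-side, each token expires after TOKEN_TTL_SECONDS, and a token
    is removed on first redemption attempt whether or not it succeeds.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # digest -> (user_id, expires_at). A leaked copy of this table cannot
        # be replayed, because the digests are not the tokens users receive.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._pending[self._digest(token)] = (user_id, self._now() + TOKEN_TTL_SECONDS)
        return token  # delivered only to the account's verified address

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id if the token is live, else None.

        The entry is popped before any other check, so a token can never be
        used twice even if the caller fails later in the reset flow.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    print("weak, same minute:", weak_reset_token("alice", 1200.0) == weak_reset_token("alice", 1230.0))
    store = ResetTokenStore()
    token = store.issue("alice")
    print("first redeem:", store.redeem(token))
    print("second redeem:", store.redeem(token))
```

Looking the token up by its digest (rather than scanning the table with a string compare) sidesteps timing concerns on the comparison, since an attacker cannot steer the digest of a token they do not know. In the retest, the properties worth asserting are exactly the ones the test below checks: two issues for the same user differ, a redeemed token is dead, and an expired one is rejected.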
Enterprise Launch Outcome
The company submitted the penetration test report as part of their enterprise security package. The retest attestation letter confirming 100% remediation differentiated them from competitors who could only provide test results without remediation validation. The enterprise tier launched on schedule, and the first three Fortune 500 accounts signed within 60 days. The security team has since standardized on annual penetration testing with quarterly API security reviews.