HOLISTIC UPGRADE OF THE SECURITY POSTURE FOR A TECHNOLOGY FAST 500 FINTECH INSTITUTION

CASE STUDY

PENETRATION TESTING FOR FINANCIAL SUCCESS

US-based leading provider of tech-enabled credit products & services for underbanked consumers upgrades its security posture with the help of security penetration testing

A ROBOTIC PROCESS AUTOMATION CASE STUDY

US-based leading provider of tech-enabled credit products & services for underbanked consumers upgrades its security posture with the help of security penetration testing

Problem Statement

The client is the leading provider of tech-enabled credit products and services for underbanked consumers. Their Chicago based team of technologists developed a next-generation approach to lending, and they were working to envision a world where every individual has opportunities to achieve financial success without being held back by a three-digit credit score.

The client soon realized that in order to become a financial tool for everyone, they must be secure. It is with this ‘security first’ ambition in mind they turned to Zuci to discover security gaps in their suite of loan and credit services.

HOW ZUCI SYSTEMS HELPED

HOW ZUCI SYSTEMS HELPED

  • Thorough implementation of the following industry-standard penetration testing methods at both web and API levels
    • OWASP: Open Web Application Security Project (OWASP) Testing Guide
    • OWASP: OWASP API Security Top 10 – 2019
    • PTES: The Penetration Testing Execution Standard (PTES)
  • Identified all security vulnerably using relevant risk rang mechanism
  • Ranked each vulnerability based on the severity, loss potential, and likelihood of exploitation
  • Recommended solutions for issues which are prone to creating immediate consequences

SOLUTION

SOLUTION

  • Thorough implementation of the following industry-standard penetration testing methods at both web and API levels
    • OWASP: Open Web Application Security Project (OWASP) Testing Guide
    • OWASP: OWASP API Security Top 10 – 2019
    • PTES: The Penetration Testing Execution Standard (PTES)
  • Identified all security vulnerably using relevant risk rang mechanism
  • Ranked each vulnerability based on the severity, loss potential, and likelihood of exploitation
  • Recommended solutions for issues which are prone to creating immediate consequences

BUSINESS OUTCOME

  • Improved application’s overall security posture using the security best practices
  • Migrated each vulnerability with relevant CVE identifiers mapping (Common Vulnerabilities and Exposures)
Vulnerabilities Risk Level Ease of Exploit CVE
Insecure Direct Object Reference (IDOR) to view User Information Critical Trivial CWE-639
Unrestricted access to Spring Boot Actuator Endpoints High Moderate CVE-200
Log Poisoning via HTTP header injection Medium Trivial CWE-113
Password reset token leakage via referrer Medium Trivial
Missing ‘X-Frame Options’ Header (Clickjacking) Medium Trivial CVE-2016-9168

BUSINESS OUTCOME

  • Improved application’s overall security posture using the security best practices
  • Migrated each vulnerability with relevant CVE identifiers mapping (Common Vulnerabilities and Exposures)
Vulnerabilities Risk Level Ease of Exploit CVE
Insecure Direct Object Reference (IDOR) to view User Information Critical Trivial CWE-639
Unrestricted access to Spring Boot Actuator Endpoints High Moderate CVE-200
Log Poisoning via HTTP header injection Medium Trivial CWE-113
Password reset token leakage via referrer Medium Trivial
Missing ‘X-Frame Options’ Header (Clickjacking) Medium Trivial CVE-2016-9168

WITH SECURITY PENTEST, ADDRESS ALL THE SECURITY GAPS IN YOUR
APPLICATION AND IMPROVE YOUR SECURITY POSTURE HOLISTICALLY.