Financial Industry / Penetration Testing Case Study


When small organizations partner with large firms, they are often subject to cybersecurity requirements and requests put forth by their partners. This was the case for one small business that found itself needing to fulfill such requests in order to maintain its partnerships.

The Challenge

The client, a third-party administrator, maintains partnerships with large financial services firms. Security is naturally top of mind for these firms, especially when it comes to working with third-party companies. The firms began requesting that the client conduct simple network scans. This was followed by requiring application penetration tests and, eventually, an annual SOC audit. Although resistant at first, the client understood the implications of not fulfilling these requirements. 

One of the controls assessed in a SOC audit is penetration testing. The client found themselves in a unique situation: they used third-party vendor applications as well as proprietary software they had built themselves, and all of it needed to be included in the penetration tests.

They set out in search of the best solution for them that was also affordable. After all, they are a 20-person company with a niche business. Regardless of their size, though, these requirements were critical to maintaining the partnerships and continued business.

The client reached out to their technology partner, EBQ, who introduced them to IGI. The client conducted reference checks prior to engagement and heard favorable reviews from previous IGI clients. They opted to move forward with IGI’s OWASP penetration testing services. 


The Solution

IGI’s OWASP penetration testing aims to identify and evaluate security risks (i.e., business and software development logic flaws) within applications. Using both static and dynamic testing methodologies, the IGI team leverages the OWASP Top Ten, a list compiled by the Open Web Application Security Project (OWASP) of the most critical web application security risks, as a guide. These risks include cross-site scripting (XSS), broken access control, and insufficient logging and monitoring, to name a few. 

IGI conducted the penetration tests on the client’s proprietary application, as well as the third-party applications they were using. After testing was completed, the client received a thorough report from IGI that included recommendations on any security issues that were discovered during the penetration tests. The client mentioned that the findings were not egregious and were relatively simple fixes, but that there were security holes that needed to be plugged. 


The Result

As the client’s software developers worked through the security recommendations put forth in the report, the client took additional steps to improve their overall security posture. For instance, while they had implemented cybersecurity policies and procedures in practice, they did not have them in written form. Through this process, they were able to craft written versions of their policies and procedures, which also helped them with their SOC audit. 

The client added cybersecurity awareness training for their employees, as well. Although cybersecurity is not their core business, the client found it important to educate their employees on various security topics: “It’s amazing how much you run into when you see how you can be breached, where your exposure is.” The client added, “We’ve developed a healthy understanding of what could happen and how it would affect business if we didn’t do it the way we should.” 

When asked about their experience working with IGI, the client said that the team was incredibly patient, despite roadblocks they encountered along the way. If the client had questions, IGI’s team was there to provide clarification and guidance to help the client get through any issues that arose. “IGI was able to understand the client’s needs,” added Kenley Ganem from EBQ. “The support from IGI was over the top.” 

Most importantly, the process has given the client a deeper and clearer understanding of their cybersecurity, which has enabled them to have better conversations with their own clients. 

“We are much better than we were,” the client explained. “Our network is extremely hardened compared to what it used to be.” 

The client will continue leveraging IGI’s services, as the OWASP penetration testing will need to be conducted annually. 

*The identity of the client has been redacted to ensure their privacy and keep them secure.
