Disclaimer: The case studies below are inspired by real-life situations, but for confidentiality's sake the cases presented are fictitious and do not correspond to any of our customers.
To help you better understand the objectives and impact of penetration testing, we present here a number of case studies. This will give you a more complete picture than a simple list of services.
This company specializes in industrial production. It supplies other companies with materials and equipment. It is an SME with 340 employees spread over 3 sites: the head office with the main plant, and 2 other plants located in other regions of Quebec.
The biggest risk is the deployment of ransomware. A production line stoppage would have a devastating impact financially, and the resulting production delays could also cause serious problems with customers.
What's more, because it works for major international groups, it is increasingly challenged on its security measures and needs to prove to its customers that it follows good cybersecurity practices.
This company has invested in security tools:
From a more operational point of view, they use the Microsoft 365 suite and have migrated their data to the cloud (SharePoint). They have a few industry-specific solutions that they are obliged to keep on their on-premises servers.
This company had never carried out penetration testing. We carried out a penetration test of their internal network, since that is where their main risk (ransomware reaching the production network) lies. Apart from WordPress, they have no websites or web applications.
To keep costs down, we proposed an "assumed breach" scenario. This means that we start from the assumption that an employee's account has already been compromised (by phishing, for example), and ask the company to provide us with that employee's credentials rather than spending test time on initial access.
This company has had problems with a person in accounting who has already fallen for phishing campaigns several times. So we tested 3 types of employee: accounting, reception (the least access in the company) and production (a lot at stake in securing that access).
We were able to compromise the domain in 4 different ways. Yes, their EDR raised alerts for some of our attempts, but we weren't blocked and were able to bypass SentinelOne (all EDRs can be bypassed, which is why alerts need to be acted on, not just generated). The domain was compromised by:
On presentation of the report, we brainstormed with our customer to help them build their action plan. Some critical vulnerabilities could be corrected very quickly by modifying configurations. The company had an update management plan, but its application had to be reviewed, since it was not being followed consistently.
A major issue, however, was the impossibility of updating certain equipment in the factory, as the machine in question cannot run more recent software versions. Replacing the factory machines was obviously not a realistic short-term solution, so we asked them to better segment their network and completely isolate the machines in question, so that a compromised office workstation can no longer reach them.
In addition to the test results, our customer had 4 hours with us. The first 2 hours were used to help them further prepare their action plan, and we trained them on some free tools we use that are very useful for their own security management (BloodHound and Purple Knight).
In addition to the test, we offered to scan their 4 external IPs exposed on the Internet for one year.
This company has developed an application to help healthcare professionals. It has just launched its MVP to test its market and validate that they are on the right track to best meet the needs of their target clientele.
Although the company is still in its early stages, it needs to carry out a penetration test of its application in order to move forward with its development. Indeed, the MSSS (Quebec's Ministère de la Santé et des Services sociaux) requires it to obtain TGV certification, and its private-sector customers also have cybersecurity requirements before they will consider the application. The data stored in the application is medical, and therefore highly sensitive.
What's more, to further its development, this company is looking for investors who also have expectations in this area.
Their product is a SaaS application. For the moment there's only a web version, but a mobile application will follow to facilitate use by users who aren't always in front of a computer. Both clients are driven by the same REST API.
In order to segment the sensitive data of its various customers, the application is built in multi-tenant mode. For the time being, each organization has two roles: the tenant administrator and its users.
As the application was created very recently, with modern frameworks that provide output encoding and parameterized queries by default, it is less likely to contain common flaws such as XSS or SQL injection. These tests will of course still be carried out, but we proposed to focus on the API and on business logic, where frameworks offer no built-in protection.
The biggest issue we're looking at is the possibility of one user accessing another organization's data. We'll be paying particular attention to access management (who may read or modify which object) and to the possibility of escalating our privileges from an ordinary user to tenant administrator.
We found that the application did not check permissions correctly before granting access to certain objects: it looked objects up by their identifier without verifying that they belonged to the caller's tenant. Here, this allowed us to access another organization's tenant. What's more, some checks were carried out only on the client side, so we could bypass them simply by editing the requests sent to the API.
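To make the two findings above concrete, here is an added example (our own illustration, not the client's code; their language and data model are not stated on this page, so Go and the constructed sample records are assumptions). The insecure functions look an object up by ID alone and trust a role sent by the client; the fixed versions scope every lookup to the tenant of the server-side principal and take the role from that principal only.

```go
package main

import (
	"errors"
	"fmt"
)

// Principal is the caller's identity as established server-side from the
// session token. Tenant and role come from here, never from the request body.
type Principal struct {
	UserID   string
	TenantID string
	Admin    bool // tenant administrator
}

// Record is a patient record belonging to exactly one tenant (organization).
type Record struct {
	ID       int
	TenantID string
	Summary  string
}

var (
	ErrNotFound  = errors.New("record not found")
	ErrForbidden = errors.New("forbidden")
)

// Store is an in-memory stand-in for the application's database (assumption).
type Store struct {
	records map[int]Record
}

// newSampleStore returns constructed sample data: one record per tenant.
func newSampleStore() *Store {
	return &Store{records: map[int]Record{
		1: {ID: 1, TenantID: "clinic-a", Summary: "patient A1 visit"},
		2: {ID: 2, TenantID: "clinic-b", Summary: "patient B1 visit"},
	}}
}

// GetRecordInsecure mirrors the first finding: the object is looked up by ID
// alone, so any authenticated user who increments the ID reads another
// tenant's data (broken object-level authorization).
func (s *Store) GetRecordInsecure(id int) (Record, error) {
	r, ok := s.records[id]
	if !ok {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// GetRecord scopes the lookup to the caller's tenant. A record from another
// tenant is reported as not found rather than forbidden, so the endpoint does
// not confirm which IDs exist in other tenants.
func (s *Store) GetRecord(p Principal, id int) (Record, error) {
	r, ok := s.records[id]
	if !ok || r.TenantID != p.TenantID {
		return Record{}, ErrNotFound
	}
	return r, nil
}

// DeleteRequest is the JSON body as a client would send it. The Role field is
// the client-side check from the second finding: the front end hides the
// delete button from non-admins and echoes the role back in the request.
type DeleteRequest struct {
	ID   int    `json:"id"`
	Role string `json:"role"`
}

// DeleteRecordInsecure trusts the role claimed by the client. Editing the
// request to role "admin" bypasses the check for any user, in any tenant.
func (s *Store) DeleteRecordInsecure(req DeleteRequest) error {
	if req.Role != "admin" {
		return ErrForbidden
	}
	if _, ok := s.records[req.ID]; !ok {
		return ErrNotFound
	}
	delete(s.records, req.ID)
	return nil
}

// DeleteRecord enforces the role from the server-side principal and scopes the
// target record to the caller's tenant through GetRecord.
func (s *Store) DeleteRecord(p Principal, id int) error {
	if !p.Admin {
		return ErrForbidden
	}
	if _, err := s.GetRecord(p, id); err != nil {
		return err
	}
	delete(s.records, id)
	return nil
}

func main() {
	attacker := Principal{UserID: "u1", TenantID: "clinic-a", Admin: false}
	s := newSampleStore()
	r, _ := s.GetRecordInsecure(2)
	fmt.Println("insecure read of another tenant:", r.Summary)
	_, err := s.GetRecord(attacker, 2)
	fmt.Println("scoped read of another tenant:", err)
	fmt.Println("insecure delete with forged role:", s.DeleteRecordInsecure(DeleteRequest{ID: 2, Role: "admin"}))
	fmt.Println("server-side role check:", s.DeleteRecord(attacker, 1))
}
```

The pattern to carry over to a real code base is that every query touching tenant data takes the tenant from the authenticated principal as a mandatory filter, and that the client's view of its own permissions is treated as a hint for the UI only.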
Following the presentation of the report and some discussions with the customer, these vulnerabilities were corrected. This enabled the client to reassure its customers and initiate the process of obtaining TGV certification.
We have signed an annual agreement so that we can test new functions as they become available, enabling them to keep reassuring their customers while limiting costs and risks, since tests are carried out in parallel with development rather than after features have been pushed into production.
This company develops SaaS applications tailored to the needs of its customers. Once the finished product has been delivered to customers, it also takes care of maintenance and the development of new functionalities as the application's lifecycle progresses.
Its customers are beginning to challenge it more and more on secure application development. Its team is trained in the subject and familiar with the OWASP Top 10, but this is not always enough to win a contract or reassure its customers.
Some RFPs now require penetration testing to be included in the project.
Each application delivered is different, since they meet the needs of different companies. That said, the company generally chooses to use recent languages (e.g. backend in Go and frontend in JavaScript).
To keep their code as clean as possible, they rely heavily on existing libraries. They pay particular attention to APIs, since this is where the greatest potential for error lies.
The company is eager to increase its cybersecurity skills. When required by the customer, a full penetration test with report will be provided to ensure compliance.
For other projects, a more continuous approach has been chosen: instead of a single penetration test of the whole application, iterative tests are carried out as applications are developed, so that vulnerabilities can be corrected quickly and the same mistakes are not reproduced in other projects.
Integrating regular testing into the project has increased the value of their service offering in the eyes of their customers. This reassures them, and makes it easier for them to sell their applications to their own customers.
What's more, by working together, our two teams were able to enhance each other's skills and gain in efficiency. The company's developers learned to produce more secure code from the outset, while at Yack we gained a better understanding of their way of working and their challenges, so our recommendations are more precise and better adapted.