About the Client
A privately held real estate investment and financial services firm focused on acquiring, developing, and building relationships with housing, leaders, and organizations. The organization works with several businesses and enterprises, offering services such as mutual funds, sales, leasing, property management, construction management, development, and loan servicing. The organization has empowered more than 2,200 investors through proprietary systems and membership platforms and impacted over 800,000 lives.
Hybrid work environments, increased cloud adoption, malware exploits, and innovative phishing attacks have brought new challenges. The organization has extensive business divisions with more than $4 billion worth of assets under management. The need to uphold its business reputation as one of the ‘Fastest growing companies’ required the organization to test its product suite’s resilience as early as the development stage.
The organization’s execution system strove to help small and mid-sized entrepreneurs scale their businesses in an organized and measurable manner. In addition to helping its customers grow by 10X and delivering the ‘WOW’ experience to them, the firm wanted visibility into its security weaknesses and sought guidance on addressing them.
With over 40% of cyberattacks targeted at SMBs, the real estate investment and financial services firm sought a robust framework to rigorously assess its network infrastructure while maintaining the uptime of all critical services and patching vulnerabilities before external threats could exploit them. Additionally, the organization needed a solution that ensured the web portal was safe for customer transactions and for uploading personal information.
The organization invested in Vulnerability Assessment and Penetration Testing (VAPT) to understand and resolve its system vulnerabilities. The organization already had a risk management program in place wherein the security team would focus on identifying the current level of risk.
The organization partnered with Trigent to augment its QA capabilities and find a solution that meets the organization’s expected growth and security needs. Trigent’s QA experts recommended a full-scope VAPT strategy. The team developed an optimized QA testing strategy for automated and manual assessment from a hacker’s perspective, using open-source tools and manual methods to penetrate the e-reader software and identify gaps that could lead to a security breach. Furthermore, Trigent’s team performed Dynamic Application Security Testing (DAST) of the web pages, categorizing findings against compliance standards such as the Open Web Application Security Project (OWASP) Top 10 and the SysAdmin, Audit, Network, and Security (SANS) Top 25.
Greybox Penetration Testing, wherein tests were designed to mirror the techniques attackers use in bug bounty programs: manipulating parameter values and tampering with operational data.
As part of Domain-Based Testing, the team performed verification and validation of privilege escalation and unauthorized access to premium accounts using session logs and session IDs.
Injection Attack Testing included injecting technology-specific scripts and files into URLs and search fields.
The robust, persona-based VAPT not only helped the organization meet regulatory and compliance requirements but also enabled it to: