These are some of Appsecco's case studies from 2017 to demonstrate the breadth of work we typically undertake and the results we achieve. They range from helping organisations to recover from attacks to penetration testing and application vulnerability assessments to changing the way clients look at their security posture overall and in industries ranging from financial services to manufacturing and software development to luxury goods. Don't hesitate to contact us if you would like to discuss any of them in more detail or to learn more about how Appsecco can help you on your security journey. Appsecco is a specialist application and cloud security company with physical presence in London, Bangalore and Boston, providing industry leading advice that is firmly grounded in commercial reality.

1. Some of our work from 2017
Case studies

2. Full organisational compromise
A world-renowned engineering company, wanted to test the security
of one of their facilities that they use in defence contracts
We carried out a black box penetration test that uncovered a zero-
day vulnerability in one of their systems. It allowed us to fully
compromise their facility including taking recordings from their CCTV
Our work enabled the client to get their vendor to issue a patch for
the system and we were credited with a CVE for our discovery
Case study – heavy engineering

3. 3rd party trading platform security audit
A North American investment bank, required a security audit of a 3rd
party trading platform they use with their clients
Our security audit identified a number of significant security issues
and access the data of other financial firms using the platform
through flawed multi-tenant architecture design
Our findings were passed to the platform provider for them to update
their security accordingly
Case study – financial services

4. Sensitive internal data online
A leading UK private equity fund preparing an investment for sale
sought to avoid any surprises during the sale process
Their asset was a large B2B media distribution platform and our testing
identified a plain text file, on a public web-server, that contained
confidential system admin log-in details
By deleting the file we had found, they became instantly more secure,
and ensured they avoided any awkward diligence questions
Case study – software as a service

5. Customer data exposed
A leading player in the insurance industry, wanted to understand if
their security was as effective as they had been told
We rapidly established that they had a test website, containing real
customer data, that they were completely unaware was online
Our insight allowed them to quickly remove the customer data and to
secure unauthorised access to the test website for the future
Case study – financial services

6. Complete server compromise
A major European retailer was launching a new ecommerce site and
wanted it thoroughly tested for security before going live
We carried out a full application vulnerability assessment and
discovered that, whilst the ecommerce application itself was secure,
we were able to fully compromise the system via the site’s blog
We worked with the client and their developers to properly harden the
entire system and ensure the site launched on time
Case study – ecommerce

7. Changing testing methodology
A well-known UK travel brand contacted us as they wanted to move
from simple, automated security testing, to conducting detailed
application vulnerability assessments
Our first assessment uncovered multiple, previously undiscovered
flaws, and we were able to achieve full system compromise through
the use of weak credentials by a senior member of staff at the client
Moving away from automated testing gave the client much greater
insight into the gaps in the security of their systems and their team
Case study – travel and tourism

8. Desktop application testing
A leading international educational technology company wanted to
confirm how secure their desktop application was, together with
assessing the security of a 3rd party DRM solution
We completely negated the protection of the 3rd party DRM solution
and our testing revealed a significant number of architectural issues
in how data was transmitted to and from the desktop application
The client was able to use our work to strengthen the security of
their application and negotiate a substantial discount for the DRM
Case study – software development

9. Combined services
A leading professional services membership organisation wanted to
test their own security and offer training and support to their members
We created a plan to test the multiple applications and portals they
operated, and jointly design a Continuous Professional Development
(CPD) module on cyber security for their members
Working with the client we were able to help them become more
secure and their members to understand cyber security better
Case study – membership organisation

10. Sanity Check+
Ahead of a full security review a leading international luxury goods
brand wanted to understand if they had any urgent issues
Our Sanity Check+ rapidly identified an overlooked critical security
flaw that left their ecommerce presence wide open to attack
The fix took less than 15 minutes to implement
Case study – luxury goods

11. Website breach recovery
A leading men's grooming brand contacted us after they had been
unable to resolve a recurring security breach affecting sales
We started work within 12 hours of the initial contact and were able to
identify the way they had been compromised, all affected files and
assets and give them details of similar websites with the same issue
Our findings allowed their internal technology team to resolve the issue
and secure the site within 72 hours from initially contacting us
Case study – ecommerce

12. Organisational breach recovery
A large international garment manufacturer contacted us after they
had fallen victim to man-in-the-middle invoice fraud
We conducted a full analysis of their finance and senior team’s IT
hardware and email system, and found that the source of the fraud
was through a poorly configured domain and email server
We worked with their IT team to remove the cause of the breach and
then secure, and harden their systems to stop it reoccurring
Case study – manufacturing

13. Legacy systems testing
A small UK-based industrial manufacturer had identified significant
security issues with their legacy ecommerce platform and wanted to
understand how at risk they were
We carried out a complete vulnerability assessment of their two
ecommerce sites and advised on the best options for mitigating
issues against risk, as fixes were not likely to be possible
The client used the findings within our report to better secure
themselves whilst a new ecommerce presence was being developed
Case study – light engineering

14. Marketing website pre-launch testing
An award winning advertising company had been asked by their
financial services client to verify the site they built was secure
We carried out a full vulnerability assessment and penetration test
and were able to compromise the site through weak credentials, but
with the rest of the application having only minor issues
The client’s development team were able to work directly from our
testing report to fix all the issues and give their client the assurance
they required to launch the new website
Case study – marketing and communications

15. To learn more about the work we do and how we can
help you be more secure, contact us:
contact@appsecco.com www.appsecco.com +44 20 3137 0558
LONDON | BANGALORE | DOHA | BOSTON

16. About Appsecco
Pragmatic, holistic, business-focused approach
Specialist Application Security company
Highly experienced and diverse team
Def Con
speakers
Assigned
multiple CVEs
Certified
hackers
OWASP chapter
leads