These are some of Appsecco's case studies from 2019 that showcase the breadth of work we undertake, the wide range of clients we work with on a daily basis and the results we achieve with them. They range from working with a multi-billion dollar company to secure their AWS infrastructure, to helping a leading player in the airline loyalty sector improve the security of their flagship product, to ensuring a Caribbean bank's security was strong enough to get them un-blacklisted by major end-point security programs. Don't hesitate to contact us if you would like to discuss how any of the work we've delivered can help you on your security journey or to learn more about how Appsecco can help you in your cloud and application security goals in general. Appsecco is a specialist application and cloud security company with physical presence in London, Bangalore and Boston, providing industry leading advice that is firmly grounded in commercial reality.

1. Appsecco Case Studies 2020
Some of our work from 2019

2. AWS IAM audit and assessment
A multi billion-dollar content and consumer technology company contacted
us to to verify the security of their core AWS cloud deployment
We conducted a full AWS IAM audit and found multiple weaknesses in the
infrastructure that could potentially be exploited, leaving them
dangerously exposed
We worked with the client’s technology team to help them take corrective
action to harden their AWS environment and to put in place suitable
controls to help ensure their future security
Case study – public cloud security testing

3. Thick client security testing
One of the world’s leading multimedia tool creators asked us to identify
how their software had been pirated and suggest mitigations to avoid
future licensing bypasses
We reverse engineered the pirated software to identify how the license
bypass worked, along with carrying out a thick client vulnerability
assessment
Our report and support, including providing code snippets, enabled them
to change their product architecture to make reverse engineering and
piracy difficult in the future and to improve their security overall
Case study – software development

4. External black box penetration testing
A large international engineering company, contacted us to conduct a black
box penetration test on their external facing network
During our testing we discovered two zero day vulnerabilities in commonly
used third party software that allowed us to eavesdrop on all their
communications along with multiple other weaknesses that exposed their
data and internal systems to external attackers
Our findings enabled the client to become more secure by fixing the issues
found, along with us reporting the zero days to the third-party vendor in
question
Case study – engineering

5. Vulnerability assessment of containers
A market leading technical training platform contacted us to assess the
internal security of one of their containerised production environments
We were able to compromise the entire Kubernetes cluster of the target
network through a service we discovered that had no authentication
Our testing enabled us to provide a detailed report on multiple attack
pathways and access to restricted areas of the cluster, as a result of
misconfigurations, which the client’s team were able to follow, validate and
fix, making them much more secure
Case study – DevOps security

6. Mobile app security testing
A large European car rental company required security testing of their
entire digital portfolio, including mobile apps for both iOS and Android
We identified multiple security weaknesses, particularly around storing
sensitive information and hard coded secrets and discovered that the
embedded browser in the Android version had debugging enabled allowing
it to be controlled from outside the phone
Our report and subsequent discussions with the client allowed them to
prioritise fixes and release updated and secure versions of their apps to the
general public
Case study – travel

7. Web application vulnerability assessment
A market-leading data analytics company in the heavy engineering sector
required security assurance for a compliance process they were completing
Our testing revealed a wide range of security issues from authentication
and authorisation issues to privilege elevation to broken role based API
access
Our detailed report highlighted suggested fixes (or workarounds when
there were no direct fixes available) enabling the client to quickly address
issues from a compliance perspective and create a newer version of the
application for general release
Case study – data analytics

8. Website blocked due to reported malware
A Caribbean retail bank contacted us to help them recover from a breach
that had left their customer website being flagged as serving malware,
which their IT suppliers were unable to resolve
We carried out a complete assessment of the affected site and discovered
that whilst it was ‘clean’ this fact had not been picked up by all anti-
malware databases
We worked with the client and their IT supplier to contact and update the
relevant databases and advised them on how to ensure the issue wouldn’t
reoccur
Case study – retail banking

9. External vulnerability testing of AWS infra’
One of India's leading online fashion retailers asked us to scan their
external AWS infrastructure from an attackers perspective
Multiple weaknesses were uncovered including the use of outdated
software, misconfigurations that could allow source code to be
downloaded, SQL Injection and the ability to conduct Man in The Middle
attacks
Our report, containing instructions on how to reproduce the steps along
with screenshots and complete remediation guidance helped the client to
quickly fix the issues found and become much more secure as result
Case study – ecommerce

10. Application security assessment
A leading developer of loyalty management applications required a grey
box vulnerability assessment of their product before it was rolled out to a
major airline client
Our testing revealed vulnerabilities that allowed user accounts to be taken
over, privilege escalations and that sensitive customer data was being
leaked to unauthenticated users
We worked with the client’s team to help them fix the issues discovered
and deliver a secure application to their end client
Case study – loyalty and benefits

11. App & SDK vulnerability assessment
A fast growing company in customer service and AI sector asked us to test
their mobile SDK via their internal Android and iOS apps used to do this
We uncovered multiple weaknesses arising from weak configurations and
poor programming practices including; an instance of Stored XSS via the SDK
that affected administrative users, arbitrary file uploads, insecure direct
object references and weakly encrypted databases on the mobile file system
Our findings enabled the client to become more secure, creating a hardened
version of their SDK which they make available to millions of users
Case study – AI and online customer support

12. Web application vulnerability assessment
One of India's leading players in the digital learning space required a
security test on an internal application used by their sales team
Our testing revealed multiple authentication and authorisation flaws in
their APIs and in the implementation of Amazon Cognito. Additional
privilege escalation issues based on insecure configuration were also
discovered
Our report and consequent meetings with their development team allowed
all issues discovered to be fixed and a production-ready app to be rolled
out to their Sales team just in time for their sales peak season
Case study – sales automation

13. Product security testing
One of the worlds leading video conferencing companies wanted to test
the security of their Windows desktop application
We revealed an attack chain that could allow a user with limited privileges
to gain admin capabilities, steal session information from logs and gain
access to the user's web account
Implementing the fixes we suggested enabled the client to release an
updated, more secure version, of their product to their users
Case study – telecoms and video conferencing

14. Web application penetration testing
A leading vendor in the entertainment sector was promoting a large music
event and wanted us to test the security of the site that would be launched
to sell tickets and introduce the music festival
Our testing uncovered multiple security weaknesses that could potentially
be used to conduct phishing attacks and steal email addresses
Our report along with our detailed mitigation documentation allowed the
client to fix the issues in time for the launch of the event and ensure that
all user data passing through the site was secure
Case study – music and entertainment

15. To learn more about the work we do and how we can
help you be more secure, contact us:
contact@appsecco.com www.appsecco.com +44 20 3137 0558
LONDON | BANGALORE | BOSTON

16. About Appsecco
Pragmatic, holistic, business-focused approach
Specialist Cloud and Application Security company
Highly experienced and diverse team
Black Hat trainers
Def Con speakers
Assigned
multiple CVEs
Certified
hackers
OWASP chapter
leads
Cloud
experts