We executed gray‑box tests across web, API, and mobile aligned to OWASP ASVS/MASVS and designed abuse‑cases for business‑logic risk. A CI DAST gate caught regressions early and ensured fixes stayed fixed.
Client. Fintech SaaS provider, Tokyo
Context
Rapid feature delivery and third‑party integrations increased attack surface. Internal testing focused on functional QA; little existed for authZ edge cases and rate‑limit behaviors.
Challenge
- Fast release cadence with limited internal security testing
- Risk of business‑logic flaws beyond standard OWASP issues
- Need for repeatable, bilingual reporting for exec and engineering
Approach and rationale
We combined manual gray‑box testing for logic paths and token flows with scripted checks and a CI gate. The goal: find criticals pre‑release and institutionalize prevention via pipelines and playbooks. We paired findings with actionable fixes and a playbook that mapped classes of issues to secure patterns. Secure defaults (rate limits, uniform error handling, and authorization checks) moved from “guidance” to “pipeline policy.”
Implementation
- Gray‑box pentests for web/API/mobile mapped to OWASP ASVS/MASVS
- Abuse‑case design for authZ escalation, IDOR, rate‑limit bypass, SSRF, and session anomalies
- CI pipeline DAST gate with risk thresholds; bilingual reports and ticket templates
- Secure coding workshops and backlog grooming to address root causes
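The CI DAST gate with risk thresholds described above, as an added illustration rather than the engagement's own tooling. It assumes the scanner emits a JSON list of findings with `id`, `severity`, `path` and `rule` keys; the suppression rules, the deferred-ticket list and the sample findings are constructed here. It mirrors the tuning goal of ignoring noise while still blocking high-impact paths: suppressions only apply below the blocking threshold, so a tuned-out rule can never hide a critical or high.

```python
"""Release gate over DAST output: block on critical/high, suppress tuned noise.

Added example, not the page's own code. Assumes scanner output is a JSON list
of findings shaped like SAMPLE_FINDINGS below (constructed for this example).
"""
import json
import sys

# Severities that break the release gate (page: "breaks on critical/high").
BLOCKING = {"critical", "high"}

# Tuned noise suppressions: rule id -> path prefixes where the rule is accepted
# noise. Constructed example; in practice this list lives in the repo and is
# reviewed quarterly alongside false-positive handling.
SUPPRESSIONS = {
    "missing-csp-header": ("/static/",),
}

# Constructed scanner output for a stand-alone run.
SAMPLE_FINDINGS = [
    {"id": "f1", "severity": "high", "path": "/api/v1/accounts/42", "rule": "idor-object-exposure"},
    {"id": "f2", "severity": "low", "path": "/static/app.js", "rule": "missing-csp-header"},
    {"id": "f3", "severity": "medium", "path": "/api/v1/login", "rule": "verbose-error"},
    {"id": "f4", "severity": "medium", "path": "/api/v1/export", "rule": "rate-limit-missing"},
]

# Findings with an agreed retest ticket and a fix in flight (constructed).
DEFERRED_IDS = frozenset({"f4"})


def is_suppressed(finding):
    """True when the rule is tuned out for this path prefix."""
    prefixes = SUPPRESSIONS.get(finding["rule"], ())
    return any(finding["path"].startswith(p) for p in prefixes)


def evaluate_gate(findings, deferred_ids=frozenset()):
    """Return (blocked, report); report rows are (id, severity, path, disposition)."""
    blocked = False
    report = []
    for f in findings:
        sev = f["severity"].lower()
        if sev in BLOCKING:
            # Blocking severities are never suppressed or deferred: fix, then retest.
            disposition = "BLOCK"
            blocked = True
        elif is_suppressed(f):
            disposition = "suppressed"
        elif f["id"] in deferred_ids:
            disposition = "deferred"
        else:
            disposition = "ticket"  # goes into the structured ticket template
        report.append((f["id"], sev, f["path"], disposition))
    return blocked, report


def main(argv):
    # Read scanner JSON from a file path if given, else use the constructed sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            findings = json.load(fh)
    else:
        findings = SAMPLE_FINDINGS
    blocked, report = evaluate_gate(findings, DEFERRED_IDS)
    for row in report:
        print("%-4s %-8s %-28s %s" % row)
    print("GATE:", "FAIL" if blocked else "PASS")
    return 1 if blocked else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit from `main` is what makes the pipeline step fail; the printed report is what lands in the ticket.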
Implementation details
- Test users seeded with least‑privilege variants; token replay/reuse tests
- API fuzzing for object ID exposure; scope enforcement; error leakage
- Lightweight threat modeling per epic; authZ matrix verified during test planning
- DAST gates tuned to ignore noise yet block high‑impact paths; retest SLAs agreed with product
- Secrets handling in CI: short‑lived tokens, masked logs, and scoped credentials for scanners
- Third‑party SDKs: exercised OAuth and webhook flows; validated signature checks and replay protections
- Mobile: certificate pinning/SSL enforcement checks; local storage review
- Release gate breaks on critical/high; retest path and change‑management hooks
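The webhook signature and replay-protection checks exercised against third-party SDKs above, as an added example of what a receiver should do; this is not the provider's SDK or the engagement's code. It assumes the sender signs `"<timestamp>.<raw body>"` with HMAC-SHA256 over a shared secret and sends `X-Signature` (hex), `X-Timestamp` (unix seconds) and `X-Event-Id`; those header names, the secret and the sample event are constructed for this illustration.

```python
"""Webhook receiver checks: HMAC signature, timestamp window, event-id replay.

Added example, not the page's own code. Header names, secret and sample
event are constructed assumptions.
"""
import hashlib
import hmac
import time

SECRET = b"constructed-shared-secret"   # constructed; real value comes from a secret store
MAX_SKEW_SECONDS = 300                   # accept timestamps within +/- 5 minutes
SAMPLE_BODY = b'{"event":"payment.settled","amount":1200}'  # constructed


class WebhookVerifier:
    def __init__(self, secret, max_skew=MAX_SKEW_SECONDS, now=time.time):
        self.secret = secret
        self.max_skew = max_skew
        self.now = now              # injectable clock so tests are deterministic
        self.seen = {}              # event_id -> timestamp, pruned as the window slides

    def sign(self, timestamp, body):
        """What the sender computes: HMAC-SHA256 over '<ts>.<raw body>'."""
        msg = f"{timestamp}.".encode() + body
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _prune(self, now):
        cutoff = now - self.max_skew
        self.seen = {eid: ts for eid, ts in self.seen.items() if ts >= cutoff}

    def verify(self, headers, body):
        """Return (ok, reason). Runs on the raw bytes before any JSON parsing."""
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        event_id = headers.get("X-Event-Id")
        if not event_id:
            return False, "missing event id"
        # The timestamp is part of the signed message, so a valid signature also
        # binds it; constant-time compare avoids leaking how many bytes matched.
        expected = self.sign(ts, body)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        now = int(self.now())
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside window"
        # Replay check: an authentic message may still only be accepted once.
        self._prune(now)
        if event_id in self.seen:
            return False, "replay"
        self.seen[event_id] = ts
        return True, "ok"


def make_headers(verifier, timestamp, body, event_id):
    """Build the headers a well-behaved sender would attach (test helper)."""
    return {
        "X-Timestamp": str(timestamp),
        "X-Event-Id": event_id,
        "X-Signature": verifier.sign(timestamp, body),
    }


def demo():
    """Stand-alone run with a fixed clock; returns the list of outcomes."""
    clock = 1_700_000_000
    v = WebhookVerifier(SECRET, now=lambda: clock)
    fresh = make_headers(v, clock, SAMPLE_BODY, "evt_1")
    stale = make_headers(v, clock - 600, SAMPLE_BODY, "evt_2")
    results = [
        v.verify(fresh, SAMPLE_BODY),          # accepted
        v.verify(fresh, SAMPLE_BODY),          # same event id again: replay
        v.verify(fresh, SAMPLE_BODY + b" "),   # body tampered: bad signature
        v.verify(stale, SAMPLE_BODY),          # signed but too old: outside window
    ]
    for r in results:
        print(r)
    return results


if __name__ == "__main__":
    demo()
```

The dedup store here is in-process; a multi-instance receiver needs a shared store with the same window, otherwise a replayed event can land on a different instance and be accepted.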
Outcomes
- Zero critical/high findings across three consecutive releases
- Remediation lead time down 31%; recurrence after fixes down 45%
- Improved signal to dev teams via structured tickets and bilingual repro steps
- Security hygiene uplift: shared authZ patterns, rate‑limit profiles, and error‑handling guidelines adopted across teams
Risk management and governance
- Security champions model with office hours for product teams
- Quarterly reviews of gate thresholds and false‑positive handling
- Findings mapped to policy and tracked to closure with ownership
Timeline
12‑week cycle with retest; training and playbook refresh followed each cycle
Technology
Burp Suite, custom scripts, Git‑integrated DAST, SAST advisories
Next steps
Phase 2 extends SAST coverage, adds runtime protections (RASP/WAF tuning), and expands training for new squads. Security posture reviews will align with the release cadence to sustain zero‑critical outcomes. We will also surface security KPIs (time to remediate, retest pass rate) on shared dashboards so squads keep focus between releases.
This closes the loop between findings and delivery cadence, keeping risk visible without slowing releases.
