We ordered the first external penetration test for our main web application. The result: 3 critical, 7 high, 12 medium, and 20 low findings. It was sobering, but enormously valuable.
Critical Findings
SQL injection in a legacy module (manually concatenated SQL query). Session fixation — the session ID was not regenerated after login. Path traversal — a download endpoint allowed access to arbitrary files on the server. All three were fixed within 48 hours.
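The three critical findings map onto three small code patterns. The following Python block is an added example written for this post, not code from the application that was tested: it shows the concatenated query beside its parameterized replacement, a download resolver that rejects paths escaping the download root, and a session store that issues a fresh session ID on login. The in-memory users table, the download root `/srv/app/downloads` and the `SessionStore` class are constructed for illustration.

```python
import os
import secrets
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the legacy module's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The pattern the pentest flagged: user input spliced into the SQL text,
    # so quote characters in `name` change the query's structure.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the value travels separately from the SQL text and
    # can never be parsed as part of it.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def resolve_download(root: str, requested: str) -> Optional[str]:
    """Return the absolute file path for a download request, or None if the
    requested name would resolve outside the download root."""
    root = os.path.realpath(root)
    # os.path.join discards `root` when `requested` is absolute, and realpath
    # collapses any "../" segments; the containment check below catches both.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


class SessionStore:
    """Minimal server-side session store (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def login_vulnerable(self, sid: str, user: str) -> str:
        # Keeps the pre-login ID: a session ID that was known before
        # authentication stays valid after it (session fixation).
        self._sessions.setdefault(sid, {})["user"] = user
        return sid

    def login_fixed(self, sid: str, user: str) -> str:
        # Discard the pre-login ID and issue a new one at the privilege change.
        data = self._sessions.pop(sid, {})
        new_sid = self.new_session()
        self._sessions[new_sid] = {**data, "user": user}
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    conn = make_db()
    print(find_user_fixed(conn, "alice"))
    print(resolve_download("/srv/app/downloads", "report.pdf"))
    print(resolve_download("/srv/app/downloads", "../../etc/passwd"))
    store = SessionStore()
    before = store.new_session()
    after = store.login_fixed(before, "alice")
    print(before != after, store.user_for(before), store.user_for(after))
```

The containment check is deliberately done on the resolved path rather than by searching the request for `..`: symlinks, URL-decoded separators and absolute paths all end up in the same place once `realpath` has run, so a single comparison against the root covers them.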
High Findings
XSS in three forms. Missing CSRF protection on the admin interface. Weak password policy (min 6 characters, no complexity requirements). Information disclosure on error pages (stack traces). HTTPS with weak cipher suites.
Remediation
A sprint dedicated to security fixes. Code review of all database queries (looking for string concatenation). Output encoding audit. CSRF tokens. Password policy update. Custom error pages. SSL configuration hardening.
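The high findings and the remediation list above describe fixes that fit in a few functions each. As an added example, not code from the post's application, the Python block below shows one way to implement them: output encoding for the forms, a per-session CSRF token with constant-time verification, a password policy check, an error handler that keeps stack traces in the server log, and a TLS context with a raised minimum version and restricted cipher suites. The post does not state the new password policy or the cipher list that was chosen, so the rules in `password_policy_errors` and the cipher string in `hardened_tls_context` are assumptions.

```python
import hmac
import html
import logging
import secrets
import ssl
import string
import traceback
from typing import List, Optional, Tuple

log = logging.getLogger("app")


# --- Output encoding (the XSS findings) ---
def render_greeting(display_name: str) -> str:
    # Every untrusted value is escaped for the HTML context it lands in.
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# --- CSRF protection for the admin interface ---
def issue_csrf_token(session: dict) -> str:
    # One random token per session, kept server-side and embedded in forms.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected, submitted)


# --- Password policy (assumed rules; the post only says the old one was weak) ---
MIN_PASSWORD_LENGTH = 12


def password_policy_errors(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"at least {MIN_PASSWORD_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        errors.append("at least three of: lowercase, uppercase, digit, punctuation")
    return errors


# --- Custom error pages (the stack-trace disclosure finding) ---
def error_response(exc: Exception) -> Tuple[int, str]:
    # The traceback goes to the server log under a reference ID; the client
    # only sees the ID, which support staff can match against the log.
    ref = secrets.token_hex(8)
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("unhandled error %s\n%s", ref, trace)
    body = f"<h1>Something went wrong</h1><p>Reference: {ref}</p>"
    return 500, body


# --- TLS hardening (the weak cipher suite finding) ---
def hardened_tls_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Assumed cipher policy: AEAD suites with forward secrecy only.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    print(render_greeting("<script>alert(1)</script>"))
    session = {}
    token = issue_csrf_token(session)
    print(verify_csrf_token(session, token), verify_csrf_token(session, token + "x"))
    print(password_policy_errors("abc123"), password_policy_errors("Correct-Horse-42"))
    print(error_response(ValueError("boom")))
    print(hardened_tls_context().minimum_version.name)
```

Two design points are worth spelling out. The CSRF token is compared with `hmac.compare_digest` rather than `==` so that a wrong token takes the same time to reject regardless of how many leading characters match. And `error_response` never puts the exception message itself into the page, only the reference ID, since messages from database drivers and frameworks routinely contain table names, file paths and query fragments.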
Lessons Learned
Security by obscurity doesn’t work. Internal code review is not enough — an external perspective is irreplaceable. Security is not a one-time event — we plan annual retests. Every developer went through OWASP training.
Recommendation
Order a penetration test. It will be painful, but you’ll learn more than from any training. And fix the findings — a report without action is worthless.