Web App Penetration Test for Edutech Startup

by Olga Kovalenko, 08.03.2025
Client: NDA Edutech Startup
Industry: Education & Business Administration
Company Size: 11 to 50 Employees
Services Used: Penetration Testing, Application Security Training, Security Remediation Support


Client

The Edutech startup specializes in personal development and corporate culture transformation. Since its inception in 2009, it has been empowering individuals and organizations through a variety of educational modules and tools focused on self-leadership. Catering to businesses of all sizes, NGOs, and public sector organizations, it delivers training events and workshops that foster personal growth and professional development. With a dedicated team of 11-50 employees, the startup has established itself as a pivotal player in the education and business administration sectors.

Background

As the startup expanded its reach, the company developed a specialized corporate training and education platform used by numerous large companies and enterprises. Recognizing the platform's critical role in delivering their services, the company understood the importance of ensuring its security. Protecting sensitive client data and maintaining the integrity of their platform were paramount, especially given the high-profile nature of their clientele.

The Challenge

This startup approached Iterasec with the goal of evaluating the current state of security of their corporate training and education platform. The key objectives were:

  • Security Assessment: Perform a thorough penetration test to identify any severe vulnerabilities that could be exploited by malicious actors.

  • Data Protection: Ensure the safeguarding of sensitive data to maintain client trust and comply with regulatory requirements.

  • Operational Continuity: Prevent potential disruptions such as denial-of-service attacks that could impact the delivery of their services.

The Solution

Iterasec deployed a specialized team to address the company's needs, consisting of a Senior Penetration Tester, a Security Engineer, and a Delivery Manager. The approach included:

Comprehensive Penetration Testing

  • Vulnerability Identification:

    Systematically probing the application to uncover security weaknesses, including both common and obscure vulnerabilities.

  • Risk Analysis:

    Assessing the potential impact of each identified vulnerability on the confidentiality, integrity, and availability of the platform.

  • Exploitation Attempts:

    Simulating attack scenarios to understand how vulnerabilities could be leveraged in real-world situations.

Detailed Reporting and Recommendations

  • Findings Summary:

    An executive overview highlighting the critical and high-severity vulnerabilities discovered.

  • Technical Details:

    In-depth explanations of each vulnerability, including how they were found and the potential risks associated.

  • Remediation Guidance:

    Clear, actionable recommendations for addressing each security issue.

Collaborative Remediation Support

  • Fix Security Issues:

    Assisting in patching vulnerabilities to ensure they are effectively resolved.

  • Validate Fixes:

    Performing follow-up testing to confirm that the applied fixes addressed the vulnerabilities without introducing new issues.

  • Knowledge Sharing:

    Providing insights and best practices to prevent similar vulnerabilities in future developments.

Complimentary Security Training

  • Secure Coding Practices:

    Techniques to write code that is resilient against common security threats.

  • Threat Modeling:

    Understanding potential attack vectors and how to anticipate them during the development process.

  • Ongoing Security Maintenance:

    Strategies for integrating security considerations into regular workflows.

The Outcome

The collaboration between Iterasec and the Edutech startup yielded significant benefits:

  • 1 Critical-Severity Vulnerability: A compromise of the company's SMTP server, which could have allowed attackers to intercept or manipulate email communications.

  • 2 High-Severity Vulnerabilities: Multiple instances of broken access control, enabling unauthorized access to sensitive data.

  • Additional Vulnerabilities: Including denial-of-service (DoS) risks and several GraphQL-related security issues.

  • Enhanced Security Posture: By addressing these vulnerabilities, the company significantly reduced the risk of data breaches and service disruptions.

  • Improved Platform Integrity: The timely patching of all identified issues led to the release of a more secure version of the platform. This not only protected existing clients but also enhanced the platform's appeal to prospective customers concerned about security.

  • Empowered Development Team: Through hands-on support and training, the development team gained valuable security expertise. This enables them to proactively address security considerations in future projects, fostering a culture of security awareness within the organization.

  • Strengthened Client Trust: By demonstrating a commitment to security, the company reinforced trust with its clients. This commitment is particularly crucial when dealing with personal development and corporate culture, areas where confidentiality and integrity are vital.

Conclusion

The partnership between Iterasec and the Edutech Startup highlights the importance of proactive cybersecurity measures in today's digital landscape. Our tailored approach identified and mitigated critical vulnerabilities and contributed to the company's long-term security posture through knowledge transfer and ongoing support. The company continues to provide exceptional services to their clients, confident in the robustness of their technology and the trustworthiness of their operations.