Global Pharma — External & Web App Pentest (Anonymized)
Industry: Pharmaceuticals (Global)
Scope: External network, 3 internet-facing web apps
Duration: 3 weeks
Methods
- Recon + attack surface mapping
- Auth & session testing
- Injection & deserialization checks
- S3-style storage policy review
Key Findings
- Critical: IDOR enabled cross-account data access
- High: JWT alg=none downgrade in a legacy microservice
- Medium: TLS misconfiguration (weak ciphers, missing HSTS)
Outcomes (Metrics)
- External critical findings reduced: 4 → 0 (within 14 days)
- Mean time to patch: 7 days
- Added CSP with nonces, blocking the reflected XSS class
Testimonial
> “Found issues our scanners missed, with fixes we could ship in a sprint.” — CISO, Global Pharma