On the ball or unaware

Issue 1 2025 Information Security, Security Services & Risk Management

Whether an organisation is operating at a high level of information security maturity or has dangerous vulnerabilities that could put an entire business at risk, advanced, strategic penetration testing (or pentesting) can uncover its true state of IT security. This is according to Peter Chan, Operations Manager at South African cyber security provider BlueVision ITM.


Peter Chan, Operations Manager.

Chan says, “No matter how mature an organisation’s cybersecurity and risk frameworks are, pentesting is important to validate them. Pentesting is far more in-depth than vulnerability scanning, and it should not be a checkbox exercise. It should be tailored to meet specific needs, with pre- and post-testing engagement to help companies remediate critical vulnerabilities and develop a roadmap to improve their resilience over time.”

He highlights two case studies at the extreme ends of the maturity spectrum, illustrating the importance of pentesting and what it can reveal.

Client financial data at risk through third-party vulnerability

A small financial brokerage with limited in-house IT or information security resources engaged BlueVision to assess its vulnerabilities. The brokerage had an external-facing website and used a third-party ERP and CRM system. Previous general vulnerability assessments had found no vulnerabilities in the business’s environment.

However, during a BlueVision pentest, testers found they were able to cause errors on the ERP and CRM applications.

Chan says, “One of those errors had a very high verbosity level, and actually revealed usernames, passwords, and the location of the backend server. Exploiting a logic problem turned up this crucial vulnerability.”

This vulnerability had not been exploited, but presented a serious security and compliance risk. The brokerage could have risked reputational damage, financial damage and fines, and malicious actors could have used this exposed information to target individual users or clients in that space with very specific phishing campaigns.

“Once we identify a true positive as part of our methodology, we notify the customer immediately of the most critical findings,” he says. “We do not cause panic, we just help customers understand the severity of the vulnerability, and remediate it. In this case, the customers were surprised to learn that a glaring error like this existed. We drafted a response for them, and they took it up with the third-party application developers to remediate the risk immediately. With other findings of lower severity, we helped them prioritise and remediate these risks.”

On the flip side, Chan notes that the customer’s website was sound and secure, “It passed all the tests that we threw at it. This illustrates the fact that one supplier’s standard is not necessarily applicable throughout all your supplier links. Organisations must identify weak links, both in-house and in third party suppliers, and they must ensure that the standards meet the organisation’s requirements.”

As a result of the findings, the brokerage now engages BlueVision to conduct regular pentests to support security, risk management and compliance.

Security and risk teams pass with flying colours

Another BlueVision customer, a major IT distributor, uses pentesting to validate its internal processes. Chan says this customer has a high level of security and risk maturity.

“They have their own in-house security, a risk office, incident response plans, and best practices across the security stack. Even though they are mature, they require penetration testing by an independent party to verify that everything they have in place is working to their expectations.

“In this case, we did the pentest unannounced to their security team. To make it more authentic, we usually have a cloud-hosted environment with an international IP address, which we spin up and destroy after the exercise. Midway through the 5-day test and shortly after we had completed the reconnaissance phase, we got a call from them asking if we were the ones behind the activity. They were about to escalate the case to Interpol.”

The client’s IT and security teams had detected the pentesting activity moving from suspicious to malicious, and escalated the matter throughout the company’s security and risk stack – all the way to governance and management – all while preparing their incident response.

“They went a step further – instead of just blocking it, they also did the investigations necessary to trace where it was coming from and built up sufficient evidence to go to Interpol for a cease-and-desist request. This is impressive.”

An unannounced pentest is a good way to test your security team’s response. In this case, the test triggered everything from tech to governance. Each level of security was actioned on, which was a big win for them. The customer works with BlueVision on an ongoing basis to test its processes and support cyber-resilience.

Custom pentesting for enhanced resilience

Chan says these two cases showcase the importance of pentesting for organisations of all sizes. “Your level of security is based on your weakest link, and pentesting can reveal what that is.”

“BlueVision tailors the penetration test process, as well as the pre-engagement and post-engagement to align with our customers’ needs,” he says. “We plan the set of actions to test the most critical systems, and ensure that if vulnerabilities of a certain criticality emerge, they are addressed immediately. We then strategise on a roadmap activities going forward via the lessons learned during the exercise itself. Whether the customer is a product development house, or is rolling out a service roadmap, we can assist with that.”

While BlueVision offers ad hoc pentesting, Chan recommends a longer term, retainer engagement to ensure resilience.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Managed security solutions for organisations of all sizes
Information Security
Cyberattackers have become significantly more sophisticated and determined, targeting businesses of all sizes. PwC’s Global Digital Trust Insights Survey 2025 Africa and South Africa highlights the urgent need for organisations to implement robust cyber risk mitigation strategies.

Read more...
Multiple IoT devices targeted
Information Security Residential Estate (Industry)
Mirai remains one of the top threats to IoT in 2025 due to widespread exploitation of weak login credentials and unpatched vulnerabilities, enabling large-scale botnets for DDoS attacks, data theft and other malicious activities.

Read more...
SABRIC Annual Crime Statistics 2024
News & Events Security Services & Risk Management Residential Estate (Industry)
SABRIC has released its Annual Crime Statistics for 2024, reflecting a significant decline in financial crime losses, but also warning of the growing threat posed by artificial intelligence (AI) in fraud schemes.

Read more...
Local-first data security is South Africa's new digital fortress
Infrastructure Information Security
With many global conversations taking place about data security and privacy, a distinct and powerful message is emerging from South Africa: the critical importance of a 'local first' approach to data security.

Read more...
Sophos launches advisory services to deliver proactive cybersecurity resilience
Information Security News & Events
Sophos has launched a suite of penetration testing and application security services, designed to identify gaps in organisations’ security programs, which is informed by Sophos X-Ops Threat Intelligence and delivered by world-class experts.

Read more...
SA’s private security industry receives multi-million USD investment
News & Events Security Services & Risk Management
South Africa's private security sector has attracted significant international attention, with the world’s largest tactical flashlight manufacturer, Nextorch, announcing a major investment in its local operations, Nextorch Africa.

Read more...
Kaspersky highlights biometric and signature risks
Information Security News & Events
AI has elevated phishing into a highly personalised threat. Large language models enable attackers to craft convincing emails, messages and websites that mimic legitimate sources, eliminating grammatical errors that once exposed scams.

Read more...
Software security is a team sport
Information Security Infrastructure
Building and maintaining secure software is not a one-team effort; it requires the collective strength and collaboration of security, engineering, and operations teams.

Read more...
From the editor's desk: Can it be October already?
Technews Publishing News & Events
Welcome to the final SMART Handbook of the year. In this issue, we focus on residential estate security, from the fence to the gate and beyond. We also review our Durban SMART Estate Security Conference, ...

Read more...
Private fire services becoming the norm?
Technews Publishing SMART Security Solutions Editor's Choice
As the infrastructure and service delivery in many of South Africa’s major cities decline, with a few, limited exceptions, more of the work that should be done by the state has fallen to private companies.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.