On the ball or unaware

Issue 1 2025 Information Security, Security Services & Risk Management

Whether an organisation is operating at a high level of information security maturity or has dangerous vulnerabilities that could put an entire business at risk, advanced, strategic penetration testing (or pentesting) can uncover its true state of IT security. This is according to Peter Chan, Operations Manager at South African cyber security provider BlueVision ITM.


Peter Chan, Operations Manager.

Chan says, “No matter how mature an organisation’s cybersecurity and risk frameworks are, pentesting is important to validate them. Pentesting is far more in-depth than vulnerability scanning, and it should not be a checkbox exercise. It should be tailored to meet specific needs, with pre- and post-testing engagement to help companies remediate critical vulnerabilities and develop a roadmap to improve their resilience over time.”

He highlights two case studies at the extreme ends of the maturity spectrum, illustrating the importance of pentesting and what it can reveal.

Client financial data at risk through third-party vulnerability

A small financial brokerage with limited in-house IT or information security resources engaged BlueVision to assess its vulnerabilities. The brokerage had an external-facing website and used a third-party ERP and CRM system. Previous general vulnerability assessments had found no vulnerabilities in the business’s environment.

However, during a BlueVision pentest, testers found they were able to cause errors on the ERP and CRM applications.

Chan says, “One of those errors had a very high verbosity level, and actually revealed usernames, passwords, and the location of the backend server. Exploiting a logic problem turned up this crucial vulnerability.”

This vulnerability had not been exploited, but presented a serious security and compliance risk. The brokerage could have risked reputational damage, financial damage and fines, and malicious actors could have used this exposed information to target individual users or clients in that space with very specific phishing campaigns.

“Once we identify a true positive as part of our methodology, we notify the customer immediately of the most critical findings,” he says. “We do not cause panic, we just help customers understand the severity of the vulnerability, and remediate it. In this case, the customers were surprised to learn that a glaring error like this existed. We drafted a response for them, and they took it up with the third-party application developers to remediate the risk immediately. With other findings of lower severity, we helped them prioritise and remediate these risks.”

On the flip side, Chan notes that the customer’s website was sound and secure, “It passed all the tests that we threw at it. This illustrates the fact that one supplier’s standard is not necessarily applicable throughout all your supplier links. Organisations must identify weak links, both in-house and in third party suppliers, and they must ensure that the standards meet the organisation’s requirements.”

As a result of the findings, the brokerage now engages BlueVision to conduct regular pentests to support security, risk management and compliance.

Security and risk teams pass with flying colours

Another BlueVision customer, a major IT distributor, uses pentesting to validate its internal processes. Chan says this customer has a high level of security and risk maturity.

“They have their own in-house security, a risk office, incident response plans, and best practices across the security stack. Even though they are mature, they require penetration testing by an independent party to verify that everything they have in place is working to their expectations.

“In this case, we did the pentest unannounced to their security team. To make it more authentic, we usually have a cloud-hosted environment with an international IP address, which we spin up and destroy after the exercise. Midway through the 5-day test and shortly after we had completed the reconnaissance phase, we got a call from them asking if we were the ones behind the activity. They were about to escalate the case to Interpol.”

The client’s IT and security teams had detected the pentesting activity moving from suspicious to malicious, and escalated the matter throughout the company’s security and risk stack – all the way to governance and management – all while preparing their incident response.

“They went a step further – instead of just blocking it, they also did the investigations necessary to trace where it was coming from and built up sufficient evidence to go to Interpol for a cease-and-desist request. This is impressive.”

An unannounced pentest is a good way to test your security team’s response. In this case, the test triggered everything from tech to governance. Each level of security was actioned on, which was a big win for them. The customer works with BlueVision on an ongoing basis to test its processes and support cyber-resilience.

Custom pentesting for enhanced resilience

Chan says these two cases showcase the importance of pentesting for organisations of all sizes. “Your level of security is based on your weakest link, and pentesting can reveal what that is.”

“BlueVision tailors the penetration test process, as well as the pre-engagement and post-engagement to align with our customers’ needs,” he says. “We plan the set of actions to test the most critical systems, and ensure that if vulnerabilities of a certain criticality emerge, they are addressed immediately. We then strategise on a roadmap activities going forward via the lessons learned during the exercise itself. Whether the customer is a product development house, or is rolling out a service roadmap, we can assist with that.”

While BlueVision offers ad hoc pentesting, Chan recommends a longer term, retainer engagement to ensure resilience.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
The rise of AI-powered cybercrime and defence
Information Security News & Events AI & Data Analytics
Check Point Software Technologies launched its inaugural AI Security Report, offering an in-depth exploration of how cybercriminals are weaponising artificial intelligence (AI), alongside strategic insights defenders need to stay ahead.

Read more...
The deepfake crisis is here and now
Information Security Training & Education
Deepfakes are a growing cybersecurity threat that blur the line between reality and fiction. These AI-generated synthetic media have evolved from technological curiosities to sophisticated weapons of digital deception, costing companies upwards of $600 000 each.

Read more...
From the editor's desk: We’ve only just begun
Technews Publishing News & Events
The surveillance market has expanded far beyond the analogue days of just recording and/or monitoring screens. The capabilities of surveillance technology today extend to black screen monitoring with ...

Read more...
The future of the surveillance channel
Duxbury Networking Technews Publishing Elvey Security Technologies SMART Security Solutions Surveillance
The video surveillance market has evolved from camera-based specifications to integrated solutions that solve customers’ problems. Moreover, the growth of AI and cloud has changed the channel even more, with more to come.

Read more...
AI means proactive surveillance
DeepAlert Technews Publishing SMART Security Solutions AI & Data Analytics Surveillance
SMART Security Solutionsasked DeepAlert for some insight into how AI is transforming video surveillance, even to the extent of it being taught to protect the privacy of those in the cameras’ view.

Read more...
The state of the VMS market
Arteco Global Africa Milestone Systems Cathexis Technologies Technews Publishing Surveillance
SMART Security Solutions asked three platform vendors in South Africa, one that is developed and maintained in the country with an international market, for their views on the state of the VMS market and where it is headed.

Read more...
Dahua Summit 2025
Dahua Technology South Africa Technews Publishing SMART Security Solutions Products & Solutions
Dahua Technology South Africa held its annual summit in Johannesburg in early April. The summit focused on highlighting the company’s range of new products and solutions and recognising its regional partners.

Read more...
SAFPS issues SAPS impersonation scam warning
News & Events Security Services & Risk Management
The Southern African Fraud Prevention Service (SAFPS) is warning the public against a scam in which scammers pose as members of the South African Police Service (SAPS) and trick and intimidate individuals into handing over personal and financial information.

Read more...
What does Agentic AI mean for cybersecurity?
Information Security AI & Data Analytics
AI agents will change how we work by scheduling meetings on our behalf and even managing supply chain items. However, without adequate protection, they become soft targets for criminals.

Read more...