At a Glance
- Industry: B2B SaaS, multi-tenant cloud platform
- Engagement type: Web Application Penetration Test (OWASP + business logic)
- Scope: 1 production application, ~80 authenticated endpoints, 3 user roles, SAML SSO
- Outcome: 23 vulnerabilities identified; all 11 critical/high remediated and re-tested with clean retest letter
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials
Client Overview
Industry: Cloud Computing and B2B SaaS
Product: Multi-tenant SaaS platform serving 500+ enterprise customers across India, the UAE, Singapore, and the US
Tech stack: React frontend, Node.js + Python microservices on AWS (EKS, RDS PostgreSQL, S3), SAML SSO via Okta, REST + GraphQL APIs with JWT-based session management.
The client is an established Indian B2B SaaS provider with a flagship platform used by enterprise procurement, HR and finance teams. Their customer base includes 12 Fortune India 500 companies and several US-listed enterprises. Annual recurring revenue exceeds INR 80 crore.
Challenge
The client operated a multi-tenant SaaS platform with sensitive business data and authentication flows that needed rigorous testing. Three factors made this engagement urgent:
- Stale pentest evidence. Their last penetration test was 18 months old, no longer acceptable to enterprise customers in renewal cycles
- Major new features. SAML SSO integration, an API marketplace, and role-based access controls had shipped to production without independent security review
- SOC 2 Type 2 audit deadline. Their auditors required a current pentest report with critical/high findings closed before the observation period began
Internal security was a 2-person team that could not scale to the depth required. They needed an external partner who could deliver SOC 2-ready evidence quickly, work under NDA given the exposure to sensitive customer data, and produce findings actionable enough for engineering to fix before the audit.
Our Approach
Codesecure delivered a structured 2-week engagement combining automated coverage with deep manual testing focused on SaaS-specific risk areas.
Pre-Engagement
Free 30-minute scoping call followed by a signed NDA, fixed-price proposal within 24 hours and read-only test account provisioning. Threat modeling against OWASP Web + API Top 10, with SaaS-specific scenarios (cross-tenant data exposure, billing manipulation, admin role escalation) prioritized.
Active Testing
Eight business days of testing covering the following surface:
- OWASP Top 10 coverage of every authenticated and unauthenticated endpoint
- Multi-tenant isolation testing across customer boundaries (IDOR, tenant ID manipulation, data leakage between accounts)
- SAML SSO integration security review including assertion tampering, replay attacks, signature wrapping
- Role-based access control testing with horizontal and vertical privilege escalation attempts
- API security testing aligned with OWASP API Top 10 across REST and GraphQL endpoints
- Business logic testing: subscription manipulation, billing flow abuse, admin action bypass
- Session management and JWT/OAuth token security review including secret rotation
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance with code-level fixes. Live walkthrough with the client's engineering team covered every critical finding with reproduction and recommended fix path.
Results
We identified 23 vulnerabilities: 3 critical, 8 high, and 12 medium severity.
Critical Findings
- Cross-tenant data exposure via predictable resource IDs: Authenticated users could enumerate document IDs across tenant boundaries and retrieve other customers' procurement attachments through API endpoints lacking server-side authorization checks
- SSO assertion replay enabling session hijacking: SAML signature validation did not reject wrapped assertions (XML signature wrapping), allowing an authenticated attacker to impersonate other users in the same tenant
- Privilege escalation through SCIM endpoint: The user-management SCIM API allowed standard users to modify their own role to admin via an undocumented PATCH operation
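Added example, not the client's or Codesecure's code: the server-side checks that close the cross-tenant IDOR (finding 1) and the SCIM self-elevation (finding 3), written as plain Node.js functions so they run without a web framework. All tenant, user and document values are constructed for the example.

```javascript
// Added example, not the client's code: the server-side checks that close the
// cross-tenant IDOR and SCIM self-elevation findings, as plain functions so they
// run without a web framework. All tenants, users and documents are constructed.
const documents = new Map([
  ['1001', { id: '1001', tenantId: 'acme', name: 'po-2024-17.pdf' }],
  ['1002', { id: '1002', tenantId: 'globex', name: 'vendor-quote.xlsx' }],
]);
const users = new Map([
  ['u-alice', { id: 'u-alice', tenantId: 'acme', role: 'user', active: true }],
  ['u-carol', { id: 'u-carol', tenantId: 'acme', role: 'admin', active: true }],
]);
const auditLog = []; // denied and privileged actions are recorded here
function audit(event, actor, details) {
  auditLog.push({ ts: new Date().toISOString(), event, actor: actor.id, ...details });
}
// Vulnerable pattern behind finding 1: lookup by ID alone, so any authenticated
// caller can read any tenant's attachment by iterating predictable IDs.
function getDocumentUnsafe(actor, docId) {
  return documents.has(docId) ? { status: 200, body: documents.get(docId) } : { status: 404 };
}
// Hardened: the tenant comes from the verified session identity (actor), never
// from the request; cross-tenant IDs answer 404 so existence is not confirmed.
function getDocument(actor, docId) {
  const doc = documents.get(docId);
  if (!doc || doc.tenantId !== actor.tenantId) {
    audit('document.denied', actor, { docId });
    return { status: 404 };
  }
  return { status: 200, body: doc };
}
// Hardened SCIM PATCH behind finding 3: only allow-listed attributes are
// writable, 'role' needs an admin who is not the target, and every role
// change is audited. All ops are validated before any is applied.
const SELF_WRITABLE = new Set(['displayname', 'active']);
function scimPatchUser(actor, targetUserId, operations) {
  const target = users.get(targetUserId);
  if (!target || target.tenantId !== actor.tenantId) return { status: 404 };
  const isAdmin = actor.role === 'admin', isSelf = actor.id === targetUserId;
  for (const op of operations) {
    const path = String(op.path || '').toLowerCase();
    if (op.op !== 'replace' || !(SELF_WRITABLE.has(path) || path === 'role')) return { status: 400 };
    if (path === 'role' ? (!isAdmin || isSelf) : (!isAdmin && !isSelf)) {
      audit('scim.patch.denied', actor, { targetUserId, path, value: op.value });
      return { status: 403 };
    }
  }
  for (const op of operations) {
    const path = op.path.toLowerCase();
    if (path === 'role') audit('scim.role_change', actor, { targetUserId, from: target.role, to: op.value });
    target[path] = op.value;
  }
  return { status: 200, body: target };
}
```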
High & Medium Findings
Categories included broken object-level authorization in 4 API endpoints, GraphQL introspection enabled in production (information disclosure), missing rate limits on password reset (account takeover via brute force), insecure JWT handling, weak session timeout policy, and several XSS vectors in administrator dashboards.
Before vs. After
Before Engagement
- 3 critical, 8 high, 12 medium vulnerabilities open
- SOC 2 Type 2 observation period blocked
- Cross-tenant data exposure (confirmed exploitable)
- SAML SSO accepted weakly-signed assertions
- SCIM API allowed unauthorized role changes
- No documented developer remediation playbook
After Remediation (30 days)
- All 11 critical/high findings remediated and revalidated
- SOC 2 Type 2 observation period started on schedule
- Tenant isolation enforced server-side with audit logging
- SAML signature validation hardened to standard
- SCIM PATCH operations require admin role + audit trail
- Engineering team trained on OWASP-mapped fix playbooks
The engineering team remediated all 11 critical and high findings within 30 days. Codesecure conducted a free revalidation engagement and confirmed successful fixes, providing the SOC 2 Type 2 auditor with a clean retest letter as evidence. The 12 medium findings were addressed in the subsequent quarter on the client's normal release cadence.
"Codesecure delivered what other auditors had quoted at three times the cost and twice the timeline. The technical depth on multi-tenant SaaS risks was the difference. We unblocked our SOC 2 audit and our 2025 enterprise pipeline."
Anonymous, Head of Security, B2B SaaS, ~600 employees
Key Lessons
What Other SaaS Teams Can Take Away
- Multi-tenant isolation is its own discipline. Generic web pentests routinely miss cross-tenant exposure because testers do not provision multiple test accounts. Always require tenant-isolation testing as an explicit scope item.
- SAML SSO is not "set and forget." Signature validation libraries have a long history of subtle bypasses. Test SAML integration after every IdP migration or library update.
- SCIM endpoints are commonly overlooked. User-management APIs are powerful and frequently have broken object-level authorization. Test SCIM specifically, not just the main application.
- Plan pentest timing around audit cycles. The SOC 2 Type 2 observation period cannot begin until critical findings are closed. Schedule pentests 60-90 days before observation start.
Conclusion
Multi-tenant SaaS platforms have a security surface of their own that generic pentests routinely miss. By combining OWASP Top 10 coverage with multi-tenant-specific testing, SAML SSO scrutiny and business logic review, the client demonstrated security maturity to their enterprise customers and unlocked their SOC 2 Type 2 audit on schedule.
For Indian B2B SaaS companies preparing for SOC 2, ISO 27001 or enterprise customer audits, an application VAPT engagement is no longer optional; it is the evidence buyers demand. Codesecure's fixed-price web application VAPT typically completes in 1-2 weeks with a free retest letter included.
Ready to schedule yours? Free 30-minute scoping call, fixed-price proposal in 24 hours, instant response, no delay.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.