A healthcare SaaS company preparing for ISO 27001 certification needed a thorough security audit of their platform, which processes sensitive patient data for over 200 clinics. Bitvea performed white-box penetration testing with full source code access, uncovering 23 vulnerabilities: 3 critical, 7 high severity, and 13 medium. One critical finding was an authentication bypass that could have exposed patient records. All issues were remediated before the certification audit, and the company passed on the first attempt. The entire engagement, from initial scoping to the final remediation report, took 3 weeks.
Healthcare SaaS
The client builds and operates a cloud-based platform used by over 200 clinics across Central Europe for appointment scheduling, patient records management, and billing. The platform handles personally identifiable information (PII) and protected health information (PHI) for hundreds of thousands of patients. The company had grown quickly over three years, prioritizing feature development and market expansion. Security reviews were limited to automated scanning tools and occasional manual code reviews by the development team. With ISO 27001 certification now required by several enterprise clients and an upcoming audit scheduled in six weeks, the company needed an independent, comprehensive security assessment. Their internal team did not have dedicated security engineers, and they wanted someone who could test the application at the source code level, not just run external scans.
The company had relied on automated vulnerability scanners and basic security headers for three years. These tools caught surface-level issues but missed deeper application logic flaws. The development team had implemented authentication and authorization across the platform, but the rapid pace of feature releases meant security reviews were inconsistent. Some API endpoints had been added without proper access control checks. Session management had evolved through multiple iterations without a unified approach, leaving edge cases where tokens could be reused or session boundaries were not enforced correctly. The company suspected there might be gaps but did not have the expertise to find them systematically. With patient data at stake and a certification audit approaching, they could not afford to guess.
Bitvea performed a white-box penetration test with full access to the source code, infrastructure configuration, and deployment pipelines. The engagement covered the web application, REST API, authentication and authorization flows, session management, data storage, and third-party integrations. Testing combined automated tooling with manual analysis of authentication logic, access control patterns, and data flow between services. Every finding was documented with a severity rating, proof of concept, affected components, and specific remediation guidance. Bitvea worked alongside the development team during the remediation phase to verify each fix.
Full access to the codebase allowed Bitvea to trace data flows from user input to database queries, identifying vulnerabilities that external scanning would never catch. The analysis covered authentication logic, authorization checks on every API endpoint, input validation patterns, and cryptographic implementations. Source-level access cut testing time significantly compared to black-box approaches.
Bitvea tested every authentication flow: login, password reset, session creation, token refresh, and multi-device handling. The critical finding was an authentication bypass in the password reset flow that allowed an attacker to gain access to any account by manipulating a token parameter. This would have exposed patient records across all 200+ clinics using the platform.
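The case study does not describe the mechanics of the reset-flow bypass, only that a token parameter could be manipulated to reach another account. As an added illustration (not Bitvea's or the client's code), the following shows the properties a password-reset token needs so that no request parameter can redirect it to a different account: random, stored only as a hash, bound server-side to one user, expiring, and single-use. The user store, token table and TTL are constructed assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the platform's database (assumption).
USERS = {"dr.novak@clinic-a.example": {"id": 1}, "admin@clinic-b.example": {"id": 2}}
RESET_TOKENS = {}  # sha256(token) -> {"user_id", "expires_at", "used"}
TOKEN_TTL_SECONDS = 15 * 60


def _hash_token(token: str) -> str:
    # Only the hash is stored; a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, expiring token bound to exactly one account."""
    user = USERS.get(email)
    if user is None:
        return None  # the HTTP response is identical either way (assumption)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable
    RESET_TOKENS[_hash_token(token)] = {
        "user_id": user["id"],
        "expires_at": (now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def consume_reset_token(token: str, claimed_user_id: int, now: Optional[float] = None) -> Optional[int]:
    """Return the user id the token may reset, or None if it must be rejected.

    The account comes from the server-side record created at issue time.
    Anything the client sends alongside the token (user id, email, ...) must
    match that record, so a token for one account cannot be redirected to
    another by changing a request parameter.
    """
    record = RESET_TOKENS.get(_hash_token(token))
    if record is None:
        return None
    current = now if now is not None else time.time()
    if record["used"] or current > record["expires_at"]:
        return None
    if record["user_id"] != claimed_user_id:
        return None
    record["used"] = True  # single use: replaying the same token is rejected
    return record["user_id"]
```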
Every REST API endpoint was tested for proper authorization enforcement. Bitvea discovered seven endpoints where a logged-in user of one clinic could access data belonging to another clinic by modifying resource identifiers in the request. These broken access control issues were classified as high severity and required immediate attention before the certification audit.
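The cross-clinic access pattern described above, as an added example that is not part of the original case study: an authenticated handler that looks records up by identifier alone, next to the same handler behind a tenant guard, plus a review-time check that lists registered routes lacking the guard (the kind of per-pull-request review the engagement recommended). The patient table, session object and route paths are constructed assumptions, not the client's code.

```python
import functools
from dataclasses import dataclass

# Constructed sample data standing in for the platform's patient table (assumption).
PATIENTS = {
    101: {"clinic_id": 1, "name": "Patient A"},
    201: {"clinic_id": 2, "name": "Patient C"},
}

@dataclass
class Session:
    user_id: int
    clinic_id: int  # the clinic (tenant) the logged-in user belongs to

def tenant_scoped(fn):
    # Enforce that the record a handler returns belongs to the caller's clinic.
    # A record owned by another clinic becomes None, exactly like a missing id,
    # so the 404 the framework sends does not reveal whether the id exists.
    @functools.wraps(fn)
    def wrapper(session: Session, resource_id: int):
        row = fn(session, resource_id)
        if row is None or row["clinic_id"] != session.clinic_id:
            return None
        return row
    wrapper.tenant_scoped = True  # marker the review-time check below looks for
    return wrapper

# The flawed pattern from the audit: the caller is authenticated, but the lookup
# is keyed on the id alone, so changing the id reads another clinic's patient.
def get_patient_unscoped(session: Session, patient_id: int):
    return PATIENTS.get(patient_id)  # None is rendered as HTTP 404 (assumption)

# Hardened form: the same lookup, but every result passes the tenant guard.
@tenant_scoped
def get_patient_record(session: Session, patient_id: int):
    return PATIENTS.get(patient_id)

# Hypothetical route table; in a real code base this comes from the framework.
ROUTES = {
    "/api/v1/patients/{id}": get_patient_unscoped,
    "/api/v1/patients/{id}/record": get_patient_record,
}

def unscoped_routes():
    """Review-time check for every pull request: routes lacking the tenant guard."""
    return sorted(p for p, fn in ROUTES.items() if not getattr(fn, "tenant_scoped", False))
```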
For each vulnerability, Bitvea provided a detailed write-up with the exact code location, a working proof of concept, and step-by-step remediation guidance. After the development team applied fixes, Bitvea re-tested every finding to confirm the vulnerability was properly resolved. The final report served as documented evidence for the ISO 27001 auditor.
The engagement began with a two-day scoping session where Bitvea reviewed the application architecture, identified high-risk areas, and agreed on testing boundaries with the client. Active testing ran for eight business days, split between automated scanning, manual source code analysis, and hands-on exploitation of discovered vulnerabilities. Bitvea delivered a preliminary findings report on day six so the development team could begin fixing critical issues immediately. The remaining testing days covered lower-priority areas and edge cases. After the development team completed remediation, Bitvea spent three days re-testing every finding and produced the final report with verified fix status for each vulnerability. The report was formatted to meet ISO 27001 evidence requirements and was submitted directly to the auditor.
Timeline: 3 weeks from scoping to final report
White-box testing with source code access found vulnerabilities that three years of automated scanning had missed entirely. The authentication bypass, the most critical finding, was invisible to external scanners because it required understanding the application's internal token handling logic.
The seven broken access control issues on API endpoints were all introduced during feature releases that added new functionality without updating authorization checks. A pattern of security review on every pull request would have caught these incrementally.
Delivering a preliminary report on day six gave the development team a head start on critical fixes. By the time the full report was ready, the three critical vulnerabilities were already resolved, saving a full week in the overall timeline.
Having a penetration test report formatted specifically for ISO 27001 evidence requirements streamlined the certification audit. The auditor cited the thoroughness of the security testing as a factor in the first-attempt pass.
“We knew we had security gaps, but we did not realize how serious some of them were. The authentication bypass was a wake-up call. Bitvea found it on day three, explained exactly how it worked, and helped us fix it that same week. The final report was detailed enough that our ISO auditor accepted it without additional questions. We now run a penetration test with Bitvea every six months as part of our security baseline.”