Grey Box Penetration Test (ethical hacker)

Remote Full-time
1. Introduction

Finstory is a US-based (Delaware Inc.) Fintech startup. We operate a platform that stores and processes sensitive financial data for our customers. We are currently in the process of achieving SOC2 Type 1 certification and are using TrustCloud as our GRC/ISMS platform.

We are looking for a qualified Ethical Hacker or Security Firm to conduct a Grey Box Penetration Test to validate our security posture and provide documented evidence for our upcoming audit.

2. Project Objective

The goal is to identify vulnerabilities within our application and infrastructure that could lead to unauthorized access to customer financial data. We require a comprehensive report that satisfies SOC2 "Vulnerability Management" and "Penetration Testing" control requirements.

3. Scope of Work

Target: [Insert URL/Environment, e.g., Web Application & API Endpoints].

Methodology: Grey Box. We will provide architectural overviews and standard user credentials (low-level access) to simulate an "authenticated attacker" scenario.

Key Focus Areas:

Broken Access Control (BOLA/BOPLA): Ensure users cannot access other customers' financial data.

Injection Attacks: SQLi, XSS, and Command Injection.

Authentication & Session Management: MFA bypass attempts and session hijacking.

API Security: Assessment of REST/GraphQL endpoints.

Cloud Infrastructure: Basic review of the underlying environment (e.g., AWS/Azure/GCP) for misconfigurations.

4. Deliverables

Executive Summary: High-level overview for management and auditors.

Detailed Technical Report: Including steps to reproduce, risk ratings (CVSS), and clear remediation advice.

Attestation Letter: A formal summary letter that we can share with our SOC2 auditors and enterprise prospects.

Re-test (Optional but Preferred): A brief validation scan once we have patched the "Critical" or "High" findings.

5. Requirements for the Consultant

Experience with Fintech/Financial Services data security.

Familiarity with SOC2 compliance requirements.

Relevant certifications (e.g., OSCP, OSWE, CREST, or CISSP).

Ability to work under a strict Non-Disclosure Agreement (NDA).

