Scope: Client-Side Infrastructure Security Review & Remediation
Summary: I was engaged by a client to independently validate and expand upon a vulnerability assessment report previously conducted by a third-party contractor. The report focused on seven interconnected web applications, each with unique objectives and security profiles critical to the client’s infrastructure.
Tasks:
- Review the original vulnerability assessment report
- Validate findings and assess accuracy
- Conduct a deeper, independent security audit
- Identify overlooked vulnerabilities
- Develop and execute a comprehensive remediation plan
- Coordinate with the original assessment team for final verification
Actions:
While the third-party report covered surface-level issues, it missed more than a dozen critical vulnerabilities, mainly because the assessors were unfamiliar with the underlying CMS (primarily WordPress) and with the custom application logic. For example:
- No enumeration or assessment of vulnerable WordPress plugins
- No review of insecure custom logic and business workflows
- Lack of testing around access control and input sanitization
Additionally, I worked directly with the business's internal teams over a multi-week engagement, performing actions such as:
- Manually validated each finding from the original report and expanded coverage with my own black-box and white-box testing
- Conducted a CMS-aware audit, discovering misconfigurations, outdated components, and plugin vulnerabilities
- Reverse-engineered custom application flows to uncover logic flaws and insecure implementations
- Created a prioritized remediation gameplan, balancing business risk and development effort
- Remediated vulnerabilities directly by patching code, hardening server configurations, and removing insecure plugins
- Worked with the original assessment vendor to verify that all issues had been mitigated to their satisfaction
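The plugin enumeration step that the original report skipped, and the outdated-component check from the CMS-aware audit, can be reproduced offline with a small white-box script. The example below is added here for illustration and is not tooling from the engagement: it builds a constructed `wp-content/plugins` tree (plugin names, versions and the "minimum safe version" table are all made up for the demo, not real advisories), reads each plugin's header block the same way WordPress's `get_plugin_data()` does, and reports plugins that are below their minimum-safe version or absent from the table entirely. In a real audit the table would come from a vulnerability feed and `plugins_dir` would point at the site's webroot.

```python
"""Inventory WordPress plugins from the filesystem and flag outdated ones.

Added example: all plugin names, versions and the MINIMUM_SAFE table below are
constructed for this demonstration and do not describe real plugins or advisories.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# WordPress reads the header with /^[ \t\/*#@]*Plugin Name:(.*)$/mi over the
# first 8 KiB of the file; we mirror that for the two fields we need.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)

# Constructed "minimum safe version" table (hypothetical, not real advisories).
MINIMUM_SAFE: Dict[str, str] = {
    "example-forms": "2.5.0",
    "acme-seo": "4.0",
    "sample-widget": "1.7.2",
    "legacy-gallery": "1.0",
}


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a plugin file's comment header."""
    return {key: value for key, value in HEADER_RE.findall(text[:8192])}


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric version tuple: '4.0' == '4.0.0'; suffixes like '-beta' are dropped."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    parts = tuple(int(p) for p in match.group(0).split(".")) if match else (0,)
    return parts + (0,) * (3 - len(parts))  # pad to at least three components


def enumerate_plugins(plugins_dir: str) -> Dict[str, Dict[str, str]]:
    """Return {slug: {'name', 'version'}} for every plugin under plugins_dir.

    Handles both directory plugins (main file may not be named after the slug)
    and single-file plugins sitting directly in the plugins directory.
    """
    inventory: Dict[str, Dict[str, str]] = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug = entry
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug = entry[:-4]
            candidates = [path]
        else:
            continue
        for php_file in candidates:
            with open(php_file, encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read())
            if "Plugin Name" in header:  # first file with a header is the main file
                inventory[slug] = {"name": header["Plugin Name"], "version": header.get("Version", "0")}
                break
    return inventory


def find_outdated(inventory: Dict[str, Dict[str, str]],
                  minimum_safe: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(slug, installed, minimum) for each plugin below its minimum-safe version."""
    return sorted(
        (slug, info["version"], minimum_safe[slug])
        for slug, info in inventory.items()
        if slug in minimum_safe and parse_version(info["version"]) < parse_version(minimum_safe[slug])
    )


def build_sample_webroot() -> str:
    """Write a constructed wp-content/plugins tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-demo-")
    files = {
        "example-forms/example-forms.php": "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.4.1\n*/\n",
        "acme-seo/acme-seo.php": "<?php\n/**\n * Plugin Name: Acme SEO\n * Version: 4.0\n */\n",
        "legacy-gallery/admin.php": "<?php\n// helper file, no plugin header\n",
        "legacy-gallery/gallery.php": "<?php\n/*\nPlugin Name: Legacy Gallery\nVersion: 0.9-beta\n*/\n",
        "legacy-gallery/readme.txt": "=== Legacy Gallery ===\nStable tag: 0.9\n",
        "custom-widget/custom-widget.php": "<?php\n/*\nPlugin Name: Custom Widget\nVersion: 1.0.0\n*/\n",
        "sample-widget.php": "<?php\n/*\nPlugin Name: Sample Widget\nVersion: 1.7.2\n*/\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_demo():
    """Enumerate the constructed tree; return (inventory, outdated, unknown)."""
    inventory = enumerate_plugins(build_sample_webroot())
    outdated = find_outdated(inventory, MINIMUM_SAFE)
    # Plugins with no entry in the table are unknown, not safe: report them too.
    unknown = sorted(set(inventory) - set(MINIMUM_SAFE))
    return inventory, outdated, unknown


if __name__ == "__main__":
    inv, old, unk = run_demo()
    for slug, installed, minimum in old:
        print(f"OUTDATED {slug}: {installed} < {minimum}")
    for slug in unk:
        print(f"UNKNOWN  {slug}: {inv[slug]['version']} (no reference data)")
```

Two details matter in practice: the main file of a plugin is not always named after its directory, so the scan keys on the header rather than the filename, and plugins missing from the reference table are reported as unknown rather than silently treated as safe.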
Results:
All sites were successfully hardened, patched, and revalidated, significantly improving the client's security posture. This engagement emphasized my ability to critically evaluate third-party assessments, identify gaps, and provide end-to-end remediation and coordination with multiple stakeholders. The third-party security auditing team confirmed and validated the remediation and controls I implemented, concluding the engagement.