(929) 590-5818 [email protected]
en
en

Security Testing of a Whistleblowing Platform

Client:
Fraudline — a company specializing in ethical governance, corporate responsibility, and security solutions
Industry:
RegTech (Regulatory Technology)
Focus:
Protection of confidential information within a whistleblowing platform
Main challenge:
Conducting a security testing of the web platform and reviewing secure development practices as part of an annual audit
Market:
International segment
Services provided:
Gray-box pentest, audit of secure coding, review of business logic
Key Takeaways
  • Verified secure handling of sensitive reports and PII
  • Covered edge cases via manual testing of business logic
  • Identified 6 technical vulnerabilities: 5 low-risk and 1 informational
  • Used a custom Burp Suite extension for session handling
  • Prepared a technical report with recommendations and scheduled a retest
    • 6
    vulnerabilities identified
    2
    weeks — duration of the testing
    Burp Suite
    customized to fit project specifics
    Security Testing of a Whistleblowing Platform
    May 16, 2025
    Is a pentest necessary if the system runs smoothly? Absolutely. A scheduled security testing for Fraudline revealed vulnerabilities in business logic and protection settings. Since the client regularly tests the platform, potential risks were identified in advance.

    Fraudline is a mid-sized international company delivering solutions for ethical governance, compliance, and corporate security. Its products support whistleblowing processes in line with EU requirements.

    Operating in regulated industries, the company adheres to standards such as GDPR, ISO 27001, ISO 37001, and EU Directive 2019/1937, making web platform security a top priority.

    Objectives and challenges
    Fraudline approached Datami to conduct a scheduled automated pentest of their web application. The primary goal was to assess the security level of the platform, which processes confidential whistleblowing reports, and to identify vulnerabilities that could pose risks to regulatory compliance or reputation.
    • Conduct an automated gray-box pentest of the web application
    • Review the approach to secure code development
    • Deliver a detailed report with security improvement recommendations
    icon
    Penetration testing
    Gray-box testing with admin and user accounts
    icon
    Secure code audit
    Review of policies, processes, and automated code checks
    icon
    Reporting and recommendations
    Report on identified issues and remediation recommendations
    Datami methodology: Security testing for Fraudline
    Our approach

    For Fraudline, we conducted an automated gray-box penetration test. We used OWASP ZAP and Nessus, and to bypass non-standard authentication via HTTP headers, we developed and applied a custom Burp Suite extension.

    Following the automated testing, the Datami team had additional time available — so we went beyond the contractual scope and provided extra value to the client. We performed manual analysis of business logic, focusing on areas such as password changes and file uploads.

    Gray-box
    Gray-box
    Testing was conducted with admin and user roles, without access to the source code.
     
    Key project stages and solutions

    During the project, Datami performed automated security testing of the web platform and engineered a custom approach to handle non-standard client-side session management. In parallel, we conducted a review of secure development practices.

    Additionally, after completing the automated scan, we performed manual business logic testing, focusing on password change functionality and file upload mechanisms.

    • Preparation
      Analysis of initial data and access levels (user/admin), selection of testing tools, planning of test scenarios, creation of a custom extension for session handling in Burp Suite
    • Security testing
      Automated pentest, analysis of secure development and function logic (password change form, file uploads)
       
    • Analysis and reporting
      Structured report listing 6 vulnerabilities (low and informational severity), risk descriptions, and practical remediation recommendations
    Cybersecurity starts with action
    How we can help you?

    Every cybersecurity case study we solve involves deep analysis, tailored solutions, and measurable results.
    Datami has already helped over 600 companies strengthen their digital defenses — and we can do the same for your business.
    Ready to take action?

    Let’s start with a free consultation!
    Results and recommendations
    Fewer critical risks — more confidence
    Results and recommendations

    During the security testing of the Fraudline web platform, the Datami team identified 6 technical issues (5 low-severity vulnerabilities and 1 informational), primarily related to authorization logic and file upload functionality.

    Based on the findings, we compiled a detailed report and provided Fraudline with actionable recommendations to enhance digital security:

    1. Improve the password change mechanism (require current password input)
    2. Implement file type filtering for uploads
    3. Adjust the Content Security Policy
    4. Strengthen privileged role controls

    Once the recommendations are implemented, a reduction in data leakage risk is expected. A retest is planned to confirm the effectiveness of the improvements.

    Our certificates
    Key project outcomes

    As a result of the collaboration with Datami, Fraudline received a structured security report and a clear improvement plan.

    The project goals were achieved on time — within 2 weeks, including additional work such as manual business logic analysis.

    This case demonstrates that companies focused on ethical compliance and information security require regular security testing to maintain compliance with industry standards.

    Direction
    Before the project
    After implementation
    Security status
    Limited secure development review, logic-related risks
    6 vulnerabilities identified, recommendations provided
    Critical vulnerabilities
    Not detected before testing
    None found, but logic gaps in mechanisms were resolved
    Account compromise
    Risk for privileged roles
    Risk minimized through function restrictions
    Security compliance
    Partial alignment with expectations
    Increased transparency and functional security
    Timeline
    Estimated: 2 weeks
    Completed in 2 weeks (including additional manual logic analysis)
    More success stories with Datami
    Browse other project case studies
    DDoS Protection and 24/7 Cyber Monitoring

    DDoS Protection and 24/7 Cyber Monitoring

    • Implemented the DataGuard solution based on Cloudflare to protect the website
    • Established reliable protection against DDoS attacks and bot traffic
    Services:
    Implementation of DataGuard and Cloudflare, 24/7 monitoring
    Aug 8, 2025
    Website Protection from DDoS Attacks

    Website Protection from DDoS Attacks

    • Implemented the DataGuard solution for website protection
    • DDoS protection deployed within 3 days
    Services:
    Website protection with DataGuard (Cloudflare), continuous monitoring, Cloudflare infrastructure management
    Aug 8, 2025
    Protection of E-commerce Websites From DDoS via DataGuard

    Protection of E-commerce Websites From DDoS via DataGuard

    • Implemented DataGuard to protect from DDoS attacks
    • Enabled rapid incident response
    Services:
    24/7 cybersecurity monitoring, integration with Cloudflare
     
    Aug 7, 2025
    Back to all cases
    Security image
    Ready to assess your project's security?
    Contact Datami — we’ll help you identify risks, strengthen your cybersecurity, and confidently pass certification.
    Datami articles
    Fraudulent Applications in the Firefox Browser Datami Newsroom
    Datami Newsroom

    Fraudulent Applications in the Firefox Browser

    More than 40 fraudulent programs have been identified in the Mozilla Firefox browser. These extensions mimic legitimate wallet tools from popular platforms. The large-scale campaign has been ongoing since April 2025.

    Aug 22, 2025 3 min
    Large-Scale Fraudulent Operations on Android Datami Newsroom
    Datami Newsroom

    Large-Scale Fraudulent Operations on Android

    According to recent data, applications were discovered that loaded out-of-context ads onto users’ screens. The applications have already been removed by Google from the Play Store. The peak activity exceeded 1.2 billion requests per day.

    Aug 22, 2025 3 min
    Cybersecurity in Space: How NASA’s “Pink Book” Was Created Datami Newsroom
    Datami Newsroom

    Cybersecurity in Space: How NASA’s “Pink Book” Was Created

    In the space industry, there is a document called the “Pink Book” known to everyone who works in security. It is NASA’s internal cybersecurity standard created by the legendary Rich Owen. Its principles still shape the rules of the game in cybersecurity.

    Aug 20, 2025 1 min
    Show all articles
    Order a free consultation
    By submitting this form, I confirm that I have read and agree to the Privacy policy
    We value your privacy
    We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Cookie policy