
Email:infosec@ascella.in

Ascella Infosec: ISO 27001 certified, ISO 9001 certified, SOC 2 certified

VAPT & Compliance for Fintech Startup


Client

A growing fintech startup in Bengaluru managing digital lending operations and sensitive KYC data.

The Challenge

As the client prepared for an upcoming funding round, they faced heightened scrutiny from potential investors on their security posture and regulatory compliance. Handling sensitive personal and financial data meant they needed to demonstrate robust security controls, a clean audit trail, and alignment with industry standards like ISO 27001.

Our Engagement

Ascella Infosec was engaged to conduct a comprehensive security assessment and support compliance readiness.

Scope of Work

Vulnerability Assessment & Penetration Testing (VAPT)

-> Black-box and grey-box testing for their public-facing APIs and mobile application (Android and iOS).
-> Cloud infrastructure VAPT focused on their AWS-hosted environment (EC2, S3, IAM, security groups).

Compliance Assistance

-> Gap analysis for ISO 27001 readiness.
-> Advisory on aligning their policies and processes with security best practices.

Key Findings & Solutions

Identified 14 vulnerabilities across APIs, app, and cloud, including a critical Insecure Direct Object Reference (IDOR) that could allow unauthorized access to user loan data.
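The IDOR class of bug described above is worth seeing in code. The example below is added here for illustration and is not the client's or Ascella's code; the loan data model, the in-memory store and the HTTP-style (status, body) return shape are all constructed. It shows the vulnerable lookup, the hardened lookup that ties the record to the session user, and a small log-side check that surfaces a caller enumerating other users' loan ids.

```python
"""Object-level authorization for a loan lookup endpoint.

Added example (not the client's or Ascella's code). Data model, store and
return shape are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Loan:
    loan_id: int
    owner_id: int        # user who holds the loan
    principal_inr: int
    status: str


# Constructed sample data: two users, one loan each.
LOANS = {
    101: Loan(loan_id=101, owner_id=1, principal_inr=250_000, status="active"),
    102: Loan(loan_id=102, owner_id=2, principal_inr=80_000, status="closed"),
}


def get_loan_vulnerable(session_user_id: int, loan_id: int) -> tuple[int, Optional[dict]]:
    """IDOR pattern: the record is fetched by the client-supplied id only.

    Authentication happened upstream, but nothing ties the loan to the
    caller, so user 1 can read user 2's loan by changing the id in the URL.
    """
    loan = LOANS.get(loan_id)
    if loan is None:
        return 404, None
    return 200, asdict(loan)


def get_loan_secure(session_user_id: int, loan_id: int) -> tuple[int, Optional[dict]]:
    """Hardened version: the caller's identity is part of the lookup.

    Ownership is checked against the server-side session user, never against
    a user id taken from the request. Missing and foreign loans both return
    404 so the endpoint does not reveal which ids exist.
    """
    loan = LOANS.get(loan_id)
    if loan is None or loan.owner_id != session_user_id:
        return 404, None
    return 200, asdict(loan)


def count_foreign_reads(access_log: list[tuple[int, int]]) -> dict[int, int]:
    """Detection aid over (session_user_id, loan_id) pairs from an access log.

    Counts, per user, requests that targeted a loan the user does not own
    (or that does not exist). A user with many such hits is walking ids.
    """
    hits: dict[int, int] = {}
    for user_id, loan_id in access_log:
        loan = LOANS.get(loan_id)
        if loan is None or loan.owner_id != user_id:
            hits[user_id] = hits.get(user_id, 0) + 1
    return hits


if __name__ == "__main__":
    print("vulnerable:", get_loan_vulnerable(1, 102))  # returns user 2's loan
    print("secure:    ", get_loan_secure(1, 102))      # (404, None)
    print("secure own:", get_loan_secure(2, 102))      # (200, {...})
    print("foreign reads:", count_foreign_reads([(1, 101), (1, 102), (1, 103), (2, 102)]))
```

The fix is a one-line condition, which is why IDORs survive code review: the vulnerable handler looks complete. The ownership check must run on every object-returning route, and the 404-for-both choice keeps the hardened endpoint from acting as an oracle for valid loan ids.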

Deployed an API Gateway with strict authentication and rate-limiting to secure API endpoints.

Guided hardening of AWS configuration:
-> Tightened IAM roles and policies
-> Enforced encryption on S3 buckets
-> Restricted security group exposure
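The three hardening items above can each be verified from configuration snapshots. The script below is an added example, not Ascella's tooling; its inputs are constructed snapshots in the shapes boto3 returns from describe_security_groups, get_policy_version, get_bucket_encryption and get_bucket_policy, so the same functions could be fed real API output, but nothing here talks to AWS and the group id, policy and bucket details are placeholders.

```python
"""Offline checks for IAM wildcards, S3 encryption and open security groups.

Added example (not Ascella's tooling). All inputs are constructed snapshots
in boto3 response shapes; group ids and policies are placeholders.
"""
from ipaddress import ip_network

# Assumption: ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = (22, 3389, 3306, 5432, 6379, 27017)


def _port_in_rule(perm: dict, port: int) -> bool:
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_sensitive_ingress(group: dict) -> list[tuple[str, int, str]]:
    """(group_id, port, cidr) for sensitive ports open to 0.0.0.0/0 or ::/0."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ip_network(cidr, strict=False).prefixlen != 0:
                continue                        # scoped range, not "anywhere"
            for port in SENSITIVE_PORTS:
                if _port_in_rule(perm, port):
                    findings.append((group["GroupId"], port, cidr))
    return findings


def _as_list(value) -> list:
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def wildcard_allow_statements(policy: dict) -> list[int]:
    """Indexes of Allow statements granting '*' or 'service:*' on Resource '*'."""
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            hits.append(i)
    return hits


def has_default_encryption(enc_config: dict) -> bool:
    """True if the bucket applies SSE-S3 or SSE-KMS to every new object."""
    for rule in enc_config.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return True
    return False


def enforces_tls(bucket_policy: dict) -> bool:
    """True if a Deny statement rejects requests with aws:SecureTransport=false."""
    for st in _as_list(bucket_policy.get("Statement")):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


# Constructed snapshots (placeholder ids and ARNs).
SAMPLE_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::placeholder-bucket/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},      # the over-broad one
    ],
}
SAMPLE_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
SAMPLE_BUCKET_POLICY = {
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::placeholder-bucket", "arn:aws:s3:::placeholder-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}


def run_checks() -> dict:
    return {
        "open_ingress": open_sensitive_ingress(SAMPLE_SG),
        "wildcard_statements": wildcard_allow_statements(SAMPLE_IAM_POLICY),
        "default_encryption": has_default_encryption(SAMPLE_ENCRYPTION),
        "tls_enforced": enforces_tls(SAMPLE_BUCKET_POLICY),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Port 443 open to the world is left alone on purpose; the check is about sensitive ports, not all ports. The wildcard detector flags only Allow statements that combine a broad action with Resource "*", which is the pattern that turns a compromised instance role into full account access. For the S3 items, default encryption covers data at rest and the SecureTransport deny covers data in transit, so both are needed to claim "encryption enforced".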

Delivered ISO 27001 readiness recommendations covering access control, incident management, and vendor security.

The Impact

95% of vulnerabilities were resolved within 10 days, including all high and critical severity issues.
The startup successfully cleared security due diligence for its funding round, with positive feedback from investor auditors.
The company strengthened its overall security posture, reducing attack surface and improving resilience against data breaches.

Lessons & Recommendations

-> Early focus on VAPT can help avoid last-minute delays in funding or partnerships.
-> Combining VAPT with compliance guidance provides both technical and procedural security uplift.
-> Cloud-native fintechs must regularly review security group rules, IAM permissions, and API exposure to mitigate evolving threats.