At a Glance
- Industry: Insurance
- Engagement type: Static Application Security Testing + Manual Code Review
- Tech stack: Java (Spring Boot) backend, Python (Django) services, React frontend, PostgreSQL + Oracle DB, 200K+ lines of code across 3 applications
- Outcome: All critical and high-severity findings remediated and re-tested with no critical issues remaining at close.
- Delivered by: ISO/IEC 27001:2022 certified consultants with OSCP, OSEP, CISA, CISM credentials.
Client Overview
Industry: Insurance
Product: Policy management, claims processing and customer self-service portals
Tech stack: Java (Spring Boot) backend, Python (Django) services, React frontend, PostgreSQL + Oracle DB, 200K+ lines of code across 3 applications
The client is a mid-size Indian insurance company with in-house developed applications handling Aadhaar numbers, PAN details, policy documents and claim settlements. An IRDAI regulatory audit required documented secure-code-review evidence.
Challenge
Three factors drove the urgency of this engagement:
- IRDAI audit requirement. Upcoming IRDAI cybersecurity examination required secure code review evidence with documented remediation
- Mixed language codebase. Java Spring Boot, Python Django and React across three applications with no consistent security review history
- No structured SAST. The development team followed functional requirements closely but security had never been a primary focus during development
Our Approach
Codesecure delivered a structured engagement combining automated coverage with deep manual testing focused on the specific risk areas for this client.
Scope of Testing
The engagement covered the following primary areas:
- Automated SAST scanning using industry-standard tools across the entire codebase
- Manual code review focusing on authentication, authorization, session management and input validation logic
- Dependency scanning for known CVEs in third-party libraries (Maven, pip, npm packages)
- Secrets detection for hardcoded API keys, database credentials, encryption keys and tokens
- Business logic review of claims processing workflows for approval bypass and privilege escalation
- Cryptographic implementation review covering encryption algorithms, key management and hashing
- Detailed findings report with code-level remediation guidance and severity classification
Reporting & Walkthrough
Executive summary delivered alongside a technical report containing reproducible PoC steps, CVSS v3.1 severity scoring and developer-actionable remediation guidance. Live walkthrough with the client team covered every critical finding with reproduction and recommended fix path.
Need a Similar Engagement?
Our ISO/IEC 27001:2022 certified consultants deliver fixed-price, named-consultant engagements with executive-ready outcomes. Free 30-minute scoping call, instant response, no delay.
Book a Free Scoping Call
Results
Critical Findings
- Hardcoded database credentials in a configuration file committed to the Git repository, exposing production DB access
- SQL injection in the claims search functionality allowing arbitrary database queries by authenticated users
- Broken access control allowing agents to view policies and claim settlements outside their assigned region
- Use of MD5 for password hashing without salting, making rainbow-table attacks trivial
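The two findings above that the remediation list addresses with "parameterized queries" and "server-side authorization" share one root cause: a search term and a region filter were assembled into SQL text. The following is an added illustration written for this case study, not the client's code or Codesecure's deliverable. It uses Python's built-in sqlite3 as a stand-in for the client's PostgreSQL/Oracle databases, with a constructed claims table; the same parameter-binding mechanism exists in psycopg2 (`%s` placeholders), the Django ORM, and JDBC `PreparedStatement`.

```python
import sqlite3

# Constructed sample data, not client records: claims across two regions.
CLAIMS = [
    (1, "CLM-1001", "Asha Rao", "south", 120000),
    (2, "CLM-1002", "Vikram Nair", "south", 45000),
    (3, "CLM-2001", "Priya Mehta", "north", 98000),
    (4, "CLM-2002", "Rahul Singh", "north", 310000),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory claims table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claims ("
        "id INTEGER PRIMARY KEY, claim_no TEXT, claimant TEXT, "
        "region TEXT, amount INTEGER)"
    )
    conn.executemany("INSERT INTO claims VALUES (?, ?, ?, ?, ?)", CLAIMS)
    conn.commit()
    return conn


def search_claims_vulnerable(conn: sqlite3.Connection, agent_region: str, term: str) -> list:
    """Before: the search term is spliced into the SQL text.

    A term such as  x' OR 1=1 --  closes the LIKE literal, adds a clause that
    is always true, and comments out the rest, so the region filter that was
    meant to scope the agent is bypassed along with the search itself.
    """
    sql = (
        "SELECT claim_no FROM claims "
        f"WHERE region = '{agent_region}' AND claimant LIKE '%{term}%' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_claims_safe(conn: sqlite3.Connection, agent_region: str, term: str) -> list:
    """After: both values are bound as parameters.

    The driver sends them as data, never as SQL grammar, so the same term is
    simply a LIKE pattern that matches no claimant. agent_region is taken from
    the server-side session, not from the request, so the region scope is
    enforced on every call regardless of what the client sends.
    """
    sql = (
        "SELECT claim_no FROM claims "
        "WHERE region = ? AND claimant LIKE ? "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (agent_region, f"%{term}%"))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print("vulnerable:", search_claims_vulnerable(db, "south", payload))  # all four claims
    print("safe:      ", search_claims_safe(db, "south", payload))        # []
    print("safe, real:", search_claims_safe(db, "south", "Rao"))          # ['CLM-1001']
```

The re-test that matters after a fix like this is not "the payload no longer works" but "no query in the codebase builds SQL from request data": a grep for string formatting adjacent to `execute`, `createQuery` or `createNativeQuery` is a cheap first pass before the next SAST run.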
High & Medium Severity
- XSS in claim notes display
- Insecure deserialization in policy export
- Weak cryptographic random for session tokens
- Verbose SQL error messages disclosing schema
- Missing rate limit on authentication endpoint
- Legacy SHA-1 signing for internal services
- Hardcoded encryption keys in 3 modules
Before vs. After
Before Engagement
- Hardcoded DB credentials in Git
- SQL injection in claims search
- Cross-region data access for agents
- MD5 password hashing without salt
- No formal code review process
- IRDAI evidence absent
After Remediation
- All credentials in HashiCorp Vault
- Parameterized queries across codebase
- Server-side authorization on every endpoint
- Argon2id password hashing
- Quarterly SAST + manual review schedule
- Clean IRDAI examination report
"We had MD5 in production in 2025. We knew it was bad in theory. Seeing the rainbow-table attack live with our actual data brought urgency. The remediation took 6 weeks and we shipped it before the IRDAI audit window."
Anonymous, CTO, mid-size Indian insurance company
Key Lessons
What Other Teams Can Take Away
- Hardcoded secrets are everywhere. Even teams with SAST tooling find secrets in configs, comments, test files and CI scripts. Scan exhaustively.
- SAST without manual review misses business logic. Authentication bypasses, authorization gaps and workflow flaws require human review.
- Legacy crypto persists. MD5, SHA-1, DES and ECB-mode encryption still appear in production codebases. Audit cryptographic usage specifically.
- Dependency vulnerabilities compound. A typical 200K LOC Java app has 200-400 transitive dependencies. Continuous SCA scanning is mandatory.
Conclusion
Source code review is essential for organizations handling regulated data. By identifying vulnerabilities at the code level before deployment, the client addressed security gaps proactively rather than reactively. The 29 findings included issues that would have been impossible to detect via runtime testing alone: the hardcoded credentials, the MD5 hashing and the cross-region authorization gap.
For Indian insurance, banking, healthcare and fintech with regulated data obligations, code review complements VAPT and is increasingly required by IRDAI, RBI and ISO 27001 Annex A.8.28 (secure coding). Codesecure delivers SAST + manual review across Java, Python, .NET, PHP, Node.js and Go with developer-actionable findings.
Want Outcomes Like These?
Codesecure is an ISO/IEC 27001:2022 certified cybersecurity firm. We deliver fixed-price engagements with named consultants and executive-ready outcomes across India, UAE, Saudi Arabia, Australia, Singapore and Maldives.
Get a Free Consultation Explore Our Services
