Large Online Travel Platform: Quarterly VAPT Programme that Caught a Critical Auth Bypass Pre-Launch
One-off penetration tests age quickly on platforms that ship weekly. This engagement shows how a large online travel platform converted annual point-in-time testing into a standing quarterly VAPT programme — and how that cadence caught a critical authentication bypass in a new booking flow before launch, when it cost a sprint to fix instead of an incident.
Client Overview
The client is a large online travel platform serving customers across India, selling flights, hotels, and holiday packages through web and mobile channels with a high-velocity release cycle. The drivers were CERT-In security directions applicable to its infrastructure, payment-partner testing expectations, and internal risk appetite after industry breaches. Scope covered customer-facing web and mobile apps, booking and payment APIs, and each quarter’s newly shipped features.
- Industry: E-Commerce / Online Travel (large platform)
- Region: India
- Regulatory driver: CERT-In directions, payment-partner testing mandates
- Timeline: Standing quarterly cycles; each cycle ~3 weeks test-to-closure
- CyberSigma team: Programme lead, rotating web/API/mobile testers, remediation coordinator
Challenge
Annual testing left nine-plus months of untested releases in production at any time. New features — including a rebuilt booking flow — were shipping faster than security review could keep up, and remediation from previous tests routinely stalled without an owner.
- Annual point-in-time tests stale within months on a weekly release cycle
- New features reaching production with no security testing at all
- Previous pentest findings lingering unremediated with no tracked ownership
- Payment partners tightening expectations for evidence of recurring testing
- No mechanism to focus testing on what changed each quarter
Objectives
- Establish a quarterly CERT-In-aligned testing cadence across web, API, and mobile
- Add pre-launch testing for high-risk new features before production release
- Drive every critical and high finding to verified closure each cycle
- Produce recurring evidence packs for payment partners and internal risk
- Reduce repeat finding classes release over release
Our Approach
1. Programme Design
A quarterly calendar was set with rotating depth: full-scope testing twice a year, change-focused testing in the other quarters, and an on-call slot for pre-launch reviews of high-risk features.
2. Change-Driven Scoping
Each cycle began with a delta review of releases since the last test, so effort concentrated on new endpoints, changed auth logic, and modified payment flows rather than re-treading stable code.
3. Pre-Launch Feature Testing
High-risk features entered testing before release. In one cycle this caught a critical authentication bypass in a rebuilt booking flow — a session-handling flaw that allowed access to other users’ booking details — which was fixed and re-verified before launch.
4. Remediation & Verification Loop
Findings flowed into the engineering tracker with severity-based SLAs; every critical and high was re-tested on fix, and closure rates were reported to engineering leadership each cycle.
5. Trend Reporting
Quarter-over-quarter reporting tracked finding classes and recurrence, feeding secure-coding focus areas back to development teams and evidence packs to payment partners.
Solution
- Standing quarterly VAPT calendar mixing full-scope and change-focused cycles
- Delta-based scoping that concentrates testing on each quarter’s changes
- Pre-launch security testing slot for high-risk features
- SLA-driven remediation loop with verified closure of every critical and high finding
- Quarterly trend reporting to engineering leadership and payment partners
Results
- Critical authentication bypass in a new booking flow found and fixed before launch
- Every critical and high finding verified closed within cycle SLAs since programme start
- Repeat finding classes reduced quarter over quarter as secure-coding feedback landed
- Payment-partner testing evidence produced on schedule every quarter
- Security testing now tracks the release cycle instead of trailing it by months
Liked the case study? Share on:



