We use essential cookies to run this site. Analytics & marketing cookies load only with your consent — see our Cookie Policy and Privacy Policy.

Large Online Travel Platform case study hero background

Large Online Travel Platform: Quarterly VAPT Programme that Caught a Critical Auth Bypass Pre-Launch

PCI SSC Qualified Security Assessor — CYBERSIGMA CONSULTING SERVICES LLP

QSA Authorized
CEMEA · Asia Pacific · USA

Our Offerings -PCI-DSS Audit,RBI/SEBI/IRDAI/Aadhaar/NBFC & Housing Cybersecurity Audit,SOC1/2/3,GDPR,ISMS,ISO,

Large Online Travel Platform: Quarterly VAPT Programme that Caught a Critical Auth Bypass Pre-Launch

One-off penetration tests age quickly on platforms that ship weekly. This engagement shows how a large online travel platform converted annual point-in-time testing into a standing quarterly VAPT programme — and how that cadence caught a critical authentication bypass in a new booking flow before launch, when it cost a sprint to fix instead of an incident.

Client Overview

The client is a large online travel platform serving customers across India, selling flights, hotels, and holiday packages through web and mobile channels with a high-velocity release cycle. The drivers were CERT-In security directions applicable to its infrastructure, payment-partner testing expectations, and internal risk appetite after industry breaches. Scope covered customer-facing web and mobile apps, booking and payment APIs, and each quarter’s newly shipped features.

  • Industry: E-Commerce / Online Travel (large platform)
  • Region: India
  • Regulatory driver: CERT-In directions, payment-partner testing mandates
  • Timeline: Standing quarterly cycles; each cycle ~3 weeks test-to-closure
  • CyberSigma team: Programme lead, rotating web/API/mobile testers, remediation coordinator

Challenge

Annual testing left nine-plus months of untested releases in production at any time. New features — including a rebuilt booking flow — were shipping faster than security review could keep up, and remediation from previous tests routinely stalled without an owner.

  • Annual point-in-time tests stale within months on a weekly release cycle
  • New features reaching production with no security testing at all
  • Previous pentest findings lingering unremediated with no tracked ownership
  • Payment partners tightening expectations for evidence of recurring testing
  • No mechanism to focus testing on what changed each quarter

Objectives

  • Establish a quarterly CERT-In-aligned testing cadence across web, API, and mobile
  • Add pre-launch testing for high-risk new features before production release
  • Drive every critical and high finding to verified closure each cycle
  • Produce recurring evidence packs for payment partners and internal risk
  • Reduce repeat finding classes release over release

Our Approach

1. Programme Design

A quarterly calendar was set with rotating depth: full-scope testing twice a year, change-focused testing in the other quarters, and an on-call slot for pre-launch reviews of high-risk features.

2. Change-Driven Scoping

Each cycle began with a delta review of releases since the last test, so effort concentrated on new endpoints, changed auth logic, and modified payment flows rather than re-treading stable code.

3. Pre-Launch Feature Testing

High-risk features entered testing before release. In one cycle this caught a critical authentication bypass in a rebuilt booking flow — a session-handling flaw that allowed access to other users’ booking details — which was fixed and re-verified before launch.

4. Remediation & Verification Loop

Findings flowed into the engineering tracker with severity-based SLAs; every critical and high was re-tested on fix, and closure rates were reported to engineering leadership each cycle.

5. Trend Reporting

Quarter-over-quarter reporting tracked finding classes and recurrence, feeding secure-coding focus areas back to development teams and evidence packs to payment partners.

Solution

  • Standing quarterly VAPT calendar mixing full-scope and change-focused cycles
  • Delta-based scoping that concentrates testing on each quarter’s changes
  • Pre-launch security testing slot for high-risk features
  • SLA-driven remediation loop with verified closure of every critical and high finding
  • Quarterly trend reporting to engineering leadership and payment partners

Results

  • Critical authentication bypass in a new booking flow found and fixed before launch
  • Every critical and high finding verified closed within cycle SLAs since programme start
  • Repeat finding classes reduced quarter over quarter as secure-coding feedback landed
  • Payment-partner testing evidence produced on schedule every quarter
  • Security testing now tracks the release cycle instead of trailing it by months
CyberSigma office locations across India, UAE, Egypt and Australia

Our Office

Locations we operate from

HQ, Noida, India

405, 4th Floor, Majestic Signia, Sector 62, Noida, Uttar Pradesh 201309

Pune, India

InCube Centre, Tejaswini Society, Lane 2, Aundh, PUNE, India, 411007

Mumbai, India

A802, Crescenzo, C /38-39, G-Block, Bandra Kurla Complex, Mumbai-400051, Maharashtra, India

Bengaluru, India

Maharaj, 152/4, 8th Cross, Chamrajpet, Bengaluru, Karnataka, India, 560018

UAE

Business Point Building - Office No. 702 - Dubai - United Arab Emirates

UAE

L.L.C Muna AlJaziri Building, Office No 303 Al Mararr Dubai, UAE

Egypt

19 Dr. Omar Dessouky Street, Cairo- Egypt 4271020

Australia

Level 4, 80 Market Street, South Melbourne 3205