
Pentesting a company with an ignorant CTO

I have been pentesting fintech companies for over ten years and, depending on each company’s structure, have met many different types of C-level managers. What distinguishes those managers is generally their education, knowledge, behavior, approach, or character.

Today’s leaders must understand the technology and concepts that drive their organizations forward in the ever-evolving digital world. This story revolves around a Chief Technology Officer at a payment gateway infrastructure company who found himself navigating uncharted waters when faced with a critical cybersecurity challenge. What makes him different is his ignorance of technology!

The CTO, a seasoned professional with a wealth of experience in the tech industry – at least on the CV – took the initiative to commission a comprehensive penetration testing exercise for the company’s internal & external systems, web, and mobile applications. Recognizing the importance of safeguarding sensitive data and ensuring the security of digital transactions, he tasked an external team of security experts – the Vitriol pentesting team – with the job.

The struggle with API collections

As the testing team delved into the intricate workings of the company’s software platforms, they encountered an unexpected roadblock: incomplete documentation of the application programming interfaces (APIs) that formed the backbone of the systems. Without clear API documentation, the testing team struggled to assess the applications’ security posture thoroughly.

Despite repeated requests, the application development company responsible for the software platforms struggled to provide the APIs in the required format. This delay in obtaining the necessary files (we asked for either of two options: Swagger UI or Postman Collections) led to frustration and confusion among the testing team members, who were eager to proceed with their assessments.

In the meantime, the CTO called me several times, asking about the penetration testing and PCI DSS certification processes. Amidst the challenges and delays, it was clear that the CTO found himself in unfamiliar territory. On a phone call, he asked me what an API is and what its significance is in the context of cybersecurity assessments. This admission highlighted a gap in his technical knowledge and raised questions about his suitability for the role of CTO.

Endless e-meetings for no result

Undeterred by the setbacks, the testing team persevered, resorting to numerous online meetings and collaborative efforts to obtain the necessary API collections. After significant effort and coordination, the development company finally sent a new collection; this time, the accompanying environment was missing. Waiting any longer for a complete API collection was not rational, so we created our own environment by mimicking the tokens of our authenticated users.
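A Postman collection without its environment cannot be replayed: every `{{variable}}` in it (base URL, access token, record IDs) resolves to nothing. The Python example below is added here to illustrate the reconstruction step the paragraph describes; it is not the author's tooling or the client's. It walks a collection, lists every variable the requests reference, and emits a Postman-style environment with placeholders for the values the tester must supply (for instance, tokens obtained by authenticating as the test users). The sample collection, its variable names and the staging URL are constructed for illustration.

```python
import json
import re

# Constructed sample: a minimal Postman v2.1 collection that references
# environment variables but, like the one in the story, ships without them.
SAMPLE_COLLECTION = {
    "info": {
        "name": "wallet-api (constructed sample)",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "item": [
        {
            "name": "Get balance",
            "request": {
                "method": "GET",
                "header": [{"key": "Authorization", "value": "Bearer {{access_token}}"}],
                "url": {"raw": "{{base_url}}/v1/wallet/{{wallet_id}}/balance"},
            },
        },
        {
            "name": "Transfer",
            "request": {
                "method": "POST",
                "header": [
                    {"key": "Authorization", "value": "Bearer {{access_token}}"},
                    {"key": "X-Api-Key", "value": "{{api_key}}"},
                ],
                "url": {"raw": "{{base_url}}/v1/transfer"},
                "body": {"mode": "raw", "raw": "{\"to\": \"{{wallet_id}}\", \"amount\": 1}"},
            },
        },
    ],
}

# Postman variable syntax: {{name}}
VAR_RE = re.compile(r"\{\{([A-Za-z0-9_.-]+)\}\}")


def referenced_variables(node):
    """Recursively collect every {{variable}} referenced anywhere in the collection JSON."""
    found = set()
    if isinstance(node, dict):
        for value in node.values():
            found |= referenced_variables(value)
    elif isinstance(node, list):
        for value in node:
            found |= referenced_variables(value)
    elif isinstance(node, str):
        found.update(VAR_RE.findall(node))
    return found


def build_environment(collection, name, known=None):
    """Return a Postman environment dict with one entry per referenced variable.

    Values supplied in `known` are filled in; everything else gets a visible
    placeholder. Names that look like credentials are typed 'secret' so Postman
    masks them in the UI and export warnings.
    """
    known = known or {}
    values = []
    for var in sorted(referenced_variables(collection)):
        looks_secret = any(word in var.lower() for word in ("token", "key", "secret", "password"))
        values.append({
            "key": var,
            "value": known.get(var, f"<SET {var}>"),
            "type": "secret" if looks_secret else "default",
            "enabled": True,
        })
    return {"name": name, "values": values, "_postman_variable_scope": "environment"}


def missing_values(env):
    """Variables still carrying a placeholder; tests must not start until this is empty."""
    return [v["key"] for v in env["values"] if v["value"].startswith("<SET ")]


if __name__ == "__main__":
    # base_url is a constructed value; tokens would come from our own test logins.
    env = build_environment(SAMPLE_COLLECTION, "staging", {"base_url": "https://staging.example.test"})
    print(json.dumps(env, indent=2))
    print("still missing:", missing_values(env))
```

With a real collection, replace `SAMPLE_COLLECTION` with `json.load(open("collection.json"))`, fill the `known` dict with the tokens and IDs from your own authenticated sessions, and save the result as `staging.postman_environment.json` for import.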

Just as I was thinking that everything was going well, the CTO sent an email covering the web application pentesting issues. The email was in English (translated by Google from Turkish). I checked and realized that the subdomains were not reachable: the FQDNs written in the email did not match the ones in the scope form. A few moments later, the reason became clear: while composing the email, the CTO had also included the Turkish-named subdomains, and Google translated them. For example, cuzdan.company.com was translated to wallet.company.com.
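The lesson of that email is procedural: hostnames named in client communication should be checked against the signed scope form before anyone touches them, and a hostname that shares its parent domain with an in-scope host but has a different first label deserves a question to the client rather than a scan. The Python example below is added here to show such a scope gate; it is not the author's or the client's tooling. The scope list, the message text and all hostnames under `company.com` are constructed for illustration.

```python
import re

# Constructed scope form: the FQDNs the client actually authorized.
SCOPE = {"cuzdan.company.com", "api.company.com", "odeme.company.com"}

# Constructed client message, already machine-translated, naming the hosts to test.
MESSAGE = """Hello, please start the web tests with wallet.company.com and api.company.com.
The payment flow is on payment.company.com.
"""

# Matches dotted hostnames such as api.company.com; case-insensitive.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def extract_hosts(text):
    """Return the distinct hostnames mentioned in free text, lower-cased and sorted."""
    return sorted({m.lower() for m in HOST_RE.findall(text)})


def parent_domain(host):
    """Everything after the first label: wallet.company.com -> company.com."""
    return host.split(".", 1)[1] if "." in host else host


def check_scope(hosts, scope):
    """Split hosts into in-scope and out-of-scope, and flag out-of-scope hosts whose
    parent domain is in scope: a likely renamed or mistranslated label to confirm."""
    scope_lower = {s.lower() for s in scope}
    scope_parents = {parent_domain(s) for s in scope_lower}
    in_scope = [h for h in hosts if h in scope_lower]
    out_of_scope = [h for h in hosts if h not in scope_lower]
    suspect = [h for h in out_of_scope if parent_domain(h) in scope_parents]
    return {"in_scope": in_scope, "out_of_scope": out_of_scope, "suspect_renamed_label": suspect}


if __name__ == "__main__":
    report = check_scope(extract_hosts(MESSAGE), SCOPE)
    for key, hosts in report.items():
        print(f"{key}: {', '.join(hosts) or '-'}")
```

Anything in `out_of_scope` is not tested until the client confirms it in writing; the `suspect_renamed_label` list is the shortlist of names to ask about first, since in the story those were the Turkish subdomains that Google had renamed.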

Despite everything, we conducted the penetration testing. As you may imagine, the results were eye-opening, revealing numerous critical and high-level security issues across both the web and mobile platforms. The findings, from weak authentication mechanisms to vulnerable endpoints, underscored the importance of robust API security measures in safeguarding sensitive data. I’m not even talking about the vulnerabilities in internal systems…

To be or not to be a CTO

I hope the pentest results served as a valuable learning experience for the entire organization. At least, it highlighted the critical need for qualification among leaders in technology-driven industries and emphasized the importance of bridging the gap between technical expertise and leadership roles.

Through a dedication to continuous learning and a willingness to embrace new challenges, leaders can navigate the complexities of the digital landscape and steer their organizations toward greater innovation, resilience, and security.

And, for the ones asking: what happened to this article’s hero, the CTO? As far as I know, he moved to another company with the same title. I don’t know how he manages the new company, or whether his technical skills will be enough for the evolving technologies, especially in the fintech industry. But I know at least he knows what an API is…
