Web App Security Testing in Bengaluru · SaaS

Bengaluru web-application security buyers are mostly product CTOs, AppSec leads, platform engineers and security champions embedded in engineering — not compliance officers, and not procurement. They want testing that catches the bugs auto-scanners miss, written in a form their engineers can act on without translation, delivered against a release cadence that does not assume the product team stops shipping for the duration of the engagement. They also want vendor consultants who have written code, can read the team's stack from a quick repo walk, and do not need a Burp-friendly target deployment built from scratch to test against. That is the bar the Bengaluru SaaS belt has set since the 2020-21 wave of unicorn-scale AppSec hires raised the floor — and that is the only bar we play to.

Our testing baseline is OWASP ASVS Level 2 with Level 3 controls layered for product teams in regulated verticals (BFSI fintechs, healthtech, US-enterprise-target SaaS). API Security Top 10 (2023 edition) is treated as first-class scope, not an after-thought — most Bengaluru products are API-led with thin web front-ends, and the actual attack surface lives in the OpenAPI / GraphQL schema, the gateway authz layer and the partner-integration tokens. GraphQL gets explicit field-level authorisation, depth-limit and batch-query abuse testing because the dominant Bengaluru GraphQL anti-pattern is endpoint-level authz with object-level authz quietly delegated to the ORM. We also test gRPC + Connect-RPC stacks where the product has moved beyond REST.

Beyond the schema, we test business-logic abuse — the bugs scanners cannot find. Multi-step workflow tampering, race conditions in payment / refund / subscription flows, IDOR variants on tenant-scoped resources, BOLA chains across the partner-integration surface, OAuth / OIDC scope misuse and refresh-token replay, SSO assertion injection (Okta / Azure AD / Google Workspace / PingFederate as IdPs), and multi-tenant data isolation on shared-database SaaS designs. The last is the single most common bug class we close on Bengaluru SaaS — tenant separation enforced by a where-clause that some new code path forgot to apply, and the auto-scanner happily reports zero issues because every endpoint returns 200. We probe row-level-security on PostgreSQL, partition keys on DynamoDB / Cosmos, and the index-template predicate on Elasticsearch / OpenSearch deployments. Most of these are invisible to scanners and to inexperienced manual testers, and they are the bugs the enterprise customer's CISO will find on the next vendor questionnaire if we do not.

Reports are written for developers and consumed by engineers. Every finding ships with Burp / Postman / curl repro (depending on the team's tool of choice), a mapped CWE and OWASP ASVS reference, a remediation snippet in the project's language (TypeScript / Node / Python / Go / Java / Ruby — we match the stack), and a Jira-importable CSV that fits the team's existing field schema. For teams that prefer the GitHub workflow we file findings as private repository Issues with the security label and the SLA-class set, ready for the AppSec lead to triage. We do not deliver 200-page PDFs that go unread. The same evidence is mapped to OWASP ASVS, SOC 2 CC controls and ISO 27001 Annex A so a single engagement closes both the compliance and the AppSec asks at once.

Kickoff is onsite at the client's office — Outer Ring Road (Bellandur / Marathahalli / Sarjapur), Embassy Tech Village, Koramangala, Indiranagar, Whitefield, Electronic City. Senior consultants travel from Mumbai BKC for kickoff, threat-modelling whiteboard and exit-review; the actual testing runs against staging environments hosted on AWS Mumbai, AWS Singapore or GCP asia-south1. Typical scope of one product takes 2-3 weeks plus a 1-week re-test, with critical and high findings re-validated post-fix at no extra cost. For larger products with web + mobile + multiple APIs + admin console + partner-integration surface we run a 5-6 week engagement with a phased deliverable cadence so the AppSec team is not blocked on a single final report.

Continuous-testing retainers are available for product teams shipping weekly or fortnightly. The retainer model: a quarterly full-coverage run, a monthly delta test against new product surface (new endpoints, new auth flows, new partner integrations, new tenant boundaries), and a same-day Slack-bridge channel for the AppSec lead to flag bugs found in production for joint root-cause review. The retainer is priced against the actual code-velocity of the product, not against an arbitrary headcount, and the detection-engineering hand-off back to the team's security champion is the explicit deliverable of every quarter.

We run a short developer brief at the end of every engagement — 60 minutes with the engineering team to walk through the highest-impact findings, the classes of bug behind them, and the secure-by-default patterns to put into the codebase so the next sprint stops introducing the same issues. Pre-commit hooks, eslint-plugin-security configurations, Semgrep rules tuned to the team's bug history, a tenant-scoping middleware contract, an authz-decorator pattern for the GraphQL resolver layer — whatever is the highest-ROI guardrail for the next quarter's code velocity. Most clients see findings drop by half on the second annual VAPT after that briefing, which is the explicit success metric of the engagement.

For Bengaluru SaaS teams preparing for SOC 2 Type II, ISO 27001:2022 surveillance or an enterprise customer's pre-sales security review (the Fortune-500 buyer's CISO questionnaire that arrives in the back half of the sales cycle), we shape the VAPT report so the same artefact answers all three at once — the SOC 2 auditor reviewing CC7.1 / CC7.2, the ISO 27001 surveillance assessor reviewing Annex A 8.* controls, and the enterprise customer's CISO running through the vendor-pack. The OWASP ASVS L2 / L3 attestation, the sanitised executive summary, the remediation timeline and the MITRE ATT&CK mapping all live in the same document. No separate evidence pack to assemble later. For bug-bounty programmes (HackerOne, Bugcrowd, Intigriti) running in parallel, we calibrate the engagement scope against the bounty's existing coverage so the spend does not double up on what the crowd already finds.