Safeguarding IoT and Web Applications with Winmill’s Penetration Testing Stream
Introduction
A global industrial technology organization with dozens of subsidiaries was facing increasing pressure from customers to demonstrate the security of its products and solutions. With customers demanding more transparency and assurance, the company recognized the need to establish a scalable penetration testing program across multiple business units—one that could deliver high-quality assessments on an ongoing basis without the delays and overhead typically associated with traditional engagement models.
The organization turned to Winmill for help. What began as a single project focused on selecting and implementing an application security solution quickly evolved into a broader partnership. Impressed with Winmill’s technical expertise and responsiveness, the client chose Winmill’s Penetration Testing Stream subscription to use across ten of its subsidiary operating companies, spanning hundreds of teams and product lines.
Problem
The client’s core mission is to deliver safe, reliable, and secure products to its customers. Many of the devices produced by its subsidiaries were originally developed as standalone equipment. Over time, these products evolved into connected IoT devices with expanding ecosystems: networked via Wi-Fi and other communication protocols, supported by mobile applications, and backed by cloud-based platforms. This transformation introduced new layers of complexity and risk, since each new interface (wireless link, mobile app, cloud API) is an additional attack surface that the original standalone design never had to account for.
With customers now demanding evidence of robust product security (often as a contractual obligation), the client needed to bolster its already-mature security and DevOps programs with a consistent and repeatable penetration testing process that could assess web applications, IoT devices, mobile interfaces, and cloud endpoints, all while helping product teams quickly remediate vulnerabilities and communicate results to stakeholders.
Solution
Winmill’s Penetration Testing Stream was the ideal fit. This subscription-based model enables continuous testing with minimal lead time and eliminates the need for time-consuming scoping documents and change orders.
Using the Winmill Pen Test Portal, each participating product team was able to request and manage tests independently, while the Global Security Teams retained full visibility into the entire product landscape. Starting a new project is painless: product owners and engineers provide key information through the Portal in advance, which streamlines scheduling and delivery timelines.
The results firmly exceeded expectations. A recent assessment’s scope included two IoT products that each leverage an integrated web application. The assessment uncovered several significant issues that had been missed by expensive scanning tools, including:
- Critical Severity:
  - Remote Code Execution
  - Insecure Firmware Updates
  - Vulnerable to Credential Stuffing
- High Severity:
  - Improper Access Control
  - Use of Hard-Coded Credentials
  - Cross-Site Request Forgery (CSRF)
The client received its deliverables precisely on the proposed end date for the assessment, including an Executive Summary Report for management and a Detailed Technical Findings Report containing comprehensive explanations of each finding, with remediation recommendations tailored to the client’s internal development teams. After the fixes were implemented, the client was able to slip its retest into the schedule without impacting other business units, meeting its deadlines. Winmill conducted follow-up testing to validate that each finding had been resolved, resulting in a clean report that the client could confidently present to its customers.
Results
With the Penetration Testing Stream, our client gained a streamlined, scalable process for assessing and improving product security across all of its subsidiaries. The program’s subscription model saved time and administrative effort while ensuring consistent, high-quality results.
Winmill’s detailed but practical remediation guidance made it easy for engineering teams to fix issues quickly, helping them reduce risk, fulfill contractual obligations, and meet customer expectations for product security.
Winmill has provided exceptional service to 4,000+ clients, including more than 200 Fortune 500 companies. Our clients include industry leaders such as Disney, Cisco, Booz Allen Hamilton, Kaiser Permanente, The Home Depot, and Columbia University.