Risk-Based, ISO/IEC 27001 and GDPR-Aligned Gray-Box Pentest for Sharpist

Industry
Education, Information Technology, Software products

Summary

ScienceSoft verified the security of web and mobile apps and an API for Sharpist, a SaaS coaching and leadership platform. The testers simulated role-specific attack scenarios to verify the security controls that matter most to enterprise buyers.

About Sharpist

Sharpist GmbH is an enterprise SaaS product company specializing in corporate coaching and leadership development. It offers individual and group coaching through web and mobile apps, backed by a network of over 1,000 certified coaches. Since its launch in 2018, Sharpist has served global leaders such as Porsche, Airbus, IKEA, BASF, and Metro.

Sharpist invests heavily in ISO/IEC 27001 certification and GDPR compliance to maintain the privacy of its clients’ data. As part of its security program, the SaaS company conducts regular third-party penetration testing of its continuously evolving digital coaching platform. Seeing ScienceSoft’s proven track record of risk-based security testing, Sharpist brought it in for gray-box pentesting.

Risk-Based Gray-Box Pentesting of Digital Coaching Platform

ScienceSoft and Sharpist began the engagement by defining the testing goals, limits, and scope to ensure alignment with business priorities and protection of critical assets. The testing scope covered the following components of the Sharpist digital coaching platform: iOS, Android, and web apps, as well as an API.

Sharpist selected the gray-box approach, which combines the speed of black-box testing with white-box depth where it matters most. The testing process followed the PTES, the OWASP Web Security Testing Guide, the OWASP Mobile Security Testing Guide, and the NIST SP 800-115 methodology. ScienceSoft’s team began by using open-source intelligence (OSINT) to map the attack surface, including domain names, subdomains, and publicly accessible assets. Based on the gathered data, ScienceSoft’s testers identified and prioritized potential entry points and the most relevant attack vectors.

During the active testing phase, ScienceSoft’s team used automated scans to catch known vulnerabilities quickly. Next, they proceeded with manual testing to eliminate false positives and simulate real-world attacks, including exploitation scenarios.

Using pre-approved logins for the learner, HR specialist, and coach roles, ScienceSoft targeted the highest-impact risk areas. The focus areas included:

  • Authorization and multi-tenant isolation. For example, ScienceSoft verified that permission checks reliably blocked learners or coaches from HR-only functions and from accessing other customers’ environments.
  • Session and tokens. The team verified token expiration, rotation, and secure storage.
  • Reporting and export safety. ScienceSoft ensured that file exports were sanitized to prevent CSV injection.
  • Mobile security. The testers assessed local device data protection, root and jailbreak detection, and OS-version policy (no installs on deprecated Android/iOS versions) for mobile apps.
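To illustrate the export sanitization named in the list above, here is an added example (not code from Sharpist or ScienceSoft) of a Python CSV export helper that neutralizes formula-triggering cell prefixes; the learner record it exports is a constructed sample.

```python
import csv
import io

# Leading characters that make common spreadsheet applications evaluate
# a cell as a formula rather than display it as text.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a cell value that a spreadsheet will render as plain text."""
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        # Typed numbers are emitted as-is; only free text can carry a formula.
        return str(value)
    text = str(value)
    # Conservatively ignore leading whitespace when checking the prefix.
    if text.lstrip().startswith(FORMULA_PREFIXES):
        # A leading single quote forces the cell to be treated as a string.
        return "'" + text
    return text


def export_rows(rows, fieldnames):
    """Serialize dict rows to CSV text with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a display name that would otherwise be evaluated.
    sample = [{"name": "=SUM(1,2)", "score": -5}]
    print(export_rows(sample, ["name", "score"]))
```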

ScienceSoft documented every confirmed vulnerability, detailing its potential business impact, reproducible evidence, and remediation steps. The team classified the issues according to the OWASP Top 10, the OWASP Mobile Top 10, and the OWASP API Top 10, and prioritized them by severity using NIST CVSS. As a result, Sharpist received a comprehensive report with both technical details and an executive summary, making results clear for technical teams and business leaders. For each item, ScienceSoft also recommended the responsible team (e.g., Development, DevOps, Security) to streamline ownership.

After Sharpist’s in-house IT teams applied the fixes, ScienceSoft verified the remediation through a retest.

Victor von Eisenhart-Rothe, Security and Compliance Manager at Sharpist GmbH, says:

Their engineers went beyond standard test procedures and identified several risks that would have been easy to overlook. The reporting was clear, practical, and focused on the real level of risk. It gives us solid evidence to support our compliance efforts and the data-protection commitments we make to our customers.

Key Outcomes for Sharpist

  • Testing efforts were guided by Sharpist’s business priorities, resulting in a precise assessment that focused on risks that could directly threaten Sharpist.
  • The testing and reporting methodology, based on PTES, NIST SP 800-115, and OWASP, supports ISO/IEC 27001 and GDPR Article 32 expectations for regular, risk-based security testing and evidence, contributing to Sharpist’s compliance program.
  • Targeted automation, combined with manual verification, provided Sharpist with fast, reliable pentesting results, free of false positives and backed by reproducible, real-world attack paths.
  • The structured pentest documentation with clear vulnerability impact and exploitation likelihood estimates, reproducible evidence, and a remediation plan with suggested ownership helped Sharpist streamline issue resolution.
  • The executive summary in the report provided actionable insights for business stakeholders, helping them make quick, informed decisions on remediation efforts.
  • ScienceSoft confirmed applied remediations with a post-fix retest, giving Sharpist confidence in the strengthened security posture.

Technologies and Tools

Acunetix, Burp Suite, Metasploit, Nmap, SQLMap, Nikto, Apktool, apksigner, jadx, STEWS, Zed Attack Proxy (ZAP), MobSF, Postman, Python, PHP, Bash, PowerShell.
