Client Work

The Challenge

Konga's AWS-hosted platform processes high transaction volumes across web and mobile channels serving millions of Nigerian shoppers. Ahead of a major platform release, the engineering team required independent validation of their cloud security posture and web application attack surface — with findings delivered at a level of detail actionable by their development team.

Our Approach

CipherFort performed a comprehensive AWS cloud security assessment reviewing IAM configurations, network architecture, S3 storage controls, logging posture, and encryption at rest and in transit. A concurrent web application and API VAPT engagement tested the e-commerce platform, checkout flows, and customer-facing APIs against OWASP Top 10 and business logic attack vectors. All findings were rated using CVSS 3.1 and delivered in executive and developer-ready technical report formats.

Outcomes

• Critical and high-severity vulnerabilities identified and remediated prior to platform release
• IAM privilege escalation paths identified and closed
• S3 storage misconfiguration risks remediated
• Findings delivered with developer-ready remediation guidance and remediation-verified re-test

The Challenge

As Indicina expanded its credit scoring and lending-as-a-service infrastructure across AWS and GCP, enterprise clients began requiring formal independent security assessments as part of their vendor due diligence. With an API-first architecture powering credit decisions and partner integrations across financial institutions, Indicina needed rigorous validation before onboarding new partners at scale.

Our Approach

CipherFort assessed Indicina's AWS and GCP cloud environments, reviewing data isolation between tenant environments, secrets management practices, access control policies, and logging and monitoring posture. A dedicated API VAPT engagement tested REST endpoints handling credit decisions, loan origination, and third-party financial institution integrations — with specific focus on broken object-level authorisation, injection vulnerabilities, and rate limiting controls.

Outcomes

• API security findings identified and remediated across partner integration endpoints
• Secrets management practices strengthened — credentials removed from application logs and CI/CD pipelines
• Multi-tenant data isolation verified across both cloud environments
• Assessment evidence used to support enterprise partner security due diligence requirements

The Challenge

VerifyMe Nigeria's platform processes identity documents, biometric checks, and KYC verification for financial institutions and enterprises across Nigeria. Enterprise clients began mandating formal security evidence as a condition of contract renewal and new onboarding. Given the platform's exposure to sensitive national identity data, a rigorous independent assessment of cloud controls and application security was critical.

Our Approach

CipherFort conducted a cloud security assessment of VerifyMe's infrastructure, covering biometric data encryption at rest and in transit, access control policies, API gateway security, and logging and monitoring posture. A VAPT engagement tested identity verification APIs, administrative interfaces, and client integration endpoints — with particular focus on authentication controls, data exposure risks, and authorisation boundaries between tenant accounts.

Outcomes

• Biometric data protection gaps identified and remediated
• API authentication weaknesses across client integration endpoints resolved
• Cloud security posture assessment report delivered to enterprise client procurement teams
• Security evidence package compiled for vendor questionnaire and contract renewal requirements

The Challenge

As Ebango's fintech platform scaled its customer base, independent security validation became a requirement in enterprise client and partner conversations. The team needed confidence in their cloud security posture and application attack surface — with findings prioritised clearly so engineering effort could be directed to the highest-risk areas first.

Our Approach

CipherFort performed a cloud security assessment of Ebango's cloud environment, reviewing IAM configurations, network security controls, data storage and encryption posture, and monitoring capabilities. A VAPT engagement covered the external-facing application and API surface, testing for common vulnerability classes and business logic weaknesses relevant to a fintech context.

Outcomes

• Cloud environment security gaps prioritised by exploitability and business impact
• Application vulnerabilities identified across external attack surface
• Critical and high findings remediated with CipherFort guidance
• Security findings delivered in executive and technical report format