Synder App
Highlights
- 9-day security engagement April 07–15, 2025
- Penetration testing for SOC 2 readiness without social engineering
- No unauthorized access gained, overall risk assessed as Medium
- Delivered the list of identified defects
- Provided a remediation plan ranked by severity and business impact

Client
CloudBusiness is a software development firm that provides cloud-based solutions for businesses, accountants, and bookkeepers. The Synder App is one of their core offerings. It is an accounting automation tool that synchronizes and reconciles transactions across multiple sales channels and payment platforms.
Challenge
Since the platform processes large volumes of confidential financial data, strong security and resilience against cyber-attacks are especially important. The client was preparing for a SOC 2 attestation and engaged SoftTeco's security team to conduct penetration testing and evaluate the security posture of the Synder App.

Tech stack
Components
OWASP ZAP
Acunetix
JWT_Tool
Burp Suite
SQLmap
SSLScan
How it works
SoftTeco's security testing team assessed the Synder App from April 07, 2025 to April 15, 2025, simulating the actions of a real attacker, with social engineering excluded from scope. The team used a hybrid approach combining SAST (static analysis), DAST (dynamic analysis), and manual testing. Our engineers started with automated discovery, validated each finding by hand to rule out false positives, and then expanded manual testing to cover edge cases and business-logic flaws that scanners do not catch.
Testing followed a black-box model from the position of an authenticated user with limited knowledge of the environment. Our QA engineers used PTES, the OWASP Web Security Testing Guide, and NIST SP 800-115 to keep coverage structured and repeatable. We then classified every confirmed issue against the OWASP Top 10 and the OWASP API Security Top 10 and scored it with CVSS, so the client could prioritize fixes and use the output as evidence for its SOC 2 work.
Results
SoftTeco's security testing team did not gain unauthorized access, but it identified vulnerabilities that a determined attacker could exploit given time, and rated the overall risk as Medium. Our QA specialists classified each confirmed issue by severity based on its potential impact on the client's business workflows and on how the application handles confidential financial data. We delivered a report with prioritized corrective actions to strengthen protection against real-world attacks, and the client requested a retest to verify the fixes after implementing the recommended changes.