Case Study

B2B SaaS platform security testing

Scoped, non-disruptive manual testing alongside the team's automation to validate business-logic and authorization workflows across the web app and APIs.

The Challenge: clarifying what automation doesn't show

A B2B SaaS company had a mature automated pipeline (SAST, DAST, dependency scanning in CI/CD). They needed clear answers on whether manual testing would reveal gaps automation can't model, especially in business logic and authorization-heavy workflows.

  • Confirm whether multi-step workflows could be bypassed without triggering scanners
  • Validate authorization across workspace, project, and document relationships
  • Define where manual testing should complement the existing CI/CD pipeline

A predictable, scoped manual test alongside automation

We agreed a fixed scope, safe test windows, and clear checkpoints before any testing began. The goal was to add manual coverage where automation is blind without changing timelines or disrupting production.

Set fixed scope, constraints, and safe windows

Documented the exact apps, APIs, and workflows in scope, plus rate limits and safe testing windows.

Controlled testing of workflow and authorization paths

Validated approvals, access boundaries, and multi-step authorization logic with reversible, non-disruptive tests.

Evidence-first reporting with clear fixes

Delivered reproducible findings tied to scope, with impact, ownership, and prioritized remediation guidance.

Findings from workflow chain analysis

We traced how a determined user could string together normal actions across workspaces, projects, and approvals, then validated those sequences in the app and APIs. This chain-based analysis is why Appsecco's manual testing sits alongside automation — each covers what the other misses.

IDOR in nested resource access

By reusing a project reference across workspace boundaries, a user could traverse to documents they shouldn't see. This surfaced only when we followed the same cross-resource path a user would take.

Resolution: Authorization checks added at each level of the resource hierarchy.
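To make the resolution concrete, the following is an added example (not the client's code or Appsecco's) contrasting a lookup that checks membership only at the workspace level with one that re-validates ownership at every step of the workspace -> project -> document hierarchy. The data model, identifiers and function names are assumptions constructed for illustration.

```python
"""Nested-resource authorization: vulnerable lookup beside its hardened form.

Added example, not code from the original case study. The in-memory tables
below are constructed sample data: two workspaces, each owning one project
and one document. Alice is a member of ws-a only.
"""

# Constructed sample data (assumption: one owning parent per child).
WORKSPACE_MEMBERS = {"ws-a": {"alice"}, "ws-b": {"bob"}}
PROJECTS = {"proj-1": "ws-a", "proj-2": "ws-b"}      # project -> owning workspace
DOCUMENTS = {"doc-1": "proj-1", "doc-2": "proj-2"}    # document -> owning project
CONTENT = {"doc-1": "ws-a roadmap", "doc-2": "ws-b payroll"}


class Forbidden(Exception):
    """Raised when an authorization check fails."""


def fetch_document_vulnerable(user, workspace_id, project_id, document_id):
    """Checks membership only at the top of the hierarchy.

    The project and document references are trusted as long as the caller
    belongs to the workspace named in the request, so the same project
    reference reused across a workspace boundary reaches the wrong document.
    """
    if user not in WORKSPACE_MEMBERS.get(workspace_id, set()):
        raise Forbidden("not a workspace member")
    if document_id not in DOCUMENTS:
        raise KeyError(document_id)
    return CONTENT[document_id]


def fetch_document_hardened(user, workspace_id, project_id, document_id):
    """Re-validates ownership at each level of the resource hierarchy.

    Every child must belong to the parent actually named in the request, so
    membership is effectively checked against the workspace that owns the
    document rather than the one the caller chose to name.
    """
    if user not in WORKSPACE_MEMBERS.get(workspace_id, set()):
        raise Forbidden("not a workspace member")
    if PROJECTS.get(project_id) != workspace_id:
        raise Forbidden("project does not belong to this workspace")
    if DOCUMENTS.get(document_id) != project_id:
        raise Forbidden("document does not belong to this project")
    return CONTENT[document_id]


def compare_cross_workspace_path():
    """Runs the cross-workspace path through both versions.

    Returns (content leaked by the vulnerable lookup, True if hardened blocked it).
    """
    leaked = fetch_document_vulnerable("alice", "ws-a", "proj-2", "doc-2")
    try:
        fetch_document_hardened("alice", "ws-a", "proj-2", "doc-2")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    print(compare_cross_workspace_path())
```

The hardened version fails closed on the same request that the vulnerable one serves, and the legitimate path (ws-a / proj-1 / doc-1 for alice) still succeeds.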

Business logic bypass in approval workflow

Calling the post-approval endpoint out of sequence allowed a submit-to-approved jump while all requests still returned 200. We verified the full chain from request creation to final action to confirm the gap.

Resolution: Server-side state validation added to enforce workflow sequence.
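As an added illustration of that resolution (not the client's code or Appsecco's), the example below models the approval workflow as an explicit state machine. The vulnerable handler lets each endpoint set its target state regardless of the current one, so an out-of-sequence call still returns 200; the hardened handler consults an allowed-transition table and rejects the jump. The state names, action names and status codes are assumptions constructed for illustration.

```python
"""Approval workflow: out-of-sequence call vs server-side state validation.

Added example, not code from the original case study. The workflow
draft -> submitted -> reviewed -> approved -> executed is a constructed
stand-in for the client's approval chain.
"""

# Assumption: the only legal (current_state, action) -> next_state transitions.
ALLOWED_TRANSITIONS = {
    ("draft", "submit"): "submitted",
    ("submitted", "review"): "reviewed",
    ("reviewed", "approve"): "approved",
    ("approved", "execute"): "executed",
}

# What each endpoint would set if it ignored the current state.
TARGET_STATE = {action: nxt for (_, action), nxt in ALLOWED_TRANSITIONS.items()}


class ApprovalRequest:
    def __init__(self):
        self.state = "draft"
        self.history = []  # (action, status) audit trail, useful for detection


def handle_vulnerable(req, action):
    """Each endpoint writes its target state without checking the current one."""
    req.state = TARGET_STATE[action]
    req.history.append((action, 200))
    return 200


def handle_hardened(req, action):
    """Only transitions listed in ALLOWED_TRANSITIONS are applied.

    Anything else is refused with 409 and recorded, so a submit-to-approved
    jump shows up in the audit trail instead of silently succeeding.
    """
    nxt = ALLOWED_TRANSITIONS.get((req.state, action))
    if nxt is None:
        req.history.append((action, 409))
        return 409
    req.state = nxt
    req.history.append((action, 200))
    return 200


def run_sequence(handler, actions):
    """Drives a fresh request through `actions`; returns (final_state, status_codes)."""
    req = ApprovalRequest()
    codes = [handler(req, a) for a in actions]
    return req.state, codes


if __name__ == "__main__":
    print("vulnerable:", run_sequence(handle_vulnerable, ["submit", "approve"]))
    print("hardened:  ", run_sequence(handle_hardened, ["submit", "approve"]))
    print("full chain:", run_sequence(handle_hardened, ["submit", "review", "approve", "execute"]))
```

Because the 409 is recorded alongside the 200s, the same history that enforces the sequence also gives the operations team a signal to alert on.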

Privilege escalation via invitation flow

During acceptance, a user could modify their role in the payload and have it honored. We reproduced the invite -> accept -> role assignment path to show where server-side checks were missing.

Resolution: Role assignment moved to server-side lookup based on the invitation record.
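The following added example (not the client's code or Appsecco's) shows the invite -> accept -> role assignment path with the role taken from the acceptance payload beside the corrected version that reads it from the stored invitation record. The invitation fields, token handling and expiry window are assumptions constructed for illustration.

```python
"""Invitation acceptance: client-supplied role vs server-side lookup.

Added example, not code from the original case study. Invitations are kept
in an in-memory dict keyed by a hash of the token; the record, not the
acceptance payload, is the source of truth for workspace and role.
"""
import hashlib
import hmac
import secrets

INVITATIONS = {}  # token_hash -> invitation record (constructed store)


class Forbidden(Exception):
    """Raised when an invitation cannot be accepted."""


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def create_invitation(workspace_id, email, role, now, ttl_seconds=86400):
    """Issues a single-use invitation and returns the raw token to e-mail out.

    `now` is injected (seconds) so the example is deterministic.
    """
    token = secrets.token_urlsafe(32)
    INVITATIONS[_token_hash(token)] = {
        "workspace": workspace_id,
        "email": email,
        "role": role,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return token


def accept_vulnerable(token, payload, now):
    """Honors whatever role the client puts in the acceptance payload."""
    rec = INVITATIONS.get(_token_hash(token))
    if rec is None:
        raise Forbidden("unknown invitation")
    role = payload.get("role", rec["role"])  # trusts the client
    return {"workspace": rec["workspace"], "user": payload["email"], "role": role}


def accept_hardened(token, payload, now):
    """Derives workspace, user and role from the invitation record only.

    Also enforces expiry, single use, and that the accepting e-mail matches
    the invited one (constant-time compare to avoid leaking the address).
    """
    rec = INVITATIONS.get(_token_hash(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        raise Forbidden("invalid, used, or expired invitation")
    invited = rec["email"].lower().encode()
    supplied = payload.get("email", "").lower().encode()
    if not hmac.compare_digest(invited, supplied):
        raise Forbidden("invitation was issued to a different address")
    rec["used"] = True
    # Any "role" in the payload is ignored by design.
    return {"workspace": rec["workspace"], "user": rec["email"], "role": rec["role"]}


def try_accept(handler, token, payload, now):
    """Returns the granted role, or None if the handler refused."""
    try:
        return handler(token, payload, now)["role"]
    except Forbidden:
        return None


if __name__ == "__main__":
    t = create_invitation("ws-a", "carol@example.com", "viewer", now=1000)
    escalated = {"email": "carol@example.com", "role": "owner"}
    print("vulnerable grants:", try_accept(accept_vulnerable, t, escalated, now=1500))
    print("hardened grants:  ", try_accept(accept_hardened, t, escalated, now=1500))
    print("second use:       ", try_accept(accept_hardened, t, escalated, now=1600))
```

The hardened handler never reads `payload["role"]` at all, which is the simplest way to guarantee that a tampered field cannot be honored.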

Outcome

The team resolved the findings and documented how the manual tests complement their existing automation. With a clear record of what was covered and why, leadership had confidence in the scope tested and the fixes applied.

Safe next step

Talk through your SaaS scope. No commitment required.

We can review the app, APIs, and workflows you want covered, including AI/MCP integrations when they're in scope, explain how we scope manual testing, and share a fixed quote if it is useful.

Start a conversation

or see more case studies first

No sales pressure
Fixed scope and price
You decide the timeline