Securing Airline Commerce: Penetration Testing for AWS Cloud Infrastructure

A global technology provider serving the travel and transportation sector partnered with Bishop Fox to conduct cloud penetration testing and PCI segmentation validation across its AWS-hosted environments. With customers demanding increased transparency and stronger controls, the organization sought clearer visibility into potential weaknesses and a more actionable path to risk reduction.

CUSTOMER OVERVIEW

The Bishop Fox customer delivers enterprise technology platforms that support commercial, operational, and financial processes for many major airlines worldwide. Its systems underpin everything from digital retail workflows to core transaction processing, supporting multiple specialized lines of business across the airline ecosystem. With a finite number of global carriers, opportunities to win new business are rare, and relationships are often measured in decades rather than years. The customer’s success depends on its ability to maintain high levels of service and customer trust.

As a long-established vendor in a highly specialized market, the company maintains complex infrastructure built up over decades. Recent growth, modernization initiatives, and evolving customer expectations prompted a renewed focus on cloud security, compliance preparedness, and validation of controls across its expanding environment.

“Our solutions were quite legacy in terms of architecture and tech, so we’ve had to revamp our processes: design, development, and hosting to put security at the forefront. Our customers care about security, and that shift has helped us stay competitive.”
– Principal of Enterprise Security & Architecture

THE CHALLENGE

The Bishop Fox customer delivers highly tailored solutions for major global airlines, each with its own dedicated infrastructure. This approach, while powerful for customization, introduces significant complexity in managing and securing a sprawling ecosystem of isolated environments.

Historically, the company relied on a mix of internal resources and third-party vendors for security testing. Over time, concerns grew that these assessments were not keeping pace with the company’s evolving cloud footprint or the increasing compliance expectations from clients. Prior assessments delivered primarily low or informational findings, which left internal teams questioning whether important vulnerabilities were being overlooked.

A key area of concern was PCI segmentation. As a payment processor subject to PCI DSS requirements, the customer needed to validate that its cardholder data environments (CDE) were properly isolated and secure. Their security team suspected weaknesses in segmentation but lacked the visibility and resources to confirm those concerns at scale. They were also concerned that rapid cloud growth and templated server deployments could inadvertently propagate misconfigurations or access issues across environments.

“Our environment is so large and complex that it’s impossible for any one person to fully map it out. That’s why we suspected there could be misconfigurations or gaps that had gone unnoticed.”
– Principal of Enterprise Security & Architecture

Security Challenges:

  • Determine whether PCI segmentation controls were truly effective across their AWS environments
  • Identify high-risk exposures not previously detected by earlier assessments
  • Validate that the cloud infrastructure supporting their core offerings could scale securely
  • Gain deeper, more actionable insights than those delivered by prior vendors

THE SOLUTION

In response to these security concerns, the customer engaged Bishop Fox to conduct a focused engagement that included both PCI segmentation testing and a deep cloud penetration assessment of its AWS-hosted environments. The objective was to not only meet compliance requirements but also uncover hidden risks and better understand how attackers could move through their infrastructure.

Goals of the Engagement:

  • Identify critical- and high-severity issues that could expose sensitive data or violate PCI compliance
  • Verify the segmentation controls of the cardholder data environment (CDE)
  • Discover any vulnerabilities that would expose PCI data to the external network or allow an attacker to gain access to the internal network

To meet these goals, Bishop Fox approached the engagement with a real-world attack mindset. Consultants began by identifying application-layer risks and conducting targeted source code reviews to uncover weaknesses in how the systems handled user input and internal logic. They then reviewed AWS IAM configurations to evaluate potential privilege escalation paths. With this context, the team tested segmentation boundaries and mapped potential lateral movement across cloud services to understand how an attacker could navigate the environment.

Throughout the engagement, Bishop Fox maintained close collaboration with the customer’s internal teams, offering real-time updates and actionable recommendations. Reports went beyond surface-level findings, detailing how vulnerabilities were discovered, their impact, and how to remediate them effectively.

“The difference was the depth. Bishop Fox didn’t just run a scanner. They explained how the issue was discovered, why it mattered, and what we needed to do. That saved us time and gave us confidence that we were addressing the right things.”
– Principal of Enterprise Security & Architecture

THE RESULTS

The results of the assessment confirmed the customer’s concerns and exceeded expectations in terms of depth and value. Bishop Fox uncovered findings that had not been flagged in prior assessments and enabled the customer to take immediate action:

  • Remediated Vulnerabilities: Bishop Fox uncovered previously unknown attack paths that allowed unauthenticated access to internal systems and lateral movement between them. In one case, the team obtained unauthorized read access to a PCI database containing tens of millions of encrypted payment card records and demonstrated the ability to decrypt cardholder data by exploiting weaknesses in the company’s custom cryptographic implementation. These findings triggered widespread configuration updates across cloud environments.
  • Rebuilt Server Templates: Vulnerabilities were traced back to misconfigured base images used across environments. Bishop Fox identified issues such as overly permissive IAM roles, including one role accessible from hundreds of instances that granted administrative privileges across seven AWS services. These findings led to a full review and rework of shared server templates, allowing fixes to be propagated at scale.
  • Improved Audit Readiness: The assessment provided detailed remediation reports that supported the customer’s PCI DSS audit. With issues addressed proactively, the company was able to demonstrate compliance and preparedness with confidence. This included documentation of resolved SQL injection vulnerabilities in its web applications, as well as improved segmentation enforcement across AWS environments.
  • Increased Customer Trust: Major airline clients were reassured by the improved visibility and thorough reporting delivered by the Bishop Fox engagement. The detailed findings and evidence of remediation helped the company provide clear answers during security reviews from its most security-conscious customers.
  • Shifted Internal Mindset: The findings challenged long-standing assumptions and encouraged teams to reevaluate how security was being approached in day-to-day operations. This included weak credential management practices, used by the Bishop Fox team to pivot across three internal Active Directory domains and gain database administrator (DBA) access to the production PCI environment. These revelations prompted internal reviews and changes in access governance.

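The “Rebuilt Server Templates” finding above describes a single IAM role, baked into a shared base image, that granted administrative rights across seven AWS services to hundreds of instances. The following added example (not code from Bishop Fox or from the customer) shows the kind of offline check a defender can run over exported role policy documents to catch that pattern before a template is propagated: it flags any Allow statement that grants `service:*` (or a bare `*`) on `Resource: "*"`, and ranks roles by blast radius using the number of instances that use each role. The policy documents, role names and instance counts are constructed samples; in practice they would come from the IAM and EC2 APIs.

```python
"""Flag IAM role policies that grant service-wide administrative rights on all resources.

Added example for auditing templated instance roles; the data below is constructed.
"""
import json

# Constructed sample inline policies keyed by role name (not the customer's real policies).
SAMPLE_POLICIES = {
    "app-server-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::app-assets/*"},
            {"Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*"},
        ],
    },
    "base-image-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:*", "s3:*", "iam:*", "rds:*", "lambda:*", "dynamodb:*", "kms:*"],
             "Resource": "*"},
        ],
    },
    "full-admin-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Constructed counts of EC2 instances whose instance profile carries each role.
# In practice, gather these from ec2:DescribeInstances and iam:ListInstanceProfilesForRole.
SAMPLE_INSTANCE_COUNTS = {"app-server-role": 12, "base-image-role": 340, "full-admin-role": 1}


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def admin_services(policy):
    """Return the set of services for which the policy grants 'service:*' on Resource '*'.

    A bare '*' action is reported as the pseudo-service '*' (every service). Only Allow
    statements are considered; explicit Deny statements elsewhere are not subtracted, so
    the result is an upper bound that should be confirmed against the effective policy.
    """
    if isinstance(policy, str):  # accept the raw JSON document as well
        policy = json.loads(policy)
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions: treat as full admin.
            services.add("*")
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                services.add("*")
            elif action.endswith(":*"):
                services.add(action.split(":", 1)[0])
    return services


def audit_roles(policies, instance_counts):
    """Return findings for every role with service-wide admin rights, largest blast radius first."""
    findings = []
    for role, policy in policies.items():
        services = admin_services(policy)
        if not services:
            continue
        instances = instance_counts.get(role, 0)
        # A bare '*' or a role shared by a large fleet is the worst case for a templated image.
        severity = "critical" if ("*" in services or instances >= 100) else "high"
        findings.append({"role": role, "services": sorted(services),
                         "instances": instances, "severity": severity})
    findings.sort(key=lambda f: (-f["instances"], f["role"]))
    return findings


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_POLICIES, SAMPLE_INSTANCE_COUNTS):
        print(f"[{f['severity'].upper()}] {f['role']}: admin on {len(f['services'])} "
              f"service(s) {f['services']} used by {f['instances']} instance(s)")
```

The check deliberately keys on `Resource: "*"` rather than on the action alone, since a `logs:*` grant scoped to one log group is a very different risk from `iam:*` on everything. Attached managed policies and permission boundaries are not evaluated here, so treat a clean result as a first pass, not proof that the role is least-privilege.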
The clarity and depth of these findings enabled faster decision-making, stronger internal alignment, and more effective responses to customer scrutiny.

“The report went straight to our infrastructure team, and they started remediation immediately. That kind of clarity doesn’t happen often. It made my job easier and helped us respond faster.”
– Principal of Enterprise Security & Architecture

“The segmentation testing was the most important part. We had clues that something might be off. And when Bishop Fox came in, they confirmed that and uncovered even more that we didn’t expect. It was a wake-up call.”
– Principal of Enterprise Security & Architecture

CONCLUSION

The partnership with Bishop Fox delivered more than a technical assessment; it reshaped how the organization approaches risk across its cloud and PCI environments. The engagement revealed important gaps, provided actionable guidance, and accelerated remediation.

The impact of the assessment strengthened the company’s security posture and positioned it to better meet evolving customer expectations. Moving forward, the organization plans to continue investing in offensive security as it scales its cloud capabilities and navigates an increasingly complex threat landscape.

“Bishop Fox helped us challenge assumptions we’d relied on for years. It opened the door for us to rethink how we build and secure these environments.”
– Principal of Enterprise Security & Architecture

Customer Profile
Industry: Transportation
Services Provided: Cloud Penetration Testing, PCI Compliance