Insights · 18 February 2025 · by Carl Penwarden

Enhancing Security: Inside Our Annual Penetration Testing Process

A look inside Addressfinder’s annual penetration testing process, from approach to key results and plans for the future. Find out how we adopted a unified approach to testing and why we gave the testers access to our source code.


At Addressfinder, we know that trust is earned through a combination of reliability, security, and delivering exceptional service to our customers. As a leading provider of address, email and phone number verification, as well as address autocomplete services in New Zealand and Australia, we help businesses improve data accuracy, streamline deliveries, and enhance customer experiences. Security is at the heart of our operations, ensuring that our platform remains reliable, robust, and protected against potential threats.

One of the ways we uphold this commitment is through an annual penetration testing process. This year, we made significant changes to improve the depth and effectiveness of these tests. Here’s a look inside the process, what we did differently, and why it matters.


What’s new in our penetration testing process?

Every year, we engage experienced security professionals to identify and address vulnerabilities in our systems. While this has been a cornerstone of our approach to cybersecurity, this year we decided to enhance the process in two key ways.

1. A unified approach to testing

Previously, we conducted penetration testing separately for our API and portal. While effective, this siloed approach didn’t account for the interconnected nature of our platform: the portal and the API share accounts, credentials and data, so a weakness on one side can be reachable from the other.

This year, we combined API and portal testing into a single, unified assessment. Testing the system as a whole let the testers follow those cross-component paths and uncover vulnerabilities that isolated tests could have missed, giving us a comprehensive view of the platform’s security posture.

2. Providing source code access to testers

For the first time, we gave the penetration testers access to our source code. This made the engagement a white-box (source-assisted) test, a significant departure from traditional black-box testing, where testers interact with the system externally without insight into the underlying code.

Access to the source code allowed the testers to combine static analysis, examining the code itself for potential vulnerabilities, with dynamic testing of the running system. This approach offered several advantages:

  • Deeper Insights: Testers could understand the architecture, workflows, and business logic, which helped them identify subtle vulnerabilities that might not surface in dynamic testing.
  • Improved Testing Efficiency: With access to the code, testers could pinpoint the exact locations of vulnerabilities, allowing for faster and more targeted remediation.
  • Simulating Real-World Risks: By mimicking scenarios where an attacker might gain unauthorised access to our codebase, we were able to test our defences against worst-case situations.

Key results

The enhanced testing process yielded significant insights:

  • No critical issues identified: A testament to the strength of our existing security measures.
  • Findings: The report revealed 3 high, 3 medium, 6 low, and 4 informational issues.

Among the findings, one noteworthy discovery was an outdated SSH private key committed to our source code nearly a decade ago. The key was no longer in use, but a credential that has ever been committed should be treated as compromised regardless of whether it is still valid: version control keeps every past revision, so deleting the file does not remove the key from the repository’s history, and the key must be revoked and purged from history rather than simply removed from the current tree. The finding underscored the importance of rigorous code review and of routinely scanning commits for secrets.
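The kind of check that catches this class of finding, as an added example that is not Addressfinder’s code: a small secret scanner that flags private-key PEM headers (plus a couple of common token formats) in files on disk and, optionally, in every line ever added in a git repository’s history, since a key that is “no longer in use” is still recoverable from old commits. The file names and contents in `SAMPLE_FILES` are constructed for the demonstration.

```python
"""Minimal secret scan for the finding described above: a private SSH key
committed to source. Added example, not Addressfinder code."""
import re
import subprocess
import tempfile
from pathlib import Path

# High-confidence signatures. The PEM header is the one relevant to the
# SSH-key finding; the other two are common neighbours. This set is
# illustrative, not exhaustive (production scanners ship hundreds of rules).
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}

SKIP_DIRS = {".git", "node_modules", "vendor"}


def scan_text(text, origin="<text>"):
    """Return (origin, line_no, pattern_name) for every matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((origin, n, name))
    return hits


def scan_tree(root):
    """Scan every text file under root; binary files are skipped."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or SKIP_DIRS & set(p.parts):
            continue
        try:
            text = p.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue
        hits.extend(scan_text(text, p.relative_to(root).as_posix()))
    return hits


def scan_git_history(repo):
    """Scan lines *added* by any commit on any branch. This is the check that
    catches a key deleted from the working tree years ago: git still holds
    the old revision. Origin is 'git:<short hash>'; line_no is 0 because a
    diff hunk does not carry the original file line number."""
    out = subprocess.run(
        ["git", "-C", str(repo), "log", "-p", "--all", "--format=commit %H"],
        capture_output=True, text=True, check=True).stdout
    hits, commit = [], "?"
    for line in out.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+") and not line.startswith("+++"):
            hits.extend((f"git:{commit}", 0, name)
                        for name, pat in PATTERNS.items()
                        if pat.search(line[1:]))
    return hits


# Constructed sample tree: one leaked private key (the finding), one public
# key and one ordinary config line, the latter two must NOT be flagged.
SAMPLE_FILES = {
    "config/deploy.rb": "set :repo_url, 'git@example.invalid:app.git'\n",
    "config/deploy_key": ("-----BEGIN RSA PRIVATE KEY-----\n"
                          "MIIEowIBAAKCAQEA...constructed...\n"
                          "-----END RSA PRIVATE KEY-----\n"),
    "config/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2E deploy@example.invalid\n",
}


def demo():
    """Write the sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE_FILES.items():
            p = Path(d) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_tree(d)


if __name__ == "__main__":
    for origin, n, name in demo():
        print(f"{origin}:{n}: {name}")
```

Run `scan_tree` in a pre-commit hook or CI job to stop new keys landing, and `scan_git_history` once against each repository to find what is already there. Anything it reports has to be rotated as well as removed, and removal means rewriting history (for example with `git filter-repo`), not just deleting the file in a new commit.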

Additionally, the testers identified areas where our workflows, such as single sign-on (SSO), could be refined to further enhance security and user experience. These findings allowed us to address potential vulnerabilities proactively and strengthen our platform.

The value of a proactive approach

This year’s penetration testing process highlighted the benefits of proactive and thorough security assessments. By combining API and portal testing and incorporating static code analysis, we were able to:

  • Gain a comprehensive understanding of our platform’s security.
  • Prioritise and address vulnerabilities more effectively.
  • Simulate real-world scenarios to validate our defences.

The insights gained through this process not only improved our current security posture but also equipped us with actionable strategies to maintain a secure platform as we grow.


Looking ahead

At Addressfinder, security is an ongoing journey. While we’re proud of the progress made this year, we remain committed to continuous improvement. Our future plans include exploring additional testing methodologies, enhancing real-time monitoring, and further strengthening our internal processes.

After successfully obtaining SOC 2 Type 1 last year, which assesses the design of our controls at a point in time, we are working towards SOC 2 Type 2 in early 2025, which assesses how effectively those controls operate over a period, to continue to hold ourselves to the highest privacy and compliance standards.

Through these efforts, we aim to ensure that our platform remains a trusted tool for businesses across New Zealand and Australia. By staying ahead of potential threats, we continue to deliver the reliability and peace of mind that our customers expect from Addressfinder.


Security: A continuous mission

Cybersecurity is a shared responsibility, and proactive measures like penetration testing are key to protecting sensitive data and maintaining trust. By embracing innovation and evolving our processes, we’re building a stronger, safer future for Addressfinder and its customers.

Stay tuned for more updates as we’ve got some more exciting news about our security journey in the coming months.
