Confidential client · Romania · Q4 2025
A Romanian healthcare SaaS platform storing patient appointment data, medical records, and insurance information for 40 clinics across Romania was pursuing a partnership with a major hospital network. The hospital's IT security team required a documented security audit before signing — specifically: a penetration test, a GDPR compliance review, and a Kubernetes security assessment. The platform had never had a formal security review.
The platform ran on a managed Kubernetes cluster (AKS) with a React frontend, a Python Django API, and a PostgreSQL database. The engineering team was three people. They had moved fast building the product and acknowledged that security had been a lower priority than shipping features. They expected findings — they needed to know what they were and how to fix them systematically.
The deadline was firm: the hospital's security team had a review meeting in six weeks. We had four weeks to complete the audit and two weeks for the client to implement remediations before the meeting.
We ran a four-track parallel audit: attack surface mapping, Kubernetes security review, application security assessment (OWASP Top 10), and GDPR/data processing compliance review. All findings were documented with severity ratings, reproduction steps, and specific remediation guidance.
Nmap and Masscan enumerated the external attack surface. We found three unexpected open ports — two were development services accidentally exposed to the internet (a Jupyter notebook and a Redis instance with no authentication). These were the two Critical findings. Both were closed within 24 hours of the report.
We ran kube-bench against the CIS Kubernetes Benchmark and Trivy for container image scanning. Key findings: 11 containers running as root, no network policies isolating namespaces, several images with HIGH CVEs that had available patches, and Kubernetes secrets stored as base64 (not encrypted at rest). We recommended migrating to HashiCorp Vault for secrets management and provided the Helm charts to do so.
We found SQL injection vulnerabilities in two API endpoints (critical — direct database access possible), insecure direct object references in the patient record API (a logged-in user could access other patients' records by incrementing an ID), missing rate limiting on the authentication endpoint, and verbose error messages exposing stack traces in production. The IDOR vulnerability in the patient record API was the most severe finding — it would have allowed any authenticated user to read any patient's full medical record.
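The two most severe application findings share one root cause: a record lookup that trusts the identifier in the URL alone. The following is an added illustration, not the client's code, contrasting that pattern with a lookup that binds the id as a query parameter and scopes it to the caller's tenant (the `clinic_id` column and the sample rows are constructed; in the real system the scoping key would be whatever ownership relation applies, such as the patient's own id or the clinic a staff member belongs to).

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample schema and rows for this example; not the client's data model.
SCHEMA = """
CREATE TABLE patient_record (
    id        INTEGER PRIMARY KEY,
    clinic_id INTEGER NOT NULL,
    patient   TEXT    NOT NULL,
    notes     TEXT    NOT NULL
);
INSERT INTO patient_record VALUES (1, 10, 'Patient A', 'clinic 10 record');
INSERT INTO patient_record VALUES (2, 10, 'Patient B', 'clinic 10 record');
INSERT INTO patient_record VALUES (3, 20, 'Patient C', 'clinic 20 record');
"""


@dataclass(frozen=True)
class AuthenticatedUser:
    user_id: int
    clinic_id: int  # tenant bound to the session server-side, never taken from the request


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_record_unscoped(conn: sqlite3.Connection, user: AuthenticatedUser, record_id) -> Optional[tuple]:
    """Illustrative shape of the flawed lookup: the id is interpolated into the SQL
    (injection) and nothing ties the row to the caller (IDOR), so any logged-in
    user can walk ids 1, 2, 3, ... and read every clinic's records."""
    sql = f"SELECT id, clinic_id, patient FROM patient_record WHERE id = {record_id}"
    return conn.execute(sql).fetchone()


def get_record(conn: sqlite3.Connection, user: AuthenticatedUser, raw_id: str) -> Optional[dict]:
    """Hardened lookup: validate the identifier, bind it as a parameter, and let the
    database enforce authorisation by scoping on the caller's clinic. Not-found and
    not-yours both return None, so the endpoint cannot confirm which ids exist."""
    if not raw_id.isdigit():  # reject anything that is not a plain integer id
        return None
    row = conn.execute(
        "SELECT id, clinic_id, patient, notes FROM patient_record "
        "WHERE id = ? AND clinic_id = ?",
        (int(raw_id), user.clinic_id),
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "clinic_id": row[1], "patient": row[2], "notes": row[3]}
```

In a Django view the same effect comes from filtering the queryset on the session's tenant (for example `PatientRecord.objects.filter(clinic=request.user.clinic)`) before calling `get_object_or_404`, so the ownership check cannot be forgotten per endpoint.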
The GDPR review covered data processing agreements with sub-processors, patient consent flows, data retention policies, and breach notification procedures. Primary finding: there was no formal data retention policy — patient data was kept indefinitely. We worked with the client's legal counsel to draft a retention schedule and implement automated deletion workflows for records past their retention period.
"We knew we had gaps — we didn't know some of them were that serious. The structured report gave us a clear priority order and the remediation guidance meant we could fix things without hiring a security team."
— CEO, Confidential Healthcare Platform

The client passed their subsequent ANSPDCP review without any findings and now uses the audit infrastructure we deployed to produce automated monthly compliance reports.