Summary
Key results
- Security verification of all new and updated applications
- Clear, actionable recommendations addressing identified vulnerabilities
Parallel application development and increasing exposure to vulnerabilities
In the insurance sector – where sales, customer service, and claims processes increasingly rely on web applications – security is essential for operational continuity and regulatory compliance.
Vienna Insurance Group launched a comprehensive IT modernization program that included the development of new applications and the enhancement of existing systems, some of which processed sensitive customer and agent data.
Most projects were delivered by external vendors applying their own security standards. Without independent verification, there was a risk that applications could reach production with undetected vulnerabilities. This created potential exposure to post-deployment security incidents, costly remediation efforts, and delays in system launches.
Additionally, new releases – both web and mobile – were introduced continuously, requiring regular security validation prior to publication. Without a permanent, independent testing mechanism, the organization faced the risk of inconsistent protection standards and vulnerabilities identified only after deployment.
To mitigate these risks and ensure resilience against cyber threats, VIG partnered with Sii Poland – a trusted provider supported by a team of over 1 500 certified testers (95% ISTQB-certified) and extensive experience delivering services for large international insurers such as UNIQA and ERGO.
Comprehensive security validation of new and evolving applications
Sii’s objective was to provide VIG with an independent and reliable security assessment of applications developed by multiple vendors.
Sii experts performed vulnerability assessments and penetration tests in line with OWASP (Open Worldwide Application Security Project) best practices – an internationally recognized standard for application security testing – complemented by manual exploitation attempts to validate real-world impact.
Scope of work included:
- Grey-box penetration testing – simulated attacks performed with limited system knowledge
- Vulnerability assessment – identification of weaknesses in both application and communication layers
- Manual verification and exploitation of detected vulnerabilities to confirm actual risk exposure
- Secure code review to identify security flaws not externally visible
- Testing aligned with the OWASP Web Security Testing Guide for comprehensive threat coverage
- Detailed reports for each application, including vulnerability descriptions, risk ratings, and remediation recommendations
As a result, VIG received a prioritized list of risks together with clear guidance on effective mitigation measures. The cooperation is ongoing and cyclical, with security tests conducted regularly for new applications and subsequent releases.
Secure releases and improved control over application quality
Through independent testing delivered by Sii Poland, Vienna Insurance Group gained confidence that newly developed and modernized applications are resilient against common attack vectors and that security quality does not rely solely on the vendors responsible for development.
The organization achieved full transparency of risks and actionable remediation guidance, enabling vulnerabilities to be addressed before systems enter the production environment.
Improved security governance also delivered long-term benefits, including reduced remediation costs, stronger regulatory compliance, and increased resilience of the IT landscape against cyber incidents.
The recurring testing model enables VIG to maintain a consistently high cybersecurity standard in a dynamically evolving IT environment and ensures regulatory compliance with every release. Ongoing cooperation with a single, experienced partner enhances process predictability and shortens response time to identified threats.
Key results
- Verified security of new and modernized web applications
- Clear identification and prioritization of detected vulnerabilities
- Actionable remediation recommendations for each application
- Increased system resilience and minimized exposure to potential threats
- Consistent security standards regardless of the application vendor