Many companies will purchase a product or set up network resources, and then request that those applications or network environments be tested to assess the state of their security. However, there are times when the business developing a product wishes to have a penetration test performed. Sometimes this is in response to an incident. Other times, there are contract or compliance considerations driving the decision.
One of the questions frequently asked is whether we can test a product that is being sold to customers. And yes, this is something conducted on a regular basis. This type of testing often spans several different industries and technologies, and can be done on just about any product. This includes cloud solutions, web applications or portals, mobile applications, home-grown platforms that interact with corporate infrastructure, and more.
This question quickly follows the first one, and is addressed early in an engagement by identifying the proper scope. If things are scoped well, then the rest of the test typically flows much better. There are different types of penetration tests that can be done, but an application test is usually what people have in mind. Deciding which type of application test to do is not always straightforward. In our experience, we’ve found that there are a lot of benefits to gray box testing, especially if this is the first time your product is being assessed. If you are still unsure, then it may be worth setting up a meeting to weigh the pros and cons of how best to proceed.
This question surfaces from time to time and the response is, “No, we do not pass the results on to other organizations.” Due to legal requirements, such as NDAs, the results are returned directly to you as the party that purchased the penetration test. Any disclosure of the results to your customers should be handled in accordance with your organization’s policies or requirements.
Yes. While we share the test results directly with you, it is common to work with organizations to communicate that a penetration test was performed. This is usually done as an attestation letter which can be shared with customers, auditors, and other businesses on an as-needed basis.
More Questions?
We hope you found this helpful. Please contact us if you have additional questions.