Vendor risk management and penetration testing

Prospective customers are increasingly asking their SaaS providers to share the results of the latest security testing exercises, as a part of their vendor due diligence process. From the security point of view, this practice is appreciable. Over the course of the last few years, the security of the services being availed has become a crucial factor in the vendor selection process. While large scale enterprises started performing vulnerability assessment and penetration testing many years ago, other service providers are increasingly conducting penetration testing exercises to demonstrate that they maintain an adequate level of security.

As required by various regulations and standards, many organizations have a vendor due diligence process in place. This due diligence process involves an exhaustive questionnaire which has to be filled by a prospective vendor. This questionnaire generally has open-ended questions that ask about the security testing activities of the vendor and evidence for the same.

Compliance requirements

Based on the industry sector you operate in; compliance requirements are going to vary. If you deal with credit card data, it is reasonable to presume that you need to comply with PCI DSS. Or if you process health-related information, you are expected to demonstrate compliance with the Health Insurance Portability and Accountability Act (HIPAA). Similarly, there are so many standards, frameworks, best practices, etc. that an organization can comply with. All of them help in achieving the same goal: giving an assurance that information security risks are controlled and managed.

If a customer uses your platform to process credit card data, your platform must comply with PCI DSS. Accordingly, if your customer (an organization) is performing important business operations through your platform, this introduces a security risk that they must manage. This is precisely why they have a vendor risk management process in place. Vendor risk management may have other requirements as well; but for this article, we are going to focus on penetration testing.

Who should conduct penetration tests?

As a SaaS provider, you cannot declare for yourself that your platform/application is secure because you carried out a penetration test. While you can conduct internal security tests, it is equally important to work with an external party to execute penetration tests on your IT infrastructure and document the findings. Ideal SaaS providers should aim to address the findings of the penetration testing exercise and request a retest to verify the measures that they have put in place.

BreackLock offers an innovative SaaS platform to fulfill the security testing needs of our clients in one place. This cloud platform combines the power of machine intelligence with human expertise. Through BreachLock platform, our customers can order tests and retests in a matter of a few clicks.

Apart from vulnerability assessment and penetration testing, a customer may inquire you about internal security practices for employees and vendors. They can also ask you whether you perform such risk assessments or not. During vendor risk assessments, questions related to the following are very common:

1. Who conducted the penetration test?
2. What is their expertise?
3. What was the scope and methodology of the penetration test?
4. How did you ensure the confidentiality of customer information that the penetration testing team accessed during the test?
5. Information about reports and prioritization of vulnerabilities and issues
6. Corrective measures and follow-ups

Scope and frequency of penetration tests

Scope for penetration testing exercises is decided before the testing process begins. It is pertinent that the penetration testing team, as well as your organization, fully agree to the scope. You must ensure that your penetration tests have full coverage of your IT infrastructure. One recommended measure here is to prepare a network map to help you in documenting the scope. As far as methodology is concerned, your vendor will have a pre-defined methodology that you can ask them about.

Frequency of penetration tests is a significant challenge that SaaS providers often face. Rarely, a standard or regulation would specify the duration of security testing activities. From what we have seen over the years, it is expected that you conduct penetration tests once every year as well as when significant changes occur in your network. If the industry you deal in is highly sensitive or critical, you may go for six-monthly tests.

How does BreachLock help?

Being a SaaS security provider, we understand the specific needs of our fellow SaaS providers. We execute comprehensive penetration testing exercises, retest your patches and fixes, and provide a third-party security certification that you can utilize when your customers ask for vendor risk management. With a highly experienced and certified team, our methodology is aligned with OWASP and OSSTMM testing methodology. Given that all of our offerings are facilitated through our client platform, all our clients get standard assurance and high-quality consistent results. Schedule a call now to learn more about Breachlock Penetration Testing