
Simple answers to tough questions

Your questions answered


Tell us more about your depth of coverage. How does your comprehensiveness compare to other penetration testing vendors?

We conduct light threat modelling with every penetration test. Our team creates tailored attacks based on your data flow, business logic, integrations, competitive landscape, industry and clients. 

In addition to the testing methodology customized to your attack surface, we also map to multiple standards (OWASP Top 10, SANS Top 25, WSTG, ASVS, NIST) for the most in-depth coverage. 

What information would you need in order to provide accurate pricing?

Pricing for pentesting services is based on the scope of the attack surface, which is determined by assessing the number of endpoints, public-facing IPs, roles and authentication methods. Check out our "5 Steps to Scoping a Penetration Test" document.

How much time do my developers have to dedicate to the penetration test?

Penetration testing will not derail your sprint cycle if it is planned as part of it. Planning and preparation reduce the anxiety and stress of condensed timelines and help build more security champions on your team. Evaluating and improving your sprint cycle and security relationship will help you push features and updates more efficiently, without compromising security. For more information on pentesting and sprint cycles, read our blog.

How does penetration testing help us with compliance?

Our comprehensive penetration tests help you meet compliance frameworks such as SOC 2, ISO 27001, PCI-DSS, HIPAA, as well as cybersecurity insurance requirements. All of our application penetration tests include infrastructure testing. This assists in meeting both the infrastructure and application controls required for compliance and provides security assurance.

Does feature development change our penetration testing strategy?

Many clients choose biannual or quarterly Penetration Testing as a Service to integrate security into their development pipeline. The initial baseline penetration test provides depth of coverage, and the subsequent penetration tests address only the new features and product developments. This strategy speeds up security operations and aligns with your product roadmap.

What certifications do your penetration testers have?

All of our penetration testers are full-time, in-house, Canadian-based security professionals. They are experienced ethical hackers and hold a variety of qualifications such as Offensive Security Certified Professional (OSCP), GIAC Web Application Penetration Tester (GWAPT), GIAC Secure Software Programmer - .NET (GSSP-.NET), Certified Ethical Hacker (CEH), AWS Certified Security - Specialty, and AWS Certified SysOps Administrator - Associate designations. On top of that, they bring a ton of experience from sophisticated security teams like IBM X-Force and the Wells Fargo Central Security Code Review team, proving their ability to handle any size of application. In November 2022, our penetration testers competed in a grassroots security conference CTF and came in first place, beating out penetration test teams from Shopify, IBM and other respected security teams. We are proud to support our penetration testers in their continued professional development, including speaking engagements at industry conferences (DEF CON and Confoo).

What security controls are you following?

Within Portal, client data is physically separated: each client has their own database, as Portal has a single-tenant architecture. Granular access permissions based on role and project assist clients in meeting compliance requirements and managing technical risk, in line with least-privilege best practices. Portal enforces complex password requirements and leverages OAuth for client authentication.

What do your penetration test reports look like?

Our actionable reports include an executive summary, vulnerability descriptions, impact on the business, steps to reproduce and suggested remediation methods. All vulnerabilities are peer reviewed twice, and risk is calibrated according to CVSS and DREAD.

What support do you provide post-pentest, including retesting? How much does it cost?

After the report is delivered, there is an optional read-out meeting with our team to go over the results and assist with remediation. Email and our Slack integration are available for quick questions regarding your report. Decision-making support on when to eliminate, mitigate, delegate and accept risk is offered to all clients, and 3 rounds of retesting are included to support your SLAs. Penetration Testing as a Service clients benefit from unlimited on-demand retesting and 2 hours of security consulting per month.

Have a question not listed here?

Get answers: info@softwaresecured.com