Stars-image
0 Comments

Should You Be Sharing Penetration Test Reports?

 

TRANSCRIPTION

If you're trying to land a large enterprise contract and you're in the middle of the vendor vetting process and you're starting to get security questionnaires and the security team of your prospect is asking for things like your penetration test report and your governance documentation, just remember, unfortunately, your prospects, your clients are not always right. Just because they ask for those things doesn't mean that you send them, because think about what you're sending right. Your penetration testing reports, your government's documentation is a lot of sensitive information and it even can actually undermine your credibility a little bit if you put yourself in the shoes of the people vetting you, the security teams of these large organizations that you're after, if you're just willing to send everything over there thinking, oh, wow, they're pretty open with their information. Right. So a lot of these things can be accomplished in a different way. And sometimes it takes a little bit of pushback on your side. For example, instead of sending a full penetration test reports, send a letter of attestation. Your pen testers should have provided that to you. An overview of the penetration testing activities, the results and so on.

If they need to get on the phone with your prospect and discuss the penetration tests and how it went, maybe share screenshots of the report, then that's fine as well. But it's a lot better to do that than send a full report. Same thing with governance documentation. Usually those discussions can be had over video conference and you can screen share and walk through the documentation. They can get enough of what they need to understand whether or not you have your security program in place to their standards. And meanwhile, you're not spelling out a bunch of sensitive information, because if you do, if you start sending all this stuff out, think about what's going on. The tides are turning right and all of a sudden you should be vetting them from a security perspective. You should be having them send down response to a security questionnaire, because now if you send all this over, they're harboring your sensitive data that's stored in their environment. So just consider that when you're in the middle of the vendor vetting process.

Contact Silent Sector to speak with an expert about penetration testing considerations, requirements, and methods.

About the Author

Written by Zach Fuller

Zach’s Experience Zach Fuller has built businesses across some of the most demanding arenas in the public and private sectors, and he brings the same discipline and clarity of purpose to cybersecurity. Fuller served as a Green Beret in the U.S. Army, conducting highly sensitive combat operations in Afghanistan. He was awarded the Bronze Star Medal, the Meritorious Service Medal, and additional decorations for his service overseas. The experience shaped more than a resume — it forged a methodology: to serve, protect, and lead others to victory. After leaving the military, Fuller moved into private equity, where he built an investor relations team and systems for a fast-growing firm. As Executive Vice President, he led the team to raise over $300M in private capital for residential and commercial real estate acquisitions. He also helped the company earn recognition as an Inc. 500 Fastest-Growing Private Company in America. Today, Fuller applies that same operational precision to cybersecurity as a managing partner of Silent Sector. Holding certifications including the Certified Ethical Hacker (CEH), CompTIA Security+, CompTIA Network+, CompTIA A+, and Certified Cyber Intelligence Professional (CCIP), he leads strategy for the firm built on one mission: to protect mid-market and emerging companies — the backbone of the American economy — through Expertise-Driven Cybersecurity®.