Silent Sector Blog

Should You Be Sharing Penetration Test Reports?

Written by Zach Fuller | Jul 8, 2021 4:40:43 PM

 

TRANSCRIPTION

If you're trying to land a large enterprise contract, you're in the middle of the vendor vetting process, and you're starting to get security questionnaires, and the security team of your prospect is asking for things like your penetration test report and your governance documentation, just remember: unfortunately, your prospects and your clients are not always right. Just because they ask for those things doesn't mean that you send them, because think about what you're sending. Your penetration testing reports and your governance documentation contain a lot of sensitive information, and sending them can actually undermine your credibility a little bit. Put yourself in the shoes of the people vetting you, the security teams of these large organizations that you're after: if you're just willing to send everything over, they're thinking, "Wow, they're pretty open with their information." So a lot of these things can be accomplished in a different way, and sometimes it takes a little bit of pushback on your side. For example, instead of sending a full penetration test report, send a letter of attestation. Your pen testers should have provided that to you: an overview of the penetration testing activities, the results, and so on.

If they need to get on the phone with your prospect and discuss the penetration test and how it went, or maybe share screenshots of the report, then that's fine as well. It's a lot better to do that than to send the full report. Same thing with governance documentation. Usually those discussions can be had over video conference: you can screen share and walk through the documentation, and they can get enough of what they need to understand whether or not you have a security program in place that meets their standards. Meanwhile, you're not spelling out a bunch of sensitive information, because if you start sending all this stuff out, think about what's going on. The tides are turning, right? All of a sudden you should be vetting them from a security perspective. You should be having them send over a response to a security questionnaire, because now, if you send all this over, they're harboring your sensitive data, stored in their environment. So just consider that when you're in the middle of the vendor vetting process.

Contact Silent Sector to speak with an expert about penetration testing considerations, requirements, and methods.