Penetration testing: the expected requirements of enterprise

Penetration testing is a critical practice for verifying the technical security of Software as a Service (SaaS) products. Enterprise customers expect it, especially when compliance reports such as SOC 2 are involved, and they often want to review the penetration test report themselves as part of their due diligence. Here’s a guide to the role of penetration testing in your security strategy, how it differs from vulnerability scanning, and how to apply the ‘just enough’ principle so your effort stays efficient and aligned with industry expectations.

The role of penetration testing
Penetration testing is designed to identify and exploit vulnerabilities within your systems, simulating the actions of an attacker. This process helps uncover potential security weaknesses that could be exploited in a real-world attack, providing insights that are crucial for strengthening your security posture.

Penetration testing vs. vulnerability scans
It’s important to differentiate between penetration testing and vulnerability scans, as they serve different purposes and are often confused due to the increasing automation in both areas.

  • Vulnerability scans: these are typically automated processes that check your systems against databases of known vulnerabilities (for example, outdated package versions with published CVEs, or common misconfigurations). They are less intrusive and quicker than penetration tests, making them suitable for frequent use. Vulnerability scans are often run continuously, daily, or at least quarterly, and particularly after significant changes or updates to your tech stack. A scan reports a likely match; it rarely proves that the weakness is actually reachable or exploitable in your deployment.
  • Penetration tests: in contrast, penetration tests are more comprehensive and involve manual work by security professionals. They go beyond identifying vulnerabilities by attempting to exploit them and chain them together, giving a more realistic assessment of your system’s defenses. While automation is increasingly used in pen testing, the manual aspect still offers significant value in uncovering issues that scanners cannot see, such as business-logic flaws, authorization bypasses, and weaknesses that only appear when several lower-severity findings are combined.

Implementing 'just enough'
For a SOC 2 Type 1 report, you can get by with a confirmed plan for your first penetration test, provided you have already completed a vulnerability scan. The penetration tests themselves are then reviewed during your Type 2 engagement, and they should be conducted at least annually. Automated pen tests with human oversight can be accepted to pass the control; however, check that this fits your enterprise customers’ expectations, because this is a control area that enterprises often query directly, regardless of whether it is covered in your SOC 2 or other compliance reports.


➡️ Doing less tip #1: complement pen tests with vulnerability scans

  • Frequent scanning: while penetration tests are typically conducted annually, vulnerability scans should be run more frequently so that new vulnerabilities are identified and addressed as they arise. Good practice is to scan at least quarterly and after every significant update or release.
  • Balancing the workload: use vulnerability scans to maintain ongoing coverage, and reserve the more resource-intensive penetration tests for a thorough annual review. This keeps continuous visibility of known weaknesses without overburdening your team with constant deep-dive testing.
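Scanning frequently only helps if the output is acted on consistently, so the scan needs a triage policy that decides what blocks a release and what is merely tracked. The following is an added example, not code from the original article or from any scanner vendor: it parses a constructed, generic scanner report (the JSON shape, the CVE identifiers, the package names, the SLA values, and the risk-acceptance list are all assumptions made up for this illustration), deduplicates findings, honours time-limited risk acceptances, and returns a release-gate decision. Adapt the loader to your real scanner’s schema and the SLA table to your own policy.

```python
"""Release-gate triage for automated vulnerability scan output.

Added example, not from the original article. The report format below is a
constructed, generic shape (id, package, version, severity, fixed_in,
first_seen); real scanners use their own schemas.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Remediation SLA in days per severity. Assumed policy values for this example.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
# Severities that block a release as soon as a fixed version exists.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str
    fixed_in: Optional[str]  # None when no fixed version is published yet
    first_seen: date         # when this finding first appeared in a scan


def load_findings(report_json: str) -> List[Finding]:
    """Parse the constructed report, dropping duplicate (id, package, version) rows."""
    seen = set()
    findings = []
    for raw in json.loads(report_json)["findings"]:
        key = (raw["id"], raw["package"], raw["version"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(Finding(
            vuln_id=raw["id"],
            package=raw["package"],
            version=raw["version"],
            severity=raw["severity"].upper(),
            fixed_in=raw.get("fixed_in"),
            first_seen=date.fromisoformat(raw["first_seen"]),
        ))
    return findings


def triage(findings: List[Finding], today: date,
           risk_acceptances: Dict[str, date]) -> Dict[str, List[str]]:
    """Bucket findings into accepted / blocking / overdue / informational.

    risk_acceptances maps vuln_id -> expiry date. An expired acceptance is
    ignored, so the finding is judged on its merits again.
    """
    result: Dict[str, List[str]] = {
        "accepted": [], "blocking": [], "overdue": [], "informational": []}
    for f in findings:
        expiry = risk_acceptances.get(f.vuln_id)
        if expiry is not None and today <= expiry:
            result["accepted"].append(f.vuln_id)
            continue
        age_days = (today - f.first_seen).days
        if f.severity in BLOCKING_SEVERITIES and f.fixed_in is not None:
            result["blocking"].append(f.vuln_id)   # fix exists: ship it first
        elif age_days > SLA_DAYS[f.severity]:
            result["overdue"].append(f.vuln_id)    # past SLA even without a fix
        else:
            result["informational"].append(f.vuln_id)
    return result


def release_allowed(buckets: Dict[str, List[str]]) -> bool:
    """The gate fails on anything blocking or overdue; accepted items pass."""
    return not buckets["blocking"] and not buckets["overdue"]


# Constructed sample report; identifiers and packages are made up.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "CVE-2024-0001", "package": "openssl", "version": "3.0.1",
     "severity": "critical", "fixed_in": "3.0.13", "first_seen": "2024-05-30"},
    {"id": "CVE-2024-0001", "package": "openssl", "version": "3.0.1",
     "severity": "critical", "fixed_in": "3.0.13", "first_seen": "2024-05-30"},
    {"id": "CVE-2024-0002", "package": "lodash", "version": "4.17.20",
     "severity": "high", "fixed_in": None, "first_seen": "2024-04-01"},
    {"id": "CVE-2024-0003", "package": "zlib", "version": "1.2.11",
     "severity": "medium", "fixed_in": "1.2.13", "first_seen": "2024-05-01"},
    {"id": "CVE-2024-0004", "package": "curl", "version": "8.0.0",
     "severity": "high", "fixed_in": "8.4.0", "first_seen": "2024-05-20"},
    {"id": "CVE-2023-0005", "package": "requests", "version": "2.28.0",
     "severity": "low", "fixed_in": None, "first_seen": "2023-11-01"},
]})
TODAY = date(2024, 6, 1)
# Assumed acceptances: CVE-2024-0004 accepted until year end; CVE-2024-0002 expired.
RISK_ACCEPTANCES = {"CVE-2024-0004": date(2024, 12, 31),
                    "CVE-2024-0002": date(2024, 5, 1)}


def run_example():
    """Triage the constructed report and return (buckets, release_allowed)."""
    buckets = triage(load_findings(SAMPLE_REPORT), TODAY, RISK_ACCEPTANCES)
    return buckets, release_allowed(buckets)


if __name__ == "__main__":
    buckets, ok = run_example()
    for name, ids in buckets.items():
        print(f"{name:14s} {ids}")
    print("release allowed:", ok)
```

The two decisions a practitioner usually wants made explicit are visible here: a critical or high finding with a published fix blocks the release even on the day it appears, while a finding with no fix is tolerated only until its severity’s SLA runs out. Risk acceptances carry an expiry so that a “we’ll fix it next quarter” never silently becomes permanent, which is exactly the kind of detail an enterprise reviewer will ask about alongside the pen test report.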
Better practices
To do more than just pass your compliance requirements, you may consider:
  • Engage a high-quality pen testing firm, for example one that is CREST-accredited, has a demonstrable track record of quality, and performs a substantial amount of expert manual testing rather than relying mainly on automated scanning components.
  • Ensure the scope of your penetration tests covers the systems that handle customer data and every component an attacker could realistically reach, rather than a narrow slice chosen for convenience.
  • Conduct penetration tests more often than annually, or at least complement the annual test with more frequent vulnerability scans. A good practice is to run another pen test, or at minimum a vulnerability scan, soon after releasing a major feature or changing a core security component such as authentication or access control.

In a nutshell
Penetration testing is an essential component of your security strategy, particularly when working with enterprise customers who expect rigorous verification of your product’s security. By distinguishing between penetration tests and vulnerability scans and applying the ‘just enough’ principle, you can balance thorough security testing with efficient use of your team’s time. This approach helps keep your systems secure and compliant, and ready to meet the demands of your customers and auditors.