What to Include in Your Security Testing Provider’s Agreement?

Posted Date: August 17, 2021
3 min read

Security testing is a vital part of not just compliance but overall website/web application security. Regardless of the type of website security testing and the service provider chosen for the purpose, a successful test requires good preparation.

And a clear Service Level Agreement between the security service provider and the organization is an important part of preparation. It sets the expectations for both parties and provides clarity on their obligations.

In this article, we help you understand what items must be included in your security testing provider’s agreement for achieving the mutual goals of the test.

Critical Items to Include in Your Security Testing Provider’s Agreement

Remember that this list is not comprehensive or exhaustive. We have put together important elements that highlight the breadth and depth of good security testing.

The Test Goals and Objectives

Every SLA with the security testing service provider must include the goals and objectives. Goals and objectives set the tone for the rest of the process, including scoping, methodology, outcomes, permissions, pricing, and so on. If clear goals and objectives are not established before the process begins, the organization may receive a set of vulnerabilities that has no connection or correlation to its risks.

The Scope of Security Testing

The scope of the test tells the tester what can and cannot be included. By defining a clear scope for pen-tests, organizations can ensure that systems and services not included in the scope are not touched by the testers.

Given the costs and effort involved, not every component and system can be included in website security testing. Further, security pen-tests could lead to accidental downtime, and organizations must be ready for it. This makes the scope of tests all the more important.

The Obligations of Both Parties

The Agreement must include the obligations of both the application security testing service provider and the organization hiring their services. While the payment terms and financial obligations of the organization are mentioned in the SLA, it is critical to include a definitive deliverables statement from the service provider regarding possible outcomes from the tests.

Security Testing Service Provider’s Qualifications and Certifications

Qualified, experienced, and competent security testing providers will report all vulnerabilities, provide recommendations for fixing the security gaps, and be gentler on the organization’s systems. Certifications such as CREST, OSP, CEH, etc. are indicative of the tester's level of technical capability and methodology.

The Testing Methodology, Process, and Tools to Be Used

Both parties must discuss how the testing is to be carried out, as well as the methodology and tools to be used for the testing. The process, methodology, and tools must be agreed upon in advance in writing.

Why is this important? Not all testing tools and methods are legitimate. Open-source tools could be malicious and may send scan results to malicious third parties, expose confidential information, or give those parties access to the organization’s systems and network. This could seriously harm the organization.

Confidentiality Clauses

Make sure to include confidentiality clauses in the SLA with the security testing service provider. The last thing organizations want is for their confidential information, test results, or system information to be exposed by the pen-tester, accidentally or intentionally. The pen-tester, in turn, may be using proprietary techniques, tools, or report formats that they would want to keep confidential. In such a case, both parties may exchange a mutual Non-Disclosure Agreement (NDA).

Permissions and Credentials

If the security tester needs to be given credentials for the process, they must be shared in a secure and encrypted manner. The details of which credentials are to be provided, and how, may be included in the SLA.

Given that security testing is a criminal offense when performed without written permission, it is critical that permissions are included in the contract. For instance, third-party services cannot be included in the scope by the tester without written permission from the third party. If they do, they will have to face legal charges.

Test Report

The application security testing service provider must equip the organization with a detailed report highlighting all the vulnerabilities, flaws, and misconfigurations that impact the availability, confidentiality, and integrity of applications. This must be supported by a proof of concept (POC) confirming the existence of the vulnerabilities and showing how they can be reproduced. The report must include recommendations to help remediate the findings. A good report must also include an executive summary section that describes the findings in non-technical language. This helps top management make critical decisions based on the findings to harden the security posture.


A clearly defined and thorough SLA with the security testing provider enables both the organization and the service provider to understand and adhere to their obligations. It sets the foundation for high-quality testing that helps organizations fortify their security posture.
