What to Include in Your Security Testing Provider’s Agreement?
Security testing is a vital part not just of compliance but of overall website/web application security. Regardless of the type of website security testing and the service provider chosen for the purpose, a successful test requires good preparation.
And a clear Service Level Agreement between the security service provider and the organization is an important part of preparation. It sets the expectations for both parties and provides clarity on their obligations.
In this article, we help you understand which items must be included in your security testing provider’s agreement to achieve the mutual goals of the test.
Critical Items to Include in Your Security Testing Provider’s Agreement
Remember that this list is not comprehensive or exhaustive. We have put together the important elements that reflect the breadth and depth of good security testing.
The Test Goals and Objective
Every SLA with the security testing service provider must include the goals and objectives. Goals and objectives set the tone for the rest of the process, including scoping, methodology, outcomes, permissions, pricing, and so on. Without establishing clear goals and objectives before the process, the organization may end up with a list of vulnerabilities that has no connection or correlation to its actual risks.
The Scope of Security Testing
The scope of the test tells the tester what can and cannot be included. By defining a clear scope for pen-tests, organizations can ensure that systems and services not included in the scope are not touched by the testers.
Given the costs and effort involved, not every component and system can be included in website security testing. Further, security pen-tests could lead to accidental downtime, and organizations must be ready for it. This makes the scope of the tests all the more important.
The Obligations of Both Parties
The agreement must include the obligations of both the application security testing service provider and the organization hiring its services. While the payment terms and financial obligations of the organization are stated in the SLA, it is equally critical to include a definitive statement of deliverables from the service provider regarding the expected outcomes of the tests.
Security Testing Service Provider’s Qualifications and Certifications
Qualified, experienced, and competent security testing providers will report all vulnerabilities found, provide recommendations for fixing the security gaps, and are gentler on the organization’s systems. Certifications such as CREST, OSP, CEH, etc. are indicative of the tester’s level of technical capability and methodology.
The Testing Methodology, Process, and Tools to Be Used
Both parties must discuss how the testing is to be carried out, as well as the methodology and tools to be used for the testing. The process, methodology, and tools must be agreed upon in advance in writing.
Why is this important? Not all testing tools and methods are legitimate. Open-source tools could be malicious and may send scan results to malicious third parties, expose confidential information, or give those parties access to the organization’s systems and network. This could cause the organization major harm.
Make sure to include confidentiality clauses in the SLA with the security testing service provider. The last thing organizations want is for their confidential information, test results, or system information to be exposed by the pen-tester, whether accidentally or intentionally. The pen-tester, in turn, may be using proprietary techniques, tools, or report formats that they want to keep confidential. In such a case, both parties may exchange a mutual Non-Disclosure Agreement (NDA).
Permissions and Credentials
If the security tester needs to be given credentials for the process, it must be done in a secure and encrypted manner. The details of what credentials are to be provided and how may be included in the SLA.
Given that security testing performed without written permission is a criminal offense, it is critical that the permissions are included in the contract. For instance, the tester cannot include third-party services in the scope without written permission from that third party. If they do, they will face legal charges.
The application security testing service provider must provide the organization with a detailed report highlighting all the vulnerabilities, flaws, and misconfigurations that impact the confidentiality, integrity, and availability of the applications. This must be supported by a proof of concept (PoC) confirming the existence of each vulnerability and showing how it can be reproduced. The report must include recommendations to help remediate the findings. A good report also includes an executive summary section that describes the findings in non-technical language; this helps top management make critical decisions based on the findings and harden the security posture.
A clearly defined and thorough SLA with the security testing provider enables both the organization and the service provider to understand and adhere to their obligations. It sets the foundation for high-quality testing that helps organizations fortify their security posture.