12 questions to ask your app testing partner
Security is no longer a “nice to have” feature in your software. In a world of emerging threats and increasing compliance requirements, your customers and employees expect that you have done the work to uncover and address security issues. Your security testing strategy is fundamental to how you do business.
But, not all security testing is the same.
When you choose an app testing service provider to test your applications, it’s essential that you clarify exactly the type of support you will receive. Testing vendors have vastly different levels of security expertise, testing capabilities and service quality.
Remember, you’re not just putting one project in their hands, you’re entrusting your reputation and the security of your business to them. It takes time and planning to find the right application testing vendor.
To help make the process successful – and relatively painless – we’ve put together a list of questions you can ask any potential testing provider.
#1. What type of tests do you offer?
The right vendor will understand which type of test to apply to the particular risk profile of each of your applications.
Vendors should be able to use a mix of industry-standard tools to run automated scans for common vulnerabilities. But, automated testing alone is not sufficient to uncover high-impact vulnerabilities in critical applications.
To defend against multi-step attacks or ones that involve social engineering, it’s essential that your vendor have the capability for manual testing to mirror the perspective of a hacker.
They should be able to establish a security baseline that blends dynamic analysis with manual testing. And, they should be able to conduct a thorough assessment with manual business logic testing that is specific to your needs.
#2. When you find vulnerabilities, how will you help me fix them?
Classic application testing vendors consider their job just that–running tests. They may hand you a list of bugs and flaws but neglect to include the context you need to understand the root causes or offer any guidance to fix the issues.
Even when providing a turnkey service, the best vendors should have a security analyst review findings with you directly and offer remediation advice to make your software more secure.
As a result, your application design and development process will become more secure and your developers will better understand secure coding. Fewer security issues will ever reach the testing phase.
#3. How easy is it to run tests?
Dig into the details: What does it take to request a test on one or more of your applications?
- Do you need to schedule in advance and confirm testing resources are available? Or, does the vendor allow you to schedule tests and set testing windows?
- Can you specify which applications you want to test and the type of tests you want for each?
- Does only one person have the ability to request tests, or can anyone on your team request a test when needed?
Make sure your vendor provides sufficient resources to jumpstart your testing program.
#4. If–or shall we say when–my testing needs change, how will that affect my budget?
Let’s say your business grows and you need to test a higher number or wider variety of applications. Or, you may be asked by one of your customers or partners to test applications in a different way to meet their security requirements. Your testing vendor must provide flexibility to manage your evolving application portfolio without increasing your costs.
If you are conducting a search for a testing provider, you’ll want to do some more in-depth research. We’ve got eight more questions for you to consider as you compare options.
