8 Questions to Ask Your Application Security Testing Provider!

Choosing the right Application Security Testing service provider is not always an easy task. By asking the right questions and knowing what answers to look for, you can conduct a thorough evaluation of the various vendors available in the market and make the most intelligent choice for your business. There are numerous options, such as buying tools, using cloud-based testing providers, or engaging traditional consultants. I have discussed making the right choice in another blog. However, if you decide to choose Application Security Testing consultants, here are the eight most important questions you should definitely ask, based on the top metrics:


Here are the top 8 questions to assess your Application Security Testing provider


1. What’s the background of the individuals who will conduct the test?

The background of the people behind the Application Security Testing is one of the most vital factors. Some companies do have good processes, but the individual still plays the most important role. So ask for the background of the people who will actually conduct the Application Security Tests.


2. What is the methodology of Application Security Testing?

Though the person is very critical, the methodology of Application Security Testing plays an equally major role. If there is a standard process, it ensures a minimum level of quality irrespective of the consultant's state of mind. You don’t want his breakup with his girlfriend causing a significant reduction in the quality of testing. There should be checks and balances to ensure quality irrespective of the situation. Different organizations can have different methodologies, but you need to figure out from the methodology whether key elements like false positive elimination and business logic vulnerabilities are covered.



3. How will he conduct business logic vulnerability testing?

Business Logic Vulnerabilities cannot be detected by scanners. The Application Security Testing vendor needs very good processes and skills to assess such vulnerabilities. It is important to know how the vendor will conduct such testing.


4. Which tools shall they use?

A good automated scanner is very important for coverage. Free and open source tools are not as good in coverage as the best-of-breed commercial tools. Free tools need heavy human augmentation, and there is a risk of higher false negatives. A good application security testing tool that can crawl modern applications and handle JavaScript well is very critical. There are several other ways to benchmark an automated scanner. Check out our article on benchmarking automated scanners.



5. What are the contributions of the testers to security research (vulnerability discovery, research papers, tools, conference presentations, etc.)?

Everybody can run a tool, but not everybody is a hacker. You have to defend against the hackers out there on the internet, so it is important that you get a person who matches up to that standard. You should ask him about his background in original security research. Did he do something worth presenting at DEF CON, Black Hat or other similar conferences?


6. How many and what types of Application Security Tests has he conducted before?

It is important to know the vendor's prior experience in the field of application security testing. Has he conducted DAST, SAST, Architecture Review, Threat Modeling? You also need to check his experience in discovering Business Logic Vulnerabilities. This is one of the graveyards where many consultants fail unless they have proper experience.



Flexibility and Scalability

7. Can the vendor test during non-business hours?

Sometimes it might be critical to conduct a test during non-business hours (nights/weekends). You need to select an Application Security Testing vendor who is flexible enough to handle any such requirements that you may have.


8. Can the vendor meet your scalability requirements?

Last but not least: if you have to test all your applications twice per release cycle, or at least on a quarterly basis, will the vendor be able to meet such volume requirements? Do they have the infrastructure and the people to conduct that number of application security tests?


A few more suggestions by readers and community members (credits: Carlos Rodriguez, Milan Danrel):

  • Customer references, with the ability to interview them. What kinds of problems were found by the vendor, and which ones weren’t?
  • Verification of background checks of the individual tester.
  • Financial statements of the organization.
  • Which tools are being used by the tester?
  • Integration capabilities with collaboration solutions, GRC solutions, dashboard solutions, QA solutions and ticketing systems.
  • Does the vendor meet compliance-specific expectations (e.g. PCI DSS 1.2)?

