When a founder-led business gets their first Vendor Security Assessment, it's a bittersweet moment. On the positive side, it usually means that the startup is being taken seriously by an enterprise -- often a prospective customer. On the negative side, a tough vendor security assessment often puts a startup on its heels as far as figuring out a way to acceptably answer the difficult questions therein.
One topic that comes up frequently, is testing. Enterprises know that early-stage companies are often highly resource-constrained, and it begs the question of whether the product/solution has been tested in a way that gives confidence that the startup can deliver way they say they'll deliver. From the enterprise's perspective, probing on testing practices is just a "common sense" way to get a sense for the maturity of the small business that they are considering working with.
But, what types of tests are startups being asked about, in a typical Vendor Security Assessment? We set out to answer precisely that question, by analyzing our internal archive of vendor security assessments, and here's what we found.
The most frequently requested test in a vendor security assessment is no surprise. Or, at least we hope it's no surprise. Penetration tests and web vulnerability scans rank #1 in our list of most frequently requested tests. Put simply, enterprises know that technology companies rely on a wide range of 3rd party libraries and tools, and infinite cloud infrastructure configuration options. All of that leads to a well-founded desire to ensure that vendors are conducting penetration tests and web vulnerability scans. Sometimes vendor security assessments ask you to attach your testing results, other times (we've never understood this) they simply ask whether you have or haven't done this type of test. However, it's safe to say that if a questionnaire asks about this type of test, that you should hustle to do any necessary remediations so that you can supply a "clean" testing report if asked.
This one has been rising in popularity, especially in the context of vendor security assessment processes. Why? Because we all no that disaster will eventually strike. A datacenter outage. A key management member that is immediately unavailable. An inability to access the company's physical office. A pandemic.
You get the idea.
Asking startups to disclose what they do (or don't do) for disaster recovery testing is a huge step in understanding their preparedness for the many "what if" cases that could potentially cause a service disruption. Pro tip: if you don't yet do any disaster recovery testing, start with a battle-tested disaster recovery plan from Havoc Shield, and the guidance therein about reasonable testing procedures.
This is a broad one. One we hesitated to even include, because it's so broad that it doesn't provide much insight into what (precisely) the enterprise is looking for. But, it is indeed the third most popular type of testing requested in a vendor security assessment, so we're dutifully including it here. When asked (vaguely) whether you do or don't have any "security testing" practices, some of the areas that should be high on your mental list are documented testing procedures (and results) related to:
When a vague question arises, you have the benefit of being able to apply reasonable interpretation (perhaps interpretation favorable to you), but your answer does need to have some defensible basis.
We're increasingly seeing acceptance testing come up as a topic in the vendor security assessment processes that our clients find themselves in. Although this type of testing doesn't necessarily relate to security, it's found a home in security-related questionnaires. Our thought process on this one is that enterprises want some sense that their vendors are working against some documented set of use cases or requirements and that the product/service isn't "done" until it satisfies those agreed-upon scenarios.
When enterprises ask about your testing practices in a vendor security assessment, take it as a signal that they are probing your organizational maturity. Show well on these types of questions, and you'll be well on the way to setting the tone that you have a thoughtful set of internal policies and practices, that are enterprise-ready. Any trouble along the way, drop us a line -- we're standing by to help.