Wednesday, 11 August 2021

Which SOC 2 penetration test will help you pass your SOC 2 audit?

There are many penetration tests available for web applications, but not all of them will help you pass your SOC 2 compliance audit. If you want the best chance at passing and maintaining your certification, then you should be using a semi-annual penetration test that is designed to meet SOC 2 standards. 

Today I'm going to open your eyes to what makes a SOC 2 penetration testing project run like clockwork, so that you can make the best decision possible about which penetration test to use on your web/mobile application and pass your SOC 2 Type 2 audit!

Let's start with some common sense...

Before you go any deeper, I should point out that the strategies for getting a positive SOC 2 report that worked in 2019 or 2020 may not work in 2021 and beyond.

Auditors want to see that your cloud software's vulnerability assessment program is dynamic and able to cope with the fast-changing cybersecurity landscape. Just as with a PCI-DSS or ISO27001 audit, SOC 2 certification is not just a piece of paper; it's about building a culture of security.

The final certification that you receive is just third-party verification to your customers and users that you have the right risk management processes in place and that your information management systems can cope with the different types of cybersecurity risks that your organization will encounter.

Presumably you're seeking SOC 2 certification because you don't need to go through the pain of PCI-DSS accreditation, you want to sleep easier at night and also because your clients are demanding more details about your security program, right?

So now that you're here, I'm going to show you how to do this right, the first time.

What are the main types of penetration tests that can be done on your applications? 

Pen tests come in many flavours, but for web or mobile application penetration testing we think they're best classified into three main categories:

  • Black box penetration tests are where our penetration tester is not provided with any information about the application before starting. This can be done either by manually scanning for open ports and vulnerabilities or, more likely, by a combination of automated dynamic vulnerability scanning and manual web application penetration testing.
  • Grey box penetration tests are where our penetration tester is given a list of URLs or IP addresses and login credentials to conduct automated and manual pen tests on the public pages of your application and also behind your login.
  • White box penetration tests are where the penetration tester has access to all of your application's source code. In addition to performing manual and automated pen tests we also perform static scanning of your code base to find vulnerabilities within it. 

Is a manual penetration test the same as a vulnerability scan?

Some penetration testing companies may also try to pass off an automated dynamic vulnerability assessment as an annual penetration test. While technically this isn't incorrect or unethical, we have never seen such automated assessments pass muster with any SOC 2 auditor.

You might be offered this "dynamic vulnerability assessment as a penetration test" option when the pen test company senses you are just looking for the cheapest option, or if the company isn't actually aware of what type of pen test will help you pass your SOC 2 audit.

Vulnerability assessments or vulnerability scans are usually done for a specific set of IP addresses. A suitable grey box pen test that is actually SOC 2-compliant, by contrast, will be performed against your web application AND its associated cloud infrastructure.

Please don't mistake this as me telling you that vulnerability scans or automated pen tests are not important. As you'll read below, smart SaaS providers make regular DIY vulnerability scans an ever-present part of their security architecture.

It's just that the results from these scans alone will not be enough for you to satisfy the SOC 2 controls and pass your audit.

Is a pen test required for SOC 2?

The penetration testing process is often thought about in terms of risk and cost management. But it's not just a technical assessment; it's also an exercise in figuring out how much business-impacting damage you can expect from your IT environment if someone were to exploit those vulnerabilities.

So the SOC 2 framework has these two requirements, called trust service principles, of all companies who want to pass a SOC 2 audit:

  • CC4.1 – Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certifications made against established specifications (for example, ISO certifications), and internal audit assessments. 
  • CC7.1 – The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. 

TL;DR: these requirements are vague and leave everything to the judgement of the auditor who is preparing your SOC 2 report. That's why you should choose a SOC 2 penetration testing service provider that has helped other software companies implement the right security controls to achieve SOC 2 compliance.

Is a vulnerability scan report enough for SOC 2 certification?

Unfortunately you're out of luck here. Regular vulnerability scanning is a great (and very important) tool for picking up vulnerability regressions. But no automated vulnerability scan tool is yet smart enough to replace a pen test.
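To make the "regression" idea concrete, here is an added example (not the post's or Audacix's own tooling) of the kind of check a team can run between scans: it compares the current scan's findings with the previous run and with a log of findings already closed in earlier sprints, flags anything that has re-appeared, and gates the sprint on regressions or new high-severity findings. It also answers the later question about stopping vulnerabilities from re-appearing during future sprints. Targets, vulnerability labels and severities are constructed sample data.

```python
# Regression check across two vulnerability scan runs (added example, not the
# post's or Audacix's own tooling). Findings are keyed by (target, vuln id);
# KNOWN_FIXED is the team's log of findings closed in earlier sprints.
# All sample data is constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str]

@dataclass(frozen=True)
class Finding:
    target: str    # URL or host where the scanner observed the issue
    vuln_id: str   # scanner's weakness label (constructed names here)
    severity: str  # "high", "medium" or "low"

def finding_keys(findings: Iterable[Finding]) -> Set[Key]:
    return {(f.target, f.vuln_id) for f in findings}

def classify_scan(previous: Iterable[Finding], current: Iterable[Finding],
                  known_fixed: Iterable[Key]) -> Dict[str, List[Key]]:
    """Bucket the current scan relative to the previous run and the fix log."""
    prev, cur, fixed = finding_keys(previous), finding_keys(current), set(known_fixed)
    return {
        "regressed": sorted(cur & fixed),   # closed earlier, now back: a regression
        "new": sorted(cur - prev - fixed),  # never seen before
        "persisting": sorted(cur & prev),   # still open since the last run
        "resolved": sorted(prev - cur),     # gone since the last run
    }

def release_gate(report: Dict[str, List[Key]], current: Iterable[Finding]) -> bool:
    """Fail the sprint gate on any regression or any new high-severity finding."""
    if report["regressed"]:
        return False
    by_key = {(f.target, f.vuln_id): f for f in current}
    return not any(by_key[k].severity == "high" for k in report["new"])

# Constructed sample data: last sprint's scan, this sprint's scan, the fix log.
PREVIOUS_SCAN = [
    Finding("https://app.example/login", "sql-injection", "high"),
    Finding("https://app.example/search", "reflected-xss", "medium"),
    Finding("https://app.example/", "missing-hsts", "low"),
]
CURRENT_SCAN = [
    Finding("https://app.example/search", "reflected-xss", "medium"),
    Finding("https://app.example/upload", "path-traversal", "high"),  # was fixed before
    Finding("https://app.example/api/export", "missing-auth", "high"),
]
KNOWN_FIXED = {("https://app.example/upload", "path-traversal"),
               ("https://app.example/api/users", "idor")}
```

Running `classify_scan(PREVIOUS_SCAN, CURRENT_SCAN, KNOWN_FIXED)` on the sample data reports the upload path-traversal as regressed and the export endpoint as new, so `release_gate` fails; keeping these reports per sprint is the kind of ongoing evidence CC7.1 asks for.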

Your SOC 2 auditor will probably need proof that your risk management process includes regular vulnerability scans. Unashamedly, we recommend our Cyber Chief automated vulnerability scanning tool because it:

  • Is very user-friendly;
  • Fits with most software development workflows;
  • Allows software teams with zero penetration testing experience to run their own 1-click vulnerability scans;
  • Gives you actionable dashboards to help you benchmark and track your web application security resilience; and
  • Provides best-practice fixes, including code snippets, for vulnerabilities that it finds.

This graph should help you understand where vulnerability scanning fits into a SOC 2-compliant web application information security program:

By the way, today's auditors are smart. They know if reports from vulnerability scans or automated vulnerability assessments are being passed off by you or your penetration tester as a SOC 2 penetration testing report. Don't take the risk, because not only will you be out of pocket if you try and do this, you'll also lose face in the process.

What other factors should I consider when choosing my SOC 2 penetration testing service providers? 

So now you've chosen the web/mobile app penetration test that you want, but is that it? 

Of course it's not: you're not just buying a bag of choc-chip cookies, where you choose from normal or extra choc!

Your software engineering team is probably not going to want to go through a vulnerability assessment process: nobody likes to be told they're wrong, and besides, "what would these security guys know about my application anyway??"

So in order to help them out and reduce their anxiety, ask yourself these 6 questions:

  1. Is your ultimate goal just a secure app or are you looking for a commercially-driven ROI?
  2. Have you selected the frameworks against which you want your penetration tests performed?
  3. How will your dev team minimise the time they spend applying best-practice fixes for the vulnerabilities?
  4. What type of penetration test do you actually need to pass your SOC 2 audit?
  5. Does your team have capacity to patch all vulnerabilities and update existing security controls?
  6. How will you ensure that vulnerabilities don't re-appear during future sprints?

It's natural to be overwhelmed by all these questions. But you have two options:

  • Take some extra time now to make the right decision; or 
  • Risk choosing the wrong SOC 2 pen testing company and be left pulling your hair out when your team hates you for foisting a pen test on them and your SOC 2 auditor is raising their rather bushy eyebrows in your direction.

The good news is that answering these questions and getting you more clarity only takes about 30-35 minutes when our team is guiding you through the process. So get your free consult and SOC 2 pen testing quote and be sure that you're making the right call for you.

Do I only need one pen test to get SOC 2 certification?

Remember, SOC 2 penetration testing is the start of a process, not just a one-off, tick-box event.

So your first penetration test should be done as soon as possible to find out what you need to fix. It can even be done before you actually start your SOC 2 Type 1 certification process, because it will give your engineering team time to fix all the vulnerabilities that have been identified.

Once that initial pen test has been completed and any necessary fixes have been made, then you do your second penetration test which will lead up to your SOC 2 certification audit. 

When you get your SOC 2 report, you will have to recertify every year because a SOC 2 accreditation only lasts for 12 months. Therefore, you should budget and prepare to do at least one penetration test annually. Just beware that one annual pen test might not be enough to gain a favourable SOC 2 report, especially if your team is not conducting regular vulnerability scans.

Depending on your industry, the scale of your operations and the type of data you hold, some SOC 2 auditors like to see that you do 2 or more grey box penetration tests annually, plus very regular automated vulnerability scans.

Because my team has performed many SOC 2-compliant cloud application pen tests for clients around the world, I can also let you in on some inside knowledge.

Your SOC 2 report will have more chance of helping you pass your SOC 2 audit if you also prove to your auditor that you conduct regular vulnerability scans along with your twice-yearly penetration tests.

This is why each of our penetration testing plans comes with discounted access to our AI-powered Cyber Chief automated vulnerability scanning tool.

Can any penetration testing services company help me with SOC 2 compliance?

Most will say they can, and that's why you may get confused in the process of selecting your external pen testing partner. 

That's why I've given you a robust decision-making framework in the form of the 6 questions above. We use those 6 questions with our clients for two main reasons:

  • To ensure that you know what you're getting from the penetration testing process so that you can reduce your costs and increase your ROI; and
  • So that we can deliver you exactly what you need in as short a time as possible, again to increase your ROI.

Remember it only takes about 30-35 minutes when our team is guiding you through the process of deciding which pen test you need to secure your application and get SOC 2 certification. 

So get your free consult and pen testing quote and be sure that you're making the right call for you.

As you can see, the vulnerability assessment process for SOC 2 compliance is not a one-size-fits-all project.

You need to work out what you really need and which type of test will help you pass your SOC 2 audit, which is why we offer a free consultation with an experienced pen testing partner who can guide you through the steps necessary for meeting your goal. 

Get in touch today for your free consultation - it’s as easy as clicking the button below or contacting us via email at solutions[at]audacix.com! 

We also have some great offers if you are currently a Tugboat or Vanta customer. So book your call to find out if you're eligible.