There’s truth to that, but it’s dangerous to consider it an acceptable amount of signal. There’s a whole universe of ways to surface security debt far before a potential customer does that work on your behalf with a penetration test.

It’s valuable for a company to aggressively mitigate vendor risk in the way you describe, but it is a common warning sign when a vendor’s security story is “another customer audited us and we were OK”. That is a bad story.

A good story is when a vendor can describe how they surface debt systematically with employee, infra, and app security programs. This should exist before a potential customer has to *literally tell them* about their own debt.

So, while I think vendor penetration testing is a valuable practice for a customer — a vendor that solely relies on this form of signal for their security debt should be avoided. That signal comes far, far later than where our expectations should be, and a vendor should be able to represent more about their security than that. Otherwise, security starts at sales, ugh.
