If you expect a system to perform when you need it most, you’d better test it. And it’s a fact of life that it will be a better test if it’s done by people who did not build that system in the first place. We’re not talking about manipulation here. It’s just that a fresh perspective will raise at least some areas of weakness that are otherwise inevitably overlooked. An ethical hack is such an independent test.
For a prospective customer, third party audits and a prestigious customer list will often suffice as adequate validation, but in some cases there is simply no substitute for checking under the covers yourself. As CTO at BoardVantage, far from treating it as a purely negative ‘cost-of-sale’, I welcome third party inspection. Different eyes might uncover overlooked details, and the hack itself serves as a process refresh which is difficult to accomplish with just internal staff.
An ethical hack is usually performed either by the information security team of an F-100 or financial institution, by the IT department of a smaller organization, or by a third party specialist. Because the production system in a commercial SaaS environment is in use 24×7, the ethical hack is ALWAYS performed against a mirror system. That way you obviate the (slim) possibility of customer data being compromised, or of bringing about performance deterioration during DoS (Denial of Service) testing.
It is much easier to talk the talk on security than to walk the walk, but an ethical hack will quickly separate the vendors who fall in the former group from the ones who have made the costly investments and who fall in the latter. So, if a vendor is serious about security, ethical hacks are a wonderful source of customer feedback. Third parties, immune from internal politics, can make observations that might be difficult for internal QA departments and security teams to raise. By subjecting oneself to a plethora of different tests by different teams, the vendor dramatically increases the coverage of possible exposures.
While an expensive investment for both customers and vendors, ethical hacks remain the most effective way to verify the security of any SaaS vendor. In addition, ethical hacks remain one of the best ways for a vendor to assure that its systems meet the standards and that the vendor’s standards are in fact up-to-date.