Penetration Testing and Rules of Engagement
Third-party risk assessment begins with understanding how vendors and partners are evaluated before and during a business relationship. One of the most powerful assessment tools is penetration testing — a simulated attack conducted to identify real exploitable vulnerabilities before actual attackers do.
Penetration Testing
A penetration test (pen test) is a simulated, authorized cyberattack against a target organization or system. Unlike a vulnerability scan, which identifies potential weaknesses, a penetration test actively attempts to exploit those weaknesses to determine whether they are genuinely exploitable and what an attacker could achieve if they succeeded.
- Pen test vs. vulnerability scan: A vulnerability scan is passive — it identifies and categorizes potential weaknesses using automated tools. A penetration test is active — a skilled tester attempts to exploit identified vulnerabilities to gain unauthorized access, escalate privileges, or exfiltrate data. Pen tests answer the question "can an attacker actually get in?" rather than just "is there a potential entry point?"
- Types of penetration testing: Black-box testing (tester has no prior knowledge of the target, simulating an external attacker), white-box testing (tester has full system knowledge, simulating an insider threat), and gray-box testing (tester has partial knowledge, common in vendor assessments).
- Third-party pen testing: Organizations may require vendors and suppliers to provide penetration test reports as part of due diligence. A vendor who cannot produce a recent pen test report has a gap in their security assurance program.
Rules of Engagement
Before any penetration test begins, the rules of engagement must be formally documented and agreed upon by all parties. Rules of engagement define the boundaries and parameters of the test.
- Scope: Which IP address ranges, domains, systems, and applications are included in the test and which are explicitly excluded. Out-of-scope systems must not be touched even if the tester discovers they could be accessed.
- Schedule and timing: When testing may occur (business hours vs. after hours), whether testing may affect production systems, and how long the engagement lasts.
- Authorized techniques: What attack techniques are permitted (social engineering, physical access testing, denial of service testing) and which are prohibited.
- Emergency contacts: Who to call if a tester accidentally takes down a production system, discovers an active breach, or finds critical infrastructure at risk. Emergency escalation paths must be documented before testing begins.
- Data handling: How discovered sensitive data must be handled. Testers who encounter real customer data, credentials, or PII during a test must know the protocol for handling and reporting that data without further exposure.
Vendor Assessment Methods
Beyond penetration testing, organizations use several mechanisms to assess vendor security posture. Each method addresses different aspects of third-party risk and provides different levels of assurance.
Right-to-Audit Clause
A right-to-audit clause is a contractual provision that grants the customer organization the right to audit the vendor's security controls, processes, and compliance status at any time. It is included in vendor contracts during the vendor selection and negotiation phase.
- Purpose: Vendors provide services using customer data. Without a right-to-audit clause, the customer has no mechanism to independently verify that the vendor is maintaining the security controls they claim to have. The clause creates accountability.
- What audits cover: Security control effectiveness, access management, data handling practices, compliance with contractual security requirements, incident response capabilities, and patch management processes.
- Negotiation importance: Vendors who refuse right-to-audit clauses raise a significant red flag. A vendor unwilling to allow an audit is a vendor with something to hide. The absence of this clause in a contract is itself a risk indicator.
Independent Assessments
An independent assessment is conducted by an outside firm that has no relationship with either the organization being assessed or the vendor. Independence eliminates bias and provides credibility that internal assessments cannot provide.
- Why independent matters: Internal security teams may miss gaps in their own controls due to familiarity. Vendors conducting self-assessments have an inherent conflict of interest — they are unlikely to report findings that damage their own business. An outside firm with no stake in the outcome provides objective findings.
- SOC 2 reports: A common form of independent assessment for cloud and SaaS vendors. A SOC 2 Type II report is produced by an independent CPA firm and covers security, availability, processing integrity, confidentiality, and privacy controls over a defined period (typically 6-12 months). Requesting a SOC 2 report is a standard vendor due diligence practice.
- Broad industry experience: Independent assessors bring experience from assessing many organizations across the industry. They know what good looks like and can benchmark a vendor's security posture against industry norms in ways that internal teams cannot.
Supply Chain Analysis
Supply chain risk extends beyond the primary vendor to the vendor's vendors. A supplier who uses a compromised sub-supplier introduces risk into the organization's environment through the supply chain.
- Supply chain attacks: Instead of attacking an organization directly, adversaries compromise a trusted supplier or software provider. The malicious code or access travels with the legitimate software or service into the target environment.
- SolarWinds case study: Between March and June 2020, attackers (later attributed to a Russian state-sponsored group) inserted malicious code into SolarWinds Orion software updates. The updates were digitally signed with a valid SolarWinds certificate, making them appear completely legitimate. Organizations that installed the updates (approximately 18,000 of SolarWinds' 300,000 customers) unknowingly installed a backdoor. The compromise was not publicly announced until December 2020. This attack demonstrated that even trusted, established vendors with strong reputations can be compromised through their software development pipeline.
- Supply chain controls: Vendor security questionnaires that cover sub-supplier relationships, software bill of materials (SBOM) requirements, software composition analysis, and contractual requirements that vendors maintain security standards for their own suppliers.
Vendor Due Diligence, Monitoring, and Conflict of Interest
Third-party risk management is not a one-time event. It begins during vendor selection, continues through the contract relationship, and requires ongoing monitoring to detect changes in the vendor's security posture or business stability.
Vendor Selection and Due Diligence
Due diligence during vendor selection reduces the risk of engaging a vendor who cannot meet security or operational requirements. Due diligence should include:
- Financial verification: Confirm the vendor is financially stable. A vendor that goes bankrupt mid-contract creates operational and data recovery risks. Review financial statements, credit ratings, and banking references.
- Background checks: Verify that the vendor organization and its key personnel do not have histories of security incidents, regulatory violations, or legal judgments that indicate unreliable security practices.
- Security questionnaires: Formal questionnaires covering the vendor's security policies, patch management, access controls, incident response procedures, data handling practices, and compliance status. Common formats include the Standardized Information Gathering (SIG) questionnaire.
- References: Speak with current customers about their experience with the vendor's security responsiveness and incident handling. Ask specifically about past incidents and how the vendor communicated and responded.
- Conflict of interest detection: Identify whether the vendor has relationships that could compromise their objectivity or loyalty. A vendor that also serves direct competitors may have access to competitive intelligence. Personnel conflicts (a vendor employee who is a relative of an executive) require disclosure.
Ongoing Vendor Monitoring
A vendor that passes initial due diligence can change. Financial conditions deteriorate, key security staff leave, regulatory violations occur, and data breaches happen. Ongoing monitoring detects these changes.
- Periodic security reviews: Annually or more frequently depending on data sensitivity, conduct formal reviews of the vendor's security posture using updated questionnaires, audit reports, and penetration test findings.
- Financial health monitoring: Subscription to financial monitoring services that alert when vendors file for bankruptcy protection, receive adverse credit ratings, or experience significant financial events that could affect service continuity.
- News and social media monitoring: Track news coverage and social media for reports of vendor data breaches, regulatory actions, executive misconduct, or other events that indicate increased risk from the vendor relationship.
- Vendor owner assignment: Assign an internal owner for each significant vendor relationship. The owner is responsible for maintaining the relationship, tracking security questionnaire status, escalating concerns, and ensuring contractual security obligations are met.
Conflict of Interest
A conflict of interest occurs when a vendor relationship creates situations where the vendor's interests are not fully aligned with the customer organization's interests. Conflicts of interest compromise the integrity of the vendor relationship and may indicate security risk.
- Examples: A partner company is also engaged with a direct competitor (could enable competitive intelligence leakage). An executive's family member is employed by the vendor in a role that influences contract decisions. A vendor offers gifts, meals, or travel to procurement staff (creates obligation that can distort vendor evaluation). A vendor's security assessor also provides security consulting services to the same organization they are assessing (independence is compromised).
- Detection mechanisms: Vendor disclosure requirements in contracts (vendors must disclose conflicts), background checks on key vendor personnel, gifts and entertainment policies that require disclosure, and rotation of vendor relationship ownership to prevent relationship capture.