Penetration testing is a reality for any company that takes security seriously. Not only is it an important part of any serious cybersecurity program, it’s also required by most major compliance frameworks. Unfortunately, many organizations make a serious mistake when buying penetration testing services for their web applications: they don’t whitelist the tester on their Web Application Firewall (WAF).
And on the surface, that makes sense. After all, the customer wants to know if their web application can be exploited from outside the organization. And, of course, anyone who wants to attack the application will have to go through the WAF.
Penetration testers are supposed to be good at hacking. Surely they should be able to figure out a way to evade the WAF to test the application? As logical as these ideas may seem, they are (at best) misguided and misinformed.