Hello,<p>I'm currently the Tech Lead / CTO at a small 20-person startup that has seen quite a bit of growth this year.<p>We store quite a bit of contact information (names, phone numbers, email addresses), and have quite a few <18 year old users (we are a high school fundraising platform). We'd like to make sure we are doing our best to keep that information protected.<p>I think our biggest concern at the moment is a data leak.<p>We would eventually like to move towards SOC2 (likely through Vanta), so I'm not sure if there is a way to "kill 2 birds with one stone" here.<p>I inherited this project from a contracting shop, and although I'm feeling fairly comfortable with it at this point, I'm very much in a "I don't know what I don't know" situation.<p>Any specific recommendations for things to look for or things to avoid? Are most companies the same in that they're just going to run a set of automated scripts against your services?<p>Thanks for any help!
I can only speak to a very specific example that I setup and ran at my last job for a SOC 2 annual pen test. We used a service called Cobalt Core (not affiliated), but they're kind of like UpWork for pen testers.<p>Aside from that, I'd imagine the general process is very similar. You define your parameters on what they're looking for, where to look for it, and what not to do. First thing I'd say is to make sure you have an isolated staging environment for them that they can attack without you disturbing them or them disturbing you.<p>If there are any parts of your code base that you're specifically concerned about, ask them to focus there! The goal of a pentest is to find what's broken (which it seems you're already on board with). An old CEO of mine wanted us to pass the pentest, not actually gain value from it... Take advantage of the fact they have people who know more than you and I (hopefully) to try and compromise the application.<p>They should give a nice write up with details on what they found and I've had a good experience asking them questions about solutions and future prevention.<p>I'm sure quality varies, but I wouldn't be surprised if the majority of what gets done for the average pentest are the same list of scripts that try to abuse Django admin and such, so I can't really speak to other qualities. Lots of injection focused attacks, but can't hurt for them to try.
You're better off doing a private bug bounty through bug crowd or hackerone.<p>Pentests are point in time assessments. Usually with one to two testers, with limited scopes of expertise.<p>Bug bounties can bring in hundreds of testers with a wide breadth of expertise that continuously test.