After undergoing a SOC 2 penetration test (pen test) with Strike Graph’s pen test team, you will receive a report describing the methodology of the test, the findings within your organization’s application, remediation recommendations for each vulnerability, and more. Your CSM will coordinate a meeting with a member of the pen test team and the relevant members of your organization to discuss the contents of the report and offer expert counsel. The following article addresses a question that is commonly asked during a pen test report meeting: What needs to happen after my organization’s pen test results are issued?
Within the executive summary of your organization’s pen test report, you will find a table denoting the meaning of and recommendations for each risk classification:
| Risk classification | Meaning and recommendation |
| --- | --- |
| High Risk Vulnerabilities | Corrective action needed; attend to these items immediately or as soon as possible, with high urgency. |
| Medium Risk Vulnerabilities | Action plan recommended; attend to these items in a reasonable time. |
| Low Risk Vulnerabilities | Investigate corrective actions; attend to these items as time allows. |
High Risk Vulnerabilities
For any high risk vulnerabilities, your auditor will want to see that remediation has occurred. Generally, auditors will want to see tickets in your organization's ticketing system documenting the remediation steps (e.g. code or configuration changes) and the resolution of the vulnerability. If a high risk vulnerability is found in your organization’s application, our pen test team will provide recommendations for remediation within the report and briefly discuss them during the call. The pen test team’s written guidance is provided in the “Recommendations” section of the report, which also includes links to helpful outside resources (such as OWASP).
In some cases, vulnerabilities listed as high risk in your pen test report may turn out, after investigation, to be false positives, or may not be truly high risk items because of the unique architecture of your product. If, after thorough investigation, your team believes it is not necessary to remediate the vulnerability, that is acceptable from a SOC 2 audit perspective, but the auditor will still want to see evidence that the vulnerability was actioned appropriately. In this case you should still log a ticket for the vulnerability, but rather than documenting remediation steps, document the reasons why the vulnerability does not actually represent a high risk to your environment (for example, the affected component is not reachable in production, or a compensating control is already in place).
All evidence of remediation for high risk vulnerabilities should be uploaded to the evidence item titled Penetration Test Resolution.
Medium and Low Risk Vulnerabilities
For medium and low risks, no action steps are mandatory from a SOC 2 audit perspective, but it is best practice (and appreciated by your auditor) to log remediation tickets in the backlog for those vulnerabilities as well.
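The rule in the two sections above can be turned into a pre-upload check: every High finding needs a closed ticket that carries either remediation steps or a written justification for not remediating, while Medium and Low findings should have backlog tickets but do not block the audit. The script below is an added example written for this article; it is not Strike Graph's tooling, and the finding records, ticket records, status names and field names are constructed assumptions rather than the export format of any real ticketing system.

```python
"""Audit-readiness check for pen test findings (added example, not Strike Graph's code).

The Finding and Ticket shapes, the status names and the sample data are
constructed for illustration; adapt the loaders to your own report and
ticketing exports.
"""
from dataclasses import dataclass
from typing import Dict, List

# Statuses a closure ticket may carry. "risk_accepted" covers findings judged
# false positives, or not truly high risk, after investigation.
VALID_STATUSES = {"open", "remediated", "risk_accepted"}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str  # "High", "Medium" or "Low", as in the report's executive summary
    title: str


@dataclass(frozen=True)
class Ticket:
    finding_id: str
    status: str
    notes: str  # remediation steps (code/config change) or the reason no fix is needed


def check_evidence(findings: List[Finding], tickets: List[Ticket]) -> Dict[str, List[str]]:
    """Return {"blocking": [...], "warnings": [...]}.

    blocking: gaps an auditor would flag, i.e. High findings without evidence.
    warnings: best-practice gaps for Medium and Low findings.
    """
    by_finding: Dict[str, Ticket] = {t.finding_id: t for t in tickets}
    blocking: List[str] = []
    warnings: List[str] = []

    for f in findings:
        # Only High findings are mandatory from a SOC 2 perspective.
        dest = blocking if f.severity == "High" else warnings
        t = by_finding.get(f.finding_id)
        if t is None:
            dest.append(f"{f.finding_id} ({f.severity}): no ticket logged")
            continue
        if t.status not in VALID_STATUSES:
            dest.append(f"{f.finding_id} ({f.severity}): unknown ticket status {t.status!r}")
            continue
        if t.status == "open":
            dest.append(f"{f.finding_id} ({f.severity}): ticket still open")
            continue
        # A remediated or risk-accepted ticket must carry written evidence:
        # the steps taken, or the justification for not remediating.
        if not t.notes.strip():
            what = "remediation steps" if t.status == "remediated" else "justification"
            dest.append(f"{f.finding_id} ({f.severity}): {t.status} ticket has no {what}")
    return {"blocking": blocking, "warnings": warnings}


def ready_for_upload(findings: List[Finding], tickets: List[Ticket]) -> bool:
    """True when nothing blocks uploading the evidence for High findings."""
    return not check_evidence(findings, tickets)["blocking"]


# Constructed sample data (hypothetical findings, not from a real report).
SAMPLE_FINDINGS = [
    Finding("F-1", "High", "Missing authorization check on a record lookup"),
    Finding("F-2", "High", "Reflected cross-site scripting in a query parameter"),
    Finding("F-3", "High", "Legacy TLS version reported by scanner"),
    Finding("F-4", "Medium", "Verbose error pages"),
    Finding("F-5", "Low", "Missing Referrer-Policy header"),
]
SAMPLE_TICKETS = [
    Ticket("F-1", "remediated", "Added an ownership check to the lookup handler; change merged and deployed"),
    Ticket("F-2", "remediated", ""),  # closed without documenting what changed
    Ticket("F-3", "risk_accepted", "False positive: the edge load balancer only negotiates TLS 1.2 or higher"),
    Ticket("F-5", "open", "Backlog item"),
]

if __name__ == "__main__":
    for kind, items in check_evidence(SAMPLE_FINDINGS, SAMPLE_TICKETS).items():
        print(kind.upper())
        for line in items:
            print("  ", line)
    print("ready for upload:", ready_for_upload(SAMPLE_FINDINGS, SAMPLE_TICKETS))
```

Run against the sample data, the check flags F-2 as blocking (a High finding closed with no record of what was changed) and lists F-4 and F-5 as warnings; F-3 passes because its ticket records the justification for treating the finding as a false positive, which is exactly the evidence the auditor will ask for.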
Remember that performing a pen test at least annually is a requirement to fulfill SOC 2 criteria for most organizations. The pen test control within Strike Graph’s suggested control set requires that the pen test report and documentation of remediation are uploaded in order to be satisfied.
Questions?
Reach out through our chat feature for real-time Customer Success support 8 am - 5 pm PT Monday through Friday.
