
Disclaimer: I worked on Dropbox security. Not in appsec. I won't comment on the article, or the accuracy of the article, or anything that wasn't public before the article. I'm mostly just going to talk about what is broadly true for all or most companies.

I think it is worth noting that:

a) Pentesting 3rd party vendors is uncommon. This is something that the majority of companies rely on a SOC2 for.

b) Pentesting is not what the article is talking about, it's talking about bug bounties / Vulnerability Reporting Programs. It is equally, if not more, uncommon for a company to bring a vendor into its VRP.

And yes, companies care greatly about traffic being routed through China.



> a) Pentesting 3rd party vendors is extremely uncommon. This is something you rely on a SOC2 for.

In my experience this is fairly common? Although that was my experience working on the pen-testing side so I guess it was a little biased. The company I worked for did a lot of this sort of thing – pen-testing for meeting due diligence requirements.


There are two separate things here.

There's going to a company and saying "Are you SOC2? If not, we need you to be, and that requires a pentest - please go do that before we engage." There may also be, in this same vein, "We're strategic partners, we'll help you get that pentest". This is very common, I suspect the vast majority of pentests are compliance (and essentially sales) driven and would fall under this category.

That's different from "We have already engaged, you are already compliant with SOC2, you may do your own pentests, we will now separately pay for and manage a pentest of your company". This is not something I've seen too much of - perhaps that's just me not paying attention? But I'd be surprised if this were common at all.

Though I want to again restate that the article is focusing on VRP.


I find that very surprising that you uncommonly pen test 3rd party vendors. Working at a company that delivers a product to the enterprise, pretty much every publicly traded company we work with requires us to go through a pen test, or requires that we provide a recent and independent pen test report.

If you rely on SOC2 compliance then you are indirectly requiring a pen test.


> I find that very surprising that you uncommonly pen test 3rd party vendors.

Just so we're clear "you" is not Dropbox, and I'm not talking about what Dropbox does or doesn't do. I'm saying that, in general, most companies don't pentest other companies, they ask those companies instead to prove that they do their own pentests, which usually amounts to asking for their SOC2.

> we work with requires us to go through a pen test, or requires that we provide a recent and independent pen test report.

I am stating exactly this. Most companies require proof via SOC2, and that is it. Very few will actually hire a pentest firm directly for a 3rd party vendor.

> If you rely on SOC2 compliance then you are indirectly requiring a pen test.

To quote myself: "This is something you rely on a SOC2 for."



