Application penetration tests are performed by independent third parties on a quarterly basis and by OneLogin on a weekly basis. The objective of these tests is to discover potential security vulnerabilities in our app and to verify that it is free of the vulnerability classes catalogued in the OWASP Top 10 and the SANS Top 25. Testers are granted their own OneLogin account and access to the underlying source code, so assessments are conducted with full knowledge of the application rather than as black-box tests, and we alternate the vendors that we use. We also perform ad hoc penetration tests, as needed, when rolling out significant features or functionality that might not be covered by the periodic tests.
What’s the primary purpose of this initiative?
Penetration tests help OneLogin identify potential security vulnerabilities in our app, including the vulnerability classes catalogued in the OWASP Top 10 and the SANS Top 25.
What’s the scope?
The core app is covered during every assessment. Additional services, including mobile apps and browser extensions, are focus areas on a rotating basis.
How often are you evaluated/audited?
Third-party penetration tests are performed on a quarterly basis, and internal penetration tests are performed weekly.
Who performs the evaluation/audit?
OneLogin currently rotates among three different vendors.
Who is the primary audience?
OneLogin - internal use only
Where can I get a copy of the report/certificate?
Results of penetration tests are not shared with anyone outside of OneLogin. A scope letter from the most recent test can be shared with prospects or customers.