Penetration testing

How Changineers commissions external penetration tests and acts on the findings.

Changineers commissions an external penetration test of the platform once a year. The vendor is procured fresh each year rather than being on a standing engagement.

Each test covers:

  • The production application, both authenticated and unauthenticated paths.
  • The supporting AWS infrastructure.

Beta, internal tooling, and corporate IT are out of scope unless specifically agreed for that engagement.

The test report comes back as a list of findings with severity ratings. Each finding is added to the risk register in Vanta, where it is prioritised against other risks based on severity and impact.

Findings that need fixing are turned into security tickets in Jira with the appropriate priority. Engineers pick them up alongside other work in the normal sprint planning process. Remediation target windows are governed by Vulnerability management; this page does not redefine them.

Findings that are accepted as-is (false positive, not exploitable in the deployed configuration, mitigated by another control) are recorded, with the rationale, against the risk register entry rather than as a Jira ticket.

Test reports are made available to customers through the Changineers trust portal.