Coupa Penetration and vulnerability testing
Coupa performs automated infrastructure testing using Nexpose and manual application vulnerability testing on each major Enterprise release prior to production deployment. A "customer-facing" set of results from those tests is available to customers and prospects under NDA/MSA and can be downloaded from the folders below.
Customer penetration testing: why we don't allow it
Our standard MSA (with our customers) has a clause that explicitly prohibits testing by our customers. There are a number of reasons for this prohibition:
- Most importantly, if Customer A is testing and discovers a bug that gives them access to Customer B's data, we are required to consider that a breach, with all the legal and contractual breach-notification requirements that would apply to a breach resulting from an actual malicious attack. This could lead to legal challenges and everything else associated with a breach. We do NOT want to knowingly bring this upon ourselves when we can prevent it.
- As part of our secure development and secure operations processes, we perform ongoing infrastructure vulnerability and application testing. This testing uses industry-accepted tools and is continuous; unlike a single point-in-time test by a customer, this process helps us stay secure. Similar to brushing and flossing, you don't just do it every so often.
- We are a multi-tenant solution, so if one customer is testing their instance, it could have performance implications for other customers hosted on the same server. If the traffic came from an external attacker, we could simply block it and mitigate any further impact. Customers who are testing, however, expect not to be blocked. We would therefore need to create a clone deployment for each and every customer test and incur the infrastructure costs as well as the administrative costs of managing that additional infrastructure (our customers would expect their testing instances to remain available throughout their testing).
We are happy to share an executive summary of the results of our own testing, and to have a call to discuss the executive summary in more detail (as noted above).