All about PEN tests

The PEN test is part of a broader set of IT Security requirements; click here to go to the full list of requirements.

Introduction
As a bol.com ecosystem partner, you'll be able to obtain one of our quality rankings: Gold, Silver, Bronze or Ambassador. To obtain the Gold rank, we ask you to implement several IT Security precautions, which include a yearly PEN test by an independent party.

What kind of test do we expect?
The annual PEN test we require is performed by ethical hackers, who check the important assets within the joint service for vulnerabilities that can be exploited. The vulnerabilities found in this way paint a picture of the potential risks and help determine how those risks can be mitigated.

What should the scope be?
The PEN test should demonstrate adequate technical security for all data exchanged between bol.com and the sales partner through you, the third party. Therefore, all systems, interfaces and access paths that could potentially lead to that data should be in scope.

Relevant items the PEN tester should consider in their investigation are (this list may not be exhaustive for every situation):

  • Technical testing of systems that process sensitive data (note: workstations could fall into this scope);
  • Systems that are externally accessible, such as web servers, APIs, VPN, etc.;
  • Systems that are only accessible internally, such as databases, domain controllers, etc.;
  • Critical infrastructure components, such as firewalls, domain controllers, etc.;
  • Two-factor authentication on critical components*, such as admin accounts, domain controllers, remote access, databases, etc.;
  • Production data that is not available or accessible from other environments, such as test/development environments.

What should you pay attention to in the approach?
The approach is about selecting the right party and looking carefully at what you would like to have tested. To prepare for this, you can look at the vulnerabilities that are commonly found during organizations' PEN test preparations, which are mentioned here:

Organizations that could help you:
When choosing one of the many Dutch or international organizations that provide PEN tests, make sure that the expertise matches the environment you have set up. In addition, it is important that the proposed test approach fits into the aforementioned scope.

Examples of organizations (not limited to this list):

  • Securify
  • The S-Unit
  • Computest
  • Eurofins

What do I send to bol.com?
Plan of approach and scoping: the preparation of the PEN test is usually described in advance by the PEN tester. You can share a summary of this with us; pricing details don't have to be included. In terms of scope: every part of the technical environment and infrastructure that handles bol.com data should be included. A functional test (how policy is set up) isn't a priority for bol.com.
Follow-up plan: the PEN test findings might indicate that changes to the current setup are needed. We would like to see the management summary of the findings, as well as your follow-up plan, for the parts where bol.com data and/or the connection with bol.com is concerned.

What not to send to bol.com (e.g. exploitable descriptions)
Never send details about the findings to bol.com: no description of what a finding or vulnerability looks like, no (personal) data, and no data about connections with other customers. That said, if the test leads to an important finding, it is of course useful to see how it can be resolved; after all, this ultimately keeps your organization safer. You also don't need to include pricing details.

What does bol.com do with this information?
These documents will only be used to ascertain whether the IT Security level needed to assign or maintain the Gold rank is met. All results shared with bol.com will be treated as confidential and won't be used for any other purpose. If necessary, bol.com has NDA templates available to guarantee confidentiality.