Testing, Testing, Don’t Forget Penetration Testing!

Part of making a great product even better is testing, testing and even more testing. Our newest product, Interactive Intelligence PureCloud, is no exception. We conduct ‘human driven’ penetration testing on an ongoing basis to find potential flaws above and beyond what typical automated security tools can find.

Why do we use penetration testing?

  • Automated testing excels at certain classes of known vulnerabilities, but has difficulty finding business logic flaws.
  • While rigorous automated and manual code review, as well as automated vulnerability testing are part of our build process, human-driven penetration testing continues to be the most reliable method of finding vulnerabilities in Web applications.
  • Shows we “walk the walk, as well as talk the talk.” Protecting the reputation of PureCloud and our customers is critical. Unauthorized exposure of data can significantly damage the reputation of both PureCloud and any affected customer.
  • Meeting compliance requirements: Industry best practices and standards such as ISO 27001 require regular penetration tests by competent personnel.

Within the PureCloud security team, our penetration testing is performed by personnel who are trained and hold prestigious certifications, including:

  • Certified Information Systems Security Professional (CISSP)
  • Certificate of Cloud Security Knowledge (CCSK)
  • SANS GIAC Certified Advanced Penetration Testers (GPEN and GXPEN)
  • Amazon Web Services Certified SysOps Administrator
  • Amazon Web Services Certified Solutions Architect

While we’re confident in the skills and sophistication of our internal penetration testers, having an external, professionally recognized entity conduct an assessment of PureCloud underscores our commitment to security and reliability.

As a result, we engaged a well-known security firm, Trustwave Spiderlabs®, for a Level 4 Web Application Penetration Test. This Spiderlabs® test is the most advanced level of testing that they offer. Each test simulates an advanced attack executed by a highly motivated, well-funded and extremely sophisticated attacker who will exhaust all options for compromise before relenting. The team testers were given two PureCloud organizations to test with full administrative rights.

The Results

Let me tell you, we were very pleased with the results! This was the first third-party penetration test for PureCloud and we had:

  • Zero critical findings.
  • No penetration of back-end systems.
  • No unauthorized data exfiltration.
  • Three addressable findings fixed within one week.

If you’re interested in learning more about how PureCloud performed on this test, or our internal penetration testing, contact us!

Does your company use human- driven penetration testing? Has this improved your products? We’d love to hear your success stories!

Eric Cohen

Eric Cohen

Eric Cohen serves as the Director of Security and Compliance for Interactive Intelligence PureCloudSM. A retired U.S. Navy Submariner with vast specialization in information systems and security for both the public and private sectors, Eric makes certain PureCloud stays secure and compliant.