
We have a B2B SaaS service which runs on Microsoft Azure. Microsoft publishes a lot of information about Azure security, but occasionally customers ask us about the security testing and audits that have been performed on our own software, rather than on Microsoft's platform generally.

What good practice should we follow here? Is it enough to say we regularly have our systems tested by certified independent specialists? Or should we provide more detail, and if so, to what level?

S.L. Barth
rpg II
An "open" disclosure/security policy forces you to have serious audits and step away from security through obscurity, and therefore I think it is good to do so. Although of course, if your service relies on such techniques, disclosure could be a major security risk. – architekt Mar 06 '17 at 13:11

2 Answers


This will vary according to your business and the transparency you have with your customers. Most companies perform tests on their application and share with their customers the standards they have been tested against, but not the "step-by-step" of the testing.

For example, if you have a web application, you can mention to your customers that your application was tested against the OWASP web application standards. That should be enough to satisfy most customers.

If you deal with sensitive information, you may need to get certified under some regulations. For example, if you deal with credit card information, you need to be PCI-certified. Once you get this certification, you just need to prove to your clients that you passed PCI, but you don't necessarily need to describe every single test that was done.

Ricardo Reimao

Most larger clients will assess the contract (and your security capability) using artefacts from organisations such as the Cloud Security Alliance. It is therefore worth putting some investment into having good answers for the questions in the Consensus Assessments Initiative Questionnaire (CAIQ). This won't just keep you right, but will also be a valuable sales tool when signing new contracts with clients.

There are other standards that you can apply, of course; CSA is the one I have seen the most.

Callum Wilson