Comment by bawolff

3 years ago

Pentests are really different from SOC 2 type audits.

But the quality of pentests does vary significantly depending on who you buy from.

Rubber stamps can be useful as an absolute minimum baseline, because companies will lie through their teeth that their product is "secure", and at least with even a poor pentest you know you probably won't get easily hacked by a script kiddie, which may be a valuable assurance.

When you get easily hacked by a script kiddie, you can CYA internally about all the “preventative measures” you took by showing off the rubber stamp.