I have a client that uses a private web application I built for them. It stores personal information.
They want to partner with another company, and that company requires that the web app undergoes a penetration test to check security before they will work together.
Client: I talked to a pentest provider; they say you should ask your host’s permission before commissioning the test. Can you check if pentests are allowed?
Me: (after checking) No, my current host does not allow pentests and would suspend the account. I will need to move the web app to a new host. It will cost $X and I can do it at the weekend to avoid disruption. Can you give me the go-ahead to do that?
Client: Oh, by the way, I arranged the pentest; it’s being done tomorrow. Do we still need to move the site?
Obviously I told them to cancel the test immediately, but with a 15-hour time difference between myself and the client, I’m really not sure what the next 24 hours will bring.