Skip to main content
Custom BuildsReady-to-Launch
Sandbox

Introduction

Before reaching 50 customers on Unit or within 3 months after the API key handover, you are required to provide the results of a recent and valid penetration test.

Penetration tests will be required annually thereafter. Penetration test providers must be approved by the Unit security team to ensure the quality and scope of the test. Please see more details below.

| Item | Explanation | Guidance | | | ------------------------------------------------------------ | ------------------------------------------------------ | ------------- | | Penetration Test Type| There are three primary types of penetration testing: black box, gray box, and white box.

In gray or white box testing, the tester is provided with valid credentials, allowing them to test flows that require authentication. This enables the tester to identify and evaluate potential security vulnerabilities in areas that would otherwise be inaccessible in black box testing. |

  • Unit accepts only Gray box or White box penetration testing.
| | Penetration Test Scope | In a penetration test, test/fake accounts are created by the tested party for a penetration tester to use.

The provided test accounts should have access to all the internal and external APIs (especially APIs involving financial related actions)| Penetration tests should cover:

  • Network (Internal and external)
  • Web application
  • Mobile applications (if applicable)
  • Other APIs (e.g. application login, reset password, and other business flows provided as part of the customers’ solution.)
| Penetration Test Validity | Regularly conducting penetration tests is crucial for detecting any security weaknesses present in the application. |
  • The penetration testing report must have been conducted within the past 12 months.
  • Our customers will be mandated to perform a penetration test at least once every year.
  • The full version of the report must be shared without any masked or hidden sections.
| | Penetration Test Provider | We have created a list of trusted service providers to simplify the process of conducting a penetration test for our clients. Those vendors are already familiar with the scope of the required test, so you can directly engage with one of them, and share the pentest results with Unit at the end of the process.

Alternatively, you can select a different vendor for the test. Choosing a different vendor will require approval from Unit’s Security team that can be received after sharing the vendor’s name, the testing scope, and the testing methodology.|
  • Unit requires the test to be performed by one of Unit’s approved penetration test vendors or a vendor of your choice that was pre-approved by our Security team.
| Penetration Test Remediations | It is important to ensure that any identified vulnerabilities are addressed and that the system or network is adequately secured against potential threats.|
  • All medium and above vulnerabilities identified must be fixed and retested by the penetration tester.
  • Our information security team will review the results of the penetration test to assess the severity of any identified vulnerabilities and determine if any further remediation is required.
| | Initial Penetration Test Timelines | Before you reach 50 customers on Unit or 3 months after API key handover, you must provide us with the results of a valid penetration test. | If you have conducted a gray or white box pen test in the last 12 months:

  • If the results are satisfactory (no medium or high findings) or include a sufficient mitigation plan, we do not require another full test. However, we do require a connection-focused penetration test before you reach 50 customers. The focus of this test is the addition of Unit functionality and the effects it will have on you and+ your customers.
  • If the results are not satisfactory (some medium or high findings) and do not include a sufficient mitigation plan, we will require a full penetration test following launch and before you reach 50 customers, including a test of your connections to Unit.
If you have not conducted a gray or white box pen test in the last 12 months:

  • We will require a full penetration test following launch and before you reach 50 customers, including a test of your connections to Unit.
| | Ongoing Penetration Testing Requirements | Penetration tests are required to be completed annually while you are live on the Unit platform. | Penetration tests are required to be completed annually while you are live on the Unit platform.| |