System/Application Penetration Testing Clause Samples

The System/Application Penetration Testing clause defines the requirements and permissions for conducting security assessments on software systems or applications. It typically outlines the scope of testing, the parties authorized to perform the tests, and the procedures for notifying relevant stakeholders before testing begins. This clause ensures that penetration testing is conducted in a controlled and authorized manner, helping to identify and address security vulnerabilities while minimizing operational disruptions and legal risks.
System/Application Penetration Testing. Upon each new major release of any software provided to Southwest by Supplier hereunder, but not less than once per year during the term, Supplier shall perform application penetration testing and promptly notify Southwest of the results of each such penetration test. The penetration tests will be performed by independent third party SANS-certified penetration testers or by a mutually acceptable independent third party testing company and will include assessment of the mobile and hosted components of any applicable application. Web applications will, at a minimum, be assessed against the then-current OWASP Top Ten. Non-web applications will, at a minimum, be assessed against the then-current CWE/SANS Top 25 Most Dangerous Software Errors. Application testing will include both automated analysis and manual assessment. Mobile components of the software will, at a minimum, be manually assessed (code review and penetration test) against the then-current OWASP Mobile Top Ten Risks and the OWASP Mobile Top Ten Controls. Any “very high,” “high,” or “medium” severity vulnerabilities and any vulnerabilities with CVSS (Common Vulnerability Scoring System) ratings higher than 4.0 will be promptly remediated and retested for verification at Supplier’s sole cost and expense. On request, Supplier will make the results and remediation plans from penetration testing available to Southwest.