Penetration Test Requirements

In this article, we will look at what a quality penetration test should look like in order to get certified and receive the highest score on CER.live. The penetration test is one part of the cybersecurity assessment methodology, accounting for 25 of the 100 points in the scoring system.
To obtain certification on CER.live, an exchange must demonstrate that its penetration test meets all of the requirements below. The following are the defining characteristics of a high-quality penetration test for a crypto exchange, as required by CER.live:
1. Comprehensive Scope
The penetration test must cover all critical components of the exchange, including the trading platform, wallet systems (hot and cold storage, key management and withdrawal signing flows), user authentication mechanisms, databases, and all APIs. If the exchange offers a web interface or mobile applications, these must also be assessed for both general and platform-specific vulnerabilities. Every in-scope component should be tested so that each likely attack vector against the exchange is examined, and the report should list what was in scope and what was excluded.
2. Realistic Testing Scenarios
Testing must be performed using methodologies based on recognized industry standards (e.g., OWASP, NIST, PTES, and relevant blockchain security guidelines). The test should simulate real-world attack scenarios and reflect current threat landscapes. The penetration testing provider must clearly document the methodology used, ensuring transparency, repeatability, and coverage of both traditional and blockchain-specific risks.
3. Testing Environment
Penetration testing should ideally be conducted in a non-production environment that accurately mirrors the production system, so that testers can assess security thoroughly and aggressively without impacting real users or live operations. The report should contain an Environment Validation section confirming that the staging environment faithfully reproduces production (same application versions, configuration, and infrastructure components), since findings against an outdated or simplified copy say little about the live system. If a staging environment is unavailable, testing may proceed directly against production systems; in that case the report should state this explicitly, as the Environment Validation section does not apply.
4. Internal, External, and Cloud Testing
The penetration test should assess security from multiple perspectives. Externally, it should cover attacks by internet-based threat actors against the exchange's public-facing services. Internally, it should cover risks arising from insider misuse or compromised credentials, which typically start with some authenticated access rather than none. For cloud infrastructure, it should distinguish between public exposure of cloud resources and misuse from inside the account, and should check for common cloud-specific misconfigurations such as overly permissive identity policies, publicly readable storage buckets, and misconfigured managed services. Organising the test around access scope (unauthenticated, authenticated, privileged) and platform-specific failure modes ensures that all likely attack vectors are covered.
5. Tester Independence and Qualifications
The penetration test must be conducted by an independent, qualified third party with demonstrable expertise in blockchain and web application security. The provider should present relevant certifications or accreditations (for example SANS or PCI DSS) and show that its work aligns with recognised frameworks and methodologies (NIST, OWASP, PTES, MITRE ATT&CK, OSSTMM); the latter are methodologies rather than certifications, so alignment with them should be evidenced in the report's methodology section.
6. Reporting and Remediation Guidance
A comprehensive report is essential, detailing all vulnerabilities discovered, their severity levels, proof-of-concept evidence for each, and actionable remediation recommendations. The report should prioritise vulnerabilities by their potential impact on the exchange and its users' funds. The exchange must demonstrate that all findings were remediated, typically through a retest confirmation or remediation sign-off from the provider.
7. Relevance of the report
The report must have been issued no more than one year before the exchange applies for listing on CER.live. The submitted report expires one year after its submission unless the exchange renews it with a new test.


