Best Practice has introduced Cyber Security requirements for all Partners connecting commercial applications to our practices' databases. This is to ensure we have done our due diligence in vetting Partners' security practices and have made the effort to protect against potential vulnerabilities when connecting these applications.
This FAQ page is designed to help answer any commonly asked questions about this process.
Frequently Asked Questions
How often do we need to do a Penetration Test / Cyber Certification?
- Penetration Testing is to be completed every 2 years.
- Cyber Certifications are to be completed yearly.
What company should we use?
Best Practice strongly recommends that a CREST accredited company be used. These can be found using the following links:
Can I use a non-CREST company for a Penetration Test?
While you can use a company that is not CREST certified, Best Practice Software will then validate that company and/or the penetration testers' qualifications and suitability for such testing. If Best Practice is unable to validate suitability, then you will be required to organise another test.
What does the penetration test need to cover?
The objective of the penetration test is to determine if there is any third-party risk to Best Practice Software or potential for supply chain attack from Best Practice Software.
The penetration test will need to evaluate all applications and integration services that communicate with Best Practice Software Bp Premier application via Halo Connect.
This includes Windows applications that run on the desktop and connect to remote resources. These form part of the application under security test, and logins to these applications should be provided to the penetration tester as they form part of the system under test.
What should I ask the Penetration testing company to do?
Our suggested wording is as follows:
<Your company> is seeking to engage with Best Practice Software.
The scope of this penetration test is to evaluate all applications and integration services that communicate with Bp Premier directly or via Halo Connect, specifically, but not limited to <insert applications here>.
Testing will occur in a production-like environment using sample data to avoid impacting live services and will be grey box access.
Why grey box access and not black box?
When black box testing is performed, the effort is spent seeing what the entry points might be for an attacker within the given time box. Grey box allows the testers to bypass the entry points and check that the application itself is built securely in the event of a compromise.
Grey box will provide more return on investment to partners who will gain information on missed security best practices.
Find more information on black and grey box testing here: Blackbox Pentest vs Whitebox Pentest vs Greybox Pentest.
Is there a Penetration Test score we need to meet?
Any items that come under critical or high must be rectified within two (2) business days or such other period as reasonably agreed by Best Practice Software. Medium items will be assessed by Best Practice.
How much does it cost?
The cost for the service is dependent on scope, complexity, and the daily rate of the penetration test company. Testers should provide a quote and an outline of the work that they will perform.
What if the quote that has come back is expensive and we don't have it in our budget?
A Penetration Test and Cyber Certification needs to be considered part of the cost of running the business. Government grants or capital raising options may be considered if additional funding is required.
What happens if we can't meet the renewal deadlines?
If you are unable to meet the obligated deadline, please contact the Partnership team as a matter of urgency at partners@bpsofware.net. In the communications, you'll need to include the reason that you are unable to meet the deadline.
What is a 'significant change' that would require a new penetration test?
As per your partner agreement, Best Practice requires that a new test be completed when significant changes occur. A significant change is any major change to your product or technology, such as:
- Authentication changes
- Authorisation changes
- Architectural changes
- New data flows.
If you have any further questions or concerns, please reach out to our Partners team via email: partners@bpsofware.net.
Last updated 10 November 2025.