How can we safely allow a client to perform penetration testing?

Non-Disclosure Agreements

An NDA is a fairly standard thing in most penetration tests. No serious penetration tester will protest against an NDA.

The company conducting the penetration test may later approach you and ask you for your permissions to anonymously talk about the findings at your company for educational purposes, which you can always deny if you feel it would harm your business.

This could look like "In a penetration test for ACME Corp., we were tasked with testing a SaaS solution. During the test, we found that ..."

Details on who is performing the test

It makes sense to know who the actual testers are, just in case you need to contact them directly for one reason or another. However, you should keep in mind that not all penetration testers have certifications yet, especially those who just started out. So it could very well be that a company may decide to also assign a newly hired penetration tester to the project so they get more experience, in addition to an already experienced team.

Restricted Scope

This is also very usual to see in penetration test projects. It's up to you to define the scope of the assessment, and as such also what kinds of tests a penetration tester is allowed to perform.

Testing Environment

Again, the scope is up to you. If you say you would rather offer a staging server than production, that is very reasonable. In fact, I always prefer testing on staging rather than on production environments, because I don't want to be the reason thousands of customers suddenly can't access their software anymore, simply because some exploit code I ran crashed a machine by accident.

A copy of the report

That's another reasonable request to make. In fact, you're getting a penetration test done on your software and you don't even have to pay for it. That's a win for you!


All those are normal things for you to request. The options are also up to you and what risks you want to accept and what mitigations you want.

It's also acceptable to tell them 'no'.

What I did when I worked at a SaaS company was to employ our own pentester and made their report available to potential customers under an NDA. Far fewer risks that way and you have more control.


Yes, it is absolutely standard and fair for you to request those items. You should go a step further and have a contract in place that includes a non-disclosure agreement and scope of testing.

Having a discussion with the penetration testing service can illuminate this document; you can work with them to determine what should and should not be tested. Begin by thinking of things you definitely do and do not want tested. They can make recommendations and guide your scope. Of course, you should have buy-in from your executives.

A brief anecdote: our testers asked us for permission to install a keylogger on the machine of our CTO and I gave them the green light. When I informed my manager, thinking "Sure, he'll approve this," he quickly changed the light to red and told the testers to pull the device. Lesson learned: work with management to determine what's in scope.

Additionally, you will want to have a remediation plan in place, so make sure your departments know what's up and are prepared for the work to come.

Finally, for reporting, you should absolutely get a full report of their discoveries. Also, make sure you get a client-facing document. This can be a glowing review that communicates to your clients that you take privacy and security seriously. This can also expedite sales velocity. The service should also do a re-test after you've remediated (within three to six months). Our service doesn't charge for this but some may. Bring this up with them and see what they say.

Good luck, and engage with the testers. They often like it when you show interest and help them help you!