
Penetration testing

Security assessment

Roche allocates resources to maintain industry-standard internal and external penetration testing activities to protect patient and user safety.

Protecting patient safety: Roche’s penetration testing commitment

Roche is dedicated to protecting patient and user safety by implementing an objective and consistent security validation program. We allocate significant resources to maintain industry-leading internal and external penetration testing (pentesting) activities as a core part of our comprehensive security strategy.

Continuous and comprehensive security validation

At Roche, security testing is not a single event. It is a continuous and adaptive process. Penetration tests are performed systematically at critical moments such as:

  • Before a product launch

  • After significant architectural changes

  • On a recurring basis to be adaptive to a changing security landscape

To further encourage ongoing vigilance, we supplement these internal tests with Bug Bounty programs, inviting the security expert community to help identify potential vulnerabilities.

Thoughtful and thorough planning

The scope of our penetration testing activities is carefully planned to ensure that the entire attack surface of our products is considered. This includes comprehensive assessments of our cloud-based solutions:

  • Web applications

  • APIs

  • Cloud infrastructure

  • Mobile applications

Additionally, the security validation extends to our medical device instrumentation portfolio.

Independent expertise and verified quality

To maintain objectivity, penetration testing is conducted by a dedicated, independent internal security team that is separate from the development organizations. This separation adheres to IEC 81001-5-1:2021 and is occasionally supplemented by leading third-party partners. Our specialists' extensive experience and technical skill are validated by internationally recognized certifications, including:

  • Offensive Security Certified Professional (OSCP): Advanced practical penetration testing

  • CREST Registered Penetration Tester (CRT): Professional, ethical and high-quality testing

  • Certified Ethical Hacker (CEH): Foundational ethical hacking techniques

This high level of qualification ensures that our testing methodologies remain current and aligned with best practices.

Transparency and accountable remediation

Our testing employs a rigorous "white box" methodology, enabling an exhaustive assessment that is aligned with the testing plan's objectives. Testers have access to such things as:

  • Technical information

  • Code

  • Configuration details

  • Product and system architectures

This access allows testers to conduct a comprehensive evaluation. Our process adheres to leading industry best practices and security frameworks, such as the Open Worldwide Application Security Project (OWASP) Top 10 and the benchmarks established by the Center for Internet Security (CIS).

Disclaimer
  • Not every digital product is available in all markets. The use of any third-party app is subject to a separate license agreement with the respective third-party app developer. Roche gives no warranties (express or implied) with regard to any third-party app. Third-party apps might not be available in your country. Although this website and its content may be accessible worldwide, Roche assumes no liability with regard to access to the information, which may not be compatible with the legislation or regulations in force in your country.
  • MC--19710
navify® digital solutions | Penetration testing program