Pen Testing
Whether pen testing is required depends on the sensitivity of the data. Web application scans are also possible, but not for externally hosted apps; those would be done by a third party.
Criteria for when a pen test is required:
- C3: every two years or when the code changes (C3 is a broad classification of data)
- C4: every year or whenever the code changes
Source: Meeting Minutes 3/31/2021 gCORE DCR Security & Change Controls Review