Finducation - EZBudget™
Penetration Testing Policy and Program
Planned independent penetration testing program for application and infrastructure.
1. Policy Statement
EZBudget intends to evaluate its security controls through periodic penetration testing across both application-layer and infrastructure/network-layer surfaces. As of the effective date of this document, structured third-party penetration tests have not yet been completed; this policy describes the target program and current internal review practices.
Planned Independent Pen-Testing Application + Infrastructure Scope Current Focus: Internal Reviews
2. Scope
2.1 Application Testing Scope
- EZBudget web and mobile client surfaces
- Authentication and session handling flows
- Backend API endpoints and serverless functions
- Financial data integration boundaries (including Plaid-related flows)
- Input validation, authorization, and business logic abuse scenarios
2.2 Infrastructure / Network Testing Scope
- Hosting and deployment platform configuration
- Network exposure, transport security, and service perimeter controls
- Administrative access paths and privileged service interfaces
- Security header and platform hardening posture
3. Testing Methodology
- Rules of engagement and scope boundaries are defined before each engagement.
- Testing follows industry-recognized methodologies (e.g., OWASP-oriented application testing).
- Critical and high findings are prioritized for remediation and validation retest.
- Residual risk acceptance requires documented approval by policy owner.
4. Program Cadence and Triggers (Planned)
| Test Type | Minimum Frequency | Trigger Events |
|---|---|---|
| Application penetration test | At least annually | Major release, auth changes, new financial integrations |
| Infrastructure / network penetration test | At least annually | Hosting changes, architecture shifts, incident findings |
| Targeted retest | As needed | Closure validation for critical/high vulnerabilities |
5. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Policy Owner | Defines scope, approves engagement of third parties, and reviews results when tests are performed. |
| Engineering Team | Executes internal security reviews today and will implement remediation for future test findings. |
6. Reporting and Remediation
- Findings are classified by severity and mapped to affected components.
- Remediation owners and target dates are assigned for actionable items.
- Closure evidence is retained for audit and partner due diligence requests.
7. Due Diligence Mapping
| Questionnaire Assertion | Policy Position |
|---|---|
| Application penetration testing performed by independent testers | Planned - Program documented here; no independent application pen-test has been completed as of the effective date. |
| Infrastructure / network penetration testing performed by independent testers | Planned - Program documented here; no independent infrastructure/network pen-test has been completed as of the effective date. |
8. Approval
This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.
Approved By: Deseo Developers LLC - Authorized Representative
Date: July 8, 2026
Contact: contact@deseodevelopers.com