No no, I absolutely agree with you (about the hazard). I worry about any company that puts all it's app test eggs into one large contract with a big firm (a statement which I'm sure would make one of my salespeople cringe). I find that the places who use a combination of multiple app testing companies in combination with their internal teams seem to fare much better.
For this specific vulnerability, I find it shocking that even the most rudimentary assessment wouldn't have caught it; but my own personal befuddlement might be biasing me against thinking that (2) is likely.
For this specific vulnerability, I find it shocking that even the most rudimentary assessment wouldn't have caught it; but my own personal befuddlement might be biasing me against thinking that (2) is likely.