TIP #6: Testing happens before an application is moved into production
Ideally, a penetration test for a new application should be conducted during the user acceptance testing phase, and just prior to moving it into production. This will allow a penetration tester to try different attack vectors without the risk of impacting business continuity, and, more importantly, prevent you from commissioning a vulnerable system.
But it’s never too late to conduct a penetration test, and the test can even be completed post-production. A knowledgeable penetration tester will advise this.