Historically, at most 78% of the vulnerabilities found in pentests are ever resolved. Part of that is down to compliance: many pentests are commissioned for the sole purpose of passing an audit. The result is that numerous businesses remain vulnerable even after their vulnerabilities have been found. In today's threat-fraught environment, in which breaches exposed over 32 million records in the first half of 2020, security matters more than ever. Yet Varonis reports that only 5% of companies' folders are properly protected. Breaches can cost tens of thousands of euros, and millions of businesses remain exposed.
Pentests are one way to secure your website, your applications, and other assets. But a pentest does not secure anything by itself; it finds vulnerabilities, and only remediation closes them. That is why Cyver uses Pentest-as-a-Service to deliver a more hands-on approach to vulnerability management and remediation. It is especially useful for Agile and DevOps teams, because findings are delivered as tickets that you can hand directly to teams as part of their sprints.
How does that work?
What is Pentest-as-a-Service?
Pentest-as-a-Service means moving pentesting away from a one-off, analogue process to a recurring, digital process with results delivered in the cloud. At Cyver, that means onboarding clients to our pentest management portal with:
- Pentests planned and delivered in the cloud
- Findings-as-tickets with status management
- Integration with tools like Jira
- Digital dashboards with pentest management
- Online scheduling, so you can schedule your next pentest immediately
- Pentest Credits, so you can commit your cybersecurity budget upfront and leave the timing of each pentest to developers and compliance officers
- Direct collaboration with pentesters to improve remediation
- Free retesting following remediation
- Pentesting scaled to your environment
Pentest-as-a-Service essentially allows us to function as a long-term cybersecurity consultant and partner. Rather than a one-off pentest, you get ongoing pentesting, ongoing support, and collaboration on remediation and retesting, so you can verify that findings are actually closed rather than just reported.
Vulnerability Management and Data Analytics
Vulnerability management tools are increasingly important for tracking and managing risk, but dedicated tools are expensive. That is why Cyver includes vulnerability data management with every pentest at no extra cost. When we find a vulnerability, it goes straight into your findings database, where you can:
- See vulnerability status
- Track remediation
- Assign a responsible party
- View supporting data such as reproduction steps, evidence, and fix recommendations
- Track time-to-fix metrics
- Map findings to any compliance needs you might have
Over time, this lets you gauge your security posture from the number and severity of open vulnerabilities, spot weakness classes that keep recurring (so developers can fix the underlying cause rather than each instance), and track how and when vulnerabilities crop up.
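The metrics described in this section can be derived from any findings export, whatever platform produced it. The script below is an added example and is not Cyver's code; it does not use the Cyver platform's actual schema. The field names, the SLA table, the "as of" date and the sample findings are all constructed assumptions. It computes open counts per severity, median time-to-fix, recurring weakness classes (by CWE), SLA breaches, and a per-team sprint queue:

```python
"""Vulnerability-management metrics over a pentest findings export.

Added example. Field names, SLA values and sample data are assumptions
for illustration, not Cyver's schema or policy.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample export (not real findings). "fixed" is None while open.
FINDINGS = [
    {"id": "F-1", "asset": "shop.example.test", "cwe": "CWE-79", "severity": "high",
     "found": "2020-03-02", "fixed": "2020-03-20", "status": "fixed", "owner": "team-web"},
    {"id": "F-2", "asset": "shop.example.test", "cwe": "CWE-89", "severity": "critical",
     "found": "2020-03-02", "fixed": "2020-03-06", "status": "fixed", "owner": "team-web"},
    {"id": "F-3", "asset": "api.example.test", "cwe": "CWE-79", "severity": "medium",
     "found": "2020-03-03", "fixed": None, "status": "open", "owner": "team-api"},
    {"id": "F-4", "asset": "api.example.test", "cwe": "CWE-287", "severity": "high",
     "found": "2020-03-03", "fixed": None, "status": "in-progress", "owner": "team-api"},
    {"id": "F-5", "asset": "admin.example.test", "cwe": "CWE-79", "severity": "high",
     "found": "2020-06-10", "fixed": "2020-06-30", "status": "fixed", "owner": "team-web"},
    {"id": "F-6", "asset": "admin.example.test", "cwe": "CWE-1021", "severity": "low",
     "found": "2020-06-10", "fixed": None, "status": "open", "owner": "team-web"},
]

# Assumed remediation SLA in days per severity (an example policy, not Cyver's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# Constructed "as of" date for the report.
TODAY = date(2020, 7, 1)


def _d(s):
    """Parse an ISO date string; None stays None (finding still open)."""
    return date.fromisoformat(s) if s else None


def is_open(f):
    """A finding counts as open until it has been fixed (and retested)."""
    return f["status"] != "fixed"


def open_by_severity(findings):
    """Count findings still open, per severity."""
    return Counter(f["severity"] for f in findings if is_open(f))


def median_time_to_fix(findings):
    """Median days from discovery to fix, per severity, over closed findings only."""
    days = defaultdict(list)
    for f in findings:
        if not is_open(f) and f["fixed"]:
            days[f["severity"]].append((_d(f["fixed"]) - _d(f["found"])).days)
    return {sev: median(v) for sev, v in days.items()}


def recurring_weaknesses(findings, min_count=2):
    """CWE classes seen min_count or more times: candidates for a root-cause fix."""
    counts = Counter(f["cwe"] for f in findings)
    return sorted(((cwe, n) for cwe, n in counts.items() if n >= min_count),
                  key=lambda pair: -pair[1])


def overdue(findings, today=TODAY, sla=SLA_DAYS):
    """IDs of open findings whose age exceeds the SLA for their severity."""
    return sorted(f["id"] for f in findings
                  if is_open(f) and (today - _d(f["found"])).days > sla[f["severity"]])


def sprint_queue(findings, owner):
    """Open findings for one team, most severe (then oldest) first."""
    mine = [f for f in findings if is_open(f) and f["owner"] == owner]
    mine.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["found"]))
    return [f["id"] for f in mine]


if __name__ == "__main__":
    print("open by severity:", dict(open_by_severity(FINDINGS)))
    print("median time-to-fix (days):", median_time_to_fix(FINDINGS))
    print("recurring weakness classes:", recurring_weaknesses(FINDINGS))
    print("overdue as of", TODAY, ":", overdue(FINDINGS))
    print("team-api sprint queue:", sprint_queue(FINDINGS, "team-api"))
```

On the constructed data, CWE-79 shows up three times across three assets, which is exactly the recurrence signal the section describes: a single framework-level output-encoding fix would close all three rather than patching each instance. The two overdue items are both on the API team, so the sprint queue puts the high-severity authentication finding ahead of the medium XSS.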
Assigning Responsibility & Ownership of Cybersecurity
Pentest-as-a-Service platforms like Cyver let you make vulnerability remediation part of development. For example, you can onboard development teams into the platform: they see vulnerabilities as soon as they are added and can start remediating them immediately. Assigning specific people to pentests and to individual vulnerabilities means those stakeholders can access, manage, track, and remediate findings in a traceable and visible way. This fits Agile well, where you want to assign ownership of a module or feature to a single team. Giving that team access to the dashboard, where findings are traceable per asset, lets it roll remediation directly into the sprint.
Cyver also makes it easier to give teams ownership of cybersecurity for Secure-by-Design development and DevOps. With our pentest credit system you budget for pentests upfront by buying credits. Developers can then request pentests to coincide with major application updates, new feature rollouts, and compliance audits, without going through a separate budgeting exercise each time. And with transparent, predictable pentest costs, you can fit a year's pentesting into a single budget analysis.
An Ongoing Partnership with Pentest-as-a-Service
Pentest-as-a-Service means we deliver pentests over a longer period, scheduled at intervals that suit you and delivered in the same platform every time. We get to know your environment and risk profile, we can see your vulnerability history, and we communicate and collaborate with developers and compliance officers on resolving issues. This improves security right away, because you get guidance on how to reproduce and resolve each vulnerability rather than just a list. It also improves security over time, because we are familiar with your environment and can scale up the depth and scope of testing as your environment hardens.
Pentest-as-a-Service lets us deliver better pentests, not only because results arrive in an accessible and manageable form, but because you get the tools, knowledge, and collaboration you need to actually improve security.