Today, an estimated 92% of all new organizations are Agile. And, most of those organizations build, manage, and use software in some form or another. Pentesting is, traditionally, your best way to ensure ongoing security while meeting regulatory compliance. But, for many, traditional pentesting doesn’t fit into Agile workflows. Instead, PDF reports force Agile companies to break down work and deliver it in a top-down fashion. That doesn’t work for teams who are expected to pick up their own work, to take ownership of their own modules, and to be involved with every aspect of their application.
While Agile works very well for the kind of rapid organizational testing and flows that enable good remediation – most organizations cannot benefit from it with traditional pentesting. Instead, most Agile organizations concerned about security rely on SAST, DAST, and vulnerability scanners to ensure ongoing security. That’s good; scanners should always make up the baseline of security. But, you still need the human insight that comes with a pentester’s expertise. Most importantly, pentesting can deliver vulnerability findings in an Agile-friendly way with Pentest-as-a-Service, so you get the best of both worlds.
What is Pentest-as-a-Service?
Pentest-as-a-Service is the process of digitizing pentesting and delivering it on a recurring basis, with findings as tickets, and the resources to act on vulnerability findings.
At Cyver, that means:
- A pentest-as-a-service platform for you + your teams
- Pentest management tooling
- Schedulable pentesting
- Pentest credits, so finance can budget for pentesting and put dates, times, and frequency in the hands of the teams requesting them
- Recurring pentests, with the next planned as part of the last
- Vulnerability findings delivered as tickets
- Communication including live chat with the pentesters
- Export to tools like Jira
- API support
- Free retesting, delivered as part of the original pentest
These allow us to deliver penetration testing in a way that meets the needs of Agile teams. Rather than breaking down PDFs and delegating them to relevant teams, those stakeholders can receive notifications immediately, ask relevant questions, and roll the finding into the next sprint.
What are Findings as Tickets?
We deliver findings as tickets as part of the overarching report. When you log into our platform, Cyver Core, you can access any findings we’ve delivered as part of the pentest. Each vulnerability finding is uploaded independently with data including:
- Description of the vulnerability
- Proof of findings/screenshots
- Replication data
- Our criticality rating including CVSS score
- Any comments or notes from the pentester
Each finding is also linked to the affected assets, so that the teams assigned to an asset automatically receive an alert. This lets teams continue taking ownership of their assets and modules – so remediation continues in a fully Agile way.
Link to Your Tools
Delivering findings as tickets also means you can link those findings to your existing tools. Cyver offers a Jira integration, so you can manage findings in the tools your developers already use. We also offer an API, which lets you import ticket data into your existing work management platforms. You can also export pentest management data – such as pentest schedules, finding and remediation data, and our pentest insights. These include data on time to fix, areas of vulnerability, criticality levels, and most frequently occurring vulnerabilities.
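To make the findings-as-tickets model concrete, here is an added example (not Cyver’s code, and not its real API or Jira integration) that models a finding with the fields listed above, routes it to the team that owns the affected asset, builds a generic Jira “create issue” payload, treats a finding as fixed only once the retest passes, and computes the time-to-fix and most-frequent-vulnerability insights mentioned. The asset names, team names, CVSS-to-priority mapping, and sample findings are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample: which team owns which asset (hypothetical names).
ASSET_OWNERS: Dict[str, str] = {"web-portal": "team-frontend", "api-gateway": "team-platform"}
UNOWNED_QUEUE = "security-triage"  # fallback when no team owns the asset


@dataclass
class Finding:
    """One vulnerability finding, modelled on the ticket fields the post lists."""
    title: str
    category: str               # vulnerability class, used for the "most frequent" insight
    asset: str                  # affected asset the finding is linked to
    cvss: float                 # CVSS base score
    description: str
    reproduction: str           # replication data
    found_on: date
    fixed_on: Optional[date] = None
    retest_passed: bool = False
    comments: List[str] = field(default_factory=list)  # pentester notes


def severity(cvss: float) -> str:
    """CVSS v3.x qualitative rating: None / Low / Medium / High / Critical."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def route(finding: Finding) -> str:
    """Team that is alerted: the owner of the affected asset, else the triage queue."""
    return ASSET_OWNERS.get(finding.asset, UNOWNED_QUEUE)


# Assumed mapping onto Jira's default priority scheme.
PRIORITY = {"Critical": "Highest", "High": "High", "Medium": "Medium", "Low": "Low", "None": "Lowest"}


def to_jira_issue(finding: Finding, project_key: str = "SEC") -> dict:
    """Generic Jira REST 'create issue' payload shape (an assumption, not Cyver's integration)."""
    sev = severity(finding.cvss)
    body = (f"h3. Description\n{finding.description}\n\n"
            f"h3. Replication\n{finding.reproduction}\n\n"
            f"h3. CVSS\n{finding.cvss} ({sev})\n")
    if finding.comments:
        body += "\nh3. Pentester notes\n" + "\n".join(f"* {c}" for c in finding.comments)
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "summary": f"[{sev}] {finding.title} ({finding.asset})",
        "description": body,
        "priority": {"name": PRIORITY[sev]},
        "labels": ["pentest", f"severity-{sev.lower()}", route(finding)],
    }}


def close_after_retest(finding: Finding, retested_on: date, retest_passed: bool) -> Finding:
    """A finding only counts as fixed once the retest confirms the remediation."""
    finding.retest_passed = retest_passed
    if retest_passed:
        finding.fixed_on = retested_on
    return finding


def insights(findings: List[Finding]) -> dict:
    """Pentest insights of the kind named in the post: time to fix, frequency, criticality."""
    fix_days = [(f.fixed_on - f.found_on).days for f in findings if f.fixed_on]
    return {
        "mean_days_to_fix": mean(fix_days) if fix_days else None,
        "open_findings": sum(1 for f in findings if not f.fixed_on),
        "by_severity": dict(Counter(severity(f.cvss) for f in findings)),
        "most_frequent_category": Counter(f.category for f in findings).most_common(1)[0][0],
    }


# Constructed sample findings (not real pentest results).
STEPS = "Reproduction steps are recorded in the pentest report."
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", "SQL Injection", "web-portal", 9.8,
            "User input reaches the query unparameterised.", STEPS, date(2024, 1, 10),
            comments=["Use parameterised queries."]),
    Finding("Missing rate limiting on token endpoint", "Rate Limiting", "api-gateway", 5.3,
            "No throttling on the token endpoint.", STEPS, date(2024, 1, 12)),
    Finding("SQL injection in product search", "SQL Injection", "web-portal", 8.6,
            "Search parameter concatenated into SQL.", STEPS, date(2024, 2, 1)),
    Finding("Verbose error page", "Information Disclosure", "legacy-reports", 3.1,
            "Stack traces shown to users.", STEPS, date(2024, 2, 3)),
]
close_after_retest(SAMPLE_FINDINGS[0], date(2024, 1, 14), retest_passed=True)   # 4 days to fix
close_after_retest(SAMPLE_FINDINGS[1], date(2024, 1, 22), retest_passed=True)   # 10 days to fix
close_after_retest(SAMPLE_FINDINGS[2], date(2024, 2, 5), retest_passed=False)   # stays open

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(route(f), "<-", to_jira_issue(f)["fields"]["summary"])
    print(insights(SAMPLE_FINDINGS))
```

The fourth sample finding has no asset owner and therefore lands in the triage queue rather than being silently dropped; in practice that fallback is the check worth monitoring, since an unowned asset is a finding nobody will pick up in a sprint.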
Ultimately, Cyver works to deliver pentesting as part of the Agile sprint. Pentesters can request assessments as they launch large or impactful updates to applications. We deliver code reviews to improve security before updates. And, we deliver pentest results in a format that enables compliance officers, IT staff, and developers to quickly pick up vulnerabilities and resolve them – with us acting as a consultant. And, once they’re done, we always retest to ensure the problem is actually resolved.