Fitting Pentesting into DevOps Cybersecurity Budgets with Pentest Credits
Pentest-as-a-Service helps you integrate pentesting and cybersecurity into development. Organizations like Cyver deliver regular, schedulable pentests built around remediation, with Agile-friendly findings-as-tickets, direct communication with pentesters, and free retesting to ensure fixes work. But, the idea of Pentest-as-a-Service is also to move pentesting and cybersecurity into the hands of the people building code, managing fixes, and launching updates.
Agile work methodology has taken over the software world. Chances are, if you build applications, you run Agile. That means predictability is low, road maps are built around outcomes not direct assets, and teams are in charge of when and how they produce results. That makes it difficult for management to choose when and how to pentest – because pentesting has to align with changes to the application. Using traditional pentest budgeting, you can’t simply hand your DevSecOps team freedom to pentest whenever they’d like. They’d have to draft a request, send it to finance, and wait for approval – a process which can take months.
That’s why Cyver uses a credit system, moving budgeting and pentest timelines directly into the hands of the DevOps and DevSecOps teams using them.
Our Pentest Process for DevOps Cybersecurity
Cyver uses a credit system, meaning all pentest budgeting can be handled upfront. We also offer discounts for volume purchases, making it easier to commit to multiple pentests upfront, and smarter to do so if you know you need multiple pentests throughout the year.
- Finance sets a cybersecurity budget based on the previous year’s threat assessments, costs, and the current risk assessment.
- Budget is spent on pentest credits at Cyver – based on total budget, predicted number of pentests needed, and total budget. Cyver uses fixed rates for pentests based on project size, scope, and complexity – meaning pentest costs remain the same throughout the year.
- Credits are handed off to stakeholders, who can then choose when and how to pentest. For example, team leads can schedule pentests as it becomes obvious when major updates or changes will be ready – ensuring that the two line up. In addition, dev teams can request code review to catch early bugs – without having to run requests through Finance.
The end-result is that DevOps teams get much more control over cybersecurity, because they choose when and how to test. And, with pentesting in the hands of developers, they become much more engaged in the full process – allowing for better total security and better total results.
Moving Forward with Release-Driven Pentesting
Release driven pentesting makes the most sense for modern applications. New releases create risks, require pentests for compliance, and mark the most key points at which to assess for new vulnerabilities. You can’t align releases with a fixed schedule. In addition, continuous pentesting is often too expensive for many DevOps cybersecurity teams. Release driven pentesting is the best of both worlds – combining recurrent testing with points where you are most likely to introduce new vulnerabilities to the application. But, managing release driven pentesting without involving dev teams is all but impossible.
Our credit system, which allows DevOps to schedule their own pentests, bridges that gap – ensuring new features and major updates are always tested, without requiring micromanagement of when releases will be ready.