In most cases, when you request a pentest, it’s with the goal of hardening your environment, tackling specific security concerns, or meeting a compliance goal. In any of those cases, you receive a list of the vulnerabilities we find, along with remediation advice, replication advice, and a vulnerability rating to help you prioritize the fix. For most organizations, actual prioritization depends on factors like whether the pentest is intended for a compliance audit. In that case, you obviously want to prioritize any fixes that could affect your passing the audit – which is why Cyver maps vulnerabilities to compliance norms as well – so you can see, at a glance, what you have to resolve to pass the audit. 

The thing is, most organizations aren’t actually very good at remediating pentest findings in a timely manner. In fact, only about 45% of vulnerabilities are ever actually fixed. That’s a big deal considering we find an average of 22 or more vulnerabilities per application we check. Boosting those time-to-fix rates is essential for hardening your environment and for ensuring you’re secure. 

Cyver helps you to do so using better pentest deliverables, designed around remediation. The process involves integrating stakeholders into the reporting process, delivering findings as tickets, and offering tracking and metrics, so you can see, at a glance, what needs to be fixed and when. 

Findings as Tickets

Most teams use tickets to manage work and to track its progress and status. When you get a traditional pentest report, you have to break the findings from that report down into tickets yourself. Sometimes that happens. In other cases, the responsible teams are handed the full pentest report and have to go through it and pick out the relevant items themselves. In either case, the pentest report must be broken down into relevant and actionable items. 

Cyver uses a “findings as tickets” delivery model, in which we first push all vulnerability findings to you as tickets. These tickets include the vulnerability description, our methodology, and information from the pentester on how to replicate it. In most cases, we’ll also add information on a suggested fix. 

In every case, we’ll also add in a CVE rating, where we set a criticality and risk rating for the vulnerability. This allows your teams to prioritize fixes based on either the criticality and recommended time-to-fix window or to do so based on how the vulnerability impacts the upcoming compliance audit. 

Most importantly, those tickets can be accessed in our Cyver platform or exported to your existing work management tooling, like Jira. 

Integrated Teams 

Cyver also ensures that stakeholders, or the people who need to know about vulnerabilities, can get that information. Our clients can onboard teams to the platform, set roles, and set responsibilities. That means you can onboard the product manager, team lead, or manager for a specific feature or module. They will receive notifications as vulnerabilities affecting their module are uploaded. Then, they can immediately get started on a fix – rather than waiting for someone to break down that report or to let them know there’s an issue. 

Direct Communication with Pentesters 

Onboarded teams can chat directly with the pentesters responsible for their pentest. Here, all communication is local to the pentest or to the specific finding. This allows you to request more information, to share screenshots in a secure environment, or to otherwise ask for help. 

Free Retesting 

Finally, once your teams mark a vulnerability as fixed, they can request a retest. We limit free retests to the first 30 days after the pentest, partially to ensure that workloads stay manageable for us long-term, and partially to encourage you to work on remediation as quickly as possible. 

Metrics and Security Dashboards 

You can always log into your Cyver dashboard to see free metrics and views of open pentests and vulnerabilities. These include Time-to-Fix metrics, which show how long it takes you to fix vulnerabilities, and a view of your open vulnerabilities mapped to recommended time-to-fix windows, with vulnerability criticality updated according to the time a finding has been open. That helps with prioritization, while reminding your teams that vulnerabilities are open and should be fixed within a certain period. 

In addition, you can see vulnerabilities mapped by criticality, by asset, by type, and by compliance norm. Our goal is to give you the information you need to prioritize and handle remediation, in as efficient a manner as possible. 
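The time-to-fix tracking described above, as an added example that is not Cyver's code: it ages constructed sample tickets against assumed time-to-fix windows (the post names no figures), raises the criticality of findings that have overrun their window, and reports fix rate, mean time-to-fix, overdue tickets and open items per compliance norm. The window lengths, level names, sample tickets and reference date are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed time-to-fix windows in days; the post names no specific figures.
TIME_TO_FIX_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
LEVELS = ["low", "medium", "high", "critical"]  # ascending severity

@dataclass
class Finding:  # one pentest finding delivered as a ticket
    ticket_id: str
    criticality: str
    opened: date
    compliance_norms: list = field(default_factory=list)
    fixed: Optional[date] = None

def days_open(f: Finding, today: date) -> int:
    """Age of the ticket; fixed tickets stop ageing on their fix date."""
    return ((f.fixed or today) - f.opened).days

def effective_criticality(f: Finding, today: date) -> str:
    """Raise an open finding one level for each full window it has overrun."""
    if f.fixed:
        return f.criticality
    overruns = days_open(f, today) // TIME_TO_FIX_DAYS[f.criticality]
    return LEVELS[min(LEVELS.index(f.criticality) + overruns, len(LEVELS) - 1)]

def remediation_report(findings, today: date) -> dict:
    """Fix rate, mean time-to-fix, overdue tickets and open items per norm."""
    fixed = [f for f in findings if f.fixed]
    open_ = [f for f in findings if not f.fixed]
    overdue = [f.ticket_id for f in open_
               if days_open(f, today) > TIME_TO_FIX_DAYS[f.criticality]]
    by_norm: dict = {}
    for f in open_:
        for norm in f.compliance_norms:  # what still blocks each audit
            by_norm.setdefault(norm, []).append(f.ticket_id)
    mttf = sum(days_open(f, today) for f in fixed) / len(fixed) if fixed else None
    return {"fix_rate": len(fixed) / len(findings), "mean_time_to_fix": mttf,
            "overdue": overdue, "open_by_norm": by_norm}

# Constructed sample tickets, not real findings; TODAY is also assumed.
SAMPLE = [
    Finding("F-1", "critical", date(2024, 2, 1), ["ISO 27001"]),
    Finding("F-2", "medium", date(2023, 11, 1), ["PCI DSS"]),
    Finding("F-3", "low", date(2024, 1, 15), fixed=date(2024, 2, 14)),
    Finding("F-4", "high", date(2024, 2, 20), ["PCI DSS", "ISO 27001"]),
]
TODAY = date(2024, 3, 1)
```

Running `remediation_report(SAMPLE, TODAY)` shows F-2 escalated from medium to high after overrunning its 90-day window, and a fix rate of 0.25 with both overdue tickets listed.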

Ultimately, pentests should be about hardening your environment. The thing is, they’re not unless you actually take steps to remediate findings. At Cyver, we try to deliver those findings in a way that makes remediation as simple as possible.

If you’d like to learn more, schedule a demo for more information or visit our How it Works page.