Pentest-as-a-Service is the concept of contracting repeat pentests across the same assets and managing vulnerabilities long-term, with the intent of hardening the environment. Normally, this means integrating that testing into development and cybersecurity policy, and aligning it with production. If you’re getting started with repeat pentesting for the first time, getting value out of that process often means taking steps to align budgets, teams, expectations, and development cycles, so that your pentest delivers the most value possible.

What is Pentest-as-a-Service (PTaaS)?

Pentest-as-a-Service, often shortened to PTaaS, is a pentesting delivery model in which you schedule and receive cyclical pentesting, built around a pentesting plan or strategy. This should function as one of your layers of cybersecurity, complementing automated scanning and secure-by-design or DevSecOps processes and methodology.

At Cyver, it specifically means that we deliver pentesting on a recurring and scheduled basis, via our cloud platform. We also offer integration with client teams, delivering vulnerability findings as tickets and live chat between pentesters and the devs doing fixes, as well as remediation tracking, vulnerability metrics, and free retesting of fixes for the first 30 days after the pentest. That allows us to put the focus on helping you to resolve cybersecurity vulnerabilities.  

Mapping Pentesting to Your Development Roadmap  

Pentest-as-a-Service typically increases the frequency of pentesting from 1-2 times per year to a cadence that makes sense based on how you release updates. Most organizations benefit from at least one yearly pentest to assess the full environment, but your teams likely release large updates at least quarterly. Mapping pentests to the development roadmap ensures you can test new updates as they’re released, preventing unforeseen vulnerabilities and breaches. Cyver can also align that testing with code review before release.

For most organizations, a pentest of affected assets is more than enough to check for vulnerabilities on an update. Aligning with development means you can schedule those smaller pentests to catch new issues as they’re introduced, without the expense of investing in a full environment pentest on a monthly or quarterly basis.  

Integrating Compliance Testing  

Most organizations need some form of compliance, which means you’ll want to test the full environment, in line with compliance norms and frameworks. That usually means setting goals separate from development and assessing the full environment or the environment impacting the compliance standard. Scheduling this kind of pentest upfront also means you’ll have fewer issues with resourcing – so you can simply proceed with a compliance check at a pre-selected point, remediate any found vulnerabilities before the audit, and then re-test to show the auditor a clean pentest report. Once you have that in place, it can greatly simplify ongoing audits.  

Aligning Teams with Pentesting to Remediate  

Finally, pentest-as-a-service means that pentesting becomes much more involved for your teams. Rather than receiving a pentest report and waiting for someone to break it down, devs receive direct notifications in the platform. Once you onboard them to the Cyver Core portal, stakeholders see when vulnerabilities are found, what the criticality is, and who’s responsible. From there, they can export those findings directly to tools like Jira for easier tracking. And, once a fix is implemented, teams can update the status of the finding in the portal, request a retest to verify the fix, and manage the long-term view of vulnerabilities in the application.  

This sort of approach often requires something of a mindset shift, as pentesting is often seen as disruptive rather than collaborative. That makes sense, considering pentesting can delay ship dates, result in extra hours worked, and so on. However, with pentest-as-a-service, the process becomes much more collaborative: pentesters engage directly with teams, and findings are pushed as tickets, as part of work that fits into sprints. That can change how teams approach pentesting internally, leading to a more secure environment over the longer term.

Ultimately, pentest-as-a-service gives your team the tools to find, see, and manage vulnerabilities over the long term, as new updates are pushed to the application, and to ensure those vulnerabilities are actually remediated.

If you’d like to learn more about pentest-as-a-service or if you’d like to see how Cyver can help you harden your environment long-term, schedule a demo or request a quote to get personalized advice from our lead pentester, Mike Terhaar.