You Need Vulnerability Findings as Tickets
Traditional pentesting involves requesting a one-off pentest from an ethical hacker or team, waiting for the assessment to finish, and then receiving a pentest report. For many organizations, that means receiving a PDF file that can be 60+ pages long, detailing the technical aspects of what was found, how to fix it, and what methodology was used. With only one deliverable for what can be several weeks of work, the pentester puts as much data and detail as possible into the deliverable, meaning you get a single document with an overload of data.
That pentest report then goes into different parts of the organization, where it’s used to (hopefully) remediate those findings, to show findings to senior management, and to show compliance to auditors.
Cyver’s process involves delivering findings as tickets to allow developers and IT professionals to immediately fix issues – without first waiting on someone to break down the pentest report into actionable items. The people who need information get that information and nothing else, so they can quickly take action and remediate vulnerabilities. That’s critical to integrating cybersecurity into your development processes.
However, we still deliver pentest reports, and here’s why.
Reporting Across Departments
The pentest report can be invaluable in sharing cybersecurity data. For example, finance typically needs an awareness of how much cybersecurity is a problem in order to make relevant decisions on budgeting for future development or security cycles.
However, pentest reports are often too technical to be of use to non-technical people and aren’t geared towards showcasing the cost of pentesting and follow-up remediation. Cyver’s ticketing system allows you to track number of tickets and therefore percentage of sprint taken up by cybersecurity issues – which can be a much better indicator of total costs for budgeting purposes.
For Senior Management
Every pentest report includes a section intended for senior management because reports are often used to build awareness of cybersecurity issues in senior management. That can be essential to getting buy-in for cybersecurity projects, budget, and dedicating team activities towards remediation or secure-by-design training or practices.
At the same time, that same purpose can be achieved with dashboards showing insights and metrics. For example, Cyver delivers insights into vulnerability findings with simple metrics showcasing the severity of risks, reoccurrence, time-to-fix, and number of vulnerabilities per asset. That can be more informative than a technical report, while allowing technical people to drill further into data to see what’s actually going on.
Compliance and Audits
Chances are, you’ll always need pentest reports for compliance and audits. Some compliance regulations actually require that you submit a report as part of the audit. However, it’s also increasingly common that you can showcase your vulnerability findings in a dashboard to satisfy the auditor. In addition, Cyver’s approach means that you can see findings, react to and remediate them, request a retest, and then request your report – meaning you can prove to your auditor that the finding has actually been remediated.
Switching to Pentest-as-a-Service with Findings as Tickets
At Cyver, we use a different approach. We understand that in the traditional pentest delivery model, the pentest report only creates extra work for the developers and IT teams actually fixing the issues. Rather than delivering a full pentest report each time we find a vulnerability, we create a ticket for that finding, and deliver that – complete with all of the data the team needs to remediate that.
Old Process:
- Pentest
- Pentest Firm delivers a Pentest Report
- Pentest Report is distributed across the organization
- CTO, Compliance Officer, or Team Leads break the product report down into findings and individually add them as tickets to software
- The team receives information with 2+ steps of communication between them and the pentesters who found the issues
New Process:
- Cyver pentests the application
- We load findings into our pentest management portal and your relevant team members receive an alert
- Those findings include proof, methodology, and replication data on the ticket
- Tickets can be exported directly to work management tooling like Jira
- Relevant people can ask questions of the pentester directly
- The finding can be marked as accepted or remediated and the team can request a retest of that finding (for free within 30 days of the original pentest)
- You can request a full pentest report for compliance or internal reporting purposes
- Generate a separate report for management, without technical details or share the full report with technical people.
Essentially, our process shifts the focus of pentesting to a “security first” approach, moving away from pentesting for the sake of pentesting and towards pentesting so that relevant people know how to make their applications more secure.
Pentest reports can still provide value. However, they are mostly only truly useful in situations where you need a report to showcase compliance, such as for an audit. Otherwise, a dashboard and findings as tickets can provide much more internal value.
If you’d like to learn more about how we deliver pentests, get in touch to schedule a demo.