Does Pentesting Support Your Cybersecurity?
Today, pentesting is a normal part of cybersecurity, with most companies using at least some pentesting to support their cybersecurity efforts. In fact, according to the Core Security Penetration Testing Report by Fortra, 70% of companies use pentesting for vulnerability management, 69% for assessing security posture, and 67% for achieving or meeting compliance. This means that the majority of businesses are aware of cybersecurity threats and actively taking steps to understand those threats and reduce risks.
However, for many organizations, the question remains whether traditional penetration testing actually supports their cybersecurity efforts. At Cyver, we believe the answer is “Yes, but lengthy pentest reports add inefficiency and slow down the process”. To improve on that, we shift the focus away from traditional pentest reports and towards pentest-as-a-service, with ongoing testing, vulnerability findings delivered as tickets directly to the relevant teams, and security posture and insight data available in an easy-to-read dashboard.
“Organizations are increasingly shifting away from needing pentest reports,” says Luis Abreu, co-founder of Cyver. “Pentest platforms give you the tools to see vulnerabilities in near-real-time, to manage them efficiently, and to focus on remediation and hardening your perimeter, not on red tape and work delegation.”
Traditional Pentest Reporting Adds Work for Teams
Most modern companies use an Agile work methodology that gives a team full ownership of its module or feature. Those teams self-delegate, set their own work goals and priorities, and work in 2-week sprints to rapidly adjust to changing priorities. Code is written, checked, and pushed into production in a scheduled and predictable manner.
Then a pentester comes in, tests everything, and submits a lengthy report, sometimes 500 pages or more. The company contact (typically the COO or CTO) has to sit down, break that report down, and distribute work top-down to the teams. The teams then receive tickets to fix in their code as part of an outside process, which adds more work for every part of the company:
- Creates red tape
- Increases time to fix
- Creates resistance from devs who are used to delegating their own work
- Requires significant overhead and management
The result is that devs see pentesting as an outside process or an add-on to development, and time-to-fix slows to an average of 205 days to remediate, according to ZDNet.
Switching to Pentest-as-a-Service
Cyver uses pentest-as-a-service to ensure that pentesting fits into development cycles and into sprints. Here, pentest-as-a-service means:
- Pentests are ongoing and scheduled
- You budget for pentests upfront and allow devs to schedule pentests when they need them
- Vulnerability findings are delivered as tickets, which devs can pick up on their own
- Tickets are exportable directly to work management tooling, so devs can integrate fixes into sprints immediately
- Management and team leads can see non-technical overviews in the insights dashboard, to better understand risks without getting bogged down in technical details
We achieve this with a pentest management platform, findings delivered as tickets, and schedulable pentests. You also get integrated asset management via the dashboard, for free, as part of your pentest.
Insights Not Lengthy Reports
Cyver uses a pentest management portal where you can onboard all relevant stakeholders. Devs receive tickets and alerts, while everyone else can see the data for relevant pentests based on their role and access level.
When the pentest or cybersecurity assessment happens, the pentester uploads findings to the platform.
- Devs and IT staff receive notifications and access to tickets based on their role and project access
- Stakeholders can see data and findings overviews in the portal
- Team leads can track important data such as vulnerability recurrence, types of vulnerabilities, and time-to-fix metrics
Pentests are Part of Development
Developers, product managers, and other stakeholders can log into the portal to interact with pentesters as needed. This includes requesting a new pentest to align with new releases, upcoming compliance needs, or major changes to the application. In addition, after fixing a vulnerability, you can request a retest (for free within 30 days of the pentest) to ensure it’s been fixed.
Vulnerability Findings as Tickets
Cyver also delivers vulnerability findings as tickets. Each ticket includes the vulnerability finding, risk data, evidence, and relevant information about the finding. If the pentester has recommendations for a fix, those are included as well. The developer can then export those findings directly to Jira to create a work item for the next sprint.
“For example, in my organization, Nmbrs, switching to using findings as tickets made a large difference in our processes,” says Luis. “Not only was I no longer functioning as a man in the middle, no one was waiting for me to break reports into work items. Teams could get tickets directly from the platform and immediately start remediation. Our compliance officer could see remediation status and had a better idea of when we were or were not audit ready.”
This ensures that relevant people can immediately see what needs to be fixed and why, so pentests become more focused on cybersecurity, rather than on reporting.
“Even product owners benefited, as they didn’t have to help with breaking pentest reports down into tasks for their teams,” says Luis. “If your product owners receive a pentest report, they often don’t have the technical knowledge to understand what has to be solved. They’re just copy-pasting data – just another layer of processing. Findings-as-tickets means the developers don’t have to ask the product owner questions she doesn’t know the answer to. Instead, they go directly to the expert – your pentest firm – expediting and simplifying the whole process.”
Collaborating on Cybersecurity
Ultimately, the end goal of using a pentest management platform is to collaborate on cybersecurity with your pentester. We find vulnerabilities and pass them on to you in a way that allows you to take remediation steps quickly. From there, we can check that the issue is fixed – and schedule your next pentest so you stay secure.
“You get closer collaboration with customers,” says Luis. “Rather than breaking down a report, you’re directly accessing a ticket, asking the pentester questions where they are needed, and then asking for a confirmation that your fix has worked. Devs can ask pentesters questions and get direct answers. Pentesting becomes much more integrated into your development process, meaning they’re much more a part of your cybersecurity.”
If you’d like to learn more, contact us for a demo.