The primary goal of any pentest is to eventually improve cybersecurity – helping the client to become more secure through awareness of vulnerabilities in their environment. That goal is sometimes pushed to a secondary status, as clients want to pass regulatory compliance or to meet vendor demands for a secure environment. That’s why many pentest reports are now geared towards showing compliance requirements rather than helping developers resolve those vulnerabilities. That’s also important.
However, while pentesters are finding an average of 22 vulnerabilities per application, only an estimated 45% of findings are ever fixed. The best companies fix many of their vulnerabilities in as little as 2 weeks. Many others leave vulnerabilities open, often for months at a time. For most of us, it’s not uncommon to find the same vulnerabilities as the previous year during a yearly pentest for compliance.
Unfortunately, cybersecurity risks are increasing. Automation makes it easier than ever for would-be hackers to use programs to check for the low-hanging fruit of open vulnerabilities. Helping clients close those vulnerabilities, and close them faster, keeps them clear of those risks – which improves pentester value and deliverables to the client, improves the client relationship, and most importantly, keeps them and the web more secure.
How do you take those steps to help clients improve their time-to-fix rates? At Cyver Core, we believe the answer lies in integrating stakeholders into the reporting process, creating findings as tickets, and offering tracking and metrics, so teams and their higher-ups can see at a glance what’s open or not.
Findings as Tickets
Findings as tickets is a relatively new concept of delivering every finding as an individual ticket – which can be exported from a pentest management platform like Cyver Core to a work management platform like Jira. Building these tickets uses the same data as the report – the vulnerability, a CVE reference or criticality rating, information about the finding, how to replicate it, and recommendations to fix it. Normally, that data is buried in a 30-60+ page report, and stakeholders must break it down and distribute it before developers or IT managers ever see it. With findings as tickets, the vulnerability tickets are pushed to those need-to-know people at the same time as the report. This saves the client time breaking the report down, while ensuring devs have the information they need to take immediate action on a fix.
A report is a static document. You issue it once, and clients sometimes even print it. When you deliver pentest reports in a platform like Cyver Core, that changes. Rather than receiving a static list of vulnerability findings, clients receive tickets – mapped by criticality, asset, and network – which they can then use to track those vulnerabilities.
Cyver Core delivers insights into vulnerabilities, how they impact assets, and what they affect. That allows clients to see their risk profile, to see when vulnerabilities are still open, and to better prioritize fixes based on criticality. Plus, with the option to mark specific vulnerabilities as accepted risk, to update vulnerability status after remediating, and to request retests – it puts the client in control of not just knowing which vulnerabilities they have but also what has been done about them.
Faster time-to-fix metrics almost always correlate with better security. Tools like Cyver Core automatically track how long vulnerabilities are open, with recommendations based on CVE scores. That allows client teams to easily see which vulnerabilities pose the most risk for better prioritization. Risks also automatically increase criticality as they are left open, so the client can always see when leaving a vulnerability open adds to risk.
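As an added illustration of the findings-as-tickets and time-to-fix ideas above (example code, not Cyver Core's own implementation), the following Python sketch turns report findings into Jira-style ticket payloads, escalates open findings that overrun an assumed remediation window, and computes fix-rate metrics. The field names, windows, and sample findings are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

LEVELS = ["Low", "Medium", "High", "Critical"]
WINDOW = {"Low": 180, "Medium": 90, "High": 30, "Critical": 7}  # assumed remediation windows (days), not Cyver Core's values

@dataclass
class Finding:
    fid: str
    title: str
    criticality: str
    asset: str
    network: str
    opened: date
    replication: str
    recommendation: str
    status: str = "open"  # open | fixed | accepted_risk
    closed: "date | None" = None

def days_open(f: Finding, today: date) -> int:
    """Days the finding has been open; a fixed finding stops the clock at its close date."""
    return ((f.closed if f.status == "fixed" and f.closed else today) - f.opened).days

def effective_criticality(f: Finding, today: date) -> str:
    """Raise the rating one level per full remediation window overrun; non-open findings keep theirs."""
    if f.status != "open":
        return f.criticality
    overdue = days_open(f, today) // WINDOW[f.criticality]
    return LEVELS[min(LEVELS.index(f.criticality) + overdue, len(LEVELS) - 1)]

def to_ticket(f: Finding, today: date) -> dict:  # Jira-style issue body built from the report's own fields
    return {"summary": f"[{f.fid}] {f.title} on {f.asset}",
            "priority": effective_criticality(f, today),
            "labels": [f"asset:{f.asset}", f"network:{f.network}", f"status:{f.status}"],
            "description": f"Steps to reproduce:\n{f.replication}\n\nRecommendation:\n{f.recommendation}"}

def time_to_fix(findings, today: date) -> dict:  # fix rate, mean time-to-fix, and age-escalated open findings
    fixed = [f for f in findings if f.status == "fixed"]
    open_ = [f for f in findings if f.status == "open"]
    return {"open": len(open_),
            "fixed_pct": round(100 * len(fixed) / len(findings), 1) if findings else 0.0,
            "mean_days_to_fix": round(sum(days_open(f, today) for f in fixed) / len(fixed), 1) if fixed else None,
            "escalated": [f.fid for f in open_ if effective_criticality(f, today) != f.criticality]}

SAMPLE = [  # constructed findings, not real data
    Finding("F-1", "Reflected XSS in search", "Medium", "shop.example.test", "DMZ", date(2024, 1, 1),
            "Reflect a harmless marker string via the q parameter.", "Output-encode q; add a CSP."),
    Finding("F-2", "Default admin password", "High", "router-1", "internal", date(2024, 3, 1),
            "Authenticate with the vendor default.", "Set a unique password.", "fixed", date(2024, 3, 10)),
]
```

Running `time_to_fix(SAMPLE, date(2024, 6, 1))` shows F-1 escalated from Medium to High after 152 days open, while the fixed F-2 keeps its original rating and contributes 9 days to the mean time-to-fix.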
Ultimately, good cybersecurity means more than finding vulnerabilities; it means resolving them. Many pentesters work hard to contribute to that with good advice, good recommendations, and even following up to ensure remediations worked. Platforms like Cyver Core work to make that easier – so you have the tools to automate, remind, and deliver clients everything they need for timely remediation.