Today, the global pentesting market is larger than it has ever been, worth an estimated USD 1.6 billion, and it is expected to grow at around 13.8% per year. That growth comes despite competition and encroachment from scanners and from different approaches like red teaming, both of which ultimately complement pentesting rather than replace it. Clients are at risk, and whether they are building software for wearable devices, running SaaS, or building traditional infrastructure and websites, those risks are only growing. They need pentesting to identify, reduce, and mitigate vulnerabilities.
But while pentesters are doing their jobs, many organizations simply aren't following up. Pentesters find an average of 22 vulnerabilities per application, but time to fix is another question entirely. Veracode assessed 700,000 security scans for time to fix and found that three months after a scan, just 45% of findings had been fixed. That matters for the client, because a vulnerability left open for a few weeks or months is long enough for it to be exploited in a breach.
Taking steps to encourage remediation ensures that clients actually end up more secure. Cyver helps by delivering tools including findings as tickets, metrics, and retesting support, so you can help clients improve their time to fix and harden their environments.
Integrating into Agile Development
Most clients run Agile, which means work is handled in sprints by a team and is rarely distributed top-down. Most pentest teams deliver findings in a report, which can be a 60+ page document detailing everything. Breaking that down into actionable work items for each team responsible for a relevant module means shifting back to top-down work distribution: Agile teams have to wait for someone to go through the report and send them work, and that can take time. Because the report disrupts their normal way of working, pentest reports are met with resentment and often seen as an impediment to shipping software.
Shifting to pentest-as-a-service means you can avoid that process altogether. Pentest-as-a-Service platforms like Cyver import findings directly from your tooling (Burp Suite, Nessus, etc.). These findings are uploaded as tickets, each with its own page where you can import vulnerability library data, add screenshots, and add comments for the developers. Once finished, you publish the finding to the client.
When clients onboard their teams, the added people receive notifications for new findings. Teams can pick up a finding, add it to a sprint, and work on a fix without waiting for someone to break down the larger report; they see the relevant data automatically, in a format designed to be work-friendly. And with the option to export tickets directly to Jira, Cyver's platform makes managing the work easy.
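As an added example (not Cyver's code, and not Tenable's or Atlassian's), here is how a scanner export can be turned into one ticket per vulnerability rather than one line per host, which is what a team needs before it can pull a finding into a sprint. It parses a hand-built fragment in the .nessus v2 layout, groups the affected hosts under each plugin, and builds the body for Jira's create-issue REST call. The plugin IDs and titles in the sample are illustrative only (999999 is an obvious placeholder), and the project key, issue type, priority names and the severity-to-criticality mapping are assumptions you would adjust to the client's Jira.

```python
"""Nessus export -> per-vulnerability tickets -> Jira issue bodies.

Added example, not Cyver's or Tenable's code. The XML is a constructed
fragment in the .nessus v2 layout; the Jira project key, issue type and
priority names, and the severity mapping, are assumptions.
"""
import json
import xml.etree.ElementTree as ET

# Constructed sample: two hosts sharing one High finding, one Info item,
# and one Critical placeholder finding (pluginID 999999 is not a real plugin).
NESSUS_XML = """<NessusClientData_v2>
  <Report name="webapp-q1">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="42873" pluginName="SSL Medium Strength Cipher Suites Supported">
        <risk_factor>High</risk_factor>
        <solution>Reconfigure the affected application to avoid medium strength ciphers.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version Information">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="42873" pluginName="SSL Medium Strength Cipher Suites Supported">
        <risk_factor>High</risk_factor>
        <solution>Reconfigure the affected application to avoid medium strength ciphers.</solution>
      </ReportItem>
      <ReportItem port="8080" svc_name="www" protocol="tcp" severity="4"
                  pluginID="999999" pluginName="Placeholder critical finding">
        <risk_factor>Critical</risk_factor>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus 'severity' attribute is 0..4; criticality labels are our assumption.
SEVERITY_TO_CRITICALITY = {"4": "Critical", "3": "High", "2": "Medium", "1": "Low", "0": "Info"}
CRITICALITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}
# Assumed mapping onto Jira's default priority scheme.
JIRA_PRIORITY = {"Critical": "Highest", "High": "High", "Medium": "Medium", "Low": "Low", "Info": "Lowest"}


def parse_nessus(xml_text, include_info=False):
    """Return one ticket per plugin ID, listing every affected host:port under it.

    Info-level items are dropped by default so developers only get actionable work.
    """
    root = ET.fromstring(xml_text)
    tickets = {}
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.iter("ReportItem"):
            sev = item.get("severity", "0")
            if sev == "0" and not include_info:
                continue
            pid = item.get("pluginID")
            ticket = tickets.setdefault(pid, {
                "plugin_id": pid,
                "title": item.get("pluginName"),
                "criticality": SEVERITY_TO_CRITICALITY.get(sev, "Info"),
                "solution": (item.findtext("solution") or "").strip(),
                "affected": [],
            })
            ticket["affected"].append(f"{hostname}:{item.get('port')}/{item.get('protocol')}")
    # Most critical first, so the urgent work sits at the top of the backlog.
    return sorted(tickets.values(), key=lambda t: (CRITICALITY_ORDER[t["criticality"]], t["plugin_id"]))


def to_jira_issue(ticket, project_key="SEC"):
    """Build the JSON body for POST /rest/api/2/issue (project key and issue type assumed)."""
    advice = ticket["solution"] or "No remediation advice provided by the scanner."
    return {
        "fields": {
            "project": {"key": project_key},
            "issuetype": {"name": "Bug"},
            "summary": f"[{ticket['criticality']}] {ticket['title']}",
            "description": f"Affected: {', '.join(ticket['affected'])}\n\nRemediation: {advice}",
            "priority": {"name": JIRA_PRIORITY[ticket["criticality"]]},
        }
    }


if __name__ == "__main__":
    for t in parse_nessus(NESSUS_XML):
        print(json.dumps(to_jira_issue(t), indent=2))
```

The grouping step is the part worth keeping even if you never touch Jira: a scanner reports the same weak cipher once per host, but the developers own one fix, so the ticket should carry the list of hosts rather than the other way round.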
Offering Cybersecurity Consultancy
Most pentesters already provide a considerable amount of consultancy. Whether you're discussing security with the client, offering tips to fix vulnerabilities, or sharing your knowledge of a class of vulnerability, you're providing consultancy. Making that a visible part of the service helps clients remediate. Tools like Cyver let you share vulnerability library data directly with developers. We also implement metrics, which clients see as dashboards showing data like "Time to Fix", "Risk Areas", and "Vulnerabilities by Criticality". This makes it easier for clients to see where and how they are vulnerable, how long it takes them to resolve issues, and which parts of the application vulnerabilities usually relate to.
Plus, with integrated, secure communication on every finding, you can offer real advice on how to resolve issues. If you have insight into how or why a vulnerability occurs, you can give that advice in a secure environment, linked to the specific finding. That delivers value to the specific teams and people who need it, so they can fix those vulnerabilities and, hopefully, adopt practices that prevent them in the future.
Most of the time, once a team resolves a vulnerability, they have to wait until the next year's pentest to find out whether it is really gone. Implementing retesting means they quickly see whether their remediation resulted in a true fix. It also gives dev teams a deadline, because they have to finish fixes before a retest is scheduled.
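The dashboard metrics mentioned above ("Time to Fix", "Risk Areas", "Vulnerabilities by Criticality") and the retest deadline all reduce to a few calculations over dated findings. The following is an added example in Python, not Cyver's own code, that computes them over a constructed set of findings. The 90-day window mirrors the three-month mark in the Veracode figure quoted earlier; the per-criticality SLA days, the component tag and the finding dates are assumptions made for the example.

```python
"""Remediation metrics over a pentest's findings.

Added example, not Cyver's code. FINDINGS is constructed; SLA_DAYS and the
'component' tag are assumptions; the 90-day window is the three-month mark
used in the time-to-fix statistic discussed in the text.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

CRITICALITIES = ("Critical", "High", "Medium", "Low")

# Assumed remediation SLAs (days after publication) used to flag overdue findings.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    id: str
    criticality: str
    component: str                # assumed tag: the part of the application the finding sits in
    opened: date                  # date the finding was published to the client
    closed: Optional[date] = None  # date a retest confirmed the fix; None while still open


# Constructed sample: one pentest published on 2023-01-10, partly remediated since.
FINDINGS = [
    Finding("F-1", "Critical", "auth", date(2023, 1, 10), date(2023, 1, 14)),
    Finding("F-2", "High", "auth", date(2023, 1, 10), date(2023, 3, 1)),
    Finding("F-3", "High", "api", date(2023, 1, 10)),
    Finding("F-4", "Medium", "api", date(2023, 1, 10), date(2023, 6, 20)),
    Finding("F-5", "Medium", "frontend", date(2023, 1, 10)),
    Finding("F-6", "Low", "api", date(2023, 1, 10), date(2023, 2, 1)),
]


def is_open(f, as_of):
    """A finding counts as open on as_of if it has no confirmed fix on or before that date."""
    return f.closed is None or f.closed > as_of


def days_to_fix(f):
    return (f.closed - f.opened).days


def fix_rate_within(findings, as_of, window_days=90):
    """Fraction of findings with a confirmed fix within window_days of publication.

    Only findings whose window has fully elapsed by as_of are counted, so a
    recently published finding is not reported as a miss before its deadline.
    Returns None when no finding is old enough to judge.
    """
    eligible = [f for f in findings if (as_of - f.opened).days >= window_days]
    if not eligible:
        return None
    fixed = [f for f in eligible if f.closed is not None and days_to_fix(f) <= window_days]
    return len(fixed) / len(eligible)


def median_time_to_fix(findings):
    """Median days from publication to confirmed fix, per criticality (None if nothing closed)."""
    out = {}
    for crit in CRITICALITIES:
        durations = [days_to_fix(f) for f in findings if f.criticality == crit and f.closed is not None]
        out[crit] = median(durations) if durations else None
    return out


def open_by_criticality(findings, as_of):
    return dict(Counter(f.criticality for f in findings if is_open(f, as_of)))


def risk_areas(findings):
    """Which components the findings cluster in, most affected first."""
    return Counter(f.component for f in findings).most_common()


def overdue(findings, as_of):
    """Open findings past their SLA: the ones to chase before scheduling a retest."""
    return sorted(
        f.id for f in findings
        if is_open(f, as_of) and (as_of - f.opened).days > SLA_DAYS[f.criticality]
    )


def remediation_report(findings, as_of):
    return {
        "fix_rate_90d": fix_rate_within(findings, as_of),
        "median_ttf_days": median_time_to_fix(findings),
        "open": open_by_criticality(findings, as_of),
        "risk_areas": risk_areas(findings),
        "overdue": overdue(findings, as_of),
    }


if __name__ == "__main__":
    for key, value in remediation_report(FINDINGS, date(2023, 7, 1)).items():
        print(f"{key}: {value}")
```

The eligibility check in fix_rate_within is the detail that keeps the metric honest: counting a finding published two weeks ago as "not fixed within 90 days" would make the rate look worse than it is, and a client comparing dashboards across quarters would draw the wrong conclusion.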
Offering ongoing, scheduled pentesting with the same client is good for both parties. Your pentest firm obviously benefits from repeat business over dealing with each client once. But the client also gets better assistance, in the form of a pentester who knows their environment and can better ascertain where vulnerabilities are coming from. Retesting over time lets you function as part of the client's organization, albeit externally, with communication, insight into updates, and insight into how the vulnerability profile changes over time.
Ultimately, giving clients better tools to remediate findings means delivering more value, keeping clients secure, and building stronger relationships with them. That means more business, more ongoing client relationships, and a more secure web. If you want to learn more about how Cyver can help, schedule a demo to see our software and hear how we can integrate into your pentest firm.