Organizations are increasingly likely to use pentesting as part of their cybersecurity program. While that is often driven by compliance and regulatory requirements, it is also because organizations are more often aware that they are vulnerable. The cost of a breach is massive, both in direct financial costs and reimbursements to customers, and in damage to the reputation and future stability of the company.
At the same time, more pentests don’t always translate into better security. For example, one assessment by Accenture shows that 76% of pentests don’t result in remediated vulnerabilities. While, to a large extent, what clients do with the data after pentesters hand over the report is their own concern, pentesters are more and more often taking on roles as cybersecurity consultants. Helping clients to remediate and to secure their environments delivers value in new ways – helping your firm to compete against scanners, red teams, and DIY approaches.
What is Finding Management?
Finding management or Vulnerability Finding Management is the process of using tooling to manage vulnerability findings after the pentest. This includes tooling to track which vulnerabilities exist, how critical they are, and how long they’ve been open/when they were found. This contributes to:
- Understanding vulnerabilities and how they impact the total environment, including across servers, web apps, and assets.
- Managing the security of specific assets such as higher-risk servers or the production environment.
- Prioritizing fixes and understanding what has the most likely impact based on criticality, assets impacted, and likelihood of exploitation.
- Understanding how long vulnerability findings normally stay open, when that increases the severity of the vulnerability, and how factors like Time-to-Fix rates impact the total cybersecurity profile.
- Being able to track and verify when vulnerabilities are remediated, both for internal cybersecurity and for meeting transparency requirements with external stakeholders.
Essentially, delivering findings management allows pentesters to function as a cybersecurity consultant, offering help with tracking and remediating vulnerabilities, keeping up with total security, and in verifying remediation.
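To make the tracking described above concrete, here is an added example (not code from the original post, and not Cyver Core’s own implementation): a small Python model of findings as tickets that computes Time-to-Fix per criticality, flags open findings past a remediation SLA, orders open work by priority, aggregates open findings by asset and lists reported fixes still awaiting retest. The SLA values and the sample findings are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import mean
# Hypothetical remediation SLAs in days per criticality (an assumption for this example)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    title: str
    asset: str
    severity: str
    found_on: date
    fixed_on: date = None   # date the client reported remediation; None while open
    verified: bool = False  # True once a retest confirmed the fix
    def days_open(self, today: date) -> int:
        return ((self.fixed_on or today) - self.found_on).days
    def sla_breached(self, today: date) -> bool:
        return self.fixed_on is None and self.days_open(today) > SLA_DAYS[self.severity]

def time_to_fix_by_severity(findings, today):
    """Mean Time-to-Fix in days per criticality, over remediated findings only."""
    by_sev = {}
    for f in findings:
        if f.fixed_on is not None:
            by_sev.setdefault(f.severity, []).append(f.days_open(today))
    return {sev: mean(days) for sev, days in by_sev.items()}

def prioritize(findings, today):
    """Open findings ordered by criticality, then SLA breach, then age."""
    key = lambda f: (-SEVERITY_RANK[f.severity], not f.sla_breached(today), -f.days_open(today))
    return sorted((f for f in findings if f.fixed_on is None), key=key)

def open_by_asset(findings):  # number of still-open findings per asset
    return Counter(f.asset for f in findings if f.fixed_on is None)

def awaiting_retest(findings):  # reported fixes that no retest has verified yet
    return [f for f in findings if f.fixed_on is not None and not f.verified]

# Constructed sample findings (not real data)
TODAY = date(2024, 2, 1)
FINDINGS = [
    Finding("SQL injection in login", "web-app-prod", "critical", date(2024, 1, 10), date(2024, 1, 14), True),
    Finding("Outdated OpenSSL", "db-server-01", "high", date(2024, 1, 10)),
    Finding("Missing HSTS", "web-app-prod", "low", date(2024, 1, 12)),
    Finding("Weak TLS ciphers", "db-server-01", "medium", date(2023, 12, 1), date(2024, 1, 20)),
    Finding("XSS in search", "web-app-prod", "high", date(2023, 11, 1)),
]
```

With the sample data, the 92-day-old high finding breaches its 30-day SLA and sorts to the top, while the medium fix reported on 20 January still shows as awaiting retest.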
Delivering Findings Management with Cyver Core
Cyver Core is a pentest management platform with a white label client portal, allowing you to deliver findings management as a free service to your clients. When you import findings data from tools like Burp or Nessus and write up the findings, Cyver Core uses that information to deliver traceable and manageable data directly to clients with:
- Findings as Tickets – Tickets are automatically generated from your tool imports, meaning work can be directly assigned to client teams, either in the Cyver Core white label platform or via a Jira export.
- Metrics and security dashboards – Findings are tracked in the dashboard, with automatic data aggregation, so clients can see Time-to-Fix, criticality, and vulnerabilities by assets.
- Retesting – Once clients remediate a vulnerability, they should be able to retest it without waiting for the next pentest. That’s why Cyver Core includes a “Request a retest” button, to automatically submit an RFP for retesting that specific vulnerability.
- Compliance and pentest framework specific dashboards, which you can add to or hide from the client portal on a client-by-client basis.
- Custom features for recurring clients, like being able to flag recurring vulnerabilities.
Eventually, this will allow you to build a longer and better relationship with the client, by helping them to secure their environment. And, with pentest and vulnerability finding management in place, the client remediates vulnerabilities found in the first pentest, meaning you spend less time on known vulnerabilities in the next pentest – so you can add to their security over time.