Changing the Way You Deliver Pentests
Pentesting is shifting more and more away from functioning to support compliance and more towards functioning to support the ongoing security of web apps and infrastructure. With Secure by Design and DevOps premises in place, developer teams more and more often want to pentest to ensure their products are secure.
Pentest collaboration platforms like Cyver Core enable that shift by delivering vulnerability findings to the client as tickets. The client can then export those tickets directly to their work platforms, like Jira, ensuring they can be picked up as work items.
“You get closer collaboration with customers” says Luis Abreu, CEO of Cyver, “Pentest firms can bring more value to the customer by delivering a work ticket. Rather than taking the time to build a PDF report and then forcing the client to break that down, you take out those middle steps, and deliver vulnerability findings. Plus, using a platform, you can directly collaborate with the people doing the work of remediation. Devs can ask questions and pentesters can answer them. You become much more integrated into the client process – meaning you’re much more part of their cybersecurity“.
Simplifying Pentest Delivery and Vulnerability Remediation
With traditional pentesting, the pentest firm builds a PDF report, typically spending 8+ hours to create a document containing every vulnerability found during the pentest. You normally adapt this to include finding information, remediation tips, and duplication data – so developers can look for the issue, test it, and then fix it.
But, before they get to that, someone has to break that pentest report down. Either the COO sits down and breaks the report into individual findings, and then sends those to the relevant team, or the full PDF report is sent to every team.
“When I was working as a COO at Nmbrs, I’d have to parse pentest reports manually.” says Luis, “That meant going through the report myself and creating work items. I needed developers to work on remediating these findings – but I had to create tickets myself.”
The ideal is to deliver vulnerability findings as tickets, in a platform, or better yet, in the developers’ existing project management tool – so they don’t have yet another platform and more work to keep track of.
If your pentest management and collaboration platform automatically outputs tickets, your pentest firm delivers extra value to the client – both for cybersecurity and for compliance.
“For example, in my organization, Nmbrs, switching to using findings as tickets made a large difference in our processes. Not only was I no longer functioning as a man in the middle, no one was waiting for me to break repots into work items. Teams could get tickets directly from the platform and immediately start remediation. Our compliance officer could see remediation status and had a better idea of when we were or were not audit ready.”
“Even product owners benefited, as they didn’t have to help with breaking pentest reports down into tasks for their teams,” says Luis, “If your product owners receive a pentest report, they often don’t have the technical knowledge to understand what has to be solved. They’re just copy-pasting data – just another layer of processing. Findings-as-tickets mean the developers don’t have to ask the product owner questions she doesn’t know the answer to. Instead, they go directly to the expert – your pentest firm, expediting and simplifying the whole process. “
Traceability and Compliance
Tickets ensure developers can track what has to be worked on, what’s been fixed, and how it’s been fixed. If you don’t have a ticket, there’s no traceability.
“Of course, we talk a lot about improving cybersecurity at Cyver Core, but using findings as tickets improves your audit process as well,“ Luis adds, “If you’re showing an auditor your pentest results, you have to prove that you’ve not only done the pentest, but also that you’ve followed up on the findings. Without tickets, you don’t have that proof.”
Pentest collaboration and management platforms allow you to change the way you deliver pentests – shifting the focus to improving your customer’s ability to quickly deliver work to its developers, to remediate found vulnerabilities, and to collaborate with your pentest firm on cybersecurity.
Of course, with Cyver Core, your customers also get insights into those findings in the platform, to better understand prioritization, time-to-fix, and to ensure that teams get reminders when tickets aren’t remediated.
If you’d like to learn more about Cyver Core, schedule a demo to see it in action.