Today’s threat landscape is grim for many companies. Ransomware and hacks happen on a daily basis, even to some of the largest organizations in the world, which theoretically have the highest security budgets. Most are very aware that they need consistent, ongoing scanning and assessments to detect vulnerabilities and reduce those risks. At the same time, the current cybersecurity environment is complicated.
Constant pentesting is not affordable or practical for most. Instead, vulnerability scanners, ranging from Nessus and Dradis to IBM’s Security QRadar and Rapid7’s InsightVM, are filling the gaps. Even big organizations like Spotify, which run some of the highest-profile bug bounty programs out there, use tools like Dradis.
That’s important, because thousands of organizations are making that shift. Scanners, whether web, hosted, cloud, etc., fit neatly into security budgets. More importantly, they fit into Agile sprints and schedules – allowing developers and compliance officers to simply pick up work as it’s available, to resolve issues. Scanners deliver findings neatly inside a tool, each with its own page, details, and export data – making it easy to create tickets.
Unfortunately, scanners aren’t “enough” security. A scanner will never match the ingenuity and insight of a pentester; human insight remains crucial. As even third-party experts recommend, the best security combines scanners for basic security, bug bounty programs to catch new vulnerabilities and problems, and regular pentesting as a layer on top. Organizations can, and often should, add red teaming as an additional “organizational” layer on top of that, but many companies don’t need to.
So, scanners serve a purpose, and a good one. A vulnerability scanner can catch and flag routine issues related to configuration, known vulnerabilities, and poorly used settings. These types of issues are easy to find and easy to fix. Once basic security is resolved, pentesters can go into that environment and spend their time tackling harder-to-find issues that require human insight.
Yet, that’s often not how it works. Instead, organizations are using scanners as their primary means of security. Sometimes that relates to costs. In other cases, it has to do with the fact that vulnerability scanners deliver findings in an organized, traceable, and actionable manner. When Dradis or Nessus flag a vulnerability, it’s delivered in the tool, as a ticket, which can be exported to other tooling. IT staff and developers can see, at a glance, which part of the application the vulnerability affects, how many assets the vulnerability affects, and even criticality. Rolling findings into sprints is easy.
That’s a far cry from pentesting, which still focuses on delivering a report. And, while 30+ page reports are ideal for compliance purposes, they add little other value. Pushing a large report at a manager, who is likely already overworked, and asking them to break it down into actionable tasks means remediation takes much longer than it should. In fact, real remediation rarely happens. Organizations like Cobalt and Gartner suggest that less than 70% of findings from traditional pentesting are ever remediated. That’s not good enough.
If pentesters want to resolve these issues, they need to adapt to the new environment. That means:
- Delivering findings as actionable tickets
- Working as a consultant to help teams resolve vulnerabilities
- Offering traceable work, so clients know what was checked and why
- Delivering vulnerability management tooling, similar to what clients get with scanners
- Integrating into client teams to offer recurring pentests, on a schedule aligned with Agile development
- Building long-term relationships with the same client, to improve security over time
- Using workflows and processes that integrate into Agile sprints
Development practices like Agile shift focus away from management-driven, top-down work and towards self-delegation, team ownership, and team control of modules. Agile isn’t going away. It also requires that pentesters deliver vulnerability findings in a way that can be quickly distributed across teams, based on module, asset, and ownership – so that each team can take ownership, remediate, and harden its environment.
Pentest management platforms like Cyver Core allow you to make that shift, leveraging tooling to change how you deliver pentests to the client. Your skills and expertise remain the same. But, instead of manually compiling reports, you upload findings to the platform, directly from scanners and tooling. From there, Cyver Core automatically creates a ticket, which you can push to the client right in the tool. The client still gets a PDF report for compliance needs. But, they also get findings-as-tickets, real-time updates, and insights like heat maps and time-to-solve metrics based on those tickets.
The end result is a pentest experience much more like using a scanner, but with the security and human insight of a pentester.