While more and more organizations are using pentests to ensure cybersecurity, it’s still very common to test for compliance reasons. When that happens, pentesters must align the pentest report with the compliance norm, usually mapping vulnerability findings to the compliance framework to show the client how those vulnerabilities impact compliance.
Doing so is a necessity for many pentesters, and it will continue to be an important part of creating pentest reports. That’s why, at Cyver Core, we built tooling to automate that mapping, using compliance frameworks as part of our pentest management and pentest report generation tooling.
Adding Compliance Norms to Pentest Projects
When you set up a new pentest project, you can select any of Cyver Core’s default compliance frameworks to add to the project. That will include checklists of tasks associated with the compliance norm, which you can then assign to a pentester on your team.
“We support all of the standard frameworks, like ISO27001, OWASP Top 10, PCI DSS, SANS Top 20, and others, out of the box. Of course, for very specific frameworks, you can also make your own. You can add a new compliance norm directly in the platform or upload one via Excel.”
“We have an open-source GitHub with all of the frameworks there as well; you can just use those and share them – even if you don’t use Cyver Core.”
Report Templates for Compliance Norms
Cyver Core also allows you to create custom pentest report templates per compliance norm. Here, you can fully customize every aspect of the pentest report, including the specific data, the language, and the descriptions.
For example, if you’re reporting for a Dutch compliance norm like DigiD, you could set up a second Vulnerability Library in Dutch, create a Dutch report template, and then automatically pull all of your data using Tokens. Your report would fully conform with the requirements for that pentest report. You could do the same thing with other compliance norms: for example, build an OWASP Top 10 report with a section for each of the top 10, pull from a vulnerability library with custom descriptions for that norm, and deliver a report that is unique to the client each time, yet largely generated automatically.
Cyver Core uses tokens to automatically generate pentest report data based on information already in the platform. This means you can insert a token to map pentest vulnerability findings to a compliance norm, even if the client isn’t getting a pentest for compliance.
“Compliance frameworks are a requirement sometimes. However, they also help clients understand specific risk areas. They create categories of risk to bring attention to how vulnerabilities impact their security – so it can be about more than compliance, and with a Cyver Core token, you’re adding that information into your report with no extra work from you, so it’s free added value for the end customer.”
Delivering Findings via a Pentest Portal
Cyver Core’s portal allows you to directly onboard clients and their teams and deliver vulnerability findings as tickets, before you send a report. That allows the client to interact with the findings in the portal, where they’re mapped to compliance via the frameworks, via CVE, and based on data in your Findings Libraries. That can add considerable value over delivering a static document first, because it means clients can more easily break vulnerability findings down into work items and quickly remediate those vulnerabilities – or discuss them with the pentester. The portal still highlights how each vulnerability maps to compliance, enabling prioritization and risk analysis – while delivering the tools to remediate quickly.
When clients want to send the report to their auditor, Cyver Core also offers an external report feature, where the client can generate a PDF report with just the information required by the auditor. That improves security and privacy over the traditional method of sending the full report – while giving the client more control over what they share.
“Of course, the portal also offers a lot for pentesters as well. Cyver Core automatically connects findings to compliance norms via CVE and the Findings Libraries, meaning you don’t have to manually categorize everything.”
If you’d like to learn more about Cyver Core or using the compliance frameworks in the platform, contact us to have a talk or to see a demo. We’re happy to help.