Pentesters are highly skilled, often relying on insight, intuition, and years of accumulated experience to assess and test properties. Pentests themselves are also often complex. Most of us use a range of technologies, skills, and tests to assess the security of a website. That might include leveraging tools like Burp and Nessus. It might include setting up heavily customized scans. And it almost always includes manual checks and exploitation.
Once you find vulnerabilities, you write up a report. That almost always includes in-depth information about the vulnerability, its criticality, and its likelihood of occurrence. Some of us build massive vulnerability libraries, with data we can copy-paste and drop in. And you still add proof of the finding, replication steps, and even recommendations to fix it. That amount of data compilation is similar to consultancy, in that you normally offer specific recommendations based on the finding, the organization it’s impacting, and its total impact.
No one questions that pentesting is incredibly high value – requiring considerable skill and insight. So it doesn’t make sense that reports are delivered in one way. Pentest deliverables are boiled down into a single document – which organizations must take upon themselves to break down for other uses. As most pentesters know, they often just don’t. That has to change if pentesters are to provide value in delivering remediation and security, rather than just compliance.
Organizations Are Increasingly Agile
The 2017 Pulse of Profession Report by the Project Management Institute (PMI) suggests that 71% of all development was Agile then. Today, it’s estimated to be as high as 92%. Nearly every software company is Agile. And, nearly every company is a software company.
What does that mean for pentesting? In most cases it means that the people asking for pentests actually want to remediate.
Agile teams distribute ownership across a wider number of teams. Each team has full ownership of a specific module, feature, or server. When something goes wrong, or there’s a vulnerability, they take ownership and fix it, so the whole application remains secure. That’s also incredibly hard to achieve with pentest reports. Why?
Pentest reports can be broken down and distributed across teams. But they’re not usually organized by asset. They’re also not usually organized in a way that allows more than one person to break them down. So, when you send a PDF report to an Agile company, it has to fall back on waterfall working methods, distributing tasks from a top-down perspective. That rarely works, if there’s even anyone in the company to do it.
Vulnerability Scanners Deliver in Other Ways
At the same time, existing vulnerability scanners already deliver Agile-friendly findings reports. Rather than lumping everything into a PDF intended for compliance or top-down distribution, they create tickets per finding. This method allows Agile teams to easily distribute work based on impacted assets and modules, to roll the work into the upcoming sprint, and to take ownership and fix it as part of team schedules.
That’s also important, because many Agile companies are already using scanners as a baseline level of security. Many also aren’t, but the popularity of Acunetix and Netsparker shows that these tools are here to stay. And that’s good. They help organizations establish basic security so that when you go to do a pentest, you can spend time looking at harder-to-find issues.
But, it also means that these same teams are accustomed to working with findings as tickets. And, to adapt and offer real value, most pentest teams have to do so as well.
Report Automation Tools Make Sense
Delivering findings as tickets would be intensely difficult using traditional pentesting. Currently, most pentesters use programs or manually copy-paste findings from files into a single PDF report. Aggregating everything already takes hours. If you had to do so while moving everything into individual tickets, it would take longer.
But pentesters are already moving to report automation tooling. These tools work in numerous ways but almost always automate moving findings from different tools, software, and documents into a single report. With this sort of automated setup, it’s a lot easier to create individual findings automatically, much like scanners do.
Pentest management platforms like Cyver Core, which integrate the full pentest management process, including asset management and pentest templates, take this a step further. For example, when you import tooling, it automatically connects with the relevant client asset. And, it pulls data from your existing vulnerability library – so you have to fill in as little information as possible. Findings are delivered as individual tickets. But, you can still compile them into a single report, complete with summaries and overviews, for a traditional report.
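As an added illustration of the pipeline described above (not Cyver Core’s code, nor any real scanner’s export format), the following Python script takes raw findings from two constructed sources, a hypothetical scanner export and a tester’s manual notes, normalizes them, enriches each one from a small vulnerability library, maps it to the owning client asset and team, and emits one ticket per finding. The same ticket list is then compiled into a traditional single-document summary. All hostnames, assets, library entries and findings are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed vulnerability library: reusable text keyed by finding title.
VULN_LIBRARY = {
    "Reflected XSS": {"severity": "High", "cwe": "CWE-79",
                      "recommendation": "Contextually encode output and enforce a CSP."},
    "Missing HSTS header": {"severity": "Low", "cwe": "CWE-319",
                            "recommendation": "Send Strict-Transport-Security with a long max-age."},
    "Outdated TLS version": {"severity": "Medium", "cwe": "CWE-326",
                             "recommendation": "Disable TLS 1.0/1.1; allow TLS 1.2+ only."},
}

# Constructed client asset inventory: hostname -> asset name and owning team.
ASSETS = {
    "shop.example.test": {"asset": "Storefront", "team": "web-frontend"},
    "api.example.test": {"asset": "Public API", "team": "platform"},
}


@dataclass
class Ticket:
    asset: str
    team: str
    title: str
    severity: str
    cwe: str
    location: str
    evidence: str
    recommendation: str
    source: str


def host_of(location: str) -> str:
    """Extract the hostname from a full URL or a bare host[:port] string."""
    parsed = urlparse(location if "://" in location else "//" + location)
    return parsed.hostname or location


def normalize(raw: dict) -> dict:
    """Map the two constructed input formats onto one common finding shape."""
    if raw["tool"] == "scanner-a":   # hypothetical scanner export
        return {"title": raw["name"], "location": raw["url"],
                "evidence": raw["request"], "source": "scanner-a"}
    if raw["tool"] == "manual":      # tester's own notes
        return {"title": raw["title"], "location": raw["target"],
                "evidence": raw["poc"], "source": "manual"}
    raise ValueError(f"unknown tool format: {raw['tool']}")


def build_tickets(raw_findings: list) -> list:
    """One ticket per finding, enriched from the library and mapped to an asset."""
    tickets = []
    for raw in raw_findings:
        f = normalize(raw)
        lib = VULN_LIBRARY.get(f["title"], {"severity": "Info", "cwe": "n/a",
                                            "recommendation": "Review manually."})
        owner = ASSETS.get(host_of(f["location"]),
                           {"asset": "Unmapped", "team": "unassigned"})
        tickets.append(Ticket(asset=owner["asset"], team=owner["team"],
                              title=f["title"], severity=lib["severity"],
                              cwe=lib["cwe"], location=f["location"],
                              evidence=f["evidence"], source=f["source"],
                              recommendation=lib["recommendation"]))
    return tickets


def group_by_team(tickets: list) -> dict:
    """Sprint-friendly view: each team sees only the tickets it owns."""
    grouped = defaultdict(list)
    for t in tickets:
        grouped[t.team].append(t)
    return dict(grouped)


def compile_report(tickets: list) -> str:
    """Traditional single-document view: severity counts plus a per-asset listing."""
    counts = defaultdict(int)
    for t in tickets:
        counts[t.severity] += 1
    lines = ["Summary: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items()))]
    for t in sorted(tickets, key=lambda t: (t.asset, t.title)):
        lines.append(f"[{t.severity}] {t.asset}: {t.title} ({t.cwe}) at {t.location}")
    return "\n".join(lines)


# Constructed raw findings, as if exported from a scanner and from a tester's notes.
SAMPLE_FINDINGS = [
    {"tool": "scanner-a", "name": "Missing HSTS header",
     "url": "https://shop.example.test/", "request": "GET / -> no HSTS header"},
    {"tool": "scanner-a", "name": "Outdated TLS version",
     "url": "api.example.test:443", "request": "TLS 1.0 handshake accepted"},
    {"tool": "manual", "title": "Reflected XSS",
     "target": "https://shop.example.test/search?q=",
     "poc": "q parameter echoed unencoded into the page body"},
    {"tool": "manual", "title": "Verbose error page",
     "target": "https://legacy.example.test/", "poc": "stack trace shown on HTTP 500"},
]

if __name__ == "__main__":
    tickets = build_tickets(SAMPLE_FINDINGS)
    for team, items in group_by_team(tickets).items():
        print(team, [t.title for t in items])
    print(compile_report(tickets))
```

The point of the design is that the ticket is the primary record and the PDF-style report is derived from it, not the other way round: a host that is missing from the asset inventory lands in an "Unmapped" bucket that someone has to triage rather than silently disappearing, and a finding the library does not know gets a placeholder severity rather than none.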
The Future of Pentesting
As cybersecurity threats become more prevalent, more and more organizations are taking charge of their cybersecurity. That often involves using scanners and tooling to establish basic security. But it also means setting up processes to ensure findings are actually resolved. When these organizations hire pentesters, they are increasingly at the point of needing human insight to find new vulnerabilities. Pentesters are increasingly asked to work as consultants, filling the role of pentester while offering advice on remediation, replicating findings, and matching vulnerabilities across assets.
Eventually, it is that shift which will allow pentesters to deliver more value. Moving beyond delivering “just a report” means shifting how you manage and deliver work. It doesn’t change how you work. But, for most pentesters, new tooling like Cyver Core saves significant time, enables scaling, and creates new opportunities for ongoing work with the same clients.
To learn more, read our Whitepaper: the ROI of Pentest-as-a-Service Platforms