Ten years ago, nearly all pentests were performed for compliance. Today, that’s changing rapidly. New threats, a rising number of successful attacks, and the fact that 60% of businesses are breached all contribute to growing cybersecurity awareness. Organizations are adapting by using pentesting for security rather than just compliance, by adding vulnerability scanners to catch “low-hanging fruit”, and sometimes even by adding further layers of assurance with red teaming.
But, while organizational approaches to cybersecurity are certainly changing, pentesting mostly isn’t. In fact, most pentesters deliver work the same way they did 15 or even 20 years ago: you assess the applications, write up the findings, and hand over a 30–120-page report. It’s then up to the organization to break it down and actually do something with it.
That doesn’t work with modern, Agile teams. It also doesn’t work for pentests centered around remediation rather than passing an audit.
Agile Work Methodology
An estimated 92% of new software teams use Agile. That’s important, because it changes how teams approach and deliver work. It also changes how your vulnerability report is likely to be used.
Agile Teams:
- Take full ownership of a feature or module per team
- Are self-organizing and often set their own goals, workloads, and priorities
- Work in 2-week sprints, in which all work for the 2 weeks is set upfront
- Rapidly change focus to higher-priority items as the need arises
Essentially, Agile teams are built for rapidly pushing work out and getting it completed. They allow even large software companies to adapt to quickly changing technology and consumer behavior. They also allow teams to respond to delivered vulnerabilities within a single sprint, because workloads are set every 2 weeks rather than quarterly.
That’s great for improving security, but it does mean that PDF reports aren’t really compatible with the work style.
Why Traditional Pentest Reports Don’t Work with Agile
When you deliver a pentest report, it’s normally to a compliance officer. The CO takes that report and either sends it to the IT department or breaks it down herself. This means:
- Deciding who is responsible for what patches, processes, or maintenance
- Deciding what is priority and what needs to be remediated first
- Reaching out to process owners of affected systems
- Submitting a Request for Change to every affected system
- Getting approval from process owners (Network heads, security system owners, etc.)
- Those process owners then delegate work to their teams
All of this requires significant time, effort, and red tape. Rather than affected teams seeing work directly, they have to wait for it to filter through multiple stages of approval – despite the fact that they have to do the work anyway. From there, delegation can take months. The result is slow fixes – or, as is the case with many vulnerabilities, no fixes at all.
And, even when vulnerabilities are fixed, the average time-to-remediate is 205 days according to ZDNet.
Switching to Pentest-as-a-Service
While part of the problem of slow or no remediation lies in the hands of the client, part of it is also in how work is delivered. When pentesters deliver a massive PDF report, sometimes containing privileged information that not every team can have, they force a slower, more bureaucratic remediation process.
At the same time, most teams are already accustomed to working with scanners. These tools are either external (Acunetix, etc.) or integrated into existing tooling (Google’s Web Security Scanner). Most importantly, they deliver vulnerability findings as tickets, which teams can immediately roll into their workload and remediate.
Pentest-as-a-Service allows pentesters to deliver work in much the same way. Traditional, manual methods don’t make this feasible: it’s enough work to put together a report without also creating dozens or even hundreds of tickets by hand. Pentest management platforms like Cyver Core automate the process – you import directly from tooling or add manual data, depending on which part of the pentest you’re uploading. You can also add your vulnerability library, use templates, and greatly speed up the process. And the dev teams get tickets, which they can use to distribute work directly to the affected teams.
Pentest-as-a-Service platforms like Cyver Core mean:
- Stakeholders like IT staff and asset owners are onboarded to the platform
- Findings are delivered as tickets, which can be exported to tooling like Jira
- Stakeholders can directly communicate with pentesters to ask questions
- Data, like Time to Fix metrics, is integrated into the platform, offering reminders to fix
- Scheduling new pentests is integrated into the process, so that you can more easily ensure the client completes their next pentest on time
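The ticket-based delivery described above, as an added example that is not Cyver Core's code or data format: a small Python script that takes a constructed findings export, collapses duplicate findings reported by two tools into one ticket per issue and asset, assigns each ticket to the onboarded asset owner (unowned assets fall back to a triage queue), sets a due date from an assumed per-severity SLA, emits a Jira-style issue payload, and computes the Time to Fix and overdue lists that drive reminders. The sample findings, the asset-to-team mapping, the SLA values and the payload shape are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample export, as two tools might produce it (not a real platform format).
SAMPLE_FINDINGS = [
    {"id": "F-1", "title": "Reflected XSS in search parameter", "severity": "high",
     "asset": "webshop", "found": "2024-03-01"},
    {"id": "F-2", "title": "Outdated TLS configuration", "severity": "medium",
     "asset": "api-gateway", "found": "2024-03-01"},
    {"id": "F-3", "title": "Reflected XSS in search parameter", "severity": "high",
     "asset": "webshop", "found": "2024-03-02"},  # same issue as F-1, seen by a second tool
    {"id": "F-4", "title": "Verbose error pages", "severity": "low",
     "asset": "legacy-crm", "found": "2024-03-01"},  # asset with no onboarded owner
]

# Assumed asset-to-team mapping: the stakeholders onboarded to the platform.
ASSET_OWNERS = {"webshop": "team-storefront", "api-gateway": "team-platform"}

# Assumed remediation SLA in days per severity; substitute your own policy.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Ticket:
    key: str
    summary: str
    severity: str
    asset: str
    assignee: str
    opened: date
    due: date
    closed: Optional[date] = None
    sources: list = field(default_factory=list)  # finding ids merged into this ticket


def findings_to_tickets(findings, owners, sla_days=SLA_DAYS):
    """One ticket per (title, asset): merge duplicates, assign an owner, set a due date."""
    tickets = {}
    for f in findings:
        dedupe_key = (f["title"].strip().lower(), f["asset"])
        opened = date.fromisoformat(f["found"])
        if dedupe_key in tickets:
            # Duplicate from another tool: keep the earliest sighting, remember both ids.
            t = tickets[dedupe_key]
            t.sources.append(f["id"])
            t.opened = min(t.opened, opened)
            t.due = t.opened + timedelta(days=sla_days[t.severity])
            continue
        sev = f["severity"].lower()
        tickets[dedupe_key] = Ticket(
            key=f"SEC-{len(tickets) + 1}",
            summary=f"[{sev.upper()}] {f['title']} ({f['asset']})",
            severity=sev,
            asset=f["asset"],
            assignee=owners.get(f["asset"], "security-triage"),  # unowned -> triage queue
            opened=opened,
            due=opened + timedelta(days=sla_days[sev]),
            sources=[f["id"]],
        )
    return list(tickets.values())


def to_jira_payload(ticket):
    """Issue dict in the shape of Jira's create-issue 'fields' (assumed, minimal subset)."""
    return {
        "fields": {
            "summary": ticket.summary,
            "description": "Merged findings: " + ", ".join(ticket.sources),
            "priority": {"name": ticket.severity.capitalize()},
            "labels": ["pentest", ticket.asset],
            "duedate": ticket.due.isoformat(),
        }
    }


def close_ticket(ticket, closed_iso):
    """Mark a ticket remediated on the given ISO date (e.g. after the pentester re-checks)."""
    ticket.closed = date.fromisoformat(closed_iso)
    return ticket


def time_to_fix_report(tickets, today_iso):
    """Average days-to-fix for closed tickets plus the open/overdue set that needs reminders."""
    today = date.fromisoformat(today_iso)
    fixed = [(t.closed - t.opened).days for t in tickets if t.closed]
    return {
        "open": sum(1 for t in tickets if t.closed is None),
        "overdue": [t.key for t in tickets if t.closed is None and t.due < today],
        "avg_days_to_fix": round(sum(fixed) / len(fixed), 1) if fixed else None,
    }


if __name__ == "__main__":
    tickets = findings_to_tickets(SAMPLE_FINDINGS, ASSET_OWNERS)
    close_ticket(tickets[0], "2024-03-10")
    for t in tickets:
        print(to_jira_payload(t))
    print(time_to_fix_report(tickets, "2024-04-15"))
```

The dedupe key is deliberately coarse (normalized title plus asset) so that the same weakness reported by a scanner and by the manual pentest lands in one ticket for one owner; anything mapped to the triage queue is a signal that an asset owner still needs to be onboarded before findings for it can be delivered Agile-style.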
Ultimately, pentest-as-a-service allows you to deliver pentesting in an Agile way. If affected teams receive alerts when findings are available, they can respond to them just as they do with scanner findings. Someone picks up the work, makes sure it’s remediated, and then possibly even asks the pentester to verify that the vulnerability is gone. That empowers developers and IT staff, improves overall organizational cybersecurity, and allows you to deliver more value to the client.