In traditional pen testing models, the final report consists of a pdf summary of the findings emailed to you at the end of a testing period. All communication around individual vulnerabilities usually happens in a one-hour readout call, then you’re on your own. This old-fashioned way of reporting works for compliance purposes, but for the developers who actually need to fix the findings, it’s not the best delivery method.
With Cobalt’s Pen Testing as a Service model, reporting is an interactive and ongoing process. Individual findings are posted on the platform as they are found, and at the end of a test the pen test lead reviews all the findings and produces a final summary report. Once complete, the lead passes it on to the customer. The final report that is sent over at the end of a test isn’t static, it’s a living document and reflects the changes and input made. For example, when vulnerabilities are marked ready for re-test on the platform, the researcher will verify the fix and update the state which is then automatically reflected on the full report.
Here are 4 tips to get the most out of a pen test report:
1. Get Involved in the Risk Assessment
The Cobalt researchers are experts in pen testing and have strong experience in assessing risk from a technical standpoint — but they don’t know your business as well as you, and sometimes it can be challenging for a third party to assess the actual business impact of a vulnerability. The pen test lead will always have the final say in the risk assessment, but relevant information is key for good decisions. Therefore, we encourage business teams to get involved in the risk assessment process by providing business related insights to the pen test lead so the assigned risk is aligned with the real world. You can do this by providing comments directly in the platform for each individual finding as it is reported.
2. Show Progress to Stakeholders
During a pen test there are many stakeholders that may be interested in the findings and success of a test. This may be members of your security team, engineering, product, etc. You want to show stakeholders that the test was successful, that you are fixing vulnerabilities, and that you are more secure. You can do this by providing them with most up-to-date information. With traditional pen testing this would mean you are updating the final report you were given. With Cobalt, the status of findings are automatically updated as they are fixed. This gives you the ability to download the most up-to-date report at anytime. The pen testing is a point in time, but the final report is a living document that shows the fixes overall.
3. Use Different Report Views
After testing is done, you want to be able to share the results with key stakeholders. However, the amount of information you want to share with each individual can differ. This is where having different versions of you full report can help summarize only certain information to different stakeholders. With Cobalt, we make this easy by offering three different levels: Attestation, Full Report, and Full Report + Findings Details. No need to go in cut, copy, and paste. Have it ready with a click of a button.
4. Facilitate Direct Communication with Developers
While a full pen test summary report is great for compliance and stakeholder management, reporting to the developers needs to be more detailed. It’s important that the communication channel between security and Development teams is as seamless as possible. The easier it is to communicate, the more likely it is that findings will get fixed. Traditionally, this finding communication is done via email, but with Cobalt this can be done by either inviting the developers into the platform for direct communication and/or setting up integrations enabling you to push the findings over to your JIRA or GitHub project with the click of a button.
Hope these tips offer some guidance as you manage your pen test reports. Feel free to comment or reach out with feedback or additional tips.
In case you missed the previous step in the pen testing process. Here are 4 Tips for Keeping a Pen Test Methodology Successful: https://cobalt.io/blog/4-tips-for-keeping-a-pen-test-methodology-successful