3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
3 PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Cobalt’s Pentest Maturity Model: Which Level Are You?

With a proper understanding of where on the cybersecurity maturity model your company lives, firms can better protect their digital assets based upon the business vulnerabilities unique to your industry and company.

The modern business world constantly faces digital threats. With companies facing these continuous threats, understanding a business’ cybersecurity maturity level can empower better decision-making and ensure the proper tools, processes, and people are in place to be best protect against a cyberattack.

Introduction to Cybersecurity Maturity Assessment

With a proper understanding of where on the cybersecurity maturity model your company lives, firms can better protect their digital assets based upon the business vulnerabilities unique to your industry and company.

Other benefits of a cybersecurity maturity assessment (CSMA) include:

  • Better understand your security coverage and identify potential areas of improvement
  • Pentesting can be continuously improved to become a strategic, data-driven, and seamlessly integrated activity
  • The result is that pentests not only appropriately mirror the company’s DevSecOps maturity, but they also support its further progress through reliable analytics, standardized processes, and improved cross-departmental communication

Defining a Cybersecurity Maturity Model

Improving the output of your pentests requires incremental improvements over time. Cobalt has worked with organizations of varying industries, sizes, and DevSecOps maturity. What we’ve seen as a progression that they go through can be broken down into these 5 levels.

An important note about the cybersecurity maturity model, while the different levels include a variety of components, each individual component is not a requirement for every company. Depending upon the exact sector and business service offering, different aspects of each level should be prioritized and considered as relevant to your specific business.

Level 1

  • Testing and remediation happen ad hoc according to a random need, no defined structure
  • Only a specific asset is tested
  • Communication overhead between engineering and security - little to no alignment on who does what, when, and how
  • No process for standardizing pentests, which makes it difficult to compare results over time
  • Manual and time-consuming information collection process for when a new test needs to be scheduled or retests of the same asset

Leveling Up to Level 2: Introduce Structure

  • Implement regular pentests on high priority assets
  • Collect and maintain pentest information in one centralized location
  • Address silos between engineering and security teams with regular communication

Level 2

  • Testing and remediation at the minimum required level only on most critical assets for compliance or policy reasons
  • Challenges to pre-plan pentests and commitment to running pentests such as limited flexibility when responding to changes in engineering roadmaps
  • Remediation for low priority assets takes place only if there is a critical vulnerability
  • Security and engineering teams try to align, but remediation is still a largely manual and time-consuming process that doesn’t align with DevSecOps

Leveling Up to Level 3: Improve Efficiency

  • Automate repetitive manual tasks, like findings delivery and status updates on bug fixes, with integrations between technology stacks
  • Introduce smaller and more frequent pentests to stay on top of new code releases
  • Start collecting data from pentesting reports to assess the performance

Level 3

  • Testing and remediation occur at a minimum required level on most critical assets based upon compliance or policy requirements
  • Pentests follow a standard methodology, with ample planning and structure to deliver a consistent stream of data for analytics — this helps with performance assessments over time
  • Integrations send findings straight to engineering’s ticketing system to be fixed based upon risk analysis and service level agreement (SLA)
  • Efficient processes and data-driven decisions free up resources for medium priority assets but low priority assets take place only if a critical vulnerability exists

Leveling Up to Level 4: Strategize & Educate

  • Leverage analytics and statistics to guide secure development and define future strategy
  • Align pentesting plans with other departments’ roadmaps

Level 4

  • The organization has a strategic series of pentest with alignment between both compliance and engineering roadmaps
  • Company has a clear vision for compliance testing and good workflow and structure in place for handling ad hoc requests, driven by strategic decisions
  • Integrations between vendors and the organization’s technology stack empower pentesting to scale with the company
  • Streamlined pentesting processes enable engineers in real-time and automatically trigger retests alongside status changes

Leveling Up to Level 5: Leveraging Analytics to Empower Strategy

  • Further strategic alignment exists between engineering and compliance roadmaps
  • Integrations trigger a retest of assets after engineers process updates
  • Further development of pentesting scalability through a dedicated process to plan, structure, and standardize a continuous pentest approach of upcoming assets and application updates

Level 5

  • A highly strategic pentest program exists with alignment between both engineering and compliance roadmaps
  • Analytics utilized to inform decisions across different ancillary departments to security and engineering such as training and budgeting
  • Integrations between pentesting vendors’ and organizations’ technology stack to automatically send findings directly to engineers in real-time and trigger retests once updates have been made
  • Pentesting scalability unlocked within the company which includes a process to plan, structure, and standardize a continuous pentest approach for new assets and major releases

Key Aspects to Improve DevSecOps Maturity: Frequent and Consistent Pentesting

It’s important to remember that random one-off pentests don’t bring enough structure or data for teams to achieve this progression towards cybersecurity maturity. To push for continuous improvement, companies at levels 3 and 4 should opt for long-term programs that include smaller, more frequent pentests and retesting of assets after engineers deploy changes.

If you’d like to learn more about pentest programs, we’ve covered the topic from A to Z, with resources on:

New call-to-action

Back to Blog
About Caroline Wong
Caroline Wong is an infosec community advocate who has authored two cybersecurity books including Security Metrics: A Beginner’s Guide and The PtaaS Book. When she isn’t hosting the Humans of Infosec podcast, speaking at dozens of infosec conferences each year, working on her LinkedIn Learning coursework, and of course evangelizing Pentesting as a Service for the masses or pushing for more women in tech, Caroline focuses on her role as Chief Strategy Officer at Cobalt, a fully remote cybersecurity company with a mission to modernize traditional pentesting via a SaaS platform coupled with an exclusive community of vetted, highly skilled testers. More By Caroline Wong