As a disaster recovery provider for MSPs offering secure cloud, SaaS, and file protection services, Datto places cybersecurity at the heart of its business. To find out more about how a pentesting program fits into Datto’s agile development workflows and what challenges they faced before working with Cobalt, we spoke with Application Security Manager Justin Bacco and Security Engineer Jeremy Galindo.
Initially, the main driver for Datto’s pentesting program was SOC 2 compliance. The company previously worked with a handful of third-party vendors who delivered pentesting services. However, their approach to vulnerability reporting was challenging to integrate with Agile development workflows.
“We were working with companies that use the old-school ‘email-and-PDF’ style of reporting,” Bacco explains. “We would kick off a two-week pentest and then have to wait two more weeks before we finally get the PDF report. Then it would have mistakes, and we’d have to push back on it. There wasn’t much communication, and that created real challenges for us.”
Lacking a channel for real-time communication with pentesters, Datto ran into several problems. Most notably, the company’s engineers weren’t receiving vulnerability reports in a usable format. Not only were they unable to seek clarification where needed, but there were also issues with feeding reports into established engineering sprints. Combined, these issues made it difficult to obtain full value from each pentest.
Over time, Datto wanted to expand its program to support a more rigorous testing approach in line with its commitment to industry-leading cybersecurity. At this point, it became clear the traditional method wasn’t providing the high-quality, full-coverage testing Datto needed. Instead of having the same 2-3 pentesters working on the same assets year after year, Datto needed a more diverse pentesting approach. In 2018, they decided to try Cobalt’s platform, where they could communicate with pentesters in real time throughout the engagement and use different testers for each pentest, so that each test brought a new perspective on their security.
“Having instant communication with testers is a driving factor in why we chose Cobalt and continue to use them,” explains Bacco. “Talking to the researchers in real time and getting instant feedback on issues, or answering their questions, just makes for a better quality pentest. If a researcher is stuck on something and we can answer their question within 10 minutes, that really helps dig out vulnerabilities.”