With the most important aspect of a pentest coming after the test itself, in remediation, engineering and security teams must collaborate to deliver robust and safe applications.
Throughout this collaborative effort, many vital aspects of a pentest report’s findings can be lost in translation. To help prevent this, companies prioritizing their security should aim to create a cohesive process between the two disciplines of development and security.
Yet, with deadlines and important go-to-market dates to meet, engineers often face a challenge in balancing security and speed. With this in mind, many engineers will question the need for their time to be spent on security, especially if the security and engineering process lacks cohesion.
To alleviate this, a Pentest as a Service (PtaaS) platform consolidates pentest findings into an integrated system benefiting both teams. Through a PtaaS platform, this collaboration becomes second nature.
To highlight this, and specifically the benefits a PtaaS platform offers engineers, today we interview Sarah Ridge, a Senior Software Engineer at Cobalt. Through this discussion, we’ll highlight the benefits engineering teams see when security support is built into the development process.
1. When using Cobalt’s PtaaS platform as an engineer, does it require any previous pentesting training?
Not at all. I hadn’t worked for a pentest company or a security company prior to Cobalt. We have embraced certain resources as a company internally, such as how to write secure code. We’ve utilized some other types of platforms such as Secure Code Warrior, where you hold tournaments to see security examples in the programming languages that we’re familiar with. That said, no, using the Cobalt PtaaS platform doesn’t require you to know anything about pentesting.
2. Could you describe how you use the Cobalt platform to fix vulnerabilities?
Yeah, that’s a great question. Again, you don’t need any prior experience. Everything falls into our standard workflow seamlessly. For example, we use a custom Jira integration, available to the public, to push vulnerability findings from the Cobalt platform directly into Jira.
Findings go directly into our workflow based on the cadence of testing. To me, this is honestly amazing. I can keep everything in one spot, centralized, and we can see vulnerabilities right away to prioritize and take action.
As tests occur, I see live results. This is important because it allows our team to see if we’re introducing new issues that perhaps we could have caught during code review, or maybe it was secure six months ago but we introduced something new—whoops—that could cause a vulnerability.
With Cobalt running pentests multiple times per year, this is crucial because seeing this data on a more regular basis helps identify whether engineers are adding more security bugs throughout their development process.
Another important benefit comes from increased visibility into vulnerabilities. As a developer, it can be difficult to understand a reported vulnerability, let alone how to expose or reproduce it. So, with the Cobalt Pentest as a Service platform, we receive diligently outlined examples on what pentesters found, and how to reproduce it with screenshots and videos. This empowers engineers to see how the testers exposed a vulnerability and develop a remediation plan faster.
3. Have you ever had to remediate findings that were uncovered during a traditional pentesting experience? If so, how would you compare your experience working from a Traditional Penetration Test versus using PtaaS?
No, prior to Cobalt, I hadn’t, but in conversation with other developers, I’m really in shock when others describe their pentest experience, which often starts and ends with “We ran a pentest,” and that’s it.
As I ask more questions, the general response has been short and without much context, which is surprising to me because, as mentioned, here at Cobalt our vulnerability findings are reported in a very immediate fashion.
The difference between traditional pentesting and Pentest as a Service feels immediate. Action for fixed vulnerabilities is communicated back to the Cobalt platform so that pentesters can retest after remediation. This has been so crucial for me because I am delighted by the diligence of our pentesters.
For example, there was a time when a vulnerability came up. I felt really confident about the code I wrote to fix this vulnerability. I wrote some unit tests, integration tests, and it turns out I only fixed half the issue. The pentesters came back after retesting to explain the vulnerability was fixed for one scenario but not fixed for another scenario.
This was amazing; it forced me to rework the fix for the second scenario and the testers were able to test this again after the second patch. With this, it made me realize not only do we need to write tests to ensure new features work but also write tests to validate features are secure with consideration of different attack scenarios.
With this experience in mind, when I ask other developers about their experience, they really don’t have anything to say. There’s a complete gap here between traditional testing and the retesting process; Pentest as a Service helps solve this.
4. What’s the biggest benefit of using the Cobalt platform for your remediation work?
There are many benefits. The main one for me is the learnings from each vulnerability finding.
The all-inclusive situational context helps illuminate different approaches to writing and reviewing code. Through these insights, something I learned to ask myself after working with Cobalt’s PtaaS platform was, “What would a pentester say about my code?” It’s almost a game of Where’s Waldo in which I ask, “Where’s the vulnerability?”
These security insights have helped me grow so much as a developer towards the next step of being more thoughtful with writing tests for new features. Now when a feature launches, I can say, “Yes, this feature works and it’s secure.”
5. As a developer, are there certain data points being captured in the Cobalt platform that are helpful for you to look at?
All the data points matter to me. With a vulnerability, regardless of whether its risk is high or low, it needs to be resolved.
If one person can expose it, anyone could exploit this and it needs to be remediated.
If I notice a lot of vulnerabilities categorized as business logic, that will catch my attention. If there are a lot of business-logic vulnerabilities, this suggests areas of the code that are too complex or not written clearly enough and are thus creating many other vulnerabilities. Identifying an underlying code inefficiency helps save time in the future by stopping vulnerabilities before they appear.
6. How do you prioritize vulnerability remediation?
Any vulnerability, regardless of high or low severity, needs to be fixed.
Factors such as time and resources necessary to fix help determine the priority. Thankfully, vulnerabilities are worked directly into our normal workflows in Jira. Then, we prioritize vulnerability remediation in our work planning cycles to align alongside our product development work.
There are also times when a glaring bug exists, such as customers being unable to log in to the platform. When cases like this arise, they quickly become a priority for remediation.
Other times, we look for lower-hanging fruit among the vulnerabilities, which gives the team the added benefit of an easy win when it comes to implementing a fix in the code. There’s something to be said for the momentum low-hanging-fruit solutions can add to the team’s morale, helping propel progress towards more challenging vulnerabilities.
Balancing these different scenarios becomes easier with the cross-platform communication offered between the Cobalt platform and our workflow tools.
7. How do you see PtaaS evolving in the future?
I hope to see a step towards standardization. This is how developers become aware of pentesting, but even today it’s shocking when developers don’t know anything about pentesting. So, through standardization, I hope to see increased awareness.
The Cobalt platform brings more awareness. There may be different platforms and processes, but Cobalt is setting the standard for how pentesting should and can work. Integrating security into the development process shouldn’t be complex. For example, look at how easily GitHub integrates into other toolsets for easy-to-use solutions.
Finally, I’m also excited about the evolution process PtaaS represents to the wider pentesting sector. I’m not aware of another company working towards this change to the decades-old pentesting industry. It’s refreshing to see a dynamic approach as other solutions seem to be very static.
Cobalt’s progression delivers what anyone would expect from a modern-day application: a pentesting platform that is very easy to use and intuitive.
In closing, remember that the benefits of a PtaaS platform extend beyond security teams. This spillover of benefits leads to faster remediation and, in the end, a more secure code base to deploy.
If you’d like to learn more about how Cobalt’s Pentest as a Service Platform can empower your security posture, schedule a demo with our team today.