Cobalt Crowdsourced Application Pentest


How KUBRA Scaled Pentesting from PCI Compliance to a Continuous Pentest Program

Cobalt
Sep 7, 2020

KUBRA is a technology company that provides customer experience solutions for some of the largest utility, insurance, and government organizations in North America. Their portfolio includes a variety of services, including billing and payments, alerts and preference management, mobile apps, and utility mapping solutions.

As the VP of Information Security and Risk Management, Tushar Chandgothia is in charge of maintaining security on a multitude of levels, from information security to privacy to some elements of physical security. KUBRA's security team aims to build security processes and programs that grow with the organization. To do this, Tushar and his team work closely with product development, IT operations, client implementation, and many other parts of the organization to ensure they are building secure applications.

KUBRA manages more than 1.5 billion transactions annually, making it critical to ensure their data remains protected.

The Challenges

  • It can be expensive and difficult to retain internal pentesters

  • Traditional penetration testing yields inconsistent quality of findings and reporting

  • Inconsistency and constant turnover make budgeting difficult

Retaining full-time internal pentesters can be costly and competitive, so KUBRA often outsources its security testing needs. However, when they worked with traditional third-party penetration testing companies, KUBRA found that there was too much variation in quality. In addition, each pentester had a different way of structuring the test and reporting on issues. This left KUBRA with the extra work of normalizing and storing the findings in a consistent form, which made it hard to track trends over time and to budget accordingly.

Tushar and his team were looking for a reliable pentest partner that would give them access to top pentester talent and provide them with quality reporting that would help them more effectively track improvements and properly budget.

The Solution

  • Access to a global pool of nearly 300 pentesters with a variety of tester backgrounds and expertise

  • Comprehensive, consistent, and standardized documentation and reporting

  • Real-time pentest findings accessible through an interactive platform

KUBRA's pentest program was originally driven by PCI compliance requirements, which call for a penetration test at least once a year (and after significant changes to the environment). However, as the organization grew, KUBRA wanted to scale and conduct pentesting on a more continuous basis, especially for their public-facing web applications.

Cobalt makes it easy for KUBRA to build out their pentest program with an easy setup, consistent real-time reporting of results, and access to nearly 300 pentesters. Gaining access to a large and diverse pool of pentesters has yielded higher-quality results that are more relevant and impactful to KUBRA's business. With Cobalt, they can also choose to add new pentesters to engagements, offering fresh and diverse perspectives while maintaining consistency in quality and reporting structure. Consistent and standardized reporting has made budgeting easier for KUBRA and has allowed them to better track trends over time.

Cobalt's PtaaS platform gives Tushar and his team the ability to see and act upon findings in real time. This means they can start fixing issues as they arise instead of waiting until the test is complete. Once testing is done, there are a variety of reporting options: Customer Letter, Attestation, Full Report, or Full Report + Finding Details. This makes sharing the appropriate level of detail with different stakeholders as easy as clicking a button.

KUBRA came to Cobalt for a single pentest but quickly realized the potential to nurture and expand their entire security testing program. As a result, they’ve hardened their security posture with a security chaos engineering mentality of frequent testing that builds resilience.

"When we first went with Cobalt it was purely for PCI requirements, but we were looking to scale our program and pentest on a more continuous basis. Cobalt gave us the ability to pentest on a frequent basis with minimum effort from our teams, saving us time and providing us quality results on a consistent basis." ~Tushar Chandgothia, VP of Information Security and Risk Management at KUBRA

Interested in learning how Cobalt’s Pentest as a Service Platform could help you budget and scale your security testing program? Schedule a demo today.