We recently sat down with customer Eric Galis, VP of Compliance and Security at Cengage, to hear more about how his team is leveraging Cobalt’s Pentest as a Service (PtaaS) platform, and our conversation is captured below (edited for length and clarity). Cengage is an educational content, technology, and services company for the higher education, K-12, professional, and library markets. The majority of their work is in higher ed in the U.S., and they have relationships with about half of the 20 million learners across that space.
Cobalt: Can you tell us a little bit about your role at Cengage?
Galis: My role spans from how we are looking at different compliance requirements we have, whether those be regulations, laws around the privacy of students, or how we report our financials to our investors, all the way to how we secure the way people work and the way we secure our platforms.
Cobalt: Why is security important to Cengage?
Galis: We work with roughly 10 million learners and take the privacy of those learners very seriously. More and more, they’re not only consuming educational content through text, video, and other rich content, but also using our learning platforms; through those interactions we receive data about them and their learning journey. It is our responsibility to make sure that we are protecting that data and that we’re respecting their privacy. By partnering with Cobalt and other security vendors, we can focus on what we do best: Educate and work with the vendors that can provide best-in-class services to make sure we’re doing the right things for our students.
Our core competency is creating content and helping students with their learning journey. By partnering with Cobalt, we’re able to do that more safely and effectively and focus on what we do best.
Cobalt: What are the drivers for pentesting at Cengage?
Galis: As students move to digital, we’ve started to move our products there, too, offering textbooks, videos, homework, and collaboration platforms virtually. This means we are handling a lot of data that is important to our students. It is extremely important that we protect the privacy and the integrity of that data and ensure that our platforms are available so that students are always able to use them to further their learning in a secure manner.
Cobalt: What are the challenges in finding the right pentest partner?
Galis: The biggest challenge in finding a pentest partner is finding the appropriate balance of speed to execution and quality.
When looking at pentesting, a lot of times there’s a great deal of work in the setup, which can slow things down significantly. When producing new software quickly, it’s extremely important that pentesting can keep pace with development. If it takes a really long time to set up a pentest, you may have already released several new features that you should have tested long before you were able to. Testing apps after they’ve been released oftentimes means that code is no longer fresh in the developers’ minds, which can slow down fixes and requires more time for developers to refresh themselves on that code. This is one reason we chose to work with Cobalt, as they can get a pentest started within 24 hours. The setup process, in general, is easier and more straightforward than we’ve experienced in the past.
Another challenge we face as a learning company that grew up as a publisher is that we have many different platforms with different technology back ends. Having the ability to bring pentesters that have specific skills for each of our different platforms is extremely useful. Instead of having to keep someone who is generally good at testing across multiple platforms, we can have specialized skill sets for each.
Cobalt: What does a successful pentest look like?
Galis: A pentest in and of itself is not the value that you’re trying to get. You’re trying to achieve high-quality, secure software. The hallmark of a good pentest is to properly assess the security of your platform, and this is achieved by having good pentesters that can dive deep, provide coverage of the application, and are able to document findings in a way that developers can understand and fix them.
Essentially, a good pentest for us is the right people testing the right things, communicating effectively, and then partnering with our organization in order to actually remediate those vulnerabilities once they’ve been found. Cobalt partners with both our product and development teams in order to make sure that when a pentest is done, our teams understand the risk at the product level so that they can make decisions on what things will be fixed, in tandem with driving new features into our products so that we can meet our customer’s needs.
Cobalt: Who is involved with pentesting, and what has been their experience using Cobalt?
Galis: Application security, like many of the other security areas we’re responsible for at Cengage, is everyone’s responsibility. We work very closely with our technical product managers who spend time with customers to understand their requirements and then bring that back in building the user stories that drive what gets produced in our applications. We work with our engineering teams who write the code. We work with our architectural team to understand how things are being designed and the future vision of what the applications will look like and how they will work together. When it comes to pentesting, Cobalt is working with all these parts of the organization: security, product, engineering, and architecture.
Cobalt: What are the main benefits that you’ve experienced from using Cobalt?
Galis: The main benefits that we get from Cobalt are speed, scalability, and repeatability.
We are able to quickly launch and execute pentests; and beyond that, instead of waiting until the test is complete to get a report, we’re able to see those individual findings as they are identified in real time and relay them to the engineering team so they can start working on them immediately.
We’re able to scale. Instead of having a stable of pentesters on my team that have to scale up to the point of testing all of our platforms, we’re able to leverage the flexibility of having Cobalt’s pentester community as an extension of our team.
The process is easily repeatable. Using the platform’s Pentest Wizard, we fill out a form with all necessary information about a specific asset and then have pentesters assigned to us based on the scope. We are able to use pentest results from the platform and see how we’re doing year-over-year so we know how we’re progressing as an organization.
Cobalt: How would you describe Cobalt?
Galis: Cobalt is what any of our good security vendors are: a partner, not a transactional vendor. They work with us to understand what our requirements, needs, and problems are and then help us solve them. We have a dedicated Customer Success Manager (CSM) who is our point of contact and acts as the face of Cobalt, who we know and trust.
Anytime we have feedback about how we can work better together, our CSM works closely with our team to bring the force of that pentester community that’s behind every one of the tests that we do.
Cobalt: Has Cobalt changed how your team approaches pentesting?
Galis: Cobalt has allowed us to effectively scale our team. We can get a pentest up and running within 24 hours — regardless of whether we want to launch one test or five simultaneously. It gives us this ability to take the methodology that we want to apply to a pentest and scale it to all the different teams that we have to service so that we can continue to focus on helping learners pursue their educational journey.