LiquidPlanner delivers predictive project management for the modern business. Their award-winning Project Management platform is used by thousands of companies across 50 countries, and customers include large enterprises such as LinkedIn. As a SaaS B2B business keeping sensitive project data for their customers, LiquidPlanner is expected to maintain a high level of security.
Not just another vulnerability scan
Both existing and new customers want to see that LiquidPlanner is actively trying to fight off the bad guys. While some traditional providers may be able to produce a report, they often lack quality in the actual security testing. Thus Brett Bender, VP of Engineering at LiquidPlanner, was looking for a modern way to get effective, actionable security assessments and the ability to display the results to customers. Brett Bender elaborates:
"We were looking for an alternative to basic vulnerability scanners and overpriced consultancies. Just as LiquidPlanner prides itself on cutting edge technology to help technology teams, we were looking for a cutting edge security solution."
LiquidPlanner was introduced to Cobalt and decided to explore the Cobalt Pen Test service.
Modern Security Testing
LiquidPlanner had previously performed a one-off vulnerability assessment with a consultancy, but was looking for a modern security testing-as-a-service to deliver periodic pen tests. They decided on the Cobalt Pen Test solution.
With this service LiquidPlanner got 2 web application pen tests a year, each including:
- 2 weeks of assessment, penetration testing and analysis from 1 CISSP-certified lead pen tester supported by 2 technically skilled security researchers/domain experts
- Coverage of OWASP top 10 + Application logic
- Access to the lead pen tester for questions all year
- Re-test and patch verification of the vulnerabilities found
- Access to Cobalt Central - A SaaS platform to work with individual findings and communicate with the pen testers
- A summary report to display to customers
The Pen Test Process
LiquidPlanner and Brett had their first pen tests up and running in no time.
Through Cobalt Central, they defined the scope of the pen test to be their Ruby on Rails web application and gave detailed information and instructions on user roles, credentials and specific application logic.
After this, Cobalt assigned a pen test team of three top application security professionals experienced with Ruby on Rails applications. One of them was a CISSP-certified lead pen tester who ensured that a vulnerability assessment was done; the assessment covered the OWASP top 10 list of the most common vulnerabilities in web applications, including Cross Site Scripting and Cross Site Request Forgery attacks. The two other pen testers were domain experts who supported the assessment and also performed deeper penetration testing that targeted the application's specific business logic.
From the moment the pen test was kicked off, Brett and his team could follow progress and communicate directly with the security researchers. When the pen test concluded, Brett Bender was delighted by the results and the ROI.
"The security researchers and Cobalt did an outstanding job. They were able to deliver both the coverage of a vulnerability assessment and the depth of a penetration test. Additionally, this was all at a very sensible price point."
Displaying security to customers
A key deliverable of the pen test was the summary report, which could be shared with stakeholders and potential customers. Brett explains:
"We wanted to show our customers that application security is a key priority for us. With the bi-annual summary report we can easily communicate our security posture to both existing and new customers."
The summary report contained:
- An executive summary of the testing done and the results
- A detailed description of what was in scope for the pen test
- The security testing methodology used
- An overall security rating of the web application in scope
- Recommendations on how to mitigate the findings
- Overview of the individual findings and their criticality (Probability of exploit vs. business impact)
With the Cobalt Pen Test, LiquidPlanner has received:
- A modern security testing-as-a-service approach
- A higher ROI compared to traditional services
- A way to show stakeholders and customers their security posture
"I would highly recommend Cobalt security testing services to any B2B SaaS business. Our company is deeply committed to optimizing the success of projects, and I am pleased to say that our enrollment in Cobalt’s pen test program has been a success."
- Getting cost-effective periodic vulnerability assessments / penetration tests to increase the application security level and display the security posture to customers
- Cobalt Pen Test - 2 Penetration tests / year
- A modern SaaS platform to easily work with the researchers and track individual findings
- High ROI - 3 incentivized security researchers per pen test
- A detailed pen test report to share with customers