LiquidPlanner delivers predictive project management for the modern business. Their award-winning Project Management platform is used by thousands of companies across 50 countries, and customers include large enterprises such as Linkedin. As a SaaS B2B business keeping sensitive project data for their customers, LiquidPlanner is expected to keep a high level of security.
Not just another vulnerability scan
Both existing and new customers want to see that LiquidPlanner is actively trying to fight off the bad guys. While some traditional providers may be able to produce a report, they often lack quality in the actual security testing. Thus Brett Bender, VP of Engineering at LiquidPlanner, was looking for a modern way to get both effective and actionable assessments of the security and capability to display the results to customers. Brett Bender elaborates:
"We were looking for an alternative to basic vulnerability scanners and overpriced consultancies. Just as LiquidPlanner prides itself on cutting edge technology to help technology teams, we were looking for a cutting edge security solution."
LiquidPlanner was introduced to Cobalt and decided to explore the Cobalt Pentest service.
Modern Security Testing
LiquidPlanner had previously performed a one-off vulnerability assessment with a consultancy, but was looking for a modern security testing-as-a-service to deliver periodic pentests. They decided on the Cobalt Pentest solution.
With this service LiquidPlanner got 2 web application pentests a year, each including:
- 2 weeks of assessment, penetration testing and analysis from 1 CISSP certified lead pentester supported by 2 technically skilled security researchers/domain experts
- Coverage of OWASP top 10 + Application logic
- Access to the lead pentester for questions all year
- Re-test and patch verification of the vulnerabilities found
- Access to Cobalt Central - A SaaS platform to work with individual findings and communicate with the pentesters
- A summary report to display to customers
The Pentest Process
LiquidPlanner and Brett had their first pentests up and running in no time.
Through Cobalt Central, they defined the scope of the pentest to be their Ruby on Rails web application and gave detailed information and instructions on user roles, credentials and specific application logic.
After this, Cobalt assigned a pentest team of three top application security professionals skilled in working on Ruby on Rails applications. One of them was a CISSP certified lead pentester who ensured that a vulnerability assessment was done; the assessment covered the OWASP top 10 list of the most common vulnerabilities in web applications, including Cross Site Scripting and Cross Site Request Forgery attacks. The two other pentesters were domain experts who supported the assessment and also performed deeper penetration testing checking for specific application logic.
From the moment the pentest was kicked off, Brett and his team could follow progress and communicate directly with the security researchers. When the pentest concluded, Brett Bender was delighted by the results and the ROI.
"The security researchers and Cobalt did an outstanding job. They were able to deliver both the coverage of a vulnerability assessment and the depth of a penetration test. Additionally, this was all at a very sensible price point."
Displaying security to customers
A key deliverable of the pentest was the summary report, which could be shared with stakeholders and potential customers. Brett explains:
"We wanted to show our customers that application security is a key priority for us. With the bi-annual summary report we can easily communicate our security posture to both existing and new customers."
The summary report contained:
- An executive summary of the testing done and the results
- A detailed description of what was in scope for the pentest
- The security testing methodology used
- An overall security rating of the web application in scope
- Recommendations on how to mitigate the findings
- Overview of the individual findings and their criticality (Probability of exploit vs. business impact)
With the Cobalt Pentest, LiquidPlanner has received:
- A modern security testing-as-a-service approach
- A higher ROI compared to traditional services
- A way to show stakeholders and customers their security posture
"I would highly recommend Cobalt security testing services to any B2B SaaS business. Our company is deeply committed to optimizing the success of projects, and I am pleased to say that our enrollment in Cobalt’s pentest program has been a success."
- Getting cost-effective periodic vulnerability assessments / penetration tests to increase the application security level and display the security posture to customers
- Cobalt Pentest - 2 Penetration tests / year
- A modern SaaS platform to easily work with the researchers and track individual findings
- High ROI - 3 incentivized security researchers per pentest
- A detailed pentest report to share with customers