RealtyShares is the leading online marketplace for real estate investing. It brings together investors and real estate operators, and allows the entire investing process to take place through its website. As a fintech company, it requires dependable and innovative security measures to make sure that sensitive data stays protected.
When Good is Just Not Good Enough
Like many online businesses, RealtyShares had become accustomed to using its own engineers and local security consultants to assess application security. However, they weren’t getting the full spectrum of diverse testing techniques, varying skill sets, and full test coverage they desired.
Data breaches are on the rise in the financial industry, with web application attacks being the most common attack pattern, accounting for nearly half of all security breaches. The Verizon 2016 Data Breach Investigations Report showed that in 2015 there were 1,368 incidents of compromised online security across 82 countries.
RealtyShares wanted the peace of mind that its platform and customer information were as secure as possible. That’s when CTO Gene Linetsky decided they needed something better.
“The individual freelance consultants we were hiring were good, but they just weren’t good enough. They provided us a glimpse of the security threats we were facing, but we needed more. Better coverage, out-of-the-box techniques, more diverse skill sets, and a motivated team of security experts were just a few of the improvements we were looking for.”
On his search for a cost-effective and quality testing alternative, Gene discovered Cobalt’s new approach to penetration testing.
Crowdfunding Real Estate Meets Crowdsourced Pen Testing
RealtyShares decided on Cobalt’s semi-annual crowdsourced pen tests to help take their application’s security to the next step.
With this service RealtyShares receives two web application pen tests a year, each including:
- 2 weeks of assessment, penetration testing and analysis from 1 CISSP-certified lead pen tester supported by 2 technically skilled security researchers/domain experts
- Coverage of OWASP top 10 + Application logic
- Access to the lead pen tester for questions all year
- Re-test and patch verification of the vulnerabilities found
- Access to Cobalt Central, a SaaS platform to work with individual findings and communicate with the pen testers
- A summary report to display to customers
A Diverse Group of Qualified Researchers
RealtyShares and Gene had their first Cobalt pen test up-and-running in no time.
Instead of working with a single consultant, RealtyShares now had access, through Cobalt, to a whole team of security researchers with expertise in the areas that matter most to its business.
They say two heads are better than one, and in security testing three experts are definitely better than one. The crowdsourced model also allowed RealtyShares to source the best domain experts from around the world, giving them the depth, creativity, and expertise they were looking for from a penetration test.
A Platform that Fosters Collaboration
Even though Cobalt’s researchers are sourced from all over the world, they are able to communicate effortlessly with fellow researchers and customers over Cobalt Central, Cobalt’s secure, collaborative, and intelligent online workspace for researchers and companies alike.
Over the course of the first penetration test, RealtyShares was able to build relationships with the Cobalt Core researchers through Cobalt Central. Researchers post their findings directly onto the platform, where customers can process and compare them instantly. RealtyShares doesn’t have to wait weeks before it can start looking at and fixing problems; it can do so as soon as a finding is posted. The sooner an organization becomes aware of its issues, the sooner those issues can be addressed.
The connections that RealtyShares has made with its researchers have even prompted mini-testing projects. When Gene and his team were about to roll out a few new features on their platform, they trusted the Cobalt Core to test them first. Researchers were able to review these additions from a security perspective and give feedback before RealtyShares rolled them out to customers.
“Working with the researchers on a collaborative platform has helped bolster our relationships with those who are testing our application. We love the work that the Cobalt researchers have done so far. So it was a no-brainer to have them take a look at new features we were applying to our web application.”
Another collaborative aspect that RealtyShares has taken full advantage of is Cobalt’s integration with GitHub. Companies can send vulnerability reports straight from the reports dashboard to GitHub. For companies that use GitHub, like RealtyShares, this saves time and reduces the work required to patch vulnerabilities. The GitHub integration speeds up the vulnerability patching process and removes some of the friction developers deal with in other testing options.
With the Cobalt Pen Test, RealtyShares has received:
- A modern security testing-as-a-service approach
- Access to an interactive reporting platform
- A diverse group of quality researchers
- A higher ROI compared to traditional services
“Security is something that is extremely important to us at RealtyShares, but it’s something that should be important to all Fintech companies out there. For companies interested in a comprehensive way of testing I highly recommend giving the crowdsourced pen tests a try.”
- Find a more comprehensive penetration testing service to make sure its online platform is not exposed to exploitable vulnerabilities
- Semi-annual Cobalt penetration tests
- Security reviews and recommendations for planned new features
- Deep and focused 2-week testing period for each penetration test
- Access to quality domain experts matched to RealtyShares’ application stack
- A modern SaaS platform to easily communicate with researchers and track individual findings