Weebly is a global platform that gives people an easy and affordable way to create a website that is as unique as they are. Over 20 million people around the world have started a site on Weebly, and Weebly sites receive over 200 million unique visitors each month.
With multiple features, the popular Weebly service needs to keep its website, API and mobile apps secure for all its users.
Weebly was looking for ways to enhance the security review of their applications in a cost-effective, efficient and scalable way. Chris Fanini, CTO and founder of Weebly, had heard about Cobalt as an alternative to more traditional services.
"We were looking for an agile and effective security testing service that fit our development lifecycle and multi-app landscape. Cobalt’s innovative approach seemed to match our needs."
After a short evaluation, Weebly decided to move forward with Cobalt’s modern penetration testing services.
An Agile Penetration Testing Setup
Cobalt supported Weebly in setting up an application security testing program, with periodic penetration testing from the best researchers in Cobalt’s core community. Each individual test included:
- 2 weeks of focused testing performed by a CISSP-certified curator and 2-3 technically skilled researchers sourced from Cobalt’s global talent pool
- Coverage of OWASP best practices as well as specific application logic
- Gamified setup to incentivize researchers to go both deep and broad
The program was set up so that for each application, Weebly selected a yearly number of tests based on how often the given application changes. For example, for the main web application, more frequent testing was selected as compared to the API. Chris explains:
"It was important that we could customize the program according to our specific testing needs. Cobalt was very helpful in this process and guided us to a great structure."
With Cobalt’s agile approach, individual tests do not need to be planned far ahead. Weebly can request a test of a specific application any time they want, and Cobalt will always have skilled security researchers ready to support the testing.
Dipping into the Global Talent Pool
One of the greatest strengths of the Cobalt platform is the global talent pool. Thousands of researchers have applied to become part of Cobalt’s Core community, and only the top 5% are accepted. Sourcing globally attracts a large group of highly vetted and skilled researchers.
Having access to this large pool of talent enables Weebly to get access to security experts in web, iOS, Android and APIs. Furthermore, Weebly can rotate researchers for each test to get a fresh perspective on their applications. Chris clarifies:
"With Cobalt, we can gather the best researchers on a specific application and also ensure that we cover our security testing from as many angles as possible."
Before launching the program with Cobalt, Weebly had worked with a consultancy that checked their security through traditional pentests. Those pentests produced very limited findings, and the findings were managed in an unstructured way via encrypted e-mails and PDF reports.
When Weebly launched their program with Cobalt, Chris and Weebly were immediately impressed by the testing and the overall quality of the findings from the Cobalt Core security researchers. The return on investment was evident, with approximately 5 times as many findings as the traditional pentests. Furthermore, everything was managed through Cobalt Central, making it easy to work with the findings and communicate with the researchers in a structured way. Chris clarifies:
"It’s hard to beat the value, coverage and findings delivered by Cobalt. We’re very satisfied."
Making security a part of the development lifecycle
Security is a multi-step process that needs to be managed with expert care. Identifying existing vulnerabilities is only the first step of a great application security program. The next step is to fix the findings. After that, the last step is to ensure that the same mistakes do not happen again.
To support businesses in this process, Cobalt vulnerability reports always contain a suggested fix. The curator leading the testing supports Weebly with re-testing of patched vulnerabilities and is readily available to answer any questions about specific findings.
Chris and Weebly have been delighted by this curated approach:
"We have been very happy with the Cobalt model. It is difficult to find and hire skilled security engineers, but with Cobalt we have access to an extended security team to assist us with both testing and advice. The expert support has been incredibly valuable."
Using Cobalt’s security testing solution, Chris and his team have been able to:
- Get access to a global talent pool of the best security researchers
- Get a testing setup which fits with their development lifecycle
- Easily manage individual findings through Cobalt Central
- Collaborate directly with security researchers to quickly fix any bugs
"Building a strong application security program is extremely important for our business. Cobalt has helped us assemble the right program to fit our needs."
- Keep the security of their applications at the highest level possible
- Make security a structured part of the SDLC
- Deploy Cobalt’s Agile Penetration Testing Solution
- Clear structure for testing and incoming vulnerability reports
- A global talent pool of security professionals specialized in web, mobile and APIs
- Testing that fits the SDLC