Technology unicorn Pendo needed thorough, actionable pentest findings to fit its fast-moving development sprints.
How Pendo Manages Cyber Risk with Cobalt’s Pentest as a Service Platform
Pendo is a product adoption solution that helps organizations understand which features users embrace and ignore, and provides tools for accelerating adoption of those features. The company’s goal is to give product teams the information they need to make faster and more informed decisions.
Pendo’s CISO, Chuck Kesler, is responsible for both the technical and business sides of security. As he explains, pentesting plays an essential and strategic role within the company:
“Customer trust is key to Pendo’s success, and we have invested heavily in building our security and privacy programs. One of my goals is to ensure we have taken every measure we can to produce secure code and then pentest to make sure that we haven't missed something.”
In addition to managing risk, Pendo has a series of regulatory and contractual obligations that require pentesting. The company also recognizes the disconnect between the speed of traditional pentests and the rate of release for new features. Kesler explains:
“Many organizations only do one pentest a year, which seems to be a holdover from the days when software release cycles were measured in months. But with Agile and DevOps processes driving organizations to do multiple releases per week, we’ve had to adapt our SDLC processes to keep up with this pace. We’ve ‘shifted left’ by including things like threat modeling and static and dynamic application vulnerability scanning tools as part of our SDLC and training our developers to write more secure code. But pentesting will always be a critical backstop for finding issues that other processes have missed, so doing them more frequently is ideal. For that to be possible, pentesting service providers need to make the process as frictionless as possible, and of course, they need to be budget-friendly.”
Where does the added security benefit of more frequent pentesting come from? For Pendo, one of the most important pentest outcomes is improving the Software Development Lifecycle (SDLC).
If a class of vulnerabilities appears regularly, the engineering team at Pendo uses that information to improve its SDLC. For example, if they consistently see cross-site scripting findings, they improve the existing controls so that the same issue is caught before it reaches future code. For this, the company needs a pentest provider that can deliver thorough, full-coverage pentests with detailed vulnerability reports. This is only possible if tests are conducted by talented pentesters with a broad range of skills and experience.
As a longtime infosec leader who has worked with several traditional pentest providers, Kesler was keen to try a different approach.
“What made my decision for me was the positive feedback I'd heard about Cobalt in my CISO network. I was also very impressed with the pricing model. I have a lot of experience with pentests from both sides because I ran pentest teams in the past, so I have scoped, priced, and sold them myself.”
Kesler and his team immediately noticed a huge difference in the communication between their internal security and engineering teams and Cobalt’s pentesters. In particular, the ability to communicate in real-time using Slack was a game-changer.
The team at Pendo used Slack to engage with testers during the pentest, answering questions as they arose and clarifying issues.
Compared to previous pentests, this PtaaS approach provided two clear benefits:
Time savings: With previous pentests, Pendo received results in PDF format only after the engagement was complete. If the team had questions about reported vulnerabilities, it could take weeks to receive a response, as the pentesters would already be working on another engagement. Being able to interact with the pentest team in real time during the engagement completely side-stepped this issue.
High-quality results: Real-time communication between Pendo and the pentest team made it easy for both sides to discuss the testing process. Cobalt’s pentesters could ask questions about the assets they were testing, and Pendo’s teams could request clarification about reported issues — for example, how to recreate them. This real-time communication enabled Pendo to gain maximum security value from the pentest engagement.
Kesler also notes the value added by Cobalt’s platform approach to delivering pentest results. The engineering team has found engaging with findings directly in the platform significantly more efficient than the more cumbersome ‘email-and-PDF’ style of pentest reports.
“Being able to interact with findings in the platform and discuss them through Slack makes for a much more efficient process. We’ve been able to get into it and engage with the findings there, which is a big improvement on the old process. When we can deal with each finding in real-time and start working on them right away, we have much better use of resources.”
While initially skeptical, Kesler quickly saw that Cobalt’s promise of high-quality findings was well-founded. “I looked at the numbers for Cobalt and thought, ‘If they're able to deliver what they're saying at this cost, it's close to twice the value I would expect from a traditional pentest.’ And it turned out that way. The Cobalt team did excellent work and delivered the value that they promised.” In particular, Kesler was impressed by the pentest team’s range and depth of skills: “Pendo is a complicated product. It takes time to wrap your mind around how it works. But the quality of the results we got from Cobalt was greater than what I had seen in comparable pentests. I felt like they were digging deep, and that’s not something I’ve always seen in the past. Where previously I might have expected two consultants to be assigned to a project, Cobalt brought five pentesters, each with different skills that complemented each other.”
Of course, the quality of findings is only half the battle. To add real value for Pendo, vulnerability findings needed to be actionable. On top of easy two-way communication via the Slack channel, the team at Pendo also benefited from the ease of retesting through the Cobalt platform. Once Pendo’s engineering team had resolved a vulnerability, they used the platform to request a retest straight away. The pentester who identified that vulnerability would then retest to confirm it had been resolved and update the finding’s status in the platform accordingly.
What’s Next for Pendo?
Having seen the value added by Cobalt’s PtaaS platform, Kesler sees Pendo continuing to increase the number of pentests that it does each year.
“I’ve built internal teams in the past to do continuous pentesting but staffing these highly specialized roles can be challenging. I think having a trusted pentest service provider that delivers high-quality results at a cost-effective price point can enable us to increase the frequency of our pentests in a more efficient manner.”
- Pendo is a complex, cloud-based solution that requires a high degree of skill to pentest thoroughly.
- Fitting pentest results into Pendo’s fast-moving development sprints had been a challenge with its previous pentest providers.
- Due to data sensitivity, it is imperative that Pendo identifies and fixes vulnerabilities quickly.
- Pendo saw better results from Cobalt than traditional pentests, and at a much lower cost.
- Cobalt’s Slack channel allows real-time interaction between engineers, security teams, and testers.
- Engaging with pentest findings in the Cobalt platform is more efficient than with PDF reports.
- Unlike traditional pentests, Cobalt makes requesting retests efficient and straightforward, which allows Pendo to drive continuous coverage as part of an ongoing pentest program.