A: Scoping a test is a structured process where you can submit information about the target, including platform specifications, objectives, and instructions. Based on this information, Cobalt will create a purpose-built team of pentesters with the right skills to test your application.
A: Yes, due to our diverse talent pool we can cover all mobile platforms. In particular, we perform a lot of testing on iOS and Android apps.
A: Yes, we know that many modern SaaS businesses rely heavily on web APIs and therefore we have specialized in delivering great API pentests. Together with being able to test web apps, mobile apps and external networks, we are a great fit for modern online businesses.
A: Yes, we can cover external network testing. We typically do this for PCI testing or similar use cases.
A: Our pentesters find vulnerabilities of all types, but they most commonly report vulnerabilities in your business logic and vulnerabilities that fall into the OWASP Top 10 categories. In 2017, the average number of vulnerabilities found during a 2 week pentest was 14.
A: Yes, you will be able to communicate directly with the pentest team to make sure they have the right knowledge to perform a high quality test.
A: Yes, the majority of the pentests we do are on authenticated parts of a service and we offer a secure way of sharing the user credentials through the platform.
A: In general, testing in production is recommended as it typically has the best data quality. Testing does not normally have any negative impact on the systems. But the best way to avoid testing in a production environment is to set up a staging environment with sample data for security testing.
A: When pentesters investigate a site, they may use automated tools to quickly check for different vectors and ensure that you are being covered across many areas. The amount of traffic and requests from testing will be similar to the traffic and requests you typically see from ordinary site visits by a few users. It may peak at 100Mbps (0.1Gbps) when running brief, intensive scans. However, the overwhelming majority of testing relies on manual techniques that typically use an order of magnitude less.
A: In general, the testing will not cause any harm to your systems. But if you still want to establish testing times for pentesters, you should include a timeframe in your program description that specifies when pentesters can use your production environment for penetration testing.
A: The big cloud providers (AWS, Azure, GCP) do not require prior notification of normal penetration testing. But if you are using a smaller provider, you should check with them, and Cobalt can help provide information.