Q: How does scoping of the pentests work at Cobalt?
A: Scoping a test is a structured process where you can submit information about the target, including platform specifications, objectives, and instructions. Based on this information, Cobalt will create a purpose-built team of researchers with the right skills to test your application.
Q: Does Cobalt do security testing for mobile apps?
A: Yes, due to our diverse talent pool we can cover all mobile platforms. In particular, we perform a lot of testing on iOS and Android apps.
Q: Does Cobalt do security testing for APIs?
A: Yes, we know that many modern SaaS businesses rely heavily on web APIs and therefore we have specialized in delivering great API pentests. Together with being able to test web apps, mobile apps and external networks, we are a great fit for modern online businesses.
Q: Does Cobalt do security testing for networks?
A: Yes, we can cover external network testing. We typically do this for PCI testing or similar use cases.
Q: What kinds of vulnerabilities do the security researchers usually find?
A: Our security researchers find vulnerabilities of all types, but they most commonly report vulnerabilities in your business logic and vulnerabilities that falls into the OWASP Top 10 categories. In 2017, the average number of vulnerabilities found during a 2 week pentest was 14.
Q: Can I get the researchers to test specific scenarios I am particularly worried about?
A: Yes, you will be able to communicate directly with the pentest team to make sure they have the right knowledge to perform a high quality test.
Q: Can I share my credentials (usernames + passwords) with the researchers for authenticated testing?
A: Yes, the majority of the pentests we do are on authenticated parts of a service and we offer a secure way of sharing the user credentials through the platform.
Q: I do not want tests to be run on my production environment. How can I avoid this?
A: In general, testing in production is recommended as it typically has the best data quality. Testing does not normally have any negative impact on the systems. But the best way to avoid testing in a production environment is to set up a staging environment with sample data for security testing.
Q: How many requests will hit my site during testing?
A: When security researchers investigate a site, they may use automatic tools to quickly check for different vectors to ensure that you are being covered across many areas. The amount of traffic and requests from testing will be similar to the traffic and requests you typically see from ordinary site visits by a few users. It may peak at 100Mbps (0.1Gbps) when running brief, intensive scans. However, the overwhelming amount of testing relies on manual techniques that typically use an order of magnitude less.
Q: I want to specify off-peak times for penetration testing so that my production environment does not go down when my users are most active. How can I do this?
A: In general, the testing will not cause any harm to your systems. But if you still want to establish testing times for security researchers, you should include a timeframe in your program description that specifies when security researchers can use your production environment for penetration testing.
Q: Do I need approval from my cloud provider (AWS and others)?
A: It is best practice to notify your cloud provider of any penetration test, but is not required by all. AWS and Heroku require approval prior to testing, but others like Google Cloud, Microsoft Azure, and Rackspace do not.
Cobalt includes the links to all authorization forms and required information within the questionnaire that is available on the platform with each pentest program.