Cobalt Crowdsourced Application PentestCobalt Crowdsourced Application PentestCobalt Crowdsourced Application Pentest

pentesting checklist and mobile phone

What is Pentesting?

What is Pentesting?

What is Manual Pentesting?

Manual penetration testing is an approach to security testing that layers human expertise on top of professional penetration testing software and tools, such as automated binary static and automated dynamic analysis. Pentesting software is great at discovering problems with standard vulnerability classes but is unable to detect certain design flaws.

A manual pentest performed by a skilled pentester is required to provide complete coverage including design, business logic and compound flaw risks that can only be detected through manual (human) testing.

Pentest as a Service vs
Traditional pentesting

1— Trusted Talent

When beginning a pentest engagement customers gain access to Cobalt’s large, diverse talent pool. Cobalt matches pentesters to each project based on a pentester skill set and experience with the technology stack of each application or network. So you don’t just get whichever generalists are available, but the pentesters who best match the specific project.

2— Effective Workflows

Cobalt’s collaborative platform allows you to more easily manage all your pentest findings compared to a traditional PDF pentest report. These findings can also be directly integrated into your development lifecycle workflow via bug tracking systems such as JIRA and GitHub.

3— Collaborative Platform

Customers are able to communicate in real-time with the pentester who discovered each vulnerability making the testing and re-testing much faster. You no longer have to wait up to two weeks after testing is completed to receive your pentest report, as you did with traditional pentesting.

4— On-Demand Scheduling

Due to how Cobalt schedules and tracks the availability of our pentesters, scheduling is much faster and typically happens within 48 hours instead of a matter of weeks.

pentesting as a service lifecycle

Pentest as a Service Life Cycle

The Pentesting as a Service model combines data, technology, and talent to resolve security challenges for modern web applications, mobile applications, and APIs. This new approach applies a SaaS security platform to pentesting in order to enhance workflow efficiencies.

Key roles in this new process include:

  • Customer: Security and engineering teams using Cobalt services
  • Cobalt SecOps Team: Schedules, manages, and facilitates the pentest process
  • Cobalt Core Lead: Facilitates conversation between Pentest Team and Customer
  • Cobalt Core Domain Experts: Leverage specialized skill sets which are matched to the Customer’s technology stack
  • Cobalt Customer Success Team: Works closely with the customer to kick-off the test and address feedback

All 6 phases of Pentesting as a Service, as visualized in the infographic above, happen in the cloud on the Cobalt platform and Slack channel.

Phase 1. Preparation

The first step in the Pentesting as a Service Process is to prepare all the parties involved in the engagement. On the Customer side, this involves determining and defining the scope of the test and creating accounts on the Cobalt platform. The Cobalt SecOps Team assigns a Cobalt Core Lead and Domain Experts with skills that match the Customer’s technology stack. A Slack channel is also created to simplify on-demand communication between the Customer and the Pentest Team.

For more information about the Preparation phase, check out 3 Tips for Preparing for a Pentest.

Phase 1: Preparation

Phase 2. Kick Off

The second step is kicking off the pentest. This will typically involve a 30-minute phone call with the Customer and Cobalt Teams. The main purpose of the call is to offer a personal introduction, align on the timeline, and finalize the testing scope.

For more information about this phase, check out 4 Tips to Successfully Kick Off a Pentest.

Phase 2. Kick Off

Phase 3. Testing

The third step is where the pentesting will take place. Steps 1 and 2 are necessary to establish a clear scope, identify the target environment, and set up credentials for the test. Now is the time for the experts to analyze the target for vulnerabilities and security flaws that might be exploited if not properly mitigated.

As the Pentest Team conducts testing, the Cobalt Core Lead ensures depth of coverage and communicates with the Customer as needed via the platform and Slack channel. This is also where the true creative power of the Cobalt Core Domain Experts comes into play.

For more information about this phase, check out 4 Tips for Keeping a Pentest Methodology Successful.

Phase 3. Testing

Phase 4. Reporting

The fourth step is the reporting phase, which is an interactive and on-going process. Individual findings are posted in the platform as they are discovered, and at the end of a test the Cobalt Core Lead reviews all the findings and produces a final summary report. Once the report is complete, it is sent to the customer.

The report is not static; it’s a living document that is updated as changes are made (see Re-Testing in Phase 5).

For more information about this phase, check out 4 Tips for Making the Most of a Pentest Report.

Phase 5. Re-Testing

It’s important to identify vulnerabilities in your applications, but most important is fixing the issues that are found in order to improve the security and quality of the code. Once the Customer is aware of the security issues identified during the pentest, addressing each issue happens over the course of the next few weeks and months. When the Customer marks a finding as “Ready for Re-test” on the platform, the Cobalt Core Lead verifies the fix and the final report is updated.

For more information about this phase, check out Best Practices for Verifying Vuln Fixes.

Phase 5. Re-Testing

Phase 6. Feedback

Once the testing is complete, the report has been sent to the Customer, and remediation is in the works, Cobalt’s Customer Success Team reaches out to the Customer for feedback. Customers initially provide feedback through a five-question survey which allows them to rate the overall process, findings, and full report.

During a scheduled feedback call, Customers dive deeper into their survey responses as needed and align with the Cobalt Customer Success Team on action items and expectations moving forward. This feedback helps the Cobalt team to continue to improve the process for upcoming tests and shape the platform product roadmap moving forward.

For more information about this phase, check out 3 Key Factors for Improving a Pentest.

Phase 6. Feedback

Concluding Remarks

Without applying a lifecycle approach to a Pentest Program, an organization is doomed to treating security as a point-in-time project rather than a continuous function. By its nature, a project has a start and end date. When the project is complete, everyone moves onto the next thing.

It’s important to treat a Pentest Program as an on-going process. Step 6, the Feedback Phase, should always lead into the preparation for the next pentest whether it’s happening the following week, month, quarter, or year.