Cobalt's PtaaS Exchange: Insights You Don't Want to Miss

The Cobalt PtaaS Exchange Roadshow kicks off on September 8th in San Francisco. It’s never too late to sign up for a free event where you can talk shop with local security and development peers, chat with industry leaders, and get a (free) bite to eat!

We have a stellar lineup of speakers for every location. They’ll share insights on how to align security closer to the business, ways to train engineers more effectively on cybersecurity, how attackers view your networks and applications, and more.

As hybrid work keeps adding more complexity and market competition gets more fierce, coming together to talk strategy has never felt more important. We want to give companies the tools they need to face 2023 with confidence.

So here’s a sneak peek at some of the insights we’ll be sharing at the event from our pentesting data, conversations with customers, and industry research

Biggest challenges for cybersecurity in 2023

Remote work, insider threats, security being deprioritized at the leadership table, and a very high demand for talent with a very low supply… in truth, none of these challenges are new, but they feel more pronounced as pressure keeps piling on security teams to be simultaneously enablers and defenders. 

There are many things teams of different sizes and with different budgets can do to face 2023. Take, for example, catching vulnerabilities earlier in their applications. We asked our subject matter experts which flaws they thought companies were most likely to underestimate, and they all said “the basic ones.” 

“Unfortunately, it is the low-hanging fruit. Without leveraging the OWASP Top 10, or SANS Top 20, malicious attackers would not be as successful as they are. Patching and looking for that low-hanging fruit is critical. Instead, organizations are looking for the panacea so they spend on the next new tool that won’t solve the problem.”

- Jay Paz, Senior Director of Delivery at Cobalt

Our own pentesting data backs this up. In 1400 pentests we did in H1 this year, the majority of findings that kept slipping past teams’ defenses were well-known vulnerabilities: 

1. Cross-Site Scripting (XSS): Stored
2. Broken Access Control: Insecure Direct Object References (IDOR)
3. Components with Known Vulnerabilities: Using Outdated Software 
4. Security Misconfiguration: Lack of Security Headers
5. Security Misconfiguration: Insecure TLS/SSL protocols

While these findings look like low-risk issues, they can be chained into more dangerous exploits if left unaddressed. 

The vast majority of organizations still rely on the risk ratings provided to them by their automated vulnerability scanners. Unfortunately that does not factor in things such as chaining multiple attacks together, leaving vulnerabilities that should have been prioritized for remediation, unresolved for long periods of time after being discovered.

- Kevin Gilstrap, Senior Manager Professional Services at Cobalt

Continuous pentesting can help identify this low-hanging fruit and address it permanently. Pentest reports are in fact a great source of learning for developers, with plenty of information on how the flaw manifests in their application, what its impact can be, and how to prevent it. And there are more flexible options available to teams: Cobalt Agile Pentesting can zero in on a specific vulnerability teams know they’re susceptible to.

Focus on Talent

What happens when you have the findings, but don’t have the bandwidth to fix them? This is a prevalent problem in the aftershocks of the Great Resignation, coupled with tech layoffs and other seismic shifts across different industries. We researched the topic in this year’s State of Pentesting report, and found that this is a real challenge for many teams: 

1. 94% of security teams had dealt with labor shortages in the last 12 months, and less than half were able to resolve the problem. 
   
   
2. As a result, a vast majority of teams reported they struggled to maintain high security standards, mostly hurting in the area of compliance, secure development and risk governance.
    
3. Collaboration with engineers also suffers, with nearly 90% citing this as a challenge.

The industry is still largely focused on years of experience as a key hiring requirement and as long as this issue persists organizations will continue to have difficulties recruiting talents. As a result, organizations are turning to Managed Security Service Providers(MSSP) as a way to bridge the talent gap and protect themselves and their customers. Smaller companies can't afford MSSP. The focus in my opinion should be developing cyber security talent through apprenticeship, internship and entry level security positions.

- Andrew Obadiaru, CISO at Cobalt 

Aside from looking for “top” talent, organizations are not allocating enough budget for their security teams. Fighting for more dollars is a tricky situation for many security leaders, so Cobalt managers shared a few tips that have helped them in their careers: 

1. 1. Jay Paz, Senior Director of Delivery at Cobalt: Understand the business first and what levers are available to find additional dollars. Without true knowledge of the business, the financials, margins, and expected growth, a security professional goes in with no knowledge of what is possible and where they can slot in. 
      
      
   2. Caroline Wong, Chief Strategy Officer at Cobalt: Develop a super strong understanding of your organization’s business goals and understand value creation. Remember that security is about protecting value created by a business.
      
      
   3. Kevin Gilstrap, Senior Manager Professional Services at Cobalt: When customers have a really good understanding of their infrastructure and where vulnerabilities live, they can work with their third-party vendors that conduct their penetration testing to make sure those areas are thoroughly covered. This allows their vendor to spend the necessary time in that environment demonstrating the risk to the organization and further backing up their recommendations for an increased budget.

More From Our Speakers

In case you miss our events, but still want to hear from our lineup, check out this collection of content we’ve produced with them in the past:

• Cloud-Native & Pentesting - Caroline Wong, Cobalt - Techstrong TV
• 15 Inspirational And Influential Female Tech Leaders Who Set An Example For All Professionals (Caroline Wong)
• Caroline’s Forbes Tech Council
• How Security Resignations Affect Developers’ Workloads by Jay Paz 
• The Evolution of Threat Detection: From Pentesting to PtaaS - Security Boulevard by Jay Paz
• Jay’s Full Hackernoon Series on Quality in Pentesting
• Episode 71: Deep Dive Into the BISO Role with Nicole Dove
• Episode 50 Larkin Ryder: Slack’s Inimitable Defender
• Episode 56 Jack Roehrig: The Educational Journey of Turnitin's CISO
• Emerging Voices: Vanessa Sauter
• Episode 42 Ray Espinoza: The Blue Team Commander