NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
NEW FEATURE
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

Global IT & Data Security Provider ensures world-class product security with Cobalt's on-demand pentesting

As a security provider to MSPs, their security team needed a pentest partner that could support its goal of delivering world-class security to its customers.

This case focuses on a Global IT & Data Security Provider and their needs as a cybersecurity, business continuity, and disaster recovery provider for IT Managed Service Providers (MSPs). The company’s integrated, world-class products and services provide MSPs with a comprehensive toolkit to manage their business, drive efficiency and growth, and expertly protect their customers. As a provider of secure cloud, SaaS, and file protection services, they  place security at the heart of its business.

Initially, the main driver for pentesting program was SOC 2 compliance. The company previously worked with a handful of third-party vendors who delivered pentesting services, but their approach to to vulnerability reporting did not integrate with their Agile development workflows. As a customer since 2018, they have taken advantage of additional pentest use cases with Cobalt, including use of Agile Pentesting, more targeted engagements that focus on a specific area of an asset, while continuing to comprehensively pentest for compliance.

 

Challenges

Slow, static vulnerability reporting

‘Email-and-PDF’ vulnerability reporting is too slow and cumbersome for their Agile development.

Limited pentester communication leads to slow remediation

Lack of communication between engineers and pentesters with past pentest providers slowed down their the remediation process

Diminishing returns on pentest findings

Their team found that having assets tested repeatedly by the same testers leads to diminishing returns

Results

Integration of pentest findings into Slack and Jira workflows

With Cobalt’s integrations, confirmed vulnerabilities go directly to their Slack and Jira workflows.

Fast, free retesting

Having vulnerabilities retested takes minutes, not weeks with Cobalt

Diverse range of pentesters to avoid diminishing returns

Their team can switch existing testers or request new ones for every pentest, allowing the team to conduct periodic testing as part of a comprehensive pentest program.

Their initial driver for its pentesting program was SOC 2 compliance. The company previously worked with a handful of third-party vendors who delivered pentesting services. However, their approach to vulnerability reporting was challenging to integrate with their Agile development workflows.

Lacking a channel for real-time communication with pentesters, their team ran into several problems. Most notably, the company’s engineers weren’t receiving vulnerability reports in a usable format. Not only were they unable to seek clarification where needed, there were also issues with feeding reports into established engineering sprints. Combined, these issues made it difficult to obtain full value from each pentest.

Over time, their team wanted to expand its program to support a more rigorous testing approach in line with its commitment to industry-leading cybersecurity. At this point, it became clear the traditional method wasn’t providing the high-quality, full-coverage testing they needed. Instead of having the same 2-3 pentesters working on the same assets year after year, they needed a more diverse pentesting approach.

"With Cobalt, we can see every specific spot that the testers looked at and the different types of attacks they've tested. That makes us comfortable knowing that even if nothing was found, we know we got good coverage of the application and this approach feels very thorough. If you compare it to the alternative, where you get a PDF report that says there were no findings, but you don’t know how much of the application was covered, there’s no comparison. With Cobalt pentesters, we know exactly what they’ve looked at and which attacks they have tested."

JEREMY GALINDO

Cobalt’s platform made it easy for their team to expand its testing program and focus on delivering world-class security. In addition to essential real-time communication, Cobalt’s community approach to pentesting -- in which vetted, seasoned testers are matched to client engagements based on expertise -- gave their team access to a broad range of testing skills. Executing a comprehensive pentest program on an annual cycle allowed their team to flexibly switch pentesters between engagements, or request new testers and ensure full coverage for critical and frequently updated assets. When it came time to deliver pentest findings to engineering, the Cobalt platform came through again.

It was clear from the outset that Cobalt’s PtaaS platform was far better suited to their security team's needs than the traditional approach. The Cobalt platform simplifies the process of involving their developers early in vulnerability management. This ‘shift left’ helps the company to action pentest findings more quickly and enables developers to play a more proactive security role than they could in the past. 

Almost immediately, the company took the opportunity to expand its pentesting program from fulfilling SOC2 compliance requirements to a larger scope. One notable evolution of their program was marked by the introduction of Cobalt’s Agile Pentesting, which allows for a more targeted engagement which focuses on a specific area of an asset, or a specific vulnerability across an asset. Their security primarily leverages Agile Pentesting in running Delta feature tests. 

"Our pentesting program is evolving by using Agile Pentesting, as we’re able to schedule more pentests and allow ourselves to only look at the delta between the last pentest that was run and the newer pentest that would then occur. This gives us a better idea of what has already been tested and only focuses on the newer portions instead of always going to the same parts of the product that may not have changed over the course of a year, six months, or three months."

JEREMY GALINDO

Ultimately, the quality of a pentest comes down to its results. With Cobalt, their team not only receives a more reliable stream of confirmed vulnerabilities, they also have a more detailed understanding of the coverage they receive from each pentest. After seeing first-hand the value Cobalt’s platform adds to their company's security mission, the team has outsourced their compliance testing and Agile Delta feature testing to Cobalt so that their internal team can focus on other aspects of offensive security.

"We needed to understand the overall security posture of the company and drive changes in the business based on our findings. Working with Cobalt allowed us to drive more investment in the product team and just overall start building things more securely."