The Challenge
After the healthtech provider acquired three smaller companies, the security team's time and resources were stretched thin. The acquisitions brought new applications and infrastructure, each needing additional security controls and pentesting to safeguard the growing volume of sensitive data those applications stored. As their needs and attack surface grew, the security team realized they needed more flexibility and a quicker turnaround on pentests. Their existing vendor could no longer meet these requirements, so the team began looking for a provider that matched their need for efficiency and speed.
The Solution
Their search for a pentesting provider led them to Cobalt. They needed the ability to kick off pentests with minimal lead time, an open line of communication with pentesters, unlimited retesting, and integration with their productivity tools such as Jira and Slack. With their previous provider, the security team had struggled with a lack of structure: email-based communication left gaps in information and delayed engagements. Cobalt addressed this by consolidating engagement information in one place and providing real-time communication with pentesters. Retesting wasn't always available from their previous providers, and when it was, it came at additional cost. According to the Director of Cloud Security, "With Cobalt, we validate our fixes with retesting on our schedule and aligned with our development processes." This allowed them to streamline their pentesting program and give ongoing support and expertise to their development team.
The Results
After partnering with Cobalt, the security team regularly tested six of their web applications along with their mobile versions. These pentests produced more high-quality findings, such as misconfigurations, cross-site scripting, and SQL injection, rather than the permissions issues and low-severity findings they had received in the past. That let the team focus on the most critical issues, which they would not otherwise have had the capacity to test for themselves.
The Director of Cloud Security said, “It’s easy to saturate pentest reports with tons of findings, so one thing I appreciate about Cobalt is quality. Our other security tools could overlap pentest findings, but Cobalt’s expert pentesters discover the most critical, exploitable issues.” The detailed analysis from Cobalt also enables architectural discussions between security and development, opening the door for future-proofing and building resilience into their software.
Regular pentesting and remediation of critical issues across six applications required an open line of communication between the security team and Cobalt's pentesters, along with the flexibility to change timelines when needed. Starting a retest with their previous provider took anywhere from 3 to 4 weeks, compared with 1 to 2 business days with Cobalt. Shortening the retest cycle also reduced their mean time to resolve (MTTR), since a fix could be verified as soon as it shipped, allowing the team to remediate vulnerabilities in their applications quickly and keep their customers' data safe.
In addition to regularly scheduled pentests, they were keen to adopt Cobalt's Dynamic Application Security Testing (DAST). For a small team with a limited budget, adding continuous vulnerability scanning with DAST to their security testing cadence gives them ongoing visibility into application vulnerabilities between scheduled pentests, so fewer issues go unnoticed until the next manual engagement.