Penetration Testing as a Service

Today, cybersecurity risks are becoming prominent, growing year by year, affecting large numbers of organizations. Many of them have not maintained basic security principles in favor of their systems. Sometimes only using point in time testing, which is not proving effective enough. However, it is also worth noting that in recent years many companies have committed to increasing their budgets in cybersecurity.

We can think about the security of the systems of the organizations that are really committed to their own information and that of their users (and following Reynolds in his approaches). According to that, we can highlight an ideal state in cybersecurity that includes an improved, very detailed report of the findings in the tests (threats or vulnerabilities), and accelerated remediation of them.

While the above can significantly improve the relationship between vendor and client. It is still common to see companies that maintain a process that Reynolds calls "traditional" in their pentesting work. That is, point in time pentesting. Here, the client delivers, for example, a URL address, and then the vendor simply tells him that in about three weeks, he will provide the results.

The results that are usually delivered in this traditional pentesting process are accompanied by remediation instructions in a PDF report. This ends up being something like (Reynolds says): "use your data, good luck, see you next year."

It is then suggested that an excellent pentesting partner accompanies his client throughout the entire process. And thus facilitates his or her understanding of the findings and their remediation.

But then, what elements should that platform have?

As mentioned above, such a platform should allow the pentesting user to communicate immediately with the team of cybersecurity experts involved. At the same time, the platform must show the reports of the findings or vulnerabilities in real-time. It must suggest their prioritization, and clear enough instructions to achieve their remediation. All of this is intended to keep clients continuously active in the process. Preferably, with the necessary information at hand and sufficient control.

More specifically, on a vulnerabilities management platform, the user must have access to different project details, such as activities and comments, and above all, to the findings. These should be displayed in order of severity and dates of discovery and closure (if such was the case). Also with description, business impact information, and remediation instructions (step-by-step). A particular vulnerability should be accompanied in its presentation by the affected source, affected address, attack parameter, and, of course, its state of remediation.

The platform should offer illustrative and straightforward graphics on the evolution of the project. Having multiple possibilities of filtering by different variables (e.g., dates and status). The users must be able to distinguish which structures of their systems have been evaluated (e.g., web apps, external networks, clouds), and who has been in charge. Besides, the users should be allowed to make new requests for evaluation and to obtain sufficient information for the understanding of the penetration tests.

It is also recommended that a platform contains a section for verifying the findings. In which the customer is allowed to observe a step-by-step reproduction of the results. The aim is to understand, with texts, videos, or other material, what had to be done and introduced within a particular structure to obtain specific answers translated into vulnerabilities.

At this point, it should be noted that within Fluid Attacks we have a platform similar to that described. Our platform facilitates the management of vulnerabilities. These vulnerabilities are stored in our platform. Access to their evidence is provided there at different stages of the process and in real-time. With our platform, our client can classify and prioritize vulnerabilities, define their treatment and maintain a constant check of their status and remediation progress.