If you want to know whether your code is truly secure, it needs to be penetration (pen) tested. White hat pentesters can identify application vulnerabilities before bad actors exploit them, leaving you to remediate bugs proactively. Traditionally, developers and pentesters have both suffered from a lack of direct communication because, among other things, pentesting is too slow for the fast-moving world of DevOps. Cybersecurity startup Cobalt bridges the gap with a “pentesting as a service” (PtaaS) platform and talent community that connects developers directly with pentesters. And, the platform integrates seamlessly with Jira, GitHub and Slack so developers can get the information from familiar tools.
“Penetration testing is used as a gate by Waterfall teams. With DevOps, gating doesn’t work because it would disrupt the delivery cycle when delivery cycles are accelerating,” said Caroline Wong, chief strategy officer at Cobalt. “You need to integrate pentesting into the DevOps workflow.”
Although today’s organizations are automating as much security testing as possible, there are entire classes of security vulnerabilities that go undetected when using automated methods alone, such as business logic bypasses, race conditions and change exploits. With Cobalt, pentesting becomes part of the DevOps pipeline. Better still, highly skilled pentesters are available on demand.
Cobalt Helps Secure Code
Traditionally, when a pentest is completed, the testers provide a PDF report. The security team forwards the PDF to the engineering teams, usually without providing guidance or prioritizing the findings.
“If developers are just getting a piece of paper with a bunch of problems and told to go fix them, you can’t blame them for ignoring the email altogether,” said Wong. “Security teams haven’t attempted to learn about the engineering workflows, let alone integrate security requests with those workflows. So, there’s no obvious channel for developers to ask security or pentesters how to resolve issues or even to clarify what the issues are.”
Also, in a traditional workflow, pentests tend to be a one-off engagement with little-to-no collaboration between developers and testers. In today’s increasingly digital world, DevOps and DevSecOps teams can’t afford to sacrifice security for application delivery speed.
“DevOps and DevSecOps both rely on collaboration and communication. Developers should be able to collaborate with security and pentesters as easily as they communicate with IT ops,” said Wong. “When that happens, pentesters can better understand the context, such as the application’s use cases. Conversely, developers can ask questions about the found vulnerabilities.”
With Cobalt, developers can engage pentesters directly, on demand. That way, developers can ensure the timely retesting of their code and deliver it into production with a higher level of confidence because they know that the vulnerabilities have been remediated. Similarly, developers can use Cobalt to get guidance from the security team about how the vulnerabilities should be prioritized.
A Dynamic PtaaS Approach
Jira, GitHub and Slack are staples for Agile and DevOps teams. Cobalt integrates with all three so developers can get the information they need without launching yet another environment or application. Cobalt now also includes data analytics, which provide additional insights about what’s causing vulnerabilities and whether they were successfully remediated.
“If you’re still relying on PDFs, there’s no way to bring the metadata together to gain insights and learnings,” said Wong. “With Cobalt, you can compare your approach and results with what others have done or see how one pentest compares to the other tests in your pentest program.”
The Cobalt platform includes a SaaS-enabled global marketplace that connects pentest talent with DevOps and DevSecOps teams on demand. That way, more vulnerabilities can be identified, prioritized and remediated faster.
“Pentesters and developers don’t always have the full picture, so what might look like a high-severity risk to a pentester may be a lower priority to the business because they lack context,” said Wong. “By communicating with security and engineering teams, pentesters are able to assign a more appropriate risk rating and level of criticality.”
DevOps and DevSecOps teams can leverage Cobalt and its marketplace using a single account simply by sharing credits. Yet each team can get access to pentesters as needed without waiting for an intermediary.
Learn more at Cobalt.io.