How OWASP Top 10 Dashboards Improve Pentesting
OWASP Top 10 remains one of the most widely used and most valuable standards for pentests, giving organizations quick insight into high-risk vulnerabilities. Today, more and more organizations are turning away from pentesters and compliance firms and moving to automated vulnerability scanners, citing convenience, reduced cost, and findings delivered in the cloud in easily manageable dashboards.
Of course, manual OWASP Top 10 testing isn’t going anywhere anytime soon. With relatively in-depth results, a manual OWASP Top 10 test delivers value for organizations, even those who don’t need it for ISO and ISAE compliance or for an ASVS level, and it’s difficult to replace human insight and teamwork with any amount of automation. But the shift away from reliance on pentesters and towards reliance on vulnerability scanners highlights a gap between customer expectations and pentests in the form of customer experience, communication, and deliverables.
This is especially true in light of shifts towards agile development cycles, where developers take on more ownership and control of the product.
What’s Wrong with the Current Process?
Most organizations have to perform an OWASP10 test anywhere from 1-2 times per year. Normally, when the need arises, such as when seeking a compliance certificate, the organization will search for a pentester, move through the interview and hiring process, and choose a firm. The client delivers everything you need for the engagement, after which you go through testing. Once finished, you manually compile a PDF report, which can be 30 or more pages long, and deliver it to the customer by email.
This process is problematic for several reasons:
- Email and phone communication are slow and difficult to link to specific problems or features
- PDF reports are lengthy, unwieldy, and difficult to break into actionable items
- Customers have to connect results to specific elements of the OWASP10 and to assets themselves
Delivering a Better Experience with an OWASP 10 Dashboard
Today, nearly everyone uses some form of process digitization. You use tools like Jira, Slack, and Github to digitize existing processes, speeding up work and improving your own experience. Delivering OWASP Top 10 in a dashboard, rather than a PDF report, adds that same value to the pentest, creating a better customer experience and streamlining the process. It also works to solve direct problems created by “traditional” reporting. For example, by delivering data on findings and vulnerabilities directly to developers, they can work solutions directly into the next sprint. And, by creating actionable tickets, rather than lengthy reports, that work begins quickly and seamlessly.
Cyver.io is a pentest-as-a-service platform, offering a pentest dashboard complete with pentest norms for OWASP10, PCI, HIPAA, ISO 27001, ISAE 3402, SOC 2 and other popular compliance frameworks. The platform directly integrates your tooling to automate data import, delivering automated reporting in a dashboard. This allows you to deliver OWASP Top 10 reports as actionable findings, complete with risk analysis and remediation recommendations, with real-time collaboration with client developers.
Cloud-Based Communication – Cloud communication delivers real-time updates, pushed directly to stakeholders and developers, with encrypted communication, file-sharing, and finding categorization. With real-time communication, real collaboration becomes easier, allowing developers to make changes, request rechecks, and update finding status.
The OWASP 10 Dashboard – PDF and email communication have their place, but they are – at best – unwieldy tools for communicating around a test. While PDF reports offer some value for delivering a complete overview of all systems tested, they’re largely outdated. Cloud dashboards present the same data in easily digestible overviews, categories, and cards, so clients can view their environment as a whole, based on impact, threat risk, or asset, or categorized based on check, to see what’s found or missing per check.
- Overviews with threat analysis and dashboard
- Segmentation to view threats and risks by category
- Findings can be divided into the 10 categories to give an in-depth overview
The result is that all findings are directly linked to assets and directly tied to the type of vulnerability they represent. Customers can use the OWASP10 dashboard to view risk and problem areas, to highlight environment-wide weaknesses, and to get a simpler overview of the organization’s vulnerabilities. That adds immense value over a report.
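To make the per-check and per-asset views concrete, here is an added example (not Cyver.io’s code) of how a findings list can be aggregated the way the dashboard above describes: every OWASP Top 10 (2021) category is listed as a check, findings are grouped by category and by asset, and remediated findings drop out of the open view. The finding records and asset names are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# OWASP Top 10 (2021) categories, used as the dashboard's fixed list of checks.
OWASP_TOP10_2021 = {
    "A01": "Broken Access Control",
    "A02": "Cryptographic Failures",
    "A03": "Injection",
    "A04": "Insecure Design",
    "A05": "Security Misconfiguration",
    "A06": "Vulnerable and Outdated Components",
    "A07": "Identification and Authentication Failures",
    "A08": "Software and Data Integrity Failures",
    "A09": "Security Logging and Monitoring Failures",
    "A10": "Server-Side Request Forgery",
}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Finding:
    asset: str       # hostname or application the finding is tied to
    category: str    # OWASP category id, e.g. "A03"
    severity: str
    status: str = "open"   # open | retest_requested | remediated

def findings_by_category(findings):
    """Per-check view: every category is present; an empty list means nothing found."""
    view = {cat: [] for cat in OWASP_TOP10_2021}
    for f in findings:
        if f.category not in view:
            raise ValueError(f"unknown OWASP category {f.category!r}")
        if f.status != "remediated":     # remediated findings leave the open view
            view[f.category].append(f)
    return view

def categories_without_findings(findings):
    """Checks with no open finding, i.e. what is 'missing' per check."""
    return [cat for cat, open_ in findings_by_category(findings).items() if not open_]

def asset_risk(findings):
    """Per-asset view: summed severity of open findings, highest risk first."""
    score = defaultdict(int)
    for f in findings:
        if f.status != "remediated":
            score[f.asset] += SEVERITY_SCORE[f.severity]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

SAMPLE_FINDINGS = [   # constructed sample data, not results of any real test
    Finding("api.example.test", "A03", "high"),
    Finding("api.example.test", "A01", "critical"),
    Finding("www.example.test", "A05", "low", status="remediated"),
    Finding("www.example.test", "A02", "medium", status="retest_requested"),
]
```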
Ongoing Testing – While pentesting is not cheap, and it shouldn’t be, organizations can save considerably on the cost of finding and interviewing pentesters by simply establishing long-term relationships with one organization. Cyver.io offers pentest-as-a-service, where you schedule the next pentest as part of the current one, creating a continuous process. Each OWASP10 report is delivered when it’s next needed for compliance, with the added benefit of data and threat dashboards from the previous pentest remaining in place.
Modernizing the OWASP Top 10 process with dashboards, automation, and cloud-based communication will deliver a better customer experience and more value to the customer. That’s important as customers increasingly move to vulnerability scanners, but also important for your organization in terms of increased customer lifetime value, improved customer relationships, and easier collaborations.
Cyver.io is a new pentest-as-a-service platform, delivering cloud tooling, automation, and dashboards for OWASP Top 10 and other popular frameworks. Contact us now to book a demo and see how it works.