Today, more than 90% of new software development companies use Agile. At the same time, more and more companies deliver software as their primary business function. From Amazon to Deutsche Bank, companies offering services more often rely on software to deliver those services.
For pentesters, that translates into a changing client demographics, as organizations change how they need security and why. More organizations are moving to Agile development, are aware of security risks, and are attempting to integrate security into development. This has led to a 30% uptick in DevOps and DevSecOps agile work methods. And, while compliance was the top driver for pentests in 2017, today, more organizations are also seeking out pentests for security-only purposes.
So, how do pentest firms shift to meet the changing needs of customers? And what process changes are required to meet those needs?
More Extensive Pentests, More Often
Companies looking for audit-related pentests normally want one pentest a year, done as quickly as possible. Organizations looking for security integrate pentesting into a schedule, for ongoing awareness. Here, pentesting might be completed on the full environment, on environments before they go live. In most cases, it includes a broader scope, with APIs, microservices, and IoT Devices, and web applications, rather than just the business-critical applications. While pentests of this nature are often combined with red team, scans, and bug bounty programs, the intent is to create a completely secure environment benefiting from every possible type of testing.
What this means for pentesters:
- Clients increasingly want 2-6 pentests a year
- Pentesters have to schedule upcoming pentests as part of workflow
- Maintaining findings libraries is beneficial for both parties for ongoing security
- A PDF pentest report isn’t enough; clients increasingly want advice as well
Responding to this expanding scope and demand can be immensely beneficial to pentesters, who often bottleneck on spending time on client acquisition. For example, integrating pentesting into development teams means pentesters see more frequent work and recurring pentests with the same client.
Clients Want to Fix Findings
The rise of pentesting for security means clients are increasingly likely to want to resolve findings. A vulnerability on a pentest report isn’t something that can be ignored if you can pass an audit anyway, it’s a risk to their business. This means that the traditional outcome of the pentest, the PDF report, is no longer a convenient medium.
Clients want and need ways to quickly parse reports, pull actionable tasks, and put developers to work. That means delivering vulnerability findings in ways that can quickly move to IT and Dev teams, delivering information more quickly, and following up with retests to ensure fixes worked.
Essentially, this means shifting pentest services to:
- Deliver findings as tickets, not just as reports
- Allow devs to communicate with hackers, so they can request the information they need to fix problems
- Add retesting as a service
Digitization is the Norm for Agile Development
Most agile developers are accustomed to working in tools like Jira and Slack. Real-time chat, secure information exchange, and work planning are the norm for most Agile developers. Switching to the workflows offered by most pentesters, with email project planning, Excel project management, and PDF delivery is difficult and inefficient. Catering to Agile development means implementing workflows that fit into digital processes.
Today, Pentest-as-a-Service or PTaaS is one of the only realistically easy ways to solve these problems. Pentest-as-a-Service platforms like Cyver enable pentest firms to deliver a pentesting portal, where clients can onboard teams to access findings and vulnerability information, findings as tickets, and complete threat and vulnerability overviews. These solutions mean developers can integrate Pentesting into Agile IT frameworks by making communication, testing, and scheduling visible, predictable, and schedulable.
Eventually, this benefits both sides. Pentesters benefit from Pentest-as-a-Service by automating manual work like parsing reports and project planning. Clients receive faster, more actionable data, with digital oversights, dashboards, and direct communication with pentesters so they can more quickly understand and resolve vulnerabilities.
Agile teams need the systematic approach to cybersecurity delivered by pentesting. At the same time, pentesting doesn’t yet fit into Agile work methods and planning. Pentest-as-a-Service allows you to meet the needs of digitized processes, while delivering directly actionable information to the client.
If you want to learn more, visit Cyver: Features