Penetration Testing as a Service
Today, cybersecurity risks are becoming more prominent, growing year by year
and affecting large numbers of organizations. Many of them have not
maintained basic security principles for their systems, sometimes relying
only on point-in-time testing, which is not proving effective enough.
However, it is also worth noting that in recent years many companies have
committed to increasing their cybersecurity budgets.
We can think about the security of the systems of organizations that are
really committed to their own information and that of their users
(following Reynolds in his approach). According to that, we can highlight
an ideal state in cybersecurity that includes an improved, very detailed
report of the findings of the tests (threats or vulnerabilities), and
accelerated remediation of them.
Not only that, but also a personalized experience for clients: they could
easily and quickly interact or communicate with the penetration testers,
and understand without difficulty the available, updated, and
continuously accessible reports, so that, based on them, they could act
diligently and promptly achieve the requested remediation of issues.
While the above can significantly improve the relationship between vendor
and client, it is still common to see companies that maintain a process
that Reynolds calls "traditional" in their pentesting work. That is,
point-in-time pentesting: the client delivers, for example, a URL address,
and then the vendor simply tells them that in about three weeks it will
provide the results.
As the author shares with us, it is a rather static and serialized
process with the following components: Presales – Kickoff –
Execution – Delivery – Remediation.
The results that are usually delivered in this traditional pentesting
process are accompanied by remediation instructions in a PDF report.
This ends up being something like (Reynolds says): “use your data, good
luck, see you next year.”
It is then suggested that an excellent pentesting partner accompanies its
client throughout the entire process, and thus facilitates the client's
understanding of the findings and their remediation.
This is where the need arises to use a platform, as a product for the
client, to assist the Penetration Testing as a Service (PTaaS).
Vulnerabilities management platform
Figure 1. Photo by Marcus Castro on Unsplash
But then, what elements should that platform have?
As mentioned above, such a platform should allow the pentesting user to
communicate immediately with the team of cybersecurity experts involved.
At the same time, the platform must show the reports of the findings or
vulnerabilities in real time. It must suggest their prioritization and
give instructions clear enough to achieve their remediation. All of this
is intended to keep clients continuously active in the process, preferably
with the necessary information at hand and sufficient control.
More specifically, on a vulnerabilities management platform, the user must
have access to different project details, such as activities and comments,
and above all, to the findings. These should be displayed in order of
severity and by dates of discovery and closure (where applicable), along
with a description, business impact information, and step-by-step
remediation instructions. A particular vulnerability should be presented
together with the affected source, affected address, attack parameter,
and, of course, its state of remediation.
The platform should offer illustrative and straightforward graphics on the
evolution of the project, with multiple options for filtering by different
variables (e.g., dates and status). The users must be able to distinguish
which structures of their systems have been evaluated (e.g., web apps,
external networks, clouds) and who has been in charge. Besides, the users
should be allowed to make new requests for evaluation and to obtain
sufficient information to understand the penetration tests.
It is also recommended that a platform contain a section for verifying the
findings, in which the customer is allowed to observe a step-by-step
reproduction of the results. The aim is to understand, through text,
videos, or other material, what had to be done and introduced within a
particular structure to obtain the specific responses that translate into
vulnerabilities.
At this point, it should be noted that within Fluid Attacks we have a
platform similar to that described, an Attack Resistance Management
platform (ARM). ARM facilitates the management of vulnerabilities: they are
stored in ARM, and access to their evidence is provided there at different
stages of the process and in real time. With ARM, our client can classify
and prioritize vulnerabilities, define their treatment, and maintain a
constant check of their status and remediation progress.
But, well, closing with what we could get from the webinar (which you can
find here): as an essential and summarizing idea, the author highlighted
the necessity to make pentesting processes more transparent and, yes, more
friendly to customers. That's something we're also looking for!
PS. Don't forget that at Fluid Attacks, in addition to infrastructure and
applications, we also evaluate source code. Besides, we provide black box,
gray box, and white box testing. Contact us, and we will give you more
information.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/ptaas-netspi/