The PtaaS Book – Techstrong TV
Alan and Caroline talk about her new book, “The PtaaS Book – The A to Z of Pentest as a Service”. It explores everything you need to know about Pentest as a Service (PtaaS) in today’s cybersecurity threat landscape. The video and a transcript of the conversation are below.
Recorded Voice: This is Digital Anarchist.
Alan: Hey, everyone. Welcome to another Techstrong TV segment. I’m so happy to have my friend Caroline Wong back with us on Techstrong TV. It’s been too long since I had a chance to speak with her here. Caroline, welcome to Techstrong TV. It’s great to see you.
Caroline Wong: Thank you. I am thrilled as always to be here.
Alan: Oh, it’s our pleasure. So, I think most of our audience knows, but let me just lay it out there. Caroline is a CSO at cobalt.io. And cobalt.io is the world leader in pentest as a service.
Caroline Wong: That’s right.
Alan: Is that fair?
Caroline Wong: That’s right.
Alan: Did I get the branding and marketing spiel right or –
Caroline Wong: You got it right. You got it right. We are the PtaaS company and I’m our chief strategy officer.
Alan: Absolutely. I said CSO. I keep seeing you guys hiring. You’re always hiring more people. Every time I log on to LinkedIn, it seems, “We’re hiring, we’re hiring.”
Caroline Wong: We’re growing like mad. We’re growing like mad. Last year we had more than 50 percent ARR growth. And when I look at the number of organizations, if you go and Google PtaaS right now, Cobalt is not the only company that comes up, you’ll find like –
Alan: Really?
Caroline Wong: – 30 companies finding what they call –
Alan: Really?
Caroline Wong: – what they do, they’re calling it PtaaS, and we’re thrilled, right? This is a revolution.
Alan: That’s a good thing. When you name the market you’re in, the category, that’s a good thing.
Caroline Wong: It’s very exciting. It’s super exciting. And I think for me, what’s most exciting about it is I feel like we’re making a real impact on the industry. So Alan, you and I, we have these views into DevOps and security. If I look at DevOps over the past 10 years, things have changed so dramatically and we know how to do DevOps, we know how to do it well, we know that organizations who do DevOps have stronger performance.
Now, if you look at security, security’s not doing so well. In the ’90s, a group of hackers went and testified to the United States Senate. They went back 20 years later and they said, nothing’s changed. We got a new OWASP top 10 last year, OWASP top 10, 2021. If I put it right next to 2003 –
Alan: Three things are different.
Caroline Wong: It’s the same thing. And that says, we are not making progress. Why are we not making progress? And then I look at something like, if I look over and I look over at DevOps, they’re really doing something right. What can we do to be like DevOps, ’cause they’ve got this right.
And if I look at on-prem versus cloud, on-prem is expensive, cloud is less expensive. On-prem is not very flexible, cloud is super flexible. On-prem is not very on demand. Cloud is on demand. On-prem doesn’t have redundancy, Cloud is redundant, et cetera, et cetera.
And so for us, I look at old school pentesting as on-prem and PtaaS, pentest as a service, as taking all of the advantages of cloud with it, including on demand, start a manual pentest in 24 hours. And I’ll tell you what else, Alan, when I worked for Cigital, Cigital got acquired by Synopsys.
But when I worked for Cigital, between 2013 and 2016, I flew around the world. I was living that glamorous high flying lifestyle and I did more than three dozen BSIMM assessments. Now the thing about BSIMM assessments, the folks who choose to do this, they’re pretty good at software security ’cause spending five figures to pay a company to evaluate them.
And at that point in time, in 2013, I found out that your average enterprise with a hundred applications was only pentesting 10 of them. If they had a thousand applications, they were only pentesting 100.
Alan: True.
Caroline Wong: ‘Cause it was hard. It’s hard to do pentesting. It’s slow –
Alan: It takes time. Yeah.
Caroline Wong: – it’s expensive. There are all sorts of reasons why enterprises, some of the strongest enterprises at software security in the world were only pentesting 10 percent of their application portfolio. Last year, Cobalt did a survey. Now that’s up to 63 percent, from 10 percent to 63 percent.
Alan: Huge.
Caroline Wong: That’s better, that’s better, but we still have a long ways to go.
Alan: That’s like someone once told me on Techstrong here, someone once said, “75 percent of applications are now being scanned before they’re deployed.” And that’s up also, same kind of thing, from [Crosstalk] –
Caroline Wong: Yeah, better than before. Yep.
Alan: Yeah. But you gotta ask yourself, “Who are the other 25 percent? Who’s not scanning stuff before they put it out?” Same thing here. Who’s not pentesting or who’s not pentesting all their apps? I mean, what’s the logic? It’s too expensive. Okay.
Caroline Wong: That’s the logic. That’s the logic. We don’t have the budget for it and we can’t get it to happen fast enough.
Alan: But what’s the budget when that app gets hacked?
Caroline Wong: That’s right. Every single time it’s a roll of the dice, because vulnerable software gets hacked. In 2021, ransomware was all the rage, and that’s not changing any time in 2022. It’s just gonna get worse and worse and worse ’cause it works. Those cyber criminals are making tons of cash. They’re gonna –
Alan: Absolutely.
Caroline Wong: – keep doing it. And it’s easy because software is vulnerable, but ransomware should not be so scary ’cause we know how to prevent ransomware. The first ransomware attack happened in 1989. I was six years old. And in 2021, it’s as though we don’t know what to do, but we do know what to do. We’re just not doing it.
And part of the reason we’re not doing it is it hasn’t been easy. It hasn’t been fun. But if we can cloudify, if we can, as a servicefy these things, then I think we have an opportunity to make real lasting change.
Alan: So, I think when I hear you talk, what you’re saying, Caroline, so you can’t blame the people who are not scanning all their applications ’cause it’s too expensive. One could look at this as an economic student and say, “Well, if there’s a real need in the market, it behooves the providers to do something to be more efficient, to allow the cost to stop being prohibitive to getting the job done.”
So there has to be an equilibrium between the cost of prevention and the cost of not prevention, the cost of an incident. And that equilibrium should continue to be lowered as we become more efficient in doing these kinds of things. It’s like market. That’s just the law of the market.
Probably pen testing as a service is one of the biggest kind of market driven reactions we’ve seen to bringing this down for the masses, to making it more available. Like you, I knew plenty of friends who did jump around the world doing pentesting and a little social engineering and living that life.
But in today’s world, when most apps are in the cloud anyway, why wouldn’t you do it as a service remotely like this? And it makes it affordable or much more affordable than it was before.
Caroline Wong: Absolutely. You start way faster. A lot of organizations, it used to be so expensive and it used to take so much time because cost involves both money as well as time. And it used to take so long to get a pentest started that you could have, for simplicity’s sake, we’ll say, your old school pentest cost 10 bucks and you did it once a year, ’cause it also took you two months to plan.
And now you can take that $10 and you can do 10 little ones throughout a year with a snap of your fingers. You can get started in 24 hours when you need to, ’cause that’s how software development goes. It’s rapid, it’s iterative. Our pentesting should be rapid and iterative as well.
Alan: All right. Let’s hold that book back up again if we can Caroline though. Okay. So here it is. So, first time you mentioned, this isn’t your first book?
Caroline Wong: That is correct. My laptop’s actually sitting on my desk copy of my first book, which is Security Metrics, A Beginner’s Guide by McGraw Hill, which came out a decade before the PtaaS book. And we’re super excited about this. You can go to the Cobalt website and download it for free. It has all sorts of cute and funny cartoons.
This is a book that we want folks to read and we tried to make it really interesting and really engaging and really just not boring. I don’t think it’s a boring topic. And so yeah, we’re really excited about it. You know, if you wanna learn how to scale your pentesting program, this book will tell you exactly how to do it.
Alan: Very cool. So it’s available for free download, but you’re obviously holding a hard copy for someone who, like me, I like hard copies. How could they get the hard copy?
Caroline Wong: You should send me a message and I will figure out a way to get you a hard copy.
Alan: Well, not just me. I mean, anyone watching this.
Caroline Wong: I don’t think there’s a real way, we’re working on that. We’re working on that.
Alan: Oh, we’re working on it. Okay, that’s cool.
Caroline Wong: What I wanna do is, I wanna get these – So you can actually buy them off Amazon. How do we buy books? Off Amazon. So we’re working on that.
Alan: You should talk.
Caroline Wong: Okay. I would love that. The other thing that we’ve been thinking about, although it is not set in stone, is we’re thinking about maybe doing a PTaaS conference in San Francisco in September. So, we will see.
Alan: Oh, that would be cool.
Caroline Wong: Details to be determined. Would be really cool.
Alan: TBA, TBD.
Caroline Wong: TBD.
Alan: It’s actually TBA. Well, TBD –
Caroline Wong: Could be nice.
Alan: – then TBA. But that would be very cool. That would be something we’d definitely be interested in. We’ll talk about it.
Caroline Wong: Sure.
Alan: So Carol, people read the book, we get what Cobalt does with all this. At some point, rubber meets the road. And so if I’m – make believe I’m the CFO now. I’m not a security person. And I say, well, you want me to update my spend on pentesting from 63 percent of my apps to 99.9 percent of my apps. Where are the metrics that show I get a return on my money there? All right, you could go.
Caroline Wong: Here’s where it is. Here’s where it is.
Alan: Go.
Caroline Wong: It’s in the fixes. Here’s a weird thing about security frameworks and paradigms. You go to NIST 800-53, you go to whatever, 50, 100 page security guidance guidebook. And they always say, “Do a pen test.” They always say, “Scan your apps.” What they don’t say is they don’t say, “And then fix those vulnerabilities.”
Now PtaaS is not only about defect discovery. It’s not only about finding vulnerabilities. PtaaS is also about getting the right information in front of the right people so those vulnerabilities can be fixed. PtaaS happens in Slack, PtaaS happens in the platform. We have an API so that you can push stuff to Jira, you can push stuff to GitHub. We are getting the pentest data in the chunks that it needs to be in front of the developers.
We are getting the pentesters and the security team and the engineers to talk together, ’cause that’s how fixes happen. And when someone completes the remediation of a pentest finding, we also include validation. So the pentester who found that problem in the first place will go and check and say, “Yeah, this has been fixed correctly.” And we’ll update that in your report.
That’s how folks can measure, because the goal of pentesting is not just to find vulnerabilities. The goal of pentesting is to manage that at risk is to find the vulnerabilities and get them fixed, and maybe even prevent them.
Alan: Absolutely.
Caroline Wong: And people need the data. People need data to be able to see, am I even getting better? And the platform will give you data.
Alan: And that is so important. And you’re right, for so much, for so long, rather pentesting, even vulnerability scanning in general, the emphasis was on, what did I find, not what did I fix? And what they didn’t realize is that the people who do the fixing are not often the security people, it’s the help desk people, it’s the developer for the apps, it’s the DevOps or the SRE team. They’re not necessarily security pros, but the burden of the fix falls on them. And in many ways, the fix is harder than the find.
Caroline Wong: It is way harder. Getting other people to do stuff is hard.
Alan: Yeah, no doubt.
Caroline Wong: And the old way does not work. If I get a 50 page PDF in my email and I forward it to an engineering manager and I say, “Here are the results from our recent pentest, please work with your teams to get the findings remediated.” That’s not gonna work. The person opens the email, they get stressed out, cortisol flows to their body. And that’s not the way you get these things fixed.
Now in a PtaaS platform, if a finding is discovered, the engineering team finds out through Slack and then goes into Jira where a ticket has been submitted and can be worked on right away. They have a direct line of communication between the engineer and the pentester who found the thing in the first place so they can figure out how to get it addressed.
Alan: Absolutely.
Caroline Wong: Fixes problems.
Alan: It’s a process. You have a real process now instead of just saying, “Oh my God, look at this telephone book on my desk of all these vulnerabilities or these bugs or things I have to fix. And where do I start? Where do I start? And how do I do it? And who am I assigning what? Just the heck with this.”
Caroline Wong: Exactly.
Alan: [Crosstalk]
Caroline Wong: “I’m not gonna do this. This doesn’t make any sense to me. I’m confused. I’m gonna go work on the thing that makes sense to me and is straightforward and that fits into my work process.” If weird security people want engineers to fix security vulnerabilities, we have to be curious about their work process and their tools and how do they work? And we have to work with them.
Alan: That’s DevSecOps in a nutshell right there my dear.
Caroline Wong: Yeah.
Alan: Hey, for people who wanna download the book, just go to cobalt.io?
Caroline Wong: Yep, cobalt.io. I’m sure there is – I’m just typing in cobalt.io PtaaS.
Alan: Okay. And while you’re doing that, we will maybe hear more about PtaaS conference in September.
Caroline Wong: Yes. I will be filling you in –
Alan: Okay.
Caroline Wong: – as we figure out all the details.
Alan: Logistics.
Caroline Wong: Yep.
Alan: That’s cool.
Caroline Wong: It’s gonna be right next to SaaStr. So that’s why. I love San Francisco. It’s an opportunity to go to San Francisco and it’s right – I can’t remember which end of the SaaStr conference we’re thinking about doing it, but San Francisco, September, first ever annual PtaaS conference.
Alan: If you’re there, I’m there.
Caroline Wong: Cool.
Alan: And we will be at RSA conference.
Caroline Wong: Definitely. Most certainly.
Alan: In June. We’ll see you there. And 3000 people or more have taken your LinkedIn learning class.
Caroline Wong: Well, so this is kind of fun. I have a bunch of different courses. I teach courses on the OWASP Top 10. I teach a very kind of general, like when an organization has a compliance reason to assign cybersecurity training to all their employees, I teach a course that’s like that. It’s really fun. We like hired additional actors. We tried to make it funny. I have a course on security metrics. The security metrics course has 3,000 –
Alan: [Crosstalk]
Caroline Wong: But get this, cybersecurity at work has 90,000 winners.
Alan: Wow. You are the professor. Good for you, Carol. Well, you are actually our professor. That’s a whole another story. You’re a renaissance woman, man. Hey, thank you for coming on and visiting and telling us about it. Good luck with this. We will be in touch.
Caroline Wong: Thank you so much.
Alan: Caroline Wong, author, professor, chief strategy officer, cobalt.io, go check them out. We’re gonna take a break. We’ll be right back.
[End of Audio]