Demo
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.
Demo
Learn how Cobalt’s Pentest as a Service (PtaaS) model makes you faster, better, and more efficient.

Cobalt's PtaaS Exchange: Insights You Don't Want to Miss

The Cobalt PtaaS Exchange Roadshow kicks off on September 8th in San Francisco. It’s never too late to sign up for a free event where you can talk shop with local security and development peers, chat with industry leaders, and get a (free) bite to eat!

We have a stellar lineup of speakers for every location. They’ll share insights on how to align security closer to the business, ways to train engineers more effectively on cybersecurity, how attackers view your networks and applications, and more.

As hybrid work keeps adding more complexity and market competition gets more fierce, coming together to talk strategy has never felt more important. We want to give companies the tools they need to face 2023 with confidence.

So here’s a sneak peek at some of the insights we’ll be sharing at the event from our pentesting data, conversations with customers, and industry research

Biggest challenges for cybersecurity in 2023

Remote work, insider threats, security being deprioritized at the leadership table, and a very high demand for talent with a very low supply… in truth, none of these challenges are new, but they feel more pronounced as pressure keeps piling on security teams to be simultaneously enablers and defenders. 

There are many things teams of different sizes and with different budgets can do to face 2023. Take, for example, catching vulnerabilities earlier in their applications. We asked our subject matter experts which flaws they thought companies were most likely to underestimate, and they all said “the basic ones.” 

“Unfortunately, it is the low-hanging fruit. Without leveraging the OWASP Top 10, or SANS Top 20, malicious attackers would not be as successful as they are. Patching and looking for that low-hanging fruit is critical. Instead, organizations are looking for the panacea so they spend on the next new tool that won’t solve the problem.”

- Jay Paz, Senior Director of Delivery at Cobalt

Our own pentesting data backs this up. In 1400 pentests we did in H1 this year, the majority of findings that kept slipping past teams’ defenses were well-known vulnerabilities: 

  1. Cross-Site Scripting (XSS): Stored
  2. Broken Access Control: Insecure Direct Object References (IDOR)
  3. Components with Known Vulnerabilities: Using Outdated Software 
  4. Security Misconfiguration: Lack of Security Headers
  5. Security Misconfiguration: Insecure TLS/SSL protocols

While these findings look like low-risk issues, they can be chained into more dangerous exploits if left unaddressed. 

The vast majority of organizations still rely on the risk ratings provided to them by their automated vulnerability scanners. Unfortunately that does not factor in things such as chaining multiple attacks together, leaving vulnerabilities that should have been prioritized for remediation, unresolved for long periods of time after being discovered.

- Kevin Gilstrap, Senior Manager Professional Services at Cobalt

Continuous pentesting can help identify this low-hanging fruit and address it permanently. Pentest reports are in fact a great source of learning for developers, with plenty of information on how the flaw manifests in their application, what its impact can be, and how to prevent it. And there are more flexible options available to teams: Cobalt Agile Pentesting can zero in on a specific vulnerability teams know they’re susceptible to.

Focus on Talent

What happens when you have the findings, but don’t have the bandwidth to fix them? This is a prevalent problem in the aftershocks of the Great Resignation, coupled with tech layoffs and other seismic shifts across different industries. We researched the topic in this year’s State of Pentesting report, and found that this is a real challenge for many teams: 

  1. 94% of security teams had dealt with labor shortages in the last 12 months, and less than half were able to resolve the problem. 

  2. As a result, a vast majority of teams reported they struggled to maintain high security standards, mostly hurting in the area of compliance, secure development and risk governance.
     
  3. Collaboration with engineers also suffers, with nearly 90% citing this as a challenge.

The industry is still largely focused on years of experience as a key hiring requirement and as long as this issue persists organizations will continue to have difficulties recruiting talents. As a result, organizations are turning to Managed Security Service Providers(MSSP) as a way to bridge the talent gap and protect themselves and their customers. Smaller companies can't afford MSSP. The focus in my opinion should be developing cyber security talent through apprenticeship, internship and entry level security positions.

- Andrew Obadiaru, CISO at Cobalt 

Aside from looking for “top” talent, organizations are not allocating enough budget for their security teams. Fighting for more dollars is a tricky situation for many security leaders, so Cobalt managers shared a few tips that have helped them in their careers: 

    1. Jay Paz, Senior Director of Delivery at Cobalt: Understand the business first and what levers are available to find additional dollars. Without true knowledge of the business, the financials, margins, and expected growth, a security professional goes in with no knowledge of what is possible and where they can slot in. 

    2. Caroline Wong, Chief Strategy Officer at Cobalt: Develop a super strong understanding of your organization’s business goals and understand value creation. Remember that security is about protecting value created by a business.

    3. Kevin Gilstrap, Senior Manager Professional Services at Cobalt: When customers have a really good understanding of their infrastructure and where vulnerabilities live, they can work with their third-party vendors that conduct their penetration testing to make sure those areas are thoroughly covered. This allows their vendor to spend the necessary time in that environment demonstrating the risk to the organization and further backing up their recommendations for an increased budget.

More From Our Speakers

In case you miss our events, but still want to hear from our lineup, check out this collection of content we’ve produced with them in the past:

Back to Blog
About Cobalt
Cobalt provides Pentest Services via our industry-leading Pentest as a Service (PtaaS) platform that is modernizing the traditional, static penetration testing model with streamlined processes, developer integrations, and on-demand pentesters. The Cobalt blog is where we highlight industry best practices, showcase some of our top-tier talent, and share information that's of interest to the cybersecurity community. More By Cobalt
Cobalt Recognized as Only 'Leader' in G2's Penetration Testing Grid
It’s official: users love us! G2 named Cobalt the only leader in the Grid® Report for Penetration Testing Winter Report.
Blog
Jan 7, 2022
Then & Now: One Year Pentesting at Cobalt with Arif
Arif (@payloadartist) joined the Core last April and shared his experience of how things have been for him at Cobalt for the past year.
Blog
Apr 17, 2022