
Replace your legacy penetration testing services with Continuous Security Testing from Sciber: a massive leap forward that creates a proactive, more integrated and higher-quality service for discovering and mitigating software-related vulnerabilities in your applications and assets. It completely replaces the traditional penetration testing you do today.

Adopt the DevOps way of working in security testing to test and evaluate your security posture continuously.

Keep reading to find out more.

Continuous Security Testing

A modern approach to a bug bounty program


Traditional penetration testing is typically a one-time activity where a tester uses specialized tools to evaluate a specific scope of your environment and identify vulnerabilities over a set period of time. Once the testing is complete, a report is generated that includes findings and recommendations for how to address them. It is then up to the customer to decide whether or not to implement the recommendations. Because the testing is one-time and not ongoing, it is often referred to as a "one-off".

The traditional legacy way of working presents various challenges:
  1. The penetration tester spends up to 50% of the time creating the report. Much of this can be automated, but rarely all of it. As a customer, you only get 50% of the value for the time spent on the test; the rest goes to administration and reporting

  2. A penetration tester rarely has enough time to really understand the application

  3. After the report is received, the penetration tester typically goes away and is not available for later follow-up questions, or you have to pay extra for these

  4. The penetration tester rarely sits together with your development teams to build proactive detection using CI/CD and test cases in different frameworks, so that vulnerabilities are found over time

  5. These tests are typically done once or twice a year, driven by compliance or other factors. Anything that happens in between (software releases, updates, etc.) gets no testing at all, so the risk of vulnerabilities existing between these periods is often high

  6. Without a continuous way of searching for vulnerabilities, you risk increasing your technical debt, which often causes problems when a lot of vulnerabilities are found at once

Challenges today with the legacy penetration testing approach


At Sciber, we always question "how it is typically done" and focus on bringing value to our customers and maximizing your security investment. We propose a different way to do this to solve the traditional challenges and align more with the modern bug bounty approach:

Our approach

  1. The first step is to set the scope together with the customer

    • A scope is a list of assets (services, websites, hosts) that will be part of the continuous testing

  2. The second step is to onboard the assets. As a customer you only pay for each asset in scope

    • You can decide to use ASM (Attack Surface Monitoring/Management) to dynamically assign assets as they are discovered, or provide a list of assets, such as your website as one asset in scope

  3. Sciber will assign a security tester to the scope and assets and the work will begin. We will decide on the tools and the methods being used but are always open and transparent with the customer

  4. We are now live and will continuously report on any vulnerabilities discovered on your assets. Once a vulnerability is discovered we report it back to you without delay

  5. You as a customer can extend or remove assets from the scope whenever you need. At any time during the process you can extend your scope

Below is a short breakdown of the different service level tiers:

  • Tier 1 - Continuous Security Testing of one or several external applications

  • Tier 2 - Continuous Security Testing of external and internal applications including white box testing

  • Tier 3 - Everything included in Tier 1 and Tier 2 but with test cases that we help your engineering teams implement

Service levels

Reporting

Reporting is done via your tools directly to your teams via defined channels. We handle the communication with your development teams where applicable (depending on tier) to take action where needed.

Findings can be summarized on request to fulfill any compliance need without the extra administration fluff that you do not want to pay for.

  • Faster time from discovery to mitigation

    • Customers are notified immediately through defined channels

  • Test cases

    • Proactively detect similar types of vulnerabilities by adding test cases to your CI/CD pipeline

  • Less time spent on summary reporting, better data over time

    • We have removed tasks that are usually spent on information not needed or consumed by customers

    • Our findings are not saved in a PDF; we make the data reusable by maintaining a risk register

    • Concrete backlog of findings and risks mitigated - great data for trending

  • Dynamic way of steering resources to focus on what is important - we can target specific applications, and customers are able to steer priority dynamically

  • Fewer "one-offs" with less risk of missed follow-ups

    • We continuously follow up on any previously discovered vulnerabilities

  • Retesting

    • Vulnerabilities that are mitigated can be retested without delay, giving better feedback and more value to your engineering teams

  • Software resilience is something you create over time by working closely with your favorite hackers. With continuous testing you have a much better chance of having hackers that understand your application, not just see it once a year

  • Building a culture together with your hackers and engineering teams is an important factor in achieving a long-term understanding of how vulnerabilities are prevented, not only mitigated when they occur

Customer values


The traditional bug bounty approach sounds interesting to me; what if I only want that?

We can also help onboard a customer to a bug bounty program where the whole process is handled by the broker, the main difference being that you have access to our competence and the closeness we can bring to you. We can also add the capability of writing test cases on top of the traditional service.

With our competence, you can get the most out of the traditional bug bounty programs:

  • Handle submissions from bug bounty programs

  • Evaluate reported vulnerabilities

  • Summarize vulnerabilities from many individual reports

  • Know who you are using in your security testing

  • Write test cases to proactively discover similar vulnerabilities in code that you deploy
