Let’s examine how rigorous retesting of products during a pentest engagement can make products more secure and what goes into performing efficient retesting.
Introduction: Why Retesting?
First of all, let’s clarify what retesting is. Basically, it’s the final phase of a pentest, and a crucial one.
After the pentest team delivers the final report with all the vulnerabilities and bugs found, it’s on the client’s side to get them patched.
Developers and the internal security team work in tandem to apply fixes and mitigate all the vulnerabilities.
Once the client is done with the patching process, they’ll reach out to the pentest team again, to retest the bugs that were fixed.
But this is the classical model. Pentest optimization tools such as Hexway can change it: instead of reaching out to the pentest team manually, developers can fix issues before the whole pentest process ends and send them back for retesting in seconds.
This leads to the main question: why is retesting required? Simply put, retesting makes sure products are safer and ensures higher levels of security are attained faster.
When bugs are patched, the applied mitigations might seem ample from the client’s perspective: devs fixed the code according to their understanding of the problem.
But these fixes aren’t necessarily enough, and a patch can itself introduce new, unintended bugs.
Hence, retesting is required to make sure that the vulnerabilities are actually patched and that there are no existing bypasses.
Performing this phase is essential for product safety, as it weeds out any overlooked security issues.
Carrying Out Retesting
It’s time to see how retesting should be correctly performed. One of the most important aspects of retesting is efficient communication between the pentest team and the client.
The client may be represented by their dev team, their internal security team, or in some cases both. The first round of messaging goes from the pentesters to the client, where every finding is explained in detail.
This is usually delivered via a pentest report, which can also be created in Hexway.
For each submitted bug or issue, the client creates a ticket on their end to track the progress of patching it. Once these are resolved, they reach back out.
Hexway allows users to send issues back for retesting by just changing their status in Jira in no time.
This saves a lot of time for both sides and helps to build better relations between customers and pentest providers.
Retesting involves reporting, communication, and tracking of progress. Reporting is pretty self-explanatory; collaborative workspaces like Google Suite or M365 Office can be used.
A pre-defined template can be used too, so that the team can update it as and when new bugs are found.
Communication with the client can be chat-based, using tools like Slack or Discord to relay information.
For further discussions, calls are even better. Lastly comes the task of tracking the issues.
This is usually done through Jira, a popular bug tracker. But Jira is usually customer-facing, and relaying the progress of Jira tickets back to the pentesters can be a hassle.
What if there is a tool that can perform everything mentioned above: no-pain reporting, swift communication, and two-way issue tracking, all in a single place?
With a unified, collaborative tool for both Red and Blue teamers, featuring an easy-to-use UI and a customer portal that allows seamless communication, retesting becomes much easier and faster.
In the next section, let’s take a look at how Hive takes on the challenges pentest teams face with retesting and provides a complete solution, made by pentesters for pentesters.
How Hive Expedites Retesting
While Hive provides many features like credential storage, checklists, visualizations, asset management, etc., there is one specific feature of Hive that immensely helps in retesting: Issues.
Let’s take a deep dive into this feature. Whenever a bug is found, pentesters can create an issue for it, whether it’s a known CVE, unpatched software, an app-specific vulnerability, a network attack, or even a juicy fresh 0-day.
Now here’s the best part: as soon as the pentesters create an issue in Hive, a corresponding task is created in Hexway’s customer-accessible Apiary dashboard.
And it gets better, as customers can create a Jira issue right from the Apiary dashboard with all the necessary details pre-filled.
Recently, an important update was introduced which made it possible to have reverse sync from Jira to Apiary! As soon as the status of a task in Jira changes, it is reflected in Apiary.
Since Apiary and Hive work seamlessly together, the status changes are also relayed to the pentester team.
This three-way integration between Hive, Apiary, and Jira reduces the manual interaction needed between different teams and increases efficiency. Retest faster, better!
Below are some of the other important characteristics of the issues feature:
- Custom Status: Instead of the usual boring statuses like “in progress” or “completed”, you can set a custom status for each issue as per your needs (fully customizable with different emojis and colors!)
- Import to Report: Hive allows you to import your issues into a report, with the option to select from multiple report formats. This allows easier migration of all the issues.
- Issue comments: You can add comments to individual issues. Comments are of two types: internal and messages. Internal comments serve as notes that can be viewed by the pentesting team while messages are relayed to the Apiary dashboard, acting as a great communication medium with the clients!
- Mass actions: Instead of changing status, importing, and editing each issue one by one, you can perform changes to multiple issues at once, allowing faster updates.
These were some of the important capabilities of the Issues feature provided by Hexway Hive, which plays an important role during retesting.
This is in no way an exhaustive list as there is a lot more to explore when it comes to the Issues section of Hive: visualizations, attaching checklists, images, and lots of other stuff that make it easier to describe issues.
You can even create templates and schemas for issues based on customer requirements so that you don’t have to start from scratch every time you create a new one.
And just like that, Hexway solutions eliminate the hassle of juggling all the numerous tools we discussed in the previous section!
If we have to conclude this article with one thing, it is this: “Retest your products! That ensures there are no hidden vulnerabilities slipping under the radar due to a lack of testing after the initial round of mitigations and fixes has been applied.”
While traditional retesting involves a lot of communication over different channels and mediums, Hexway Hive provides a unique solution that combines everything from relaying information to clients to managing issue progress in a single place!
Hexway solutions Hive and Apiary can help you with your PTaaS goals, and now with Jira integration, they can fit into your workflow more smoothly than ever.
You can also check out a Path To Pentest Guide: 10 Best Penetration Testing Phases, Lifecycle, Methods – 2023.