Show HN: Oneleet – Penetration Testing for SOC 2 and beyond https://ift.tt/DghEUPB

Show HN: Oneleet – Penetration Testing for SOC 2 and beyond Hello HN, Over the past months at Oneleet (YC S22), our team has been building https://app.oneleet.com , a compliance-focused pentesting-as-a-service platform. It allows companies to easily schedule and manage penetration tests, designed for both compliance and security enhancement. We collaborate exclusively with top-tier vetted penetration testers based in NATO countries, ensuring superior quality results. Competitors like Cobalt work with just about anyone, of which they put multiple on a single engagement to ‘average out’ the quality. Despite their efforts, it is still hit-and-miss. By being very selective about who we work with (many Cobalt pentesters don’t make the cut), we are very consistent in the level of insight and quality we provide. Our team puts a lot of work into making sure that pentest results can be leveraged beyond security improvements. We are fully aware that with the current SOC 2 craze[1] most companies are just looking to tick their compliance and control boxes[2][3], but that doesn’t mean you can’t have both that box ticked and fundamentally improve your app’s security. Which is why we make sure our pentests serve both purposes: Present technical detail at a deep level but also provide documentation that is meant to be a sales and trust-building tool. Some of the things I used to hate when I worked as a pentester myself was seeing how common it had become for pentesters to just take Nessus findings, slap a pentest report title page on it and then proudly proclaim how they found these critical ‘SSL’ and ‘HTTP Header’ findings. Not to mention how much trouble it can get you in with your auditor when they see all those criticals they don’t understand the nature of. When those auditors then require you to fix all those criticals, you quickly find yourself going down a rabbit hole of unnecessary engineering effort. Great pentesters, on the other hand, use those exact same tools but know what to do with the information that they generate. Take a tool like Burp Suite, which is known among pentesters as the go-to tool for manual web app pentesting. Despite it primarily being used for manual testing, it also has ‘auto scanning’ functionality built in that is mostly useless without a human guiding the tool. More than once I heard both pentesters and clients state: “We already do Burp Suite scanning, so we have that covered.” Don’t get me wrong.. there are plenty of tools that provide a lot of insight without needing human guidance. Running Nuclei[4] frequently on your web-facing hosts is a great way to spot low-hanging fruit-type vulnerabilities, but it will require you to at least have some basic understanding of what the reported findings entail, and whether the associated severities are accurate or not (CVSS scores can be very random, so using them as a yardstick can be a terrible idea). This is why we’re strict about not allowing testers to inflate the severity of findings, or to revert to reporting boilerplate findings that many automated tools spit out by default. If you’re interested in having a pentest performed, you can get started by going to https://app.oneleet.com . After registration, you will be guided through an onboarding flow after which you can schedule a call with the founding team and a pentester. We’d love to get your feedback and answer any questions you might have! References: [1] https://ift.tt/CoEDIAH ] [2] https://ift.tt/7cYDgIn [3] https://ift.tt/auR40K5 [4] https://ift.tt/mNH7yTx https://ift.tt/4Cx7Ud1 May 12, 2023 at 12:07AM