The Coverage Checklist is a list of checks that ensure a baseline of security controls is in place. The list is based on industry best practices. For Web, API and Mobile pentests the list follows OWASP ASVS (level 3); for other test methodologies not covered by OWASP, Cobalt has defined a custom baseline based on input from domain experts.
The goal of the Coverage Checklist is to support the pentest process by providing a baseline checklist that can be worked on collaboratively; this way it is easy to see what the team of pentesters has covered and what has not been looked at yet. The avatars on the right of a check indicate who completed that check. Multiple pentesters can cover the same security control.
The Coverage Checklist enables real-time collaboration, and progress can be tracked directly by seeing how many checks have been completed, both for the full Coverage Checklist and at the category level.
It is also possible to associate findings with ASVS categories. This gives the customer an overview of which security controls need further work, and it also provides positive feedback on security controls that have been scrutinized and have passed the tests.
The purpose of this feature is not to describe how the pentest should be done; its purpose is to help coordinate the work and to ensure baseline coverage.
Typically, the work of the pentesters will go well beyond what is covered by the Coverage Checklist.