What are Assets in Cobalt and how do they work?
An Asset in Cobalt is any target of a Cobalt Pentest: a Web Application, Mobile Application, API, Internal/External Network, or an implementation on AWS/Azure/etc. In other words, it is an umbrella term for anything you have pentested.
You can create, edit and view your Assets by going to the Assets tab, visible from the Organization view.
Here you can see how many pentests are in various states for an asset and can access the latest Pentest Report for quick sharing with stakeholders.
Additionally, you can create a pentest linked to this specific asset and edit the asset.
View per Asset
By clicking on the Asset you can find and add details about the Asset, including uploading relevant documentation. You can drill into the Pentests that have been performed on the asset, and create a new Pentest on the Asset from the same view.
The Asset details are also available to Cobalt Core pentesters when they are assigned to a Pentest; this helps them better understand the Asset they are testing.
Create a New Asset
- Describe your asset as clearly as possible
- Add a product walkthrough and asset documentation using the templates provided
- Keep your assets up to date
- Start creating/editing your asset before creating your pentest - you will be reusing the asset for future pentests
Step by Step Guide
You can start by adding a Logo, a Title and selecting the appropriate Type for your asset.
The next step is to choose your Asset Size and your preferred Coverage. This will determine the number of credits needed to fully cover the scope.
For each asset type, a Scoping Guide is available to help determine the Size of the scope and the Coverage needed.
In the Description field, you can provide any details about the asset that will help inform testing. This includes a high-level overview of what the asset does and its place within your business and business workflows. A guide for the asset description is provided as a tooltip.
Under Attachments, include any documentation and, if desired, a video walkthrough of the asset (up to 100 MB) using the "Upload Files" button. Thorough asset documentation will help pentesters understand your scope better.
Templates for Workflow/Priority target and User role matrix are available to guide you if you are not sure what to add.
The User role matrix will help pentesters understand how your permissions are set up. This is useful, for example, when testing for privilege escalation.
The Workflow/Priority target will help pentesters focus on the aspects that are the most critical to you, especially if the pentest coverage is Light or Extended.
Click "Create Asset" when done.
Asset in the Pentest Wizard
Another way to create or edit an Asset is when you create a new pentest.
- If you choose to create a new Asset, you will see the same steps described above.
- If you choose to use an existing Asset, you will see a list of existing Assets to choose from and will be able to edit the Asset fields within the wizard as well.
If you select the wrong Asset by mistake, go back in the wizard until you see the screen above, then select the right asset.
Access and Permissions
Only Org Owners and Org Members have the ability to create an Asset directly from the Organization. Pentest Team Members will not be able to access the Assets tab.
However, Pentest Team Members will be able to see and edit an Asset that is linked to the pentest they have been added to. At this time, the only restriction is that they cannot attach files to the Asset. An Org Owner/Member of their company or a Cobalt Customer Success Manager can assist in this case.
You can find more information on Cobalt user roles in this article: What do the user roles mean?
Value of Assets
1. Structure your pentests data and observe trends
The Insights enable you to get an overview and compare results across your Asset(s). The data can be analyzed for one asset or all of them, so you can zoom in and out to see how security posture changes across assets or as an aggregate.
More information about the Insights can be found here: Cobalt Insights.
2. Build knowledge and save time
Once you add information on your Asset, you will never have to start a pentest from scratch again. All this knowledge will be re-used on your future tests. When needed, you can edit the Asset content and add new documents.
In the background (not visible to Cobalt customers), the lead pentester on a new pentest is able to see the open findings from past pentests under the same Asset. This helps them understand the sensitive areas of your Asset and avoid leaving vulnerabilities open for too long. A lead pentester can see the details of the previous findings, re-test them and confirm with you whether they still occur.
Can a pentest be attached to 2+ assets?
No, a pentest can only be linked to a single asset. If your Asset has multiple methodologies such as Web + API, you can choose a combined methodology. If the combination is not available, e.g. Mobile + External Network, pick one of the two and let your Customer Success Manager know so that the Cobalt team can select pentesters with the appropriate expertise.
I want to test two scopes (e.g. web and mobile applications), how many assets should I set up?
There is a one-asset-to-many-pentests relationship on the Cobalt platform, therefore we can rephrase the question as: how many pentests should we run to test the two scopes (in this example, one web app and one mobile app)?
It will depend on multiple criteria:
- Do the two scopes share some of the same code or functionalities?
- Do you need a separate pentest report for each of the applications?
- Is there one or multiple teams in charge of these applications?
If the web and mobile applications communicate and share some of the same workflows, only one report is needed, and one team is responsible for both applications, it makes sense to test them together. However, if the applications are different, need a separate report each and are handled by different teams, it makes more sense to divide them into two tests.
It is possible to run separate tests on the same asset. In other words, the web and mobile pentests could both be attached to the same Asset.
In this example, we would suggest separating the Assets because it will allow you to get a more granular overview of the maturity of your security posture and progress over time by product.