Describe Your Assets
Help our pentesters test your assets faster.
Our pentesters need all relevant information about your asset. To help you understand what to share, we include a description template.
For all assets, we’d appreciate a:
- High-level overview
- Description of important functions or features
- Business risks associated with each function and feature
Include links to published documentation related to the asset. You can upload documentation, diagrams, and more in various file formats under Attachments.
The following sections detail additional needs for different kinds of assets:
Web, API, Mobile
Web, API, and Mobile assets frequently include user roles in different categories such as:
- Administrator
- Service user
- Regular user
Each of these roles typically have different sets of rights, privileges, or permissions. We can verify whether such roles are appropriately limited.
For web assets, define the application type. For example, some web assets may be a:
- Page-driven website
- Single-page application
Web and API assets frequently include dedicated reference documentation. For example, RESTful API assets frequently include OpenAPI-based documents that describe the properties associated with each endpoint.
Web Asset Description
Help us find the right pentesters for your asset. Include a high-level overview of the application. Add details such as:
- Coding Language.
- Functions or features central to the capability of your asset.
- Business risks associated with specific functions or features.
- Special endpoints associated with your dynamic pages.
- While our pentesters can find the API endpoints used by your web app with browser “Developer Tools,” let us know if you have special concerns with one or more endpoints.
Network Assets (External and Internal)
Our pentesters need network diagrams to know what to test on a network. If you’ve set up a jump box for our pentesters on your network, include the location in the diagram.
Add network information, including the IP address / hostname of the jump box.
Cloud Configuration Assets
Our pentesters need to know how you’ve set up and use your cloud assets. Even when your cloud assets stand alone, they may share features with other types of assets.
For example, if you have dedicated roles to maintain cloud assets, describe them as you would describe a web app asset.
Make sure to include the:
- Cloud provider
- Service
- Unique users / roles
- Applicable network / architecture diagrams
Attachments
To share more about your assets, you can upload the documentation of your choice under Attachment(s). Our app limits uploads to 100 MB.
Tip
You can add a video walk-through of your asset as an attachment. This will give pentesters more context about the asset they need to test.Screen recording instructions vary depending on your device and operating system. As an example, read how to record the screen on your Mac.
If you’d like to upload files in a different format, you can try to:
- Compress or archive the files into one of the noted formats.
- For example, you can use a “Zip” tool built for your operating system to save your file with a .zip file extension.
- Contact your Customer Success Manager (CSM) or support@cobalt.io for guidance.
For complex assets, we encourage spreadsheets. The UI includes links to the following templates:
- Workflow/Priority Target
- User role matrix
We’ve included suggested data in the downloadable Excel (.xlsx) files. We encourage you to replace this information with other data, and upload it with any other documentation for your asset.
Now you can start setting up a pentest.