The classic mode of software penetration testing was well adapted to the waterfall model. You used to build large releases, and did a penetration test to discover and remedy security issues before those releases.
Odds are, you are no longer developing software that way. You are using an incremental, feature-focused development methodology like Agile. You are adding features to answer customer demands at the speed of business, and making new releases every few weeks. If you use two-week sprints, you release 12 or 13 versions every six months, or 24 to 26 every year. Testing every six months or every year means a lot of untested versions that may put customers, and your reputation, at risk. It’s time for a new model of penetration testing designed to keep up with that pace: continuous penetration testing.
Here are five key facts to know about continuous penetration testing: what makes it different, how it works, what it costs in development time, what the benefits are, and how to get started.
1. How does continuous penetration testing differ from traditional application penetration testing?
Continuous penetration testing starts from the same place as traditional application testing: a comprehensive assessment of the application. Unlike a traditional test, it does not stop there and wait for the next top-to-bottom test. Instead, that assessment forms a baseline.
Then, as you develop each feature, the new features and altered code are penetration tested as part of the process, and you can remediate them before each new version goes live. You can identify and remediate vulnerabilities as part of each sprint. This means you can put more secure software in your customers’ hands, version after version.
2. How does continuous penetration testing typically work?
The specific time frames and plans for continuous penetration testing depend on how your business structures its software development. It is real penetration testing tailored to your development methodology, risk profile, and security priorities.
The project is led by a Technical Program Manager (TPM) with strong knowledge of both security and your team’s development program. Continuous communication between the TPM and your team means penetration testing can be tailored to the security needs at every stage of the project, based on feature updates made during each sprint.
An engagement starts with a traditional penetration test of the entire product, to gather a strong security baseline. Once the baseline is established, your team and the TPM establish timelines for when to test during each sprint. This includes tailoring the depth of testing to the features developed during those sprints and the security implications of those features. Some changes require a simpler review. Others require a more detailed audit, and the most complex new changes require a full-fledged security assessment.
Think of it like a Formula 1 pit crew. At each pit stop, the team determines the sections of the car that need to be worked on at the time, and brings forth the members of the crew who specialize in those repairs. It is an iterative process, with different maintenance and different experts required each time depending on the needs of the car. Continuous penetration testing works similarly, with the TPM and your product manager as the leaders of the pit crew, and skilled staff ready to perform testing as necessary to keep your product in peak condition through each sprint.
3. Does continuous penetration testing slow down development?
When done right, continuous penetration testing does not slow down development. Doing it right means the security experts performing the testing get to know your project, learn how your team functions, find out your security priorities, and establish communication channels with your development team. With these foundations in place, you can build a program that integrates seamlessly with your development process and makes it possible to release more secure software on time and on budget.
4. How will my business benefit from continuous penetration testing?
Continuous penetration testing leads to better software development. With more frequent testing and remediation, developers become more aware of secure development practices and are better prepared to incorporate them into their work.
It gives you a clearer view of your business risk, since you find out and address the exposure each new feature adds as it is added, instead of having to catch up during more widely spaced security assessments.
It also builds client trust. With supply chain attacks leading more companies to ask about their vendors’ security practices, adopting a continuous model provides the necessary proof that every version of your software that reaches their hands has been thoroughly assessed.
5. How can I get started with continuous penetration testing?
Starting a continuous penetration testing program does not require a massive new hiring initiative. This is true even though most companies, even some large enterprises, do not have all of the security, development, and product management expertise on staff to begin an effective program. Working with an experienced and trusted partner can get you started faster and more cost-effectively than hiring your own team.
When choosing a partner, make sure to ask the right questions about how they execute continuous penetration testing. Those include:
- What is the size of their team, and what aspects of product security are those team members skilled in?
- What industries does their team have experience with?
- What are their project management and communication protocols?
- What is their resource turnaround time?
- How do they define their security prioritization during sprints?
- When planning the effort for each iteration of testing, how do they maintain a balance between automated and manual testing?
Finding these out from the beginning ensures that you choose a partner who fits your needs, and lets you build a more fruitful relationship as you start and sustain your program.
Why Security Compass Advisory?
Security Compass Advisory has over fifteen years of software security experience. Our collaborative approach sets us apart, giving us proven experience working as an extension of clients’ security teams. We have worked with software development teams across a broad range of industries, and even have the size and experience to keep a large, growing enterprise’s continuous penetration testing program running on time and on budget.
Learn more about how agile penetration testing can help you develop more secure software at the speed of business by reading our free agile penetration testing eBook.