Bringing secure software at the speed of Agile
The client is a well-funded startup that has, since its founding in 2015, become a leading provider of online proofing software for marketing firms and departments.
The company wanted to give its clients confidence that their online proofing software, a system for saving, internally sharing, and proofing marketing content, was as secure as possible.
The company develops its large flagship application using an Agile methodology, adding and updating features in two-week sprints. They already knew that a monolithic yearly penetration testing schedule did not provide frequent enough visibility into the security of their application, given how often new code went into production. They understood the security value of true manual penetration testing performed by experts, and already worked with Security Compass Advisory to test the application quarterly.
However, as the company grew, they faced new challenges. With features being released every two weeks, it was important to them and their prospective clients to shrink the risk window by testing even more frequently. They also wanted to align their penetration testing more closely with their roadmap and their Agile development processes, which would in turn reduce the time to remediation and allow retesting as needed.
At this point, they also considered whether they should bring their testing in-house or continue working with a security partner with specific resources and expertise. The idea of hiring internally posed challenges, since searching for and hiring someone with agile software development experience, cybersecurity expertise, and domain knowledge would be both difficult and expensive.
To keep regularly providing their customers with new features and product innovations, the company chose to continue working with Security Compass Advisory. The Advisory team has software security experts they already knew and trusted, and who had already gotten to know their software during the quarterly penetration testing. We discussed their needs in detail and, based on the scope of their flagship application, the Agile methodologies they use to develop it, and their plans for continuing growth, made the strategic decision to shift from a quarterly penetration testing engagement to a continuous penetration testing framework.
A Security Compass Technical Program Manager (TPM) and a Senior Security Consultant on the Advisory team work closely with the client's team to align the continuous penetration testing program with their development process. Under the quarterly program, software security testing focused more on the application as a whole. With the continuous program, penetration testing now shares Agile's focus on features. From roadmapping through development, Advisory works strategically to identify and track specific features that need testing, and to target upcoming new features that will have security impact. This program boosts confidence that they are delivering the most secure, feature-rich product possible.
The change to a continuous program has brought several security and operations benefits:
Alignment with Agile Processes: Instead of gearing up for quarterly penetration tests, we meet regularly for roadmap planning. During the meetings, we discuss their requirements, the current roadmap, and the features planned for rollout over the coming months. Then we work together on a testing plan.
Reduced Window of Risk: With new features released at the tempo of two-week sprints, continuous testing ensures that new features with security implications are penetration-tested manually by experienced security experts far sooner than before, supporting rapid and more secure growth.
Comprehensive Tracking Dashboard: In addition to traditional penetration testing reporting, we implemented a dashboard to track findings and remediation. This provides the information needed to accurately determine the current security state, prioritize remediation activities, and answer clients’ security-related requirements.
Access to Software Security Experts: The continuous penetration testing plan provides access to a dedicated TPM and a Senior Security Consultant. This saves the time and cost of hiring internal security staff and gives the flexibility of working with a security partner, while still having on-demand access to DevSecOps experts who have an ongoing familiarity with their product and their own implementation of Agile methodologies.
To learn more about Security Compass Advisory and our penetration testing offerings, visit us at: Enterprise Penetration Testing.