During my career as a product manager, I have worked with companies as they have implemented and used Agile methodologies to develop and release software. It offers businesses a world of new options for more nimble software development, and helps keep customers more satisfied since the features they need often do not have to wait for a ground-up redesign anymore. But for a lot of companies using Agile, their security program has yet to catch up.
Traditional penetration testing mirrors the schedule of waterfall software development. Releases are monolithic, and security testing happens before these releases, and then once a year during the life of the software. This process may fit if you still use the waterfall method, but it falls short if you use Agile or other continuous development methodologies.
In Agile, production software changes far more frequently. Consider traditional two-week sprints. You are releasing 26 versions of your software each year, meaning a yearly schedule leaves 25 of those versions untested. What if one of those untested releases contains a security issue? At best, you and your customers may have to deal with the headache of a critical update. At worst, you may have to deal with a widespread security breach.
You’re thinking about development in a new way. It’s time to think about penetration testing in a new way.
Continuous penetration testing
Agile methodologies allow development teams to build and release software in a more nimble, integral fashion. Shouldn’t penetration testing work the same way?
When you build new features into software, you always have to ask what risk the updates to the code are adding. Continuous penetration testing is a programmatic way to make asking and answering those questions part of the Agile development process. Just as features are added or updated continuously during sprints, continuous penetration testing can make sure that the security of those new features is tested just as frequently.
The beginning of a continuous penetration testing program looks much like a traditional penetration test: a comprehensive assessment of the existing application. This establishes a security baseline. However, continuous penetration testing does not stop there. It integrates into your development processes. And that requires listening and learning. How do you implement Agile methodologies? What is your roadmap? What are the security-critical features on your development roadmap? Based on those answers, a security product manager can work with your product manager to plan out the right timeline and smoothly integrate testing procedures.
The result will be a program that brings you more confidence about the security of every software release, helps developers become more aware of security concerns throughout the development process, and saves you the time and expense of having to remediate long-standing problems that would have only been identified up to a year later in a traditional penetration test.
Business advantages of continuous penetration testing
The technical advantages of continuous penetration testing in an Agile environment are clear, since it fits in so much better with the actual development lifecycle. But there are also business advantages to adopting continuous penetration testing.
Consider the question of risk. When adding new code to your application, you need to know what risks you are introducing. What data might be exposed by these new functions? What guidelines or regulations have become relevant based on things your developers have added to the software? These questions can arise just as quickly as the code changes. With continuous penetration testing as part of an Agile workflow, you can ensure that you are assessing and addressing these risks on an ongoing basis, not just once per year.
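As an added illustration (not code from the original article or from Security Compass Advisory), the following script shows one way to make the per-sprint questions above a routine step rather than a yearly event: each change ticket is tagged with the application areas it touches, a constructed map records what data and which rules apply to each area, and the assessment for a sprint reports the exposed data, the relevant regulations, and whether the release should be scoped into the continuous penetration test before it ships. The area map, ticket ids and rule names are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed example map: which data each application area handles and which
# external requirements apply. A real program would maintain this with the
# security product manager as part of roadmap planning (assumption).
SECURITY_CRITICAL_AREAS = {
    "auth": {"data": {"credentials", "session tokens"}, "rules": {"OWASP ASVS V2 (authentication)"}},
    "payments": {"data": {"card numbers"}, "rules": {"PCI DSS"}},
    "profile": {"data": {"personal data"}, "rules": {"GDPR"}},
    "reports": {"data": set(), "rules": set()},  # internal-only, non-sensitive
}


@dataclass
class Change:
    """One sprint ticket: the areas it touches and whether it adds a new
    externally reachable input (new endpoint, form, file upload, ...)."""
    ticket: str
    areas: set
    new_external_input: bool = False


@dataclass
class SprintAssessment:
    sprint: str
    exposed_data: set = field(default_factory=set)
    relevant_rules: set = field(default_factory=set)
    reasons: list = field(default_factory=list)

    @property
    def test_required(self) -> bool:
        # Any sensitive data touched or any new attack surface means the
        # release goes into the continuous pentest scope before shipping.
        return bool(self.reasons)


def assess_sprint(sprint: str, changes: list) -> SprintAssessment:
    """Answer, per sprint, the questions the article raises: what data might
    these changes expose, which rules now apply, and should we test now?"""
    result = SprintAssessment(sprint=sprint)
    for change in changes:
        for area in change.areas:
            info = SECURITY_CRITICAL_AREAS.get(area)
            if info is None:
                # Unknown area: flag it rather than silently assume it is safe.
                result.reasons.append(f"{change.ticket}: unmapped area '{area}'")
                continue
            if info["data"]:
                result.exposed_data |= info["data"]
                result.relevant_rules |= info["rules"]
                result.reasons.append(
                    f"{change.ticket}: touches {area} ({', '.join(sorted(info['data']))})"
                )
        if change.new_external_input:
            result.reasons.append(f"{change.ticket}: adds new externally reachable input")
    return result


def format_assessment(a: SprintAssessment) -> str:
    """Plain-text summary suitable for a sprint review or release checklist."""
    verdict = "PENTEST BEFORE RELEASE" if a.test_required else "no security testing trigger"
    lines = [f"{a.sprint}: {verdict}"]
    if a.exposed_data:
        lines.append("  data in scope: " + ", ".join(sorted(a.exposed_data)))
    if a.relevant_rules:
        lines.append("  relevant rules: " + ", ".join(sorted(a.relevant_rules)))
    for reason in a.reasons:
        lines.append("  - " + reason)
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample sprint: one auth change with a new endpoint, one report tweak.
    sprint_7 = [
        Change("APP-101", {"auth"}, new_external_input=True),
        Change("APP-102", {"reports"}),
    ]
    print(format_assessment(assess_sprint("Sprint 7", sprint_7)))
    print(format_assessment(assess_sprint("Sprint 8", [Change("APP-103", {"reports"})])))
```

Run per sprint, the output feeds the scoping conversation between the security product manager and the development team: sprints that only touch non-sensitive areas can pass with the baseline coverage, while anything touching credentials, card data or personal data, or adding new external input, is tested in that sprint rather than months later.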
You may have questions about whether continuous penetration testing will disrupt your business. Easy answer: it doesn’t have to with the right partner working closely with you and your team. A product manager with experience in application security will lead the engagement. Their team will listen closely, learn about your development processes, and build penetration testing in a way that integrates smoothly with your processes and your release schedule.
Continuous penetration testing is also cost-effective. Your business will spend less time and money remediating software vulnerabilities and responding to security incidents if you bring in the right expertise to identify and address critical issues before releasing software.
Why Security Compass Advisory
Every business implements Agile differently. When choosing a partner for continuous penetration testing, you need to consider not only their software security expertise, but also their approach to working with clients. You need a partner who not only has industry-leading technical knowledge, but also a track record of listening to and collaborating with clients. After all, continuous penetration testing is more than a once-yearly engagement. It’s an ongoing part of your security program.
For fifteen years and counting, Security Compass Advisory has worked with developers to help secure software. Our deep bench of security consultants not only has the technical ability to provide industry-leading penetration testing services, but also understands software development and Agile methodology. Security Compass Advisory has a collaborative approach that sets it apart from other companies in the penetration testing space. Since listening to business goals and working with a company’s specific implementation of Agile is so crucial to successful continuous penetration testing, this approach makes us a natural fit.
Agile methodologies have revolutionized the process of software development. If you are ready to reduce your software security risks at the speed of Agile, Security Compass Advisory is here to help you design and implement a continuous penetration testing program that fits your business. When you are ready to learn more, we are ready to have the conversation. Get in touch with our team.