Agile Pentesting for Resolving Vulnerabilities in Sprints — Cyver

Cyver_io, published in Cyver Blog, Mar 23, 2021

Most organizations already use Agile development. But, despite frameworks like the Secure Development Lifecycle, many Agile teams still struggle to fit regular pentesting into sprints. Traditional pentest delivery, a single large report at the end of an engagement, doesn't integrate well with quickly pushing backlog items into sprints. And Agile sprints don't lend themselves to the predictability that scheduled pentests need.

Cyver addresses both problems, helping you integrate cybersecurity into Agile development. Our Pentest-as-a-Service solution means pentests are managed in the cloud, can be scheduled, and directly involve stakeholders and developers. This lets you implement Agile pentesting, where developers move findings straight into the backlog and begin remediation in the next sprint.

When to Start Pentesting?

There are two ways to pentest during development. The first is continuous secure code review, where a security firm reviews code as it is written. Feedback arrives immediately and is incorporated while the code is still fresh, which catches most implementation flaws early, although no review process can guarantee fully secure code. This approach can be extremely expensive. While it is a must-have for high-risk industries like banking, it may be out of budget for the average web application or SaaS product.

The second option is to integrate incremental tests into your Agile sprints. Here, you build testing and code review into the development process at Agile intervals, when it makes sense. Some security flaws may remain in the base code between tests. However, you get multiple rounds of testing and code review at the points where testing offers the most value for the money.

Here, many organizations divide testing into automated scans and manual pentesting and code review:

Regular automated scans of the build environment are always worthwhile. Starting during the first sprint rarely pays off, but once you have a usable product, scanning is essential. From that first scan, you can prioritize resolving flagged issues as part of upcoming sprints, before they reach production. Designing vulnerability scanning into your sprints ultimately reduces the cost of later tests and debugging.
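As an added example that is not part of the original post or Cyver's tooling, the following Python script shows one way to wire the scan-to-backlog loop described above: it reads a scanner's SARIF output, fails the build when any finding meets a severity threshold, and reconciles the run with the tickets already open so that known issues are not filed twice and fixed ones are queued for retest rather than silently closed. The SARIF document and the ticket table are hand-written sample data; the `security-severity` rule property, the CVSS-style severity buckets and the fingerprint scheme are assumptions about how a given scanner reports its results.

```python
"""Gate a build on scanner findings and reconcile them with backlog tickets.
Constructed example: the SARIF and ticket data are hand-written; thresholds are assumptions."""
import hashlib
import json
from dataclasses import dataclass

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed SARIF 2.1.0 document standing in for one scanner run. The
# "security-severity" rule property is the GitHub code-scanning convention for a 0-10 score.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": i, "shortDescription": {"text": t}, "properties": {"security-severity": s}}
        for i, t, s in [("sqli", "SQL injection", "9.8"), ("xss", "Reflected XSS", "6.1"),
                        ("weak-hash", "Weak password hash", "3.7")]]}},
    "results": [
        {"ruleId": "sqli", "level": "error",
         "message": {"text": "User input concatenated into SQL query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "xss", "level": "warning",
         "message": {"text": "Unescaped parameter rendered in template"},
         "partialFingerprints": {"primaryLocationLineHash": "7f3a9c01"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                             "region": {"startLine": 88}}}]},
        {"ruleId": "weak-hash", "level": "note",
         "message": {"text": "MD5 used to hash a password"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                             "region": {"startLine": 17}}}]}]}]})

# Constructed backlog, fingerprint -> ticket id: "7f3a9c01" is the XSS above,
# ticketed by an earlier scan; "c0ffee42" was fixed and no longer appears.
OPEN_TICKETS = {"7f3a9c01": "SEC-101", "c0ffee42": "SEC-099"}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    title: str
    uri: str
    line: int
    severity: str
    fingerprint: str


def severity_from_score(score: float) -> str:
    """Map a 0-10 score to the CVSS v3 qualitative scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def parse_sarif(text: str) -> list:
    """Flatten SARIF results into Findings with a stable fingerprint."""
    findings = []
    for run in json.loads(text)["runs"]:
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            score = float(rule.get("properties", {}).get("security-severity", 0))
            loc = res["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            # Prefer the scanner's own fingerprint; otherwise hash rule, file and message,
            # leaving out the line number so edits above the finding do not "create" a new one.
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            if fp is None:
                raw = f"{res['ruleId']}|{uri}|{res['message']['text']}".encode()
                fp = hashlib.sha256(raw).hexdigest()[:16]
            findings.append(Finding(
                res["ruleId"], rule.get("shortDescription", {}).get("text", res["ruleId"]),
                uri, loc.get("region", {}).get("startLine", 0),
                severity_from_score(score), fp))
    return findings


def gate(findings, block_at: str = "high"):
    """Return (passed, blocking): the build fails if any finding is at or above
    `block_at`, so the fix lands before the release rather than after it."""
    threshold = SEVERITY_ORDER.index(block_at)
    blocking = [f for f in findings if SEVERITY_ORDER.index(f.severity) >= threshold]
    return (not blocking), blocking


def sync_backlog(open_tickets: dict, findings):
    """Reconcile a scan with open tickets keyed by fingerprint. Returns
    (new, still_open, resolved): new findings need tickets, highest severity
    first; tickets whose finding is gone are resolved pending retest, not closed."""
    seen = {f.fingerprint: f for f in findings}
    new = sorted((f for fp, f in seen.items() if fp not in open_tickets),
                 key=lambda f: SEVERITY_ORDER.index(f.severity), reverse=True)
    still_open = [fp for fp in open_tickets if fp in seen]
    resolved = [fp for fp in open_tickets if fp not in seen]
    return new, still_open, resolved
```

Run `gate(parse_sarif(SAMPLE_SARIF))` as the last step of the CI job and exit non-zero when it returns `False`; the `new` list from `sync_backlog` is what gets filed into the sprint backlog, and the `resolved` list is what the retest should verify before the tickets are closed.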

Once the software is ready to move to a production environment, a pentest helps you identify the deeper vulnerabilities that scanners miss. Here, a full manual pentest and code review, typically to OWASP ASVS Level 2 or higher, is needed for most software. Run the first pentest before releasing to production.

  • Catching vulnerabilities before release reduces remediation costs by up to 30x
  • A NIST report shows that 85% of all vulnerabilities are introduced during initial development
  • OWASP guidance shows that automated scanning alone isn't enough; you also need manual testing

Implementing Continuous Pentesting

Continuous pentesting means running regular, scheduled pentests as standard practice. Integrating security into Agile development means running pentests over the long term, so you understand your full security posture over time. To reduce costs, we recommend combining two kinds of test.

  • Planned Tests — Regularly scheduled pentests assess the full scope of your environment to establish a security baseline. They require complete network, asset, and IP scoping, a consultation with your team, and significant investment and custom tooling to test your assets thoroughly. Planned tests should be conducted at least once a year; for software assets handling financial or private data, we recommend at least twice a year. These tests normally align with compliance frameworks such as ISO/IEC 27002 and COBIT 5.
  • Incremental Tests — Incremental pentests cover new software, features, and security changes without retesting the full application. This reduces the time and cost of each pentest while keeping a mostly complete picture of your security posture. Developers receive findings quickly and can work them into the next sprint for resolution. With Cyver's credit system, development teams decide when incremental testing takes place: finance budgets for cybersecurity in advance, and development spends credits to schedule pentests when features and updates are ready.
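As an added example, not Cyver's own code or process, the following Python script turns the two cadences above into a concrete plan: it maps the files changed since the last engagement (the kind of list `git diff --name-only` produces) onto components to scope an incremental test, and separately flags components that are due for a planned full test, twice a year for those handling financial or private data and yearly otherwise. The component inventory, the dates and the changed-file list are constructed sample data, and the path-prefix mapping and the 182/365-day intervals are assumptions.

```python
"""Scope an incremental pentest from what changed and flag assets due for a planned test.
Constructed example: inventory, dates and changed paths are hand-written sample data."""
from datetime import date, timedelta

# Constructed inventory: path prefix -> component, data sensitivity, last full test.
COMPONENTS = {
    "api/payments/": {"name": "payments-api", "sensitive": True,
                      "last_full_test": date(2020, 6, 1)},
    "api/auth/": {"name": "auth-service", "sensitive": True,
                  "last_full_test": date(2021, 1, 15)},
    "web/": {"name": "frontend", "sensitive": False,
             "last_full_test": date(2020, 9, 1)},
}

# Constructed stand-in for `git diff --name-only <last-pentest-tag>..HEAD`.
CHANGED_PATHS = [
    "api/payments/refund.py",
    "api/payments/models.py",
    "web/src/checkout.js",
    "README.md",
]


def full_test_interval(sensitive: bool) -> timedelta:
    """Planned full-scope tests: twice a year for financial/private data, else yearly."""
    return timedelta(days=182) if sensitive else timedelta(days=365)


def component_for(path: str, components=COMPONENTS):
    """Return the component owning `path`, or None if it is not in the inventory."""
    matches = [p for p in components if path.startswith(p)]
    # Longest prefix wins so a nested component is not attributed to its parent.
    return components[max(matches, key=len)] if matches else None


def plan_tests(changed_paths, today: date, components=COMPONENTS) -> dict:
    """Split the work into a planned full test (overdue components) and an
    incremental test limited to components that changed but are not overdue."""
    full_due = sorted(
        c["name"] for c in components.values()
        if c["last_full_test"] + full_test_interval(c["sensitive"]) < today
    )
    changed, unmapped = set(), []
    for path in changed_paths:
        comp = component_for(path, components)
        if comp is None:
            unmapped.append(path)  # outside the inventory: triage it, do not ignore it
        else:
            changed.add(comp["name"])
    incremental = sorted(changed - set(full_due))
    return {"full_due": full_due, "incremental": incremental, "unmapped": unmapped}
```

Anything that lands in `unmapped` is a gap in the asset inventory, which is exactly the kind of asset a planned full-scope test is meant to catch; fix the inventory rather than letting those paths drop out of scope.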

Pentest Deliverables in the Cloud

You can integrate pentesting into Agile development without a cloud portal and threat dashboard. However, it is difficult to do so without a way to give developers control of pentests, full oversight of the process, and findings delivered as tickets. Cyver delivers Pentest-as-a-Service complete with a secure online portal. You give stakeholders (developers, security, IT, finance) access and roles in the portal, and they automatically receive updates.

How does it work? We plan, schedule, and deliver pentests in our secure online portal. Findings are uploaded as tickets, allowing developers to react quickly and plan the work immediately. We also offer free retesting, so every fix is verified. When the engagement is complete, you receive a full report, which you can view in the cloud or download and print.

Cybersecurity threats are always on the rise, and staying on top of them is costly and time consuming. Building pentesting into your Agile process helps, while reducing costs and total attack surface and creating a culture of proactive fixes and mitigation. If you're curious, visit How it Works to learn more.

Originally published at https://cyver.io on March 23, 2021.

Cyver is a cybersecurity firm delivering pentest-as-a-service in the cloud.