Agile penetration “pen” testing is a continuous security assessment approach that allows companies to speed up secure software delivery to their customers.
Traditionally, penetration tests occur on an infrequent, “point in time” basis within the scope of a product release cycle or based on compliance mandates. This approach may fit if you still use the waterfall method, but it falls short if you use agile or other continuous development methodologies.
Unlike traditional pen testing(which tends to slow down product teams), when properly integrated within the SDLC, agile penetration testing can keep pace with your release schedule. The result: saving your business the time and expense of having to remediate long-standing problems that could have been identified much earlier in the process.
Agile pen testing is a programmatic way to unearth and remediate potential risks in an application within the existing timelines and schedules of product releases. Just as features are added or updated constantly during sprints, continuous penetration testing can make sure that the security of those new features are being tested just as frequently.
Many product teams have adopted agile software development methodologies but have not integrated pen testing into the agile process. For most, penetration testing remains a standalone process performed alongside other annual assessments. Our agile pen testing programs integrate into your product team’s software development lifecycle to reduce the timespan between code changes and security assessments, so code is not released to production with unknown risks.
The program is designed based on strong fundamentals in program planning and onboarding with teams to ensure minimal disruption to current engineering processes. Kroll’s dedicated program team aims to build institutional knowledge by providing continuity, expertise and support for making technical decisions with security in mind.
A view into a standard deployment of the agile penetration testing program:
In contrast to the usual method of conducting a security assessment by means of a pen test near the end of the release cycle, Kroll’s developer-centric security consultants engage with product engineering and project management teams to identify and remediate security vulnerabilities throughout the entire product release cycle.
This agile approach helps ensure that every product release, be it a minor bug fix or a major feature release, has been vetted from a security perspective. The solution model covers the following:
Onboarding and Program Development | Management | Tracking and Reporting |
---|---|---|
Key activities include:
| Throughout the program, each test is carefully considered:
| Efforts can tracked via a variety of reports and adjusted for key stakeholders:
|
Kroll’s ultra-flexible Cyber Risk Retainer can package your agile pen testing needs along with a variety of services like risk assessments, tabletops and red team exercises and more. With the retainer, clients also gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.
Comprehensive Related Services
All these services can also be available as part of the Kroll Cyber Risk retainer:
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Kroll’s certified pen testers find vulnerabilities in your APIs that scanners simply can’t identify. Protect your business and keep sensitive data secure by leveraging our knowledge and experience in testing modern API infrastructures.
Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.
Assess the design, configuration and implementation of your web apps for critical vulnerabilities. Kroll’s scalable pen testing services consider the business case and logic of your apps, providing more coverage and an optimized program based on risk.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
by Andrew Rathbun, Eric Zimmerman
by David White
by George Glass
by Dave Truman
St Stephen's Green Residents Club's Inaugural Event