If you’re building a new app, readying a new update, or otherwise changing code, it’s important to pentest that web property. But at what stage of development should you start pentesting? Deciding when to pentest can be as important as deciding how to pentest. If you start pentesting too soon, you’ll either pay for multiple additional pentests before going live or miss critical vulnerabilities that are introduced later in development. At the same time, testing sooner means developers can resolve issues early and build on a secure foundation. And once the application is released, how often should you pentest?

Some of these questions depend on your organization’s industry and risk profile; others can be answered more generally.

Should You Pentest During Development? 

The simple answer is “yes”, but you might not have the budget or means to do so. Understanding vulnerabilities during development matters: “Secure by Design” is a growing and important trend, and you need to know how and when to test and assess vulnerabilities in code. Starting too soon means spending a considerable amount of money on testing and retesting; starting too late means potentially releasing a critically flawed product.

Pentesting during development means developers can actually fix and resolve issues in the code, rather than shipping a patch or waiting for the next major software or app update. Because patches are often complex and expensive to develop and rarely solve a problem as cleanly as fixing it during development, finding vulnerabilities early can save money over waiting until the product is live.

When to Pentest During Development 

Most developers are familiar with quality gating and early validation. The same concepts apply to pentesting and to checking for security errors during development.

Quality gating is the practice of testing code at key stages to ensure it meets quality standards. Developers use it for bugs and, increasingly, for security. If you set key points at which code is tested, you know when to check for issues and how to validate it. Because quality gating is usually automated, you will want to integrate scanners (dependency, static and dynamic analysis) at each stage to check for well-known vulnerabilities and misconfigurations. The results won’t be perfect, but you’ll catch far more than you would with no testing at all.

You also want to make sure that human pentesting is undertaken before you go live, before major updates are released, and whenever critical or large-scale changes are pushed to the application. A thorough human pentest finds the vulnerabilities that automated tools miss before code goes live, and it is necessary for most compliance requirements and for any pentest against an OWASP ASVS level. This can prevent major security issues, like the one Dutch company Afspraakloket suffered when it went live and subsequently leaked social security numbers and private emails for thousands of users.

Conducting a pentest before going live means the code is as ready as it’s going to get, but you still have time to make direct changes to resolve issues. That is valuable in the long run, because it can save hundreds of hours of work over writing and launching patches, while also preserving the reputation and customer trust you would lose if a vulnerability were found after launch.

Most companies divide development into “design”, “build”, “deploy”, and “operate” stages. If you don’t use these titles, you likely use something similar.

Design – Review basic security requirements and integrate security into the design. Make sure security is part of code review.

Build – Build and test automation has likely begun and you’re already checking code at gates. Add security checks to this phase, using scanners where applicable. If your budget allows, whitebox (source-assisted) testing may fit here.

Deploy – Code is ready to launch and may be on test or staging servers. Run a greybox or blackbox pentest before introducing customers to the environment.

Operate – This stage covers ongoing operation, updates, and maintenance. Pentest periodically to check for new issues, and pentest each time you make major changes to the code.
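To make the quality-gating idea and the per-stage schedule above concrete, here is an added illustration (written for this page; it is not Cyver’s code and not part of the original article) of a stage-aware security gate that a CI pipeline could call after the scanners run. The report format, the per-stage severity thresholds, the `major_change` and `human_pentest_completed` flags, and the sample findings are all assumptions constructed for the example; real scanners emit their own formats (for example SARIF), which you would map into this shape.

```python
"""Stage-aware security quality gate (added example, not Cyver's own tooling).

Assumed (constructed) report shape, not any real scanner's output:
  {"findings": [{"id": "...", "severity": "low|medium|high|critical", "source": "..."}],
   "human_pentest_completed": bool, "major_change": bool}
"""
import json
from dataclasses import dataclass, field

# Severity ordering used for threshold comparisons (illustrative scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class GatePolicy:
    stage: str
    block_at: str                      # lowest severity that blocks this gate
    needs_human_pentest: bool = False  # gate also requires a completed manual test


# Illustrative per-stage thresholds (an assumption, not an industry standard):
# build blocks on automated high/critical findings, deploy is stricter and also
# demands a human pentest, operate re-applies the build threshold on each run.
POLICIES = {
    "build":   GatePolicy("build", block_at="high"),
    "deploy":  GatePolicy("deploy", block_at="medium", needs_human_pentest=True),
    "operate": GatePolicy("operate", block_at="high"),
}


@dataclass
class GateResult:
    stage: str
    passed: bool
    blocking: list = field(default_factory=list)  # finding ids that failed the gate
    reasons: list = field(default_factory=list)   # human-readable explanations


def evaluate_gate(report_json, stage, accepted_risk_ids=()):
    """Decide whether the pipeline may proceed past `stage`.

    Findings whose id is in `accepted_risk_ids` are skipped (documented risk
    acceptance). Unknown severities fail closed. In the operate stage a report
    flagged `major_change` also requires a completed human pentest, matching
    the advice to pentest again after major changes.
    """
    policy = POLICIES[stage]
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[policy.block_at]
    result = GateResult(stage=stage, passed=True)

    for finding in report.get("findings", []):
        fid = finding.get("id", "<no-id>")
        if fid in accepted_risk_ids:
            continue
        sev = str(finding.get("severity", "")).lower()
        rank = SEVERITY_RANK.get(sev)
        if rank is None:
            result.blocking.append(fid)
            result.reasons.append(f"{fid}: unknown severity {sev!r}, failing closed")
        elif rank >= threshold:
            result.blocking.append(fid)
            result.reasons.append(f"{fid}: {sev} is at or above {policy.block_at}")

    needs_pentest = policy.needs_human_pentest or (
        stage == "operate" and bool(report.get("major_change", False))
    )
    if needs_pentest and not report.get("human_pentest_completed", False):
        result.reasons.append("human pentest not completed for this release")
        result.passed = False

    if result.blocking:
        result.passed = False
    return result


# Constructed sample reports (not real scanner or pentest output).
BUILD_REPORT = json.dumps({"findings": [
    {"id": "SCA-0001", "severity": "medium", "source": "sca"},
    {"id": "SAST-0042", "severity": "high", "source": "sast"},
]})
DEPLOY_REPORT = json.dumps({"human_pentest_completed": True, "findings": [
    {"id": "SCA-0001", "severity": "medium", "source": "sca"},
    {"id": "PT-0007", "severity": "low", "source": "manual"},
]})
OPERATE_REPORT = json.dumps({"major_change": True, "human_pentest_completed": False,
                             "findings": [{"id": "DAST-0003", "severity": "ERROR"}]})

if __name__ == "__main__":
    for stage, report in (("build", BUILD_REPORT), ("deploy", DEPLOY_REPORT),
                          ("operate", OPERATE_REPORT)):
        res = evaluate_gate(report, stage)
        print(f"{stage:7s} {'PASS' if res.passed else 'FAIL'} {res.reasons}")
```

Two design choices are worth copying even if you use different thresholds: the gate fails closed on a severity it does not recognise (a scanner upgrade that renames its levels should stop the pipeline, not silently wave findings through), and risk acceptance is an explicit, per-finding allow-list passed to the gate rather than a threshold loosened for everyone.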

Other Factors to Consider when Pentesting 

The larger and more exposed your application, the more important it is to pentest often and well. Pentest-as-a-Service means building pentesting directly into agile development cycles, so developers can take security into their own hands. For example, with Cyver, developers receive pentest credits as part of the budget. When they feel the code is ready for testing, they schedule the pentest, have the new code tested, and make changes based on feedback from the pentesters.

Want to learn more? Contact us, or visit our pricing page to find out how much it would cost to put pentesting in the hands of your developers.