Today, most organizations build software and most of them do so using Agile methodology, likely with DevOps or DevSecOps. Continuous development and rollout allow even the largest SaaS applications to seamlessly push updates, to meet customer needs, and to integrate usability into development. Increasingly, that also includes security. However, most DevOps and DevSecOps teams aren’t building security teams directly into their pipelines, they’re relying on pentesting and code review for security. Pentest-as-a-Service makes that possible, with recurring, scheduled pentests, built around critical updates, checkpoints, and releases.
At Cyver, we also take the critical next step of delivering pentest results, the vulnerability findings, via our cloud platform. Developers immediately receive access to findings and can roll them into the next sprint, allowing for seamless Agile methodology. Improving how we deliver findings makes our pentests better for DevSecOps, because you can immediately use data.
Planning Pentesting into Timelines
Many developers are resistant to code checks and pentests during development because they mean delays. That’s especially true if the product is almost finished. Pentesting the application before it moves into the production environment is crucial – but if your pentester finds bugs, it can slow down shipment and can result in weeks more work. The solution is to plan security checks and bug-fixes into timelines, because there will be vulnerabilities.
When to Pentest
Penetration testing works to identify vulnerabilities by acting the part of a malicious actor or “hacker”. This means that we attempt to compromise the system from a black hat (fully external) or grey hat (with knowledge of the system) perspective to identify flaws. This then allows you to mitigate those risks by resolving the vulnerability or working to prevent damage in case that exploit is abused. This means the application must be complete – if there’s not an application, you can’t test it. However, you can run code reviews well in advance of full pentesting.
Start with Code Review – While a very large company can afford to implement periodic pentesting at every code update, most should go for a lighter approach. For example, NIST shows that 85% of problems are implemented during the first coding phase. Running an early-stage code check could help you to catch a significant number of issues before basing other development on them – which the same study says will reduce cost-to-fix by over 30x.
Pentest Before Launch – It’s crucial to pentest the product before launch – hopefully with plenty of time in the development schedule for devs to remediate problems. Cyver facilitates this as much as possible, by delivering findings as tickets, which can be exported directly to Jira. Devs can communicate with the pentester to ask questions, to request more data, and to get a better idea of what they’re dealing with. And, once they mark it as remediated, we retest for free to ensure you’re secure and ready for launch.
Iterative Pentesting – DevOps means ongoing development, with new features, updates, and patches pushed on a continuous basis. Traditional pentesting on a yearly basis does not fill those gaps. Instead, we recommend testing on a scheduled basis, mapping cybersecurity checkpoints to large or critical updates, to new features, and to points corresponding with compliance requirements. That should be ongoing, based on budget and long-term vulnerability and threat environment.
Building a Full Security Environment in DevOps
Pentesting is just one piece of your larger security environment. Cyver delivers pentest-as-a-service, fitting regular and scheduled pentests and code review into your security environment. But, you also need other security measures:
Scanners – Scanners help you to fill the gaps, catch “low hanging fruit”, and mitigate easily exploitable issues between pentests. Scanners should be considered a base level of security because they’re always on. If an easily exploitable or machine-exploitable issue is pushed in a new update, you want to be aware of it, and immediately. SAST and possibly DAST are essential to your ongoing security.
Code Review – Good code review can prevent major vulnerabilities from ever moving into production. And, resolving issues in code is significantly faster and cheaper than waiting till those vulnerabilities are in the production environment. Code review is a necessity for any high-risk organization, especially if you have strict compliance requirements to meet. But, it’s only necessary for major new features and core updates.
Pentesting – Regular pentesting helps you to catch vulnerabilities that normally require human exploitation. Pentest-as-a-Service means that a pentester reviews the full environment in the scope of the pentest, looks for vulnerabilities, and assesses if existing vulnerabilities can be used to create new ones. With pentest-as-a-service, your pentest team looks at your application over time, allowing us to go deeper, to check if previous vulnerabilities have been re-created in updates, and to build stronger layers of security over time. If we know the site and what we’re working with, we can spend time doing more extensive pentesting – increasing your security with every pentest.
What Does Pentesting for DevSecOps Look Like?
Pentest-as-a-Service implements into Agile and DevOps, delivering benefits like faster remediation, better visibility, and lower costs than one-off pentests.
Integrate Your Team – Cyver onboards developers onto our cloud platform. Devs see updates for their features and modules as they’re added. Developers can also discuss findings with the pentester. And, with our credit system, finance can budget for pentesting throughout the year and put teams in full control of when and how security testing is carried out.
Findings-as-Tickets – Pentest reports are valuable and you need them for compliance, financial planning, and security overviews. But, they serve little value for Agile teams, which need to quickly access data and break vulnerabilities into work tickets. Cyver facilitates that by delivering individual findings as tickets, which can be exported to work management tools like Jira, or to other tooling via our API. That means no waiting to break down a pentest report, everything is already in tickets and relevant teams automatically receive notifications.
Vulnerability Management – Cyver’s platform offers vulnerability management, including a dashboard with metrics, threat analysis, and time-to-solve metrics. Plus, with integrated retesting, you always see when a vulnerability is fully remediated. That means dashboards function as a quick measure of application vulnerability. Over time, devs can work with pentesters to resolve the root of common vulnerabilities, so new code is more secure.
Eventually, secure development is a must for any application. Today’s cybersecurity risks are on the rise and they will keep going up. Shifting to DevSecOps or Secure By Design is an important part of delivering secure software and applications. For most organizations, that means partnering with external pentest providers, integrating scanners for SAST and DAST, and using code review to catch problems as early as possible. And, if you still need that security partner, Cyver is here to help. Visit our How it Works page to learn more about how we deliver Agile-friendly pentesting.