What is Agile Pentesting and Should You Integrate It into Cybersecurity

For many organizations, pentests are large-scale investigations into the cybersecurity of their assets, with scopes often encompassing every IP address and server they have. While that approach is important and often necessary, especially for routine compliance and meeting regulatory requirements, it doesn’t always make sense. 

For example, many organizations use Agile development, where you push new updates and features constantly. Continuous development, two-week sprints, and weekly or bi-weekly updates are more and more often the norm. That can make it extremely difficult for organizations to keep up with cybersecurity – because it’s too costly and time-consuming to pay for a full pentest each time you update and introduce new vulnerabilities into your code. 

Agile pentesting is one increasingly popular answer. 

What is Agile Pentesting 

Agile Pentesting uses smaller targets or scopes, allowing pentesters to check specific assets, updates, or features. Often, this is only possible after the full or comprehensive pentest has been completed and acted on. Then, when you introduce new changes, Agile pentesting allows you to test impacted areas of your application rather than the full application. 

For example: 

  • New release testing, where you pentest “just” the new release
  • Vulnerability testing where you look for a single vulnerability type, such as one OWASP Top 10 category to validate a fix (Cyver offers this for free within 30 days of your initial pentest)
  • Microservice testing, where you pentest microservices such as Kubernetes on your cloud or hosted network services

At Cyver Core, agile pentesting also includes options for code review, enabling you to get insight into improvements before code goes live. 

How to Use Agile Pentesting 

Agile pentesting is intended to supplement the more traditional and comprehensive approach to pentesting rather than to replace it. This means that you should use a full pentest as a baseline and then use Agile pentests to test targeted parts of your website or application throughout the year. That allows you to maximize cybersecurity while improving budget spending. 

In addition, by targeting pentests to specific assets, you can more easily share outcomes with specific effected teams. Cyver’s pentest portal also means you’ll receive vulnerability findings as tickets, which you can export to work management platforms like Jira. The combination means you can receive vulnerabilities relevant to specific teams and then very quickly move those into the backlog, so you can remediate and request a new Agile pentest to ensure those vulnerabilities have been remediated. 

  • Agile pentests should be mapped to development and release cycles 
  • Security teams can request data on specific vulnerabilities or assets, which they can them immediately work to harden 
  • Engineers assigned to remediate a specific issue, like Log4j, can request a pentest to determine which assets are affected by the issue

Essentially, if you want to focus your attention or a team’s attention on one thing, an Agile pentest is a great solution. Here, you’ll always want to follow up with full pentests, usually mapped to your compliance regulatory needs. However, with the smaller pentests in place to test your new features and releases, even those pentests will contain fewer surprises, meaning you can remediate and pass your audits more quickly. 

If you want to know more about how Cyver can work with your Agile development or security teams to deliver Agile pentesting, schedule a call. We’re more than happy to discuss your needs, demo the platform, and work together to see if we can help you improve your cybersecurity.