What would it take to make pentesting fit with agile security practices?
Before I answer that, let me explain why you should make your pentesting agile (agile-ify it?).
Digital strategy and innovation have been disruptive forces across pretty much every industry and market worldwide. Business technologies like cloud and SaaS, which form the underpinnings of digital transformation, are critical to the spirit of competition that determines market dominance and creates category leaders. For all these reasons, agile software development has become a mainstay.
Digital transformation. Agility. SaaS. Innovation. Disruption. It might sound like I’m getting ready to play a game of buzzword bingo, but my point is this: speed and success are inextricably linked. So why leave security out of the equation? If your business is agile, your security program should be, too. And that’s exactly what Cobalt’s customers told us.
Our customers span all segments, maturity levels, and sizes. To continue meeting the needs of these agile businesses, we evolved our PtaaS offering to support versatile, ad hoc testing. We’re not just paying lip service to a broader business trend -- if we were, we’d have called it “nextgen” ;-) -- we’re allowing organizations to pentest for common use cases like the following:
New Release Testing
Pentest a new release before or shortly after it reaches production. With new release testing, companies receive more assurance that new products or features are properly secured.
Delta Testing
Pentest for incremental improvements based on code differences since a specific date or version. This is useful after changes are made to an existing feature, for example.
Exploitable Vulnerability Testing
Pentest a single vulnerability or a small subset of vulnerabilities across an asset to validate fixes. Log4j is one example where exploitable vulnerability testing would come in handy.
Single OWASP Category Testing
Pentest a single OWASP category for a web, mobile, or API asset. With an Agile Pentest focused on a single OWASP category, companies can conduct targeted tests to review a specific category like Access Control, and ensure their code aligns with best practices.
Microservice Testing
Pentest Kubernetes within AWS, Azure, or GCP, as well as hosted network services. For organizations practicing agile development, microservices provide an easier way for teams to adopt continuous delivery. Microservice testing helps identify security flaws in a microservice architecture and its APIs.
Agile Pentesting differs from what Cobalt calls Comprehensive Pentesting, which our clients choose when they are pentesting for compliance, in response to M&A activity, or for a similar business driver that is often linked to a third-party mandate.
For anyone already familiar with PtaaS – which is much hyped for driving economic benefits to the tune of 66% reduction in exposure time, 53% lowering of pentest cost, and 176% more ROI – Agile Pentesting signals the next frontier.
For everyone else it’s the Holy Grail, as one of our customers acknowledged:
"With Agile Pentesting, Cobalt has plugged into our development cycle allowing us to skip lengthy scoping processes and test new features as needed. Our company releases software updates constantly, and this provides assurance that our products are well tested. Cobalt has achieved the Holy Grail of pentesting and made customers’ lives easier, mine included."