Continuous Penetration Testing Optimizes Security in Agile Product Development for Software Startup

A well-funded startup has, since its founding in 2015, become a leading provider of online proofing software for marketing firms and departments. The company ran its product development using Agile methodology and wanted to give its clients confidence that its software, a system for saving, internally sharing and proofing marketing materials, was as secure as possible.

Overview

Industry
  • Software

Challenges
  • Shrinking the risk window
  • Aligning penetration testing with Agile development processes
  • Reducing the time to remediation and retest

Kroll Services
  • Continuous penetration testing

Impact
  • Alignment with Agile processes
  • Reduced business risk
  • Comprehensive tracking

Challenge

The company develops its large flagship application using an Agile methodology, adding and updating features in two-week sprints. It already knew that a monolithic yearly penetration testing schedule did not provide frequent enough visibility into the security of its application, given how often new code went into production. It recognized the security value of experts performing true manual penetration testing, and already worked with Kroll to test the application quarterly.

However, as the company grew, it faced new challenges. With features being released every two weeks, it was important to the company and its prospective clients to shrink the risk window by testing even more frequently. The company also wanted to align its penetration testing more closely with its roadmap and its Agile development processes. Further, it wanted to be able to reduce the time to remediation and retest as needed.

At this point, the company also considered whether it should bring its testing in-house or continue working with a security partner with specific resources and expertise. The idea of hiring internally posed challenges, because searching for and hiring someone with Agile software development experience, cyber security expertise, and domain knowledge would be both difficult and expensive.

Solution

To keep regularly providing its customers with new features and product innovations, the company chose to continue working with Kroll. Kroll’s team has software security experts the company already knew and trusted, and it had already become familiar with the software during the quarterly penetration testing. After discussing its needs in detail with Kroll, based on the scope of its flagship application, the Agile methodologies used to develop it, and its plans for continued growth, the company made the strategic decision to shift from a quarterly penetration testing engagement to a continuous penetration testing framework.

Kroll experts and programme managers work closely with the company’s team to align the continuous penetration testing programme with the company’s development process. Under the quarterly programme, software security testing focused more on the application as a whole. With the continuous programme, penetration testing now shares Agile’s focus on features. From roadmapping through development, Kroll works strategically to identify and track specific features that need testing, and to target upcoming new features that will have a security impact. This programme boosts confidence that the company is delivering the most secure, feature-rich product possible.

Results

The change to a continuous programme has brought several security and operations benefits:

Alignment with Agile Processes

Instead of gearing up for quarterly penetration tests, Kroll meets regularly with the team for roadmap planning. During these meetings, Kroll discusses the company’s requirements, the current roadmap, and the features planned for rollout over the coming months. Then it works with the team on a testing plan.

Reduced Window of Risk

Because new features are released at the tempo of two-week sprints, continuous testing ensures that new features with security implications are penetration-tested manually by real security experts more promptly than ever, leading to rapid and more secure growth.

Comprehensive Tracking Dashboard

In addition to traditional penetration testing reporting, we implemented a dashboard to track findings and remediation. This provides the information needed to accurately determine the current security state, prioritize remediation activities and answer clients’ security-related requirements.

Access to Software Security Experts

The continuous penetration testing plan provides access to a dedicated programme manager and a senior security consultant. This saves the time and cost of hiring internal security staff and gives the flexibility of working with a security partner, while still providing on-demand access to DevSecOps experts who have an ongoing familiarity with the company’s product and its own implementation of Agile methodologies.

Learn more about Kroll Cloud Security and Penetration Testing services.
