Continuous Penetration Testing Optimizes Security in Agile Product Development for Software Startup
A well-funded startup has, since its founding in 2015, become a leading provider of online proofing software for marketing firms and departments. The company ran its product development using Agile methodology and wanted to give its clients confidence that its software, a system for saving, internally sharing and proofing marketing materials, was as secure as possible.
- Shrinking the risk window
- Aligning penetration testing with Agile development processes
- Reducing the time to remediation and retest
- Continuous penetration testing
- Alignment with Agile processes
- Reduced business risk
- Comprehensive tracking
The company develops its large flagship application using an Agile methodology, adding and updating features in two-week sprints. It already knew that a monolithic yearly penetration testing schedule did not provide frequent enough visibility into the security of its application, given how often new code went into production. It recognized the security value of experts providing true manual penetration testing, and already worked with Kroll to test the application quarterly.
However, as the company grew, it faced challenges. With features being released every two weeks, it was important to the company and its prospective clients to shrink the risk window by testing even more frequently. The company also wanted to align its penetration testing more closely with its roadmap and its Agile development processes. Further, it wanted to be able to reduce the time to remediation and retest as needed.
At this point, the company also considered whether it should bring its testing in-house or continue working with a security partner with specific resources and expertise. The idea of hiring internally posed challenges, because searching for and hiring someone with Agile software development experience, cyber security expertise, and domain knowledge would be both difficult and expensive.
To keep regularly providing their customers with new features and product innovations, the company chose to continue working with Kroll. Kroll’s team has software security experts the company already knew and trusted, and it had already become familiar with the software during the quarterly penetration testing. After discussing its needs in detail with Kroll, based on the scope of its flagship application, the Agile methodologies used to develop it, and plans for continuing growth, the company made the strategic decision to shift from a quarterly penetration testing engagement to a continuous penetration testing framework.
Kroll experts and programme managers work closely with the company’s team to align the continuous penetration testing programme with the company’s development process. Under the quarterly programme, software security testing focused more on the application as a whole. With the continuous programme, penetration testing now shares Agile’s focus on features. From roadmapping through development, Kroll works strategically to identify and track specific features that need testing, and to target upcoming new features that will have a security impact. This programme boosts confidence that the company is delivering the most secure, feature-rich product possible.
The change to a continuous programme has brought several security and operations benefits:
Alignment with Agile Processes
Instead of gearing up for quarterly penetration tests, Kroll meets regularly with the team for roadmap planning. During these meetings, Kroll discusses the company’s requirements, the current roadmap, and the features planned for rollout over the coming months. It then works with the team on a testing plan.
Reduced Window of Risk
Because new features are released at the tempo of two-week sprints, continuous testing ensures that new features with security implications are penetration-tested manually by real security experts more promptly than ever, leading to rapid and more secure growth.
Comprehensive Tracking Dashboard
In addition to traditional penetration testing reporting, we implemented a dashboard to track findings and remediation. This provides the information needed to accurately determine the current security state, prioritize remediation activities and answer clients’ security-related requirements.
Access to Software Security Experts
The continuous penetration testing plan provides access to a dedicated programme manager and a senior security consultant. This saves the time and cost of hiring internal security staff and gives the flexibility of working with a security partner, while still providing on-demand access to DevSecOps experts who have an ongoing familiarity with the company’s product and its own implementation of Agile methodologies.