Agile Penetration Testing Program

Integrated into your software development lifecycle (SDLC), Kroll’s agile penetration testing program is designed to help teams address security risks in real time and on budget.


What is Agile Penetration Testing?

Agile penetration “pen” testing is a continuous security assessment approach that allows companies to speed up secure software delivery to their customers. 

Traditionally, penetration tests occur on an infrequent, “point in time” basis within the scope of a product release cycle or based on compliance mandates. This approach may fit if you still use the waterfall method, but it falls short if you use agile or other continuous development methodologies.

Unlike traditional pen testing (which tends to slow down product teams), agile penetration testing, when properly integrated within the SDLC, can keep pace with your release schedule. The result: saving your business the time and expense of having to remediate long-standing problems that could have been identified much earlier in the process.

Agile pen testing is a programmatic way to unearth and remediate potential risks in an application within the existing timelines and schedules of product releases. Just as features are added or updated constantly during sprints, continuous penetration testing can make sure that the security of those new features is being tested just as frequently.
Merging Product, Development and Security For Greater Efficiency

Many product teams have adopted agile software development methodologies but have not integrated pen testing into the agile process. For most, penetration testing remains a standalone process performed alongside other annual assessments. Our agile pen testing programs integrate into your product team’s software development lifecycle to reduce the timespan between code changes and security assessments, so code is not released to production with unknown risks. 

The program is designed based on strong fundamentals in program planning and onboarding with teams to ensure minimal disruption to current engineering processes. Kroll’s dedicated program team aims to build institutional knowledge by providing continuity, expertise and support for making technical decisions with security in mind.


The Agile Assessment Lifecycle

A view into a standard deployment of the agile penetration testing program:

(Figure: The Agile Assessment Lifecycle)

Managed Agile Pen Testing Program Overview

In contrast to the usual method of conducting a security assessment by means of a pen test near the end of the release cycle, Kroll’s developer-centric security consultants engage with product engineering and project management teams to identify and remediate security vulnerabilities throughout the entire product release cycle.

This agile approach helps ensure that every product release, be it a minor bug fix or a major feature release, has been vetted from a security perspective. The solution model covers the following:

  • Enhancing the development sprint plans to include the appropriate level of security assessment required
  • Strategizing “abuse cases” for every release through a rapid threat modeling exercise ahead of development
  • Validating countermeasures to the said abuse cases, along with exploratory threat scenarios, through an agile pen testing exercise post-development
  • Logging any potential vulnerabilities directly on development platforms, such as JIRA, Azure DevOps, etc., for remediation
  • Validating the applied fix (remediation) by conducting an optional retesting exercise
  • Analyzing vulnerability patterns, scoring, time to fix and other critical statistics, and communicating program improvement opportunities in sprint recaps

Managed Agile Pen Testing Program

Onboarding and Program Development

Key activities include:

  • Contextual Knowledge of App(s)
  • Security Requirements Strategy
  • Agile Framework & Methodology
  • Release Cadence/Cycles
  • Roadmap Planning

Management

Throughout the program, each test is carefully considered:

  • Track & Scope Pen Test Cycles
    • Frequency
    • Priority
    • Coverage
  • Assign resources
  • Consistent monitoring

Tracking and Reporting

Efforts can be tracked via a variety of reports and adjusted for key stakeholders:

  • Vulnerability Tracking and Prioritization
  • Remediation Testing and Tracking
  • Budget and Effort Tracking
  • KPIs and Metrics
  • Trend Analysis

Key Benefits – The End Results

The efficiency and flexibility of agile, with a more secure product:

Cyber Insurance Preferred Partner

Kroll has a dedicated team for insurance and legal channels, with extensive relationships with 50+ cyber insurance brokers and carriers worldwide and exclusive benefits to insureds.

Endlessly Adaptable

Development and security teams communicate seamlessly to tailor testing to new features and priorities.

Fewer Vulnerabilities

Over time, the backlog of software vulnerabilities decreases.

Native Security

Ongoing feedback and collaboration help developers adopt more secure development practices in new code.

Why Kroll?

  • Our team conducts more than 53,000 hours of cyber security assessments every year and carries well over 100 security certifications encompassing offensive security, cloud, penetration testing, mobile, and web testing.
  • Senior team members have each spent decades working in cybersecurity and our award-winning penetration testers are certified to some of the highest global industry standards, including CHECK, CREST (CCT/CRT) and SANS (GIAC).
  • Kroll handles over 3,000 incident response cases worldwide every year, enabling us to leverage the latest frontline threat intelligence and adversary mindset in every engagement.
  • Our testers have diverse backgrounds in information technology, application development and cyber investigations. This experience enables them to anticipate evolving and emerging cyber threats for our clients across industries and jurisdictions.

Agile Pen Testing as Part of a Cyber Risk Retainer

Kroll’s ultra-flexible Cyber Risk Retainer can package your agile pen testing needs along with a variety of services, such as risk assessments, tabletop and red team exercises, and more. With the retainer, clients also gain prioritized access to Kroll’s elite digital forensics and incident response team in the event of an incident.

Comprehensive Related Services

All the services below are also available as part of the Kroll Cyber Risk Retainer.

  • Network Penetration Testing – External and Internal
  • Application Penetration Testing – External and Internal
  • Web Application Penetration Testing
  • IoT Device Penetration Testing
  • Dark Web Risk Exposure
  • Social Engineering Exercises
  • Red/Blue Team Exercises
  • Cyber Due Diligence Assessments

Increased Cyber Resilience with a Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Connect with us

Rob Deane, Associate Managing Director, Cyber Risk, New York
Rahul Raghavan, Senior Vice President, Cyber Risk, Toronto
