The Benefits of Continuous Testing

The Benefits of Continuous Testing

The traditional approach to security when developing a new software application, IT product or system has been to build it, test it and wait for something to go wrong. But this reactive find and fix approach is a costly, time consuming and risky way of doing things. Instead, companies are now looking to benefit from having security assurances much earlier in the project lifecycle, implementing security ‘by design’ and throughout the lifecycle of the project.

By Tamar Everson and Robert Newman

Security Consultants, Assurance

24 Jan 2020

The value of what we call Continuous Security Testing reflects the benefits of Agile development and DevSecOps, integrating and automating testing processes and related security measures from the very beginning of the development cycle. Testing early and testing often results in better protection, quicker times to market and reduced costs.

While a traditional penetration test is a snapshot-in-time assessment, Continuous Security Testing integrates with the development process. This allows the identification of vulnerabilities, and therefore remediation and retesting, to happen throughout the development process – rather than applying costly post-development patches. Continuous Security Testing takes place at the end of each Agile ‘sprint’, as soon as functional code is available. This allows any identified issues to be added to the backlog and prioritised for fixing in the following sprints, before the cycle continues. This method is particularly useful for applications developed in short iteration cycles and adds a pace to security improvements that traditional approaches can’t match.

Continuous Security Testing is efficient at finding most of the vulnerabilities that a penetration test would, including (but not limited to) injection attacks, session-related issues and business logic flaws. While these are the same as we find in other types of engagements, being able to implement fixes near the point of creation removes the need for separate teams having to unpick stale code to apply fixes at a later date. Working with the same team also helps to get a more in-depth understanding of the application, development process and the business decisions behind the system’s design. Together these mean that the test team can target testing to the needs and concerns of customers. Embedding the test team with the development team also breaks down the traditional barriers between developers and security testers, helps upskill developers and thus over time increases the quality of code at its inception.

When working with a team in this way, reporting can be done directly into a team’s bug tracking software. This allows developers to gain immediate, easy-to-digest visibility so that the team can prioritise accordingly. From a tester’s perspective, you can find an issue, inform the development team and have it fixed and re-tested within the hour!

Automated vulnerability scanning tools can also be used to provide frequent assurance on code as it is developed. However, they struggle to find business logic-based issues and without suitably skilled installation, configuration and maintenance they are prone to false positives. Although automation can support a team’s security aims, Continuous Security Testing follows a manual methodology and will always provide greater depth, and only highlight proven vulnerabilities.

Compromising security in the rush to market is no longer an option. Security by design is now the mantra for the technology industry. But this has to go hand in hand with early and continuous security testing. This is the only way to ensure the integrity of a new application, product or system through its entire lifecycle – achieved by harnessing the best manual skills and automated tools to achieve security at pace.

Subscribe for more Research like this

About Tamar Everson and Robert Newman

Security Consultants, Assurance

Tamar and Robert are part of our Assurance team and have worked on continuous testing projects for a number of clients.

Find out more

Book a Meeting

CREST
CREST STAR
CHECK IT Health Check Service
CBEST
Cyber Essentials
CESG Certified Service
First - Improving Security Together
BSI ISO 9001 FS 581360
BSI ISO 27001 IS 553326
PCI - Approved Scanning Vendor