If your development teams have moved away from a waterfall approach to a more modern agile or DevOps methodology with frequent releases or continuous integration, how can you ensure and verify application security with just the “traditional” annual penetration test? Obviously, you can’t, in scenarios where you’re pushing new code to production every month or so.
Here is a real-life example of this issue:
Recently I was discussing a report from the latest in a series of annual application penetration tests with one of our healthcare clients. The test had revealed a critical SQL injection vulnerability that we were actually able to exploit to exfiltrate data and user credentials from the application.
As we talked, the client realized the module with this critical vulnerability had been released to production in March 2017 and the annual pen test had taken place as usual in December 2017—meaning the vulnerability had been in the public domain for about nine months.
Who knows what might have happened if it had been exploited by an attacker?
Ensuring the Security of Critical Applications in the Modern Era of Continuous Delivery
As organizations embrace agile methods and continuous integration, we’re seeing this issue come up more and more. This is why Pivot Point Security has created a flexible and cost-effective, subscription-based continuous assurance program for organizations that need to manage application security risk on a continuous or periodic basis, in alignment with more frequent releases.
Through this program, you can:
- Ensure your applications are always secure
- Ensure limited resources are focused where they will do the most good
- Support governance, risk and compliance activities
- Streamline and save time and money across your application portfolio
- Get results quickly and cost-effectively, with minimal disruption to the software development lifecycle
- Benefit from application security expertise beyond what you have in-house
With agile/DevOps development lifecycles, continuous assurance is important for most applications. But it’s essential for critical applications that hold or process any sensitive or regulated data, such as client data, PHI or PII.
How can you assure that an application is always secure in a continuous delivery environment? The approach should be specific to the application, based on both the release cycle and the application’s criticality.
In the case of critical applications, you don’t want to push a single new feature to production without doing security testing. Conversely, a public website with minimal data might only need to be pen-tested every other release cycle. Some applications might only need to be tested with automated scans, which are good for flagging most OWASP Top 10 type vulnerabilities (e.g., cross-site scripting and SQL injection).
In many cases you won’t want to do a full pen test on the entire app every time you release something, because this will delay the production release by several days. Yet you still need assurance that you’re not introducing new risks.
One effective approach to managing security risk while saving time and money is to do an automated vulnerability scan of the full application with each new release to production, while performing focused, manual penetration testing on just the parts of the application that have changed since the last pen test.
This method offers assurance that new modules are risk-free, and also verifies that you haven’t created new vulnerabilities in existing modules. A further benefit is that you’re testing the application against any zero-day attacks that didn’t exist the last time you tested it.
Of course, finding and remediating any application security issues before the code is in production saves considerable effort and money as well.
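To make that cadence concrete, here is an added example (not part of the original post, and not Pivot Point Security's own tooling) that turns a list of files changed since the last pen test, such as the output of `git diff --name-only`, into a per-release test plan: a full automated scan every release, plus manual pen testing of changed modules at a frequency set by each module's criticality. The module map, criticality tiers and changed paths are constructed assumptions.

```python
"""Decide the security-testing scope for one release (added example).

The policy table and module map below are constructed assumptions that
stand in for an organization's own inventory of applications and modules.
"""

# How many releases may ship between manual pen tests of a changed module:
# 1 = every release, 2 = every other release, None = automated scans only.
MANUAL_TEST_EVERY = {"critical": 1, "public-minimal": 2, "automated-only": None}

# Constructed map of source path prefixes to (module name, criticality tier).
MODULES = {
    "src/billing/": ("billing", "critical"),
    "src/patient_records/": ("patient_records", "critical"),
    "src/marketing_site/": ("marketing_site", "public-minimal"),
    "src/status_page/": ("status_page", "automated-only"),
}


def changed_modules(changed_paths):
    """Map changed file paths to the modules they belong to.

    Paths outside any known module (build files, docs) are ignored; they
    are still covered by the full automated scan of the whole application.
    """
    found = {}
    for path in changed_paths:
        for prefix, (module, tier) in MODULES.items():
            if path.startswith(prefix):
                found[module] = tier
    return found


def plan_release_testing(changed_paths, releases_since_manual):
    """Return the test plan for this release.

    releases_since_manual maps a module to the number of releases shipped
    since it was last manually pen-tested (0 = tested at the last release).
    A module with no recorded history is treated as overdue and tested now.
    """
    plan = {"automated_scan": "full-application", "manual_pentest": [], "deferred": []}
    for module, tier in sorted(changed_modules(changed_paths).items()):
        every = MANUAL_TEST_EVERY[tier]
        if every is None:          # automated scanning is sufficient for this tier
            continue
        since = releases_since_manual.get(module, every)
        if since + 1 >= every:     # this release reaches the cadence limit
            plan["manual_pentest"].append(module)
        else:                      # changed, but not yet due for manual testing
            plan["deferred"].append(module)
    return plan
```

Unchanged modules never appear in the manual list, which is the "focused" part of the approach; the full automated scan still runs over everything so regressions in untouched code are caught.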
This is just one example of the many ways that organizations can achieve security with continuous integration.
Contact Pivot Point Security to discuss how our continuous assurance model of application testing can ensure your applications are always secure.