Agile Penetration Testing: What, Why & How?

Blacklock Oct. 29, 2021

Agile methodologies in software development have accelerated in recent years, helping businesses provide value to customers much faster. Agile takes an iterative approach to software development, where products are developed in small iterations throughout the entire process. Unfortunately, it increases the risk of cyberattacks, and security testing solutions are limited to vulnerability scanning and static code analyzers (SCA tools), which only find the low-hanging issues.

Agile penetration testing is a continuous approach to security testing that significantly increases efficiency. It is done at frequent intervals throughout the development process, whereas traditional penetration testing is done right at the end as a point-in-time activity, just before the product launch. Contrary to belief, it's more than capable of keeping up with development schedules and doesn't slow the entire development process.

Since feature development and production changes are much more frequent in agile development, agile penetration testing better complements the software development cycle.

Why Use Agile Penetration Testing?

If you have developed software that's being used, frequent updates are inevitable throughout the year, resulting in new code. Since traditional penetration testing is designed to occur once a year, most of these updates are released without any security testing, meaning they can pose significant risks to the business and end-users. The most significant dangers are the potential exposure of data from adding new code and developers failing to keep up with new attacks and exploits.

Agile penetration testing is a way to frequently test your software and ensure every update is free of any security risks before being released. Not only is the process quicker and more economical, but it provides greater security assurances for all stakeholders before new updates are released.

Here are some of the key benefits of agile penetration testing:

Better Security — Continuous testing ensures that new features are security validated before landing in production. The approach allows you to adopt secure-by-design principles, i.e. building security into the product.

Feature-specific testing — Traditional penetration testing resembles the waterfall methodology. The problem is that it's a one-off test and largely focuses on the overall application. Agile testing allows penetration testers to focus specifically on new areas as they develop. At Blacklock, customers can request a new test, re-test, or feature-specific test at any time at a flat fee.

Flexibility — A key feature of agile testing is that it's a largely automated process, meaning it can be arranged at any time when the feature is ready. This is crucial throughout the development cycle as it enables developers to integrate penetration testing into their DevOps processes. An experienced agile testing provider like Blacklock has consultants readily available, so your testing needs can be responded to on time.

Increased value — Due to limited scope, faster turnarounds and decreased capital expenditure, agile testing presents a greater ROI than traditional testing. Depending on the chosen plan, customers can save on the cost of a full penetration test and just cover the feature-specific testing. This is far preferable to spending $10,000 or more per week, while still adopting a secure-by-design approach. For this reason, agile testing is also much more accessible.

How Does Agile Penetration Testing Work?

Every agile testing provider has a different approach to agile testing, but the best ones, like Blacklock, combine automation and manual testing.

To initiate a test, customers sign up through our website by providing target details, choosing a plan, completing a payment and digitally signing an authorisation letter. This process onboards the customer application and gives them access to a dashboard, which lets them request feature tests after the first round of full penetration testing is completed. Customers can request additional feature-specific tests or retests for the same application, which avoids the need to perform a full penetration test every time and allows more frequent testing.

When a test has been requested, our scan engine, coupled with human-augmented testing, does all the work, giving you the best of both worlds and an in-depth report on the findings. The turnaround time for this report is either 24 hours or 3 working days (depending on complexities), and the report provides clear guidance to developers on how they can deal with vulnerabilities.

If you think you or your organisation can significantly benefit from Blacklock’s agile penetration testing service or would like to know more, then get in touch with us now!