Over the past few years, applications have become an essential part of how organisations do business. In a fast-paced business climate, organisations are under increasing pressure to release new offerings and reach customers in new ways.
In this context, ensuring the deluge of new applications remain protected from hackers is a challenge. And that’s where Continuous Security Testing comes in.
Continuous Security Testing, which combines the activity of people and machines, and sees application security considered at every stage of the development cycle, has a number of advantages over a more traditional approach to pen testing, and many organisations are exploring it as a way to secure their application estate.
In other words, organisations are looking for the rigour of a manual pen test, but with the agility and approach that matches dynamic application development.
But what is Continuous Security Testing, and how does it measure up when compared with pen testing?
The rise of DevOps
To answer this, it is important to understand the current state of play regarding application development. Organisations are now developing and updating apps faster than ever before. In years gone by, application releases would occur every three to six months. Today it is not uncommon for businesses to update apps monthly or even weekly, and for some, it’s far more frequent than that. This acceleration is due in part to the rise of DevOps. This way of working sees IT and software development teams working closely together on the software development process. Previously, these two areas of an organisation were somewhat siloed, meaning that new application releases would occur at a much slower rate.
However the software delivery cycle is now far shorter. This means that application updates can be rolled out faster, with new features quickly defined, developed and tested, enabling organisations to adapt quickly.
On the one hand, DevOps has been beneficial to security. Security issues such as coding errors and other vulnerabilities can be fixed soon after they are identified, meaning there is a smaller window of risk for adversaries to exploit. However, a rapid rate of change can in itself introduce new issues.
However, DevOps has also created additional security challenges. Software developers are under increasing pressure to deliver new applications and updates to existing applications rapidly, meaning coding errors can fall through the cracks, giving attackers access to an organisation and its data.
So how can organisations ensure that the applications they deploy are water-tight when it comes to security, but without compromising on speed and agility?
The importance of pen testing
Traditionally, penetration testing was the answer. Penetration testing is still a key tool in the cybersecurity arsenal, and one that cannot be replicated by automated scanning alone. However, the way in which pen testing typically operates, with deep-dive tests taking place every six months to a year, is not compatible with the DevOps approach, and security teams have often struggled to keep up.
Furthermore, traditional penetration testing requires a high level of both skill and time, meaning it is often not practical or economical to carry out a full pen test for each software release.
When updates to new applications were less frequent, pen testing was well-suited to ensuring applications remained secure. However, now that new code is released every week or month, pen testing once a year leaves a substantial window of time for vulnerabilities to go unnoticed.
This creates a dilemma when it comes to DevOps and security. While development teams have grown accustomed to working at speed, conducting a full pen test before a product can be launched, which can take days or weeks, can introduce delays into the process.
If manual penetration testing is too cumbersome, slow, and expensive for the current speed of software development, does automation resolve the challenge?
The emergence of DevSecOps
In searching for answers to this question, many organisations are looking for solutions that offer the rigour of a manual pen test, but with the agility and efficiency of dynamic application development.
DevSecOps brings security into the DevOps equation. As well as IT and software development, it integrates cybersecurity processes into the software development life cycle, with application updates audited and scanned for vulnerabilities at every stage. This means that security becomes a shared responsibility for software development, security and IT teams, and issues can be addressed when they first emerge rather than at the end of the process.
A survey of 150 decision-makers conducted by Computing revealed that those who have fully implement DevSecOps rank its success at 8.5 out of 10. However, just 19 per cent of contributors had fully implemented DevSecOps, with 29 per cent having partially done so – though there was almost universal interest.
Fig. 1 : What stage is your organisation at in integrating application security testing (AST) into its DevOps environment?
The role of automation
Automated scanning tools are a key part of DevSecOps and have seen significant investment in recent years, with tools now commonly used to test code and scan live applications.
Scanning tools can highlight potential risks, which can then be investigated further by skilled pen testers. Automation can also detect a change, allowing the testers, working closely with their developers, to see when new changes have been introduced so that every new line of code can be quickly checked.
However, while they have their benefits, automated tools are not as thorough as traditional pen testing, and some errors or vulnerabilities can only be spotted by human testers.
Fig. 2 : Which of the following benefits have you experienced as a result of building a more integrated DevSecOps approach?
A continuous approach
Combining human intervention and automated scanning has given rise to a continuous approach to security testing. Continuous Security Testing incorporates both human and autonomous testing into every stage of the application development process.
This builds a greater collaboration between development and security teams. With application code changes being implemented over weeks, days, hours, and even seconds, having developers and security in the same team can enable an organisation to explore new ways to innovate through applications, while ensuring security remains a priority.
In addition, by adopting this approach, developers, system administrators, and security staff can address fixes without dramatically compromising their existing workloads. Following an annual pen test, developers are presented with an often long list of issues to fix, but with continuous testing, updates can be implemented over time without dramatically altering workloads.
It is important to highlight that Continuous Security Testing does not replace the traditional large-scale penetration test completely. But Continuous Security Testing does bring pen testing up to speed with agile DevOps strategies. By offering both speed and security, continuous testing has become an attractive option for many organisations.