Top 5 Agile Pentesting Challenges in Software Development

As Agile software development adoption continues to grow, businesses are increasingly looking to incorporate manual, human-driven penetration testing, dynamic application security testing (DAST), and static application security testing (SAST) tools into their CI/CD pipelines.

In the first part of this miniseries, we discussed the advantages of conducting penetration testing in an Agile manner. However, it is equally important for businesses to be aware of the challenges that this approach presents in their efforts to create and deploy secure software.

Dragos Stanescu - December 15, 2022

Quick recap

As we saw there, an Agile testing approach, compared to traditional security testing, offers organizations several advantages, such as:


  • Focused penetration testing breaks the testing process into smaller, more manageable chunks, allowing more frequent and targeted assessment of specific system segments. This reduces stress and confusion for the testers and enables them to identify and report potential vulnerabilities more quickly, so the development team can resolve them sooner.

    By focusing on smaller segments of the system at a time, focused pentesting allows a more thorough and effective assessment of the overall security posture.

  • Ongoing communication and collaboration between the organization and the pentesting team is essential for creating a dynamic and adaptable approach to maintaining and improving the organization's security posture. This collaboration makes the testing process more effective and efficient, and helps the organization stay ahead of potential threats.

    By working closely together, the organization and the penetration testers can quickly identify and address potential vulnerabilities, and adapt their testing strategies as needed so that the organization's security posture remains strong.

Challenges in Agile Penetration Testing

Challenge #1

One of the most significant challenges faced by businesses looking to bootstrap penetration testing in their current development life cycle is the need to adopt a viable, near-real-time security testing strategy that follows the Agile concept as its framework. Modern development teams work in short, iterative "sprints" to quickly develop and deliver software.

This means that testing must keep up with the rapid pace of development and adapt to changes in the software as it evolves. Doing so requires a certain amount of expertise and flexibility on the resourcing side: cybersecurity skills must be available when a sprint needs them, not weeks later. Generally speaking, not many organizations or penetration testing vendors have an in-house talent pool deep enough to accommodate such requirements quickly.

Challenge #2

Another challenge is integrating penetration testing into the development team's workflow. In the Agile world, the entire development team is responsible for software quality and security, and the security team is part of it too. This means that the offensive security application team must work closely with the development team and provide regular feedback and guidance when necessary.

One way to address these challenges is automated testing: putting the repeatable checks (SAST, DAST) into the pipeline so that every sprint gets a baseline assessment, which reduces the time, effort, and cost of testing. Automation does not replace the human-driven part of the assessment; it frees the pentesters' limited hours for the logic flaws and niche risks that scanners miss.

Challenge #3

Another important consideration is defining the proper pentest focus and fixing security issues along the way. Market changes are reflected in the business requirements, so the delta releases of the software (the incremental changes shipped in each sprint) can require a continuous shift of focus, from Improper Input Validation to Security Misconfiguration to Broken Access Control. In an Agile development environment there are many competing priorities, and allocating sufficient time and resources to security testing as part of every delta release can be challenging.

This means that businesses must scope their testing focus very accurately, keeping a fair balance between their need for security and the expected release speed. Combining human offensive security knowledge with analysis tools such as DAST and Static Application Security Testing (SAST) allows the team to uncover and fix issues, retest them, and ensure that testing is performed consistently and accurately, keeping the overall testing investment predictable.
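As an added example (not part of the original article or the author's tooling) of the scoping automation that the two points above describe, the Python script below reads SAST results in SARIF 2.1.0 format and fails the sprint's CI job only for findings that are new, sit in files touched in that sprint, and meet a chosen severity threshold; everything else is printed but deferred to the backlog. The SARIF document, the changed-file list and the baseline are constructed inline for illustration; in a real pipeline the changed files would come from something like `git diff --name-only` against the sprint's base branch, and the baseline from the previous run's accepted findings.

```python
"""Sprint-scoped SAST gate (added example; not the article's own tooling).

Assumes the SAST tool writes SARIF 2.1.0. The sample SARIF, changed-file
list and baseline below are constructed for illustration only.
"""
import json
from dataclasses import dataclass

# SARIF result levels, ordered so that a higher rank means more severe.
SEVERITY_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    level: str
    file: str
    line: int
    message: str

    def key(self) -> tuple:
        # Identity used for baselining: the same rule at the same place.
        return (self.rule_id, self.file, self.line)


def parse_sarif(sarif_text: str) -> list[Finding]:
    """Flatten a SARIF log into one Finding per result location."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        # A result may omit "level"; fall back to the rule's default level.
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        default_level = {r.get("id"): r.get("defaultConfiguration", {}).get("level", "warning")
                         for r in rules}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            level = res.get("level") or default_level.get(rule_id, "warning")
            text = res.get("message", {}).get("text", "")
            for loc in res.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "")
                line = phys.get("region", {}).get("startLine", 0)
                findings.append(Finding(rule_id, level, uri, line, text))
    return findings


def sprint_gate(findings, changed_files, min_level="error", baseline=frozenset()):
    """Split findings into (blocking, deferred).

    Blocking: in a file changed this sprint, at/above min_level, and not already
    accepted in the baseline. Deferred findings are still reported so the
    backlog stays visible instead of being silently dropped.
    """
    threshold = SEVERITY_RANK[min_level]
    changed = set(changed_files)
    blocking, deferred = [], []
    for f in findings:
        in_scope = (f.file in changed
                    and SEVERITY_RANK.get(f.level, SEVERITY_RANK["warning"]) >= threshold
                    and f.key() not in baseline)
        (blocking if in_scope else deferred).append(f)
    return blocking, deferred


def gate_exit_code(sarif_text, changed_files, min_level="error", baseline=frozenset()) -> int:
    """CI entry point: returns 1 if any finding blocks the sprint, else 0."""
    blocking, deferred = sprint_gate(parse_sarif(sarif_text), changed_files, min_level, baseline)
    for tag, group in (("BLOCK", blocking), ("DEFER", deferred)):
        for f in group:
            print(f"{tag} {f.level:<7} {f.rule_id} {f.file}:{f.line} {f.message}")
    return 1 if blocking else 0


# --- constructed sample input (hypothetical files, rules and findings) -------
def _result(rule_id, uri, line, text, level=None):
    """Build one SARIF result object for the constructed sample."""
    res = {"ruleId": rule_id, "message": {"text": text},
           "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                               "region": {"startLine": line}}}]}
    if level:
        res["level"] = level
    return res


SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast", "rules": [
            {"id": "sqli", "defaultConfiguration": {"level": "error"}},
            {"id": "missing-csrf", "defaultConfiguration": {"level": "warning"}},
            {"id": "hardcoded-secret", "defaultConfiguration": {"level": "error"}},
        ]}},
        "results": [
            _result("sqli", "app/orders.py", 42, "string-built SQL"),
            _result("sqli", "app/legacy.py", 10, "string-built SQL"),
            _result("missing-csrf", "app/orders.py", 88, "state-changing view without CSRF check"),
            _result("hardcoded-secret", "app/config.py", 5, "API key literal", level="error"),
        ],
    }],
}
CHANGED_FILES = ["app/orders.py", "app/config.py"]                 # this sprint's delta
BASELINE = frozenset({("hardcoded-secret", "app/config.py", 5)})   # accepted earlier, in backlog


def sample_sarif_text() -> str:
    return json.dumps(SAMPLE_SARIF)


if __name__ == "__main__":
    raise SystemExit(gate_exit_code(sample_sarif_text(), CHANGED_FILES, "error", BASELINE))
```

With the sample input only `app/orders.py:42` blocks the build: the same rule in the untouched `app/legacy.py` and the warning-level CSRF finding are deferred, and the already-accepted secret in `app/config.py` is suppressed by the baseline. Lowering `min_level` to `"warning"` in a later sprint is how the team "gradually adds complexity": the gate tightens without any change to the scanner itself.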

To be clear, Pentesting as a Service (PTaaS) is not Agile security testing, but rather a business model that attempts to meet the expectations of modern DevSecOps teams.

Challenge #4

The fourth challenge relates to highly regulated businesses, like banks and similar environments, that still use a hybrid development lifecycle in which the waterfall concept plays an important part of the internal culture. For that reason, the Agile pentesting concept is certainly not a good fit there.

When conducting penetration tests in highly regulated environments, here are some of the most important considerations that could interfere with the Agile adoption:

  • Obtaining all necessary approvals and permissions before beginning any testing activities.
  • Ensuring that all testing activities are conducted in accordance with applicable regulations, such as privacy and data protection laws.
  • Establishing clear communication channels between the security team and the business stakeholders so that issues are addressed effectively.
  • Following a testing process that minimizes disruption to operations while still ensuring a thorough assessment of security controls (e.g., no heavy automated testing is allowed, only manual testing).
  • Documenting all processes, findings, and recommendations in a way that complies with organizational policies and regulatory requirements.


Going a little further, such organizations execute many non-technical tests, which focus on the processes and procedures surrounding the system rather than on its technical aspects. That is why they are not a great fit for an Agile penetration testing approach: their testing process needs to be more comprehensive and methodical.

Challenge #5

Finally, businesses have to consider the non-functional testing of an application too. The focus is often on functional requirements, such as the features and capabilities of the software. However, non-functional requirements, such as security, performance, and reliability, are also important and must be addressed in order to write source code with fewer vulnerabilities and, implicitly, to build secure software.

Conclusions

Overall, the challenges faced by businesses looking to execute penetration testing in an Agile development environment can be significant. However, businesses can overcome them by adopting a simple, easy-to-follow playbook focused on information security testing, such as applying the DevSecOps principles of Measure and Monitor (monitoring performance, security, and compliance metrics) and ensuring that their software is secure before it is deployed to production.

Here are three points worth considering:

  • Use human-driven security testing to uncover niche security risks.
  • Start small and, as the team gets used to the testing challenges, gradually add complexity via automation. Bounce back to simplicity if the CI/CD pipeline workflow logic becomes too complex and difficult to comprehend and manage.
  • Know when Agile penetration testing is a fit for your organization and when it is not.

Be the adversary - attack first