Agile testing

Security assurance as part of your development lifecycle

Traditional penetration testing typically takes place at the end of the development lifecycle, prior to go-live, ensuring that no major security flaws are present. This approach certainly has its place, and we would always recommend testing an application or system as a whole at least annually.

However, in today’s fast-moving DevOps world, this approach needs to be complemented with flexible, less time-consuming and more ad-hoc testing that fits the agile development methodology.

In these cases, clients don’t want a full penetration testing report of their entire application. Rather, they want someone to spend a short amount of time looking at a particular feature, or area of the application, and instead of delivering a lengthy report, they want a ticket, or even an informal chat on a Slack channel.

Our agile testing service has been designed to meet these needs.

The benefits of agile testing

Flexible testing, when you need it

Our experienced security consultants will be on standby, ready to respond to your testing requests or queries in a timely manner.

Value throughout the development lifecycle

The earlier you can implement security in the development lifecycle, the greater the return on investment typically is. Our agile testing can provide value early in the development process, saving potentially expensive headaches further down the line.

Specific in focus

Rather than testing areas of the application that have been tested many times before, our agile testing methodology allows us to focus purely on the new features being released, ones that have not been tested previously.

Provide security assurances

Agile testing can cover initial development, go-live and subsequent releases. Not only will this help ensure your final product is as secure as possible, but it can also provide your clients and stakeholders with the security assurances they require.

What we test

Examples of the types of vulnerabilities we look for and the areas we assess include:

  • Authentication: weak/default credentials, flawed password reset mechanism, inappropriate password policy, inadequate protection against brute-force attack, credentials exposed over HTTP, insecure password storage, user enumeration, etc.
  • Session management: weak session cookie configuration, inappropriate timeout settings, flawed logout mechanism, session fixation, session tokens generated with insufficient entropy, etc.
  • Authorization and access control: horizontal and vertical privilege escalation, client-side checks not enforced by the server.
  • Cross-site scripting (XSS): stored, reflected, DOM-based, etc.
  • SQL injection
  • Other injection vulnerabilities: OS command injection, NoSQL injection, LDAP injection, Expression Language injection, server-side template injection, XPath injection, etc.
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Insecure file upload
  • XML-related issues: XML external entity (XXE) attacks, external DTDs enabled, billion laughs attack, etc.
  • Unsafe deserialization: Java, PHP, .NET, etc.
  • Business logic flaws
  • Unnecessary information disclosure

It is impossible to exhaustively cover all possible security vulnerabilities that may affect an application. Consequently, the aim of our test methodology is to act as a baseline, with additional tests and checks being performed by the consultant as necessary.

Our approach to agile testing

Every business is different, and our agile testing methodology is designed to be flexible enough to fit in with your development practices. Our general approach is typically as follows:

1. Scoping

We work with you to fully understand your organisation, your goals, your development practices, the application in question and your desired outcomes.  

2. Proposal & prerequisites

A proposal will be drawn up outlining the planned scope of work, a pre-agreed number of consultancy hours that will be made available and the preparations needed to start testing.  

3. Resources on standby

Our security consultants will be made available to you whenever you need them.

4. Testing

When you need a part of your application tested, we will agree the number of hours to be spent and then perform the testing immediately. In keeping with agile principles, adaptability is key here to achieving the best results without too much “red tape” and paperwork.

5. Reporting

Security issues will be flagged and reported as part of the testing activity. This can be in whatever format suits your development team, whether over chat, a ticket, email or otherwise.

Why choose us

Our agile testing is designed to support your security improvement efforts. It’s this support that truly sets us apart: our team is dedicated to reducing your cyber threat, to passing on our wealth of expertise and to providing you with the security assurances you require.

Penetration testing experts since 2001

Dedicated account management

Testing tailored to your organisation

Comprehensive, quality assured reporting

Unrivalled post-test support

Contact us

Want to find out more about our agile testing service? Our team are on hand to provide you with the information and support you need.
