security assurance as part of your development lifecycle

Traditional penetration testing typically takes place at the end of the development lifecycle, prior to go-live, ensuring that no major security flaws are present. This approach certainly has its place, and we would always recommend testing an application or system as a whole at least annually.

However, in today’s fast-moving DevOps world, this approach needs to be complemented with flexible, less time-consuming and more ad-hoc testing: testing that fits with the agile development methodology.

In these cases, clients don’t want a full penetration testing report of their entire application. Rather, they want someone to spend a short amount of time looking at a particular feature, or area of the application, and instead of delivering a lengthy report, they want a ticket, or even an informal chat on a Slack channel.

Our agile testing service has been designed to meet these needs.

the benefits of agile testing

flexible testing, when you need it

Our experienced security consultants will be on standby, ready to respond to your testing requests or queries in a timely manner.

specific in focus

Rather than testing areas of the application that have been tested many times before, our agile testing methodology allows us to focus purely on the new features being released, ones that have not been tested previously.

value throughout the development lifecycle

The earlier you can implement security practices in the development lifecycle, the greater the return on investment typically is. Often, a full penetration test is not appropriate in the early stages of a project, but agile testing can be invaluable. Whether it’s analysing design documentation or reviewing new session management functionality, our consultants can provide value early in the development process, either at runtime or in code, saving potentially expensive headaches further down the line.

provide security assurances

Agile testing can cover initial development, go-live and subsequent releases. Not only will this ensure your final product is as secure as possible, but it can also provide your clients and stakeholders with the security assurances they require.

part of your team

Consider our security consultants as part of your security and dev teams. Rather than being a faceless third-party auditor, our goal is to form a relationship with you and your team, and know your application in far greater depth, so that when you want to run something by us, we know exactly what you’re talking about.

what we test

Examples of the types of vulnerabilities we look for and the areas we assess include:

  • Authentication: weak/default credentials, flawed password reset mechanism, inappropriate password policy, inadequate protection against brute force attack, credentials exposed over HTTP, insecure password storage, user enumeration, etc.
  • Session management: weak session cookie configuration, inappropriate timeout settings, flawed logout mechanism, session fixation, session token generated with insufficient entropy, etc.
  • Authorisation and access control: horizontal and vertical privilege escalation, client-side verification not enforced by the server.
  • Cross-site scripting (XSS): stored, reflected, DOM-based, etc.
  • SQL injection
  • Other injection vulnerabilities: OS command injection, NoSQL injection, LDAP injection, Expression Language injection, server-side template injection, XPath injection, etc.
  • Cross-site request forgery (CSRF)
  • Server-side request forgery (SSRF)
  • Insecure file upload
  • XML-related issues: XML external entities (XXE) attack, external DTD enabled, billion laughs attack, etc.
  • Unsafe deserialisation: Java, PHP, .NET, etc.
  • Business logic flaws
  • Unnecessary information disclosure

It is impossible to exhaustively cover all possible security vulnerabilities that may affect an application. Consequently, the aim of our test methodology is to act as a baseline, with additional tests and checks being performed by the consultant as necessary.

our approach

Every business is different, and our Agile Testing methodology is designed to be flexible to fit in with your development practices. Our general approach would typically be as follows:

1. scoping

We work with you to fully understand your organisation, your goals, your development practices, the application in question and your desired outcomes.

2. proposal & prerequisites

A proposal will be drawn up outlining the planned scope of work, a pre-agreed number of consultancy hours that will be made available and the preparations needed to start testing.

3. resources on standby

Our security consultants will be made available to you whenever you need them.

4. testing

When you need a part of your application tested, we will agree the number of hours to be spent and then perform the testing immediately. In accordance with agile principles, adaptability here will be key to achieving the best results without too much “red tape” and paperwork.

5. reporting

Security issues will be flagged and reported as part of the testing activity. This can be in any format that suits your development team, be it over chat, ticket, email or otherwise.

why choose us

Our agile testing is designed to support your security improvement efforts. It’s this support that truly sets us apart: our team is dedicated to reducing your cyber threat, passing on our wealth of expertise and providing you with the security assurances required.

experience and expertise

Our team of security consultants has years of experience and a depth of expertise in information security testing. We invest significant time into security research projects, honing and developing skills which allow our consultants to deliver the best possible results for your organisation.

dedicated contact throughout

Every organisation we work with is appointed a dedicated account manager. Our account managers understand the complexity of coordinating tests and will work with you to ensure your test runs smoothly.

testing tailored to your business

No two organisations are the same and neither are our agile tests. We work closely with you to fully understand your goals, the security challenges, operational needs, the application in question and your priorities before we undertake any work.

post-test support

Our job doesn’t finish with the delivery of a report: our expert consultants will be available to answer any questions, share their knowledge and provide remediation support.

contact us

Want to find out more about our agile testing service? Our team are on hand to provide you with the information and support you need. Please fill out the form below and one of our team will be in touch shortly.