security assurance as part of your development lifecycle
Traditional penetration testing typically takes place at the end of the development lifecycle, prior to go-live, ensuring that no major security flaws are present. This approach certainly has its place, and we would always recommend testing an application or system as a whole at least annually.
However, in today’s fast-moving DevOps world, this approach needs to be complemented with flexible, less time-consuming and more ad-hoc testing that fits the agile development methodology.
In these cases, clients don’t want a full penetration testing report of their entire application. Rather, they want someone to spend a short amount of time looking at a particular feature, or area of the application, and instead of delivering a lengthy report, they want a ticket, or even an informal chat on a Slack channel.
Our agile testing service has been designed to meet these needs.
the benefits of agile testing
what we test
Examples of the types of vulnerabilities we look for and the areas we assess include:
- Authentication: weak/default credentials, flawed password reset mechanism, inappropriate password policy, inadequate protection against brute force attack, credentials exposed over HTTP, insecure password storage, user enumeration, etc.
- Session management: weak session cookie configuration, inappropriate timeout settings, flawed logout mechanism, session fixation, session token generated with insufficient entropy, etc.
- Authorisation and access control: horizontal and vertical privilege escalation, client-side checks not enforced by the server.
- Cross-site scripting (XSS): stored, reflected, DOM-based, etc.
- SQL injection
- Other injection vulnerabilities: OS command injection, NoSQL injection, LDAP injection, Expression Language injection, Server-side template injection, XPath injection, etc.
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Insecure file upload
- XML-related issues: XML external entities (XXE) attack, external DTD enabled, billion laughs attack, etc.
- Unsafe deserialisation: Java, PHP, .NET, etc.
- Business logic flaws
- Unnecessary information disclosure
It is impossible to exhaustively cover all possible security vulnerabilities that may affect an application. Consequently, the aim of our test methodology is to act as a baseline, with additional tests and checks being performed by the consultant as necessary.
Every business is different, and our Agile Testing methodology is designed to be flexible to fit in with your development practices. Our general approach would typically be as follows:
We work with you to fully understand your organisation, your goals, your development practices, the application in question and your desired outcomes.
2. proposal & prerequisites
A proposal will be drawn up outlining the planned scope of work, a pre-agreed number of consultancy hours that will be made available and the preparations needed to start testing.
3. resources on standby
Our security consultants will be made available to you at any time you need them.
When you need part of your application tested, we will agree on the number of hours to be spent and then perform the testing immediately. In accordance with agile principles, adaptiveness here will be key to achieving the best results without too much “red tape” and paperwork.
Security issues will be flagged and reported as part of the testing activity. This can be in any format that suits your development team, be it over chat, ticket, email or otherwise.
why choose us
Our agile testing is designed to support your security improvement efforts. It’s this support that truly sets us apart: our team is dedicated to reducing your cyber risk, passing on our wealth of expertise and providing you with the security assurances you require.
Want to find out more about our agile testing service? Our team are on hand to provide you with the information and support you need. Please fill out the form below and one of our team will be in touch shortly.