Penetration Testing & DevOps

Figure: Phases of Penetration Testing

Penetration testing, AKA “pen test” is an authorized attempt by an individual or a team to exploit the existing vulnerabilities in an organization’s technical infrastructure and all components to determine whether unauthorized access or malicious activity is possible or not. It is often emphasized that pen testing is not a one-time activity. An organization must conduct pen tests regularly, either weekly, monthly or quarterly.

A pen test concludes after the tester(s) present their report and findings. This report basically conveys the efficiency of an organization’s existing security controls and defense mechanisms. Further, a successful pen test also predicts the potential losses suffered by an organization if the vulnerabilities found are exploited by the attackers.

Based on the location of the testing team, a pen test can be either external or internal. In an external test, as the name suggests, the testers perform their testing activities from outside. The testers may or may not be familiar with an organization or its technical infrastructure. The success of conventional external tests depends totally upon the ability of the testers. In internal testing, activities performed by testers look like an insider’s attack as the testers have some sort of authorized access to the organization’s technical infrastructure.

Importance of Penetration Testing in DevOps

As we have discussed, DevOps focuses on speedy completion of development processes for faster delivery of products and services. Not considering security in the development process has its own set of vulnerabilities. For example, stored data will be unencrypted, the code may be vulnerable to buffer overflow, or there might be a data leakage. Vulnerabilities and flaws in a product or a service can be endless if its security has not been considered.

In order to ensure that security is cohesively blended into DevOps penetration testing should be performed on an ongoing basis to keep up with the continuous developments. Realistically, performing penetration tests by hand can be a tedious task as it might slow down the development process. And if that happens, following DevOps principles will yield no benefits.

Hence, there is a dire need to conduct automated security tests to identify flaws, vulnerabilities, data leakage, and loopholes in a timely manner. These tests need to be conducted at a frequency such that they do not hamper development speed while at the same time enhancing data security. To start with, a properly defined plan for security in DevOps must be laid down.

First, the pen testing plan must consider development methodology and the environment in which a product or service is being developed. For example, a cloud-based application is being developed using agile methodology. Since this is a cloud-based application, you must get in touch with your cloud service provider to understand how to conduct application testing on their platform. If this is not done, then your tests will look like a DDoS attack on your account and the service provider might shut down your account as a part of standard procedure.

The second step is to define the scope of your automated tests along with selecting an appropriate tool that is capable of simulating a real-life cyber attack. While defining the scope, your tests should cover the network, connected devices, data transmission, access levels, degree of automation, and fulfillment of compliance requirements. Along with this, the ideal tool will automate most processes and require human intervention only in serious cases. A fully automated tool may not be the best choice for penetration testing in DevOps.

The third step is to document and report the findings of the testing tool and additional findings from the pentester. These findings must mention actions taken to address an issue found during the testing. Further, how people respond to a flaw may also indicate their level of confidence in the product under development.

Conclusion

Software and automation have continued to make our lives easier so far – and that will continue. Developers are the key personnel who have to be made security aware so that security is not forgotten. Also, the coordination between the development team and the security team has to be a two-way street so that a secure system is built and data integrity is considered everyone’s shared responsibility.

Discover the BreachLock advantage – where AI-innovation, human-validation of artifacts, and automated scans enable rapid remediation for DevOps during the penetration testing engagement. Schedule a discovery call now