25 July, 2019
Agile Methodology In Security Testing
Development teams work extensively on ensuring that the application being developed reaches the market in the shortest possible time (time to market, TTM). At the same time, security considerations can no longer be ignored. This creates a conflict between the goals of agile development methodologies and those of secure development. The best way out is to combine the two as agile security, which ensures the long-term viability of the application or software being developed. Agile security also addresses.
In an agile development environment made up of many short sprints, finding and fixing vulnerabilities and coding issues with traditional tools is time-consuming and slows overall development. Development teams need security testing tools that integrate cohesively into their development environment. These tools must be automated enough that human intervention is kept to a minimum. For example, the BreachLock Cloud Platform supports Jira API integration, so that whenever a finding is detected in a particular asset, a bug is raised on the relevant Jira board.
Ideal Features of Agile Security Testing
Figure 1: Ideal Features of Agile Security
- Accuracy: Many security tools generate a substantial number of false-positive alerts, which then have to be verified by security analysts. In a DevOps environment this is highly undesirable, so security testing tools with a minimum of false positives should be preferred.
- Automation: Automated tests should run at regular intervals so that they become part of the standard testing process. On the BreachLock platform, automated scans can be scheduled at various frequencies, such as daily, weekly, or monthly.
- Speed: In an agile or DevOps environment, time is of the essence, so decision-makers should select a security testing platform that consumes minimum time, but not at the cost of accuracy. On our platform, we complete most of our DAST scans within two and a half hours.
- Actionable Results: The results of security tests or scans must not raise more questions than they answer. We provide unlimited access to our security experts through the built-in ticketing system: a user can raise a ticket against each finding to get a clear understanding of the situation. In addition, all findings are prioritized by risk level and come with remediation support.
- Integration: The BreachLock cloud platform integrates with tools such as JIRA to become a cohesive part of your development ecosystem. With more such APIs under development, the security testing process can be further automated and simplified in a DevOps environment.
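The features above (low false positives, risk-based prioritization, and ticketing integration) come together in the pipeline step that consumes a scan's findings. The following is an added example written for this page, not BreachLock's own code or export format: it takes a constructed list of scanner findings, deduplicates them against tickets opened by earlier runs, routes unverified results to an analyst instead of creating a ticket, sorts the rest by risk, decides whether the build should fail, and builds the `fields` payload that Jira's create-issue REST endpoint accepts. The finding field names, the `SEC` project key and the label scheme are assumptions.

```python
import hashlib
import json

# Risk ranking used for prioritisation and the build gate.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample scanner output; the field names are an assumption,
# not BreachLock's real export format.
SAMPLE_FINDINGS = [
    {"asset": "api.example.test", "title": "Reflected XSS in search parameter",
     "severity": "high", "location": "/search?q=", "verified": True},
    {"asset": "api.example.test", "title": "Reflected XSS in search parameter",
     "severity": "high", "location": "/search?q=", "verified": True},  # exact duplicate
    {"asset": "api.example.test", "title": "Missing X-Content-Type-Options header",
     "severity": "low", "location": "/", "verified": True},
    {"asset": "app.example.test", "title": "SQL injection in login form",
     "severity": "critical", "location": "/login", "verified": False},  # not yet confirmed by an analyst
]


def fingerprint(finding):
    """Stable id for a finding so repeated scans do not open duplicate tickets."""
    key = "|".join((finding["asset"], finding["title"], finding["location"]))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def triage(findings, known_fingerprints=frozenset(), min_severity="medium"):
    """Dedupe, prioritise and gate one scan's findings.

    Returns a dict with:
      tickets      - new, verified findings sorted highest risk first
      needs_review - unverified findings routed to an analyst instead of a ticket
      gate_failed  - True if any new verified finding is at or above min_severity
    """
    seen = set(known_fingerprints)
    tickets, needs_review = [], []
    for f in findings:
        fp = fingerprint(f)
        if fp in seen:
            continue  # already ticketed by an earlier run, or a duplicate in this run
        seen.add(fp)
        item = {**f, "fingerprint": fp}
        (tickets if f.get("verified") else needs_review).append(item)
    tickets.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    threshold = SEVERITY_RANK[min_severity]
    gate_failed = any(SEVERITY_RANK[f["severity"]] >= threshold for f in tickets)
    return {"tickets": tickets, "needs_review": needs_review, "gate_failed": gate_failed}


def to_jira_issue(finding, project_key="SEC"):
    """Build the 'fields' object Jira's create-issue REST endpoint expects.

    Only the payload is built here; POSTing it to /rest/api/2/issue is left
    to the pipeline. The project key and label scheme are assumptions.
    """
    return {
        "fields": {
            "project": {"key": project_key},
            "issuetype": {"name": "Bug"},
            "summary": f"[{finding['severity'].upper()}] {finding['title']} on {finding['asset']}",
            "description": (
                f"Asset: {finding['asset']}\n"
                f"Location: {finding['location']}\n"
                f"Severity: {finding['severity']}\n"
                f"Fingerprint: {finding['fingerprint']}"
            ),
            "labels": ["security-scan", f"fp-{finding['fingerprint']}"],
        }
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for t in result["tickets"]:
        print(json.dumps(to_jira_issue(t), indent=2))
    print("needs analyst review:", [f["title"] for f in result["needs_review"]])
    # Non-zero exit makes the CI stage fail when a risky new finding appears.
    raise SystemExit(1 if result["gate_failed"] else 0)
```

The fingerprint label (`fp-…`) on each created issue is what lets the next run recover `known_fingerprints` from the tracker, so a finding that is already being worked on is not re-raised on every scheduled scan; routing unverified results to a review queue rather than a ticket keeps scanner guesses from flooding the sprint board.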
Security is definitely not the most exciting topic for DevOps or agile teams; for them, security considerations can be the sole source of stress and frustration. Developers did not get into application development because they wanted to run debugging tools or security tests for hours. Security issues found at the end of a project may take days, if not weeks, to resolve. As a result, the efficiency of the overall development process is reduced, which is not an outcome decision-makers want. However, all such issues can now be swiftly addressed, given the recent advances in agile security testing.