Agile pentesting: frictionless security for development

December 2, 2025

Maintaining the development speed demanded by the business without compromising application security is a challenge in many of today’s business environments. This is especially true in the financial sector, where market demands are increasingly focused on digital interactions over physical ones.

This has led to a rush to be seen to have secured developments, often resulting in quick tests at the end of the development process that fail to provide effective vulnerability coverage. If a critical weakness is discovered at this stage, it can set agile processes back, delay releases, or even expose the company to reputational risks.

One example of a development vulnerability that went undetected due to the lack of proper pentesting during the secure development cycle occurred in 2018 at the Marriott hotel chain, when an attacker accessed the customer database via one of its developments, affecting customers up until September of that year. This exposed the confidential and financial data of nearly 500 million people, leading to an £18 million fine by the UK government two years after the incident.

Late-stage security always arrives too late.

Why are threats not detected?

The evolution of agile development methodologies has incorporated some security mechanisms into the development cycle, such as adaptations of traditional pentesting for short cycles, automated pentesting, or incremental pentesting.

However, in many more traditional companies, the pentesting process is still treated as a post-development activity, using traditional methods that tend to be lengthy and exhaustive, resulting in delays to the go-live of services. Even worse, to speed things up, pentesting time is often reduced.

Let’s consider a hypothetical case where a retail company wants to capitalise on a sales channel not yet exploited by competitors. A development is planned to integrate into the current app, with the development team given a three-week deadline to deliver the update, followed by one week for the pentesting team to validate it. After 15 days, the retail company's comms team makes a public announcement that a new update will soon launch to streamline the payment process for all customers.

When security lags behind the business, it always loses ground.

By the time the pentester reviews the update, the entire development lifecycle has already passed. If something critical is detected, the update has to be redeveloped. On top of that, the pentester is under pressure to carry out a thorough analysis in just a few days. If the update involves multiple changes, it’s likely that some parts won’t be reviewed within the allocated time.

Now suppose a high-severity vulnerability is detected that requires another week for the development team to fix, and at least a couple more days for Cyber Security to revalidate. Since the comms team already announced the update, it’s likely to go live as is, with a follow-up patch issued later to mitigate the risk. But by then, the attack window will have been fully opened.

An open attack window can cost more than any delay.

How should pentesting be integrated into agile development?

In most companies that follow best practices, an automated and dynamic pentesting approach has been adopted and embedded within the software development lifecycle. Whatever the approach, it is essential that developers and pentesters work closely together.

Let’s explore how each phase of the development lifecycle can benefit from this adaptive pentesting approach. These phases include planning, design, development, testing, implementation, and maintenance.

During the planning phase, integration is entirely collaborative. The pentesting team can contribute by identifying initial risks, enabling developers to clearly understand which threats they need to mitigate during development.

Security starts before writing the first line of code.

In the design phase, developers lay out the architecture on which the project will be built. This is a critical moment for Cyber Security analysts to contribute by identifying potential weak points, such as identity management or use of third-party components. These aspects can be validated through design-level testing.

During the development or coding phase, automated security tools are integrated to perform static application security testing (SAST) and dynamic application security testing (DAST). The next evolution of these traditional processes is interactive application security testing (IAST), which gives pentesting teams visibility into the internal structure of the application while also observing how it behaves under traffic.

This should be complemented by manual testing on specific segments of the application and by analysing the software's composition (the third-party libraries and components it depends on), helping uncover common vulnerabilities in both development and architecture.
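The text above says automated SAST and DAST tools are integrated into the development phase, but it does not show the mechanism that actually stops an insecure build from moving on to the next phase. The following is an added example (not code from the original article or from any particular scanner): a pipeline gate that reads a scanner's findings in the standard SARIF 2.1.0 format and fails the build when a finding at a blocking severity level is present or when warnings exceed a budget. The SARIF document is constructed inline as sample data; the rule identifiers, file paths and line numbers in it are assumptions for the example, not real findings.

```python
"""Build gate: fail a CI stage on high-severity SAST findings (SARIF input)."""
import json
from collections import Counter

# Constructed SARIF 2.1.0 document standing in for a SAST tool's output.
# It is sample data for this example, not the output of any real scanner.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitised input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/payments.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "level": "warning",
             "message": {"text": "MD5 used for password hashing"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/auth.py"},
                 "region": {"startLine": 17}}}]},
            {"ruleId": "todo-comment", "level": "note",
             "message": {"text": "TODO left in code"},
             "locations": []},
        ],
    }],
})


def load_findings(sarif_text):
    """Flatten every result in every run into rule/level/file/line records."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for result in run.get("results", []):
            # A result may carry no location at all; fall back to placeholders.
            first = (result.get("locations") or [{}])[0]
            loc = first.get("physicalLocation", {})
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "level": result.get("level", "warning"),  # SARIF's default level
                "file": loc.get("artifactLocation", {}).get("uri", "<unknown>"),
                "line": loc.get("region", {}).get("startLine"),
            })
    return findings


def evaluate_gate(findings, block_on=("error",), warning_budget=0):
    """Apply the policy: any finding at a level in `block_on` blocks the build,
    and so does exceeding `warning_budget` warnings. Returns a verdict dict."""
    counts = Counter(f["level"] for f in findings)
    blocking = [f for f in findings if f["level"] in block_on]
    over_budget = counts.get("warning", 0) > warning_budget
    return {
        "blocked": bool(blocking) or over_budget,
        "blocking": blocking,
        "counts": dict(counts),
    }


def run_gate(sarif_text, **policy):
    """Load findings, evaluate the policy and report what blocked the build."""
    verdict = evaluate_gate(load_findings(sarif_text), **policy)
    for f in verdict["blocking"]:
        print(f"BLOCK {f['rule']} at {f['file']}:{f['line']}")
    print("severity counts:", verdict["counts"])
    return verdict


if __name__ == "__main__":
    # Non-zero exit status is what makes the CI stage fail.
    result = run_gate(SAMPLE_SARIF, warning_budget=5)
    raise SystemExit(1 if result["blocked"] else 0)
```

The policy is deliberately separate from the parsing so that a team can tighten it over time (for example, lowering the warning budget each sprint) without touching the scanner integration, which is what keeps the gate from becoming the kind of late, all-or-nothing checkpoint the article warns against.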

Automation helps, but in-depth evaluation is what protects.

The testing phase is where pentesting teams have traditionally stepped in. After functional testing is complete, the development is handed over for attack simulation and threat detection. This makes the phase critical from both a business and security perspective; any missed vulnerability could have serious consequences in production.

During implementation, pentesting support is key for the infrastructure. Testing servers, containers, databases, lambdas, or any other component ensures not only the application but also its environment meets the required security standards.

In the final phase, maintenance, it’s crucial to establish ongoing support that’s not aimed at detecting functional errors, but at anticipating and correcting emerging vulnerabilities in system components. For this, persistent pentesting services have been developed in recent years, sometimes complemented by manual testing or even more aggressive techniques like red teaming.

Security doesn't end at launch: it begins its longest cycle.

Security is not an obstacle

For organisations with development teams or frequent software projects, development speed is key to staying competitive. But increasingly, it’s just as important, and necessary, to integrate pentesting at every phase of the application lifecycle. Unlike a few years ago, this is no longer optional but a strategic necessity.

Today, Cyber Security is no longer seen as an obstacle, but as a business agility enabler, provided it’s integrated proactively, collaboratively, and with automation. This approach not only improves the company’s security posture but also preserves the agility the market demands. Ultimately, integrated pentesting allows innovation to move forward with confidence, knowing that every line of code is backed by robust protection practices.

Well-integrated security drives business agility.
