2020-06-17

If software is eating the world, then DevOps is eating software development. The practice of DevOps combines development (Dev) and IT Operations (Ops) to enable the acceleration of development life cycles and the continuous delivery of software.

However, information security, and in particular application security, is being challenged as DevOps proliferates. In a recent study I conducted along with Cobalt.io, DevOps-oriented companies were found to have expanded pentest deployments against production applications, rather than taking the more difficult route of building security directly into their DevOps pipelines.

This study, Pentest as a Service Impact Report: 2020, found that application security (appsec) continues to rise as a top priority for companies. Where security teams used to hold exclusive responsibility for appsec, today's modern enterprises prefer a shared-responsibility model between development and security.

The data for this study was drawn from in-depth interviews with five companies deploying a Pentest as a Service solution. The companies are SaaS and enterprise software providers, ranging from large, publicly held companies to mid-sized organizations.

The most significant findings of the study are as follows:

Security drives pentesting adoption, not compliance: A similar study conducted in 2017 found that compliance was the primary driver for adopting pentesting at that time. This time around, however, all the companies interviewed cited heightened security awareness and management mandates to secure applications and services as the top driver.

Companies are expanding pentest scopes and frequency: The study found that companies are testing 100% of their applications on an annual basis. Some test their business-critical apps more frequently. This is distinctly different from 2017, when companies were only testing their most business-critical applications. Additionally, companies have expanded the scope of pentesting to include APIs and microservices.

Pentest-as-a-Service enables a culture of close collaboration between security and dev: The study found that deploying Pentest-as-a-Service allows direct engagement between dev, infosec, and testers, which often leads to faster results and fewer false positives. Pentest-as-a-Service also provides ongoing visibility into test results, which helps to reduce friction and foster collaboration between security and engineering.

Pentest-as-a-Service has a lower overhead than professional-services-based pentesting: Pentest-as-a-Service provides ongoing, real-time test results and an engagement platform, making triage and validation visibly more efficient. Users pointed to faster course correction, better documentation, and easier triage efforts when compared to traditional manual testing. Consequently, Pentest-as-a-Service results in fewer false positives and more impactful outcomes.

The proliferation of DevOps has fundamentally changed software development. At the same time, it presents unique challenges to application security measures, which must adapt to accommodate modern development practices.

Pentest-as-a-Service favors communication, transparency, and real-time collaboration, all of which are critical in a fast-paced software development environment. DevOps-focused organizations should consider adopting Pentest-as-a-Service to better respond to customer needs, increase confidence in the software they build, and ultimately achieve business outcomes faster and more efficiently.

