Application Security

Continuous Application Security vs Pentest

Periodical pentest execution guarantees Application Security in Application? After all, why don’t we just execute pentest on our applications?

If you have ever asked yourself this question, we brought some important considerations to reflect upon, before searching for a definite answer.  We can say that nowadays the majority of business has a strong core-based on software.

Therefore, it is not a surprise that when there is a security problem in an application, the impact is huge on some businesses. In times of laws, rules and other regulations that require more application security, we still have a lot of doubts hanging over application security issues.

One of these discussions is when we talk about adopting Continuous Application Security models to replace the use of specific tests, such as pentests. Let’s understand better each one of them.

What Continuous Application Security is

The concept of Continuous Application Security strongly brings the thought of integrating security tools into the CI / CD process.

When talking about CI / CD, we refer to the development pipeline with Continuous Integration / Continous Development. That is, it is a development model that requires a more careful look to manage development, considering that it is a development cycle that occurs faster and more dynamically.

The CI / CD hardening process involves tracking changes from end to end, which can be quite challenging when it comes to software that is already in pentests production.

So, what happens is that the more solutions are put on the development track – such as containers, microservices, and others – the more we need to automate processes and integrate tools.

Without these precautions, we are bound to find in our development processes points that will surely be considered bottlenecks, putting in check the agility that development needs today.

Finally, when we move to broader scenarios, we can consider that using security processes in teams already integrated with the DevOps methodology, we have DevSecOps as a development model.

And when we talk about security processes, we refer to both automated tools and steps performed manually by analysts and developers.

So it is just at this point that we have to pay extra attention to make the relationship between the processes chosen to promote software security.

This is because the use of security tools to analyze and correct the application by itself to add security to the development process cannot be considered the same as DevSecOps.

Using the DevSecOps approach goes far beyond using tools to make applications safer: it takes a change in posture and culture, not just tools.

SAST and DAST vs Pentest

We can state, as a comparative between Continuous Application and Pentest, the static and dynamic tests done through a development process, for instance.

In a model where there is continuity of secure steps within a development process, it is important to have not only SAST (Static Application Security Tests) but also DAST (Dynamic Application Security Tests): they occur on distinct levels.

While SAST is running to ensure coding security, being done directly on the repository, the tests DAST runs in a more advanced level, where the application is put on an operation to be tested.

Though, it is also worth when performing a Pentest. These tests can not be considered as isolated solutions to a security problem in an application. These tests use, like other resources, make the development process more secure, although, separated, they are just isolated points that help but don’t resolve.

After all, not only Pentest but also when using an automated analyses tool, remarks are made to point out vulnerabilities that need to be validated and corrected.  Not to mention in case of scans of vulnerability the showed results can be higher and filled with false-positives and even false-negatives –  which are much more dangerous.

However, working on the core of secure development is always an alternative that presents a better cost-benefit considering the results in the long run. The use of Continuous Application Security is a process, a set of resources that when implemented bring a change in the way developers work.

Hence, the result of implementing a Continuous Application Security process is mature software, more secure since the beginning.

What is a pentest?

A lot has been said about the performance of this type of test, and it is needed to acknowledge that yes, it can make a positive impact since it is executed within a defined and organized process.

However, Pentest can also end up guiding companies to a false feeling of security when done as a test that can show all fragilities in an application.

Therefore, we see that each test has its own importance and benefits, and it is necessary to understand how they work to be more productive and efficient, knowing the right moment to apply each one. Pentest is a type of test that should preferably be performed within the Continuous Application Security process, ideally in final stages, so that the security of an application in production can be observed.

When performing Pentests, we assume that the application to be tested is already operational and that we can verify that the planned and implemented security requirements are being effective in keeping the application secure.

Pentests can be performed completely manually. Usually, these tests are performed with the help of tools, which are used to support the analyst so that he can gain scale and perform more efficiently.

But look: Tools should be viewed as support, process support. After all, it is the analyst’s expertise and knowledge that will determine the success or not of the test.

Check the 3 types of Pentest

When we talk about Pentests modalities, we can consider that intrusion tests are performed in 3 basic ways, which we will explain below.

White Box Pentest

The first form is called a white box, and in this type of test, the analyst who will perform the test receives all information with administrator privilege to perform the test such as URL, login, and password.

This type of testing aims, in addition to identifying the vulnerabilities that may be present in the application, to go deeper into the target because it already has the relevant information to log in, without having to infer them.

Black Box Pentest

A second test model is a black box, where the attacker has no information about the target. In this type of test, the attacker will behave similarly to a real attacker, seeking to discover their weaknesses without any information.

Grey Box Pentest

The third type of test is a gray box, a mix between the two previous modes. In this, the attacker has some information and can follow some paths already known. This can help in evaluating specific parts of the application.

The important thing is to understand that each of these types of Pentest has advantages and disadvantages. The test must be performed within a standard that provides the information and insights desired by the company.

Of course, it should be noted that testing should be done by a team with appropriate technical knowledge and free from interference from the development teams.

What are the benefits of Application Security in Pentest?

We have seen above the main differences between Continuous Application Security and security testing, with the use of tools supporting analysts to make Penetration Testing attempts.

But first, in order to understand the benefits of each, we have to understand in which situation we should use each one.

Well, you may have noticed that when we talk about Continuous Application Security, we are talking about a much larger model that even addresses the realization of pentests. If we already understand this, it becomes easier to realize the advantages.

The main and most basic benefit of using a Continuous Application Security process is that it is much more structured and distributed throughout the development process, not just at the end of the pipeline.

As a process, it needs to be supported by several actions, features, and – in the case of development – tools that enable the automation of a good part of the process. This automation and use of safety-related actions throughout the process will result in a more mature and secure product as it has undergone evaluations throughout its development cycle.

Joining a Continuous Application Security program is ensuring that application security will be a priority since its inception. And that doesn’t mean Pentest doesn’t have its value: security testing also has its importance and timing.

When thinking of performing Pentests, or intrusion tests, we think of evaluating an application that is in the final stage of its development process.

This is because performing pentests shows not only developers but also everyone involved in the application development and security process, which vulnerabilities can be identified at application termination.

So we can understand that pentest is important, but it can’t be considered a substitute for a more structured process like Continuous Application Security.

Long story short…

As we considered in the topic above, the main issue to understand is that Pentest, or intrusion test, just like any other testing, is a component of a Continuous Application Security process.

The process, however, is much larger than performing spot tests. And unfortunately, many companies have the false impression that investing solely in isolate and periodic testing can give their development teams a broader view of how secure their applications are.

Pentest is but a photograph of how its application is at the time it was made: that is, once deployments and updates are performed, that photograph no longer matches the reality of the application.

This means that even if the vulnerabilities pointed out by Pentest are corrected and validated, after changes that may have been made even to correct vulnerabilities, new vulnerabilities may arise, and that pentest reality no longer exists.

Another important point to consider when talking about the maturity of Continuous Application Security and Development models is to invest in the knowledge of your team. Security testing can show your team that they are creating vulnerable code, but be sure to teach them how to improve!

In this case, it is worth thinking about a periodic Training Program on Safe Development and a Security Champions program so that the Safety knowledge agenda is always spread and stimulated among the teams.

So you have to understand that there is no shortcut: especially when it comes to faster and faster deliveries.

Therefore, either application security is achieved by building a well-structured and well-executed process, or a real level of security is not achieved in the applications created and delivered.

Nova call to action
About author


Over 15 years of experience in Information Security and Applications, graduated in Data Processing worked as a Professor and participated actively as an instructor on trainings to more than 6000 developers and IT teams. Father of two daughters and trader on free time.
Related posts
Application Security

Finding classes for exploiting Unsafe Reflection / Unchecked Class Instantiation vulnerabilities in Java with Joern

During a pentest engagement we found a Java application vulnerable to unsafe reflection [1]. This…
Read more
Application Security

Mitigating Vulnerabilities: Elevating Security Proficiency in Software Development

In the ever-evolving digital landscape, the significance of software security cannot be overstated.
Read more
Application Security

The Importance of Supply Chain to Application Security

When we think about software development, we usually think about complex technical concepts…
Read more

Deixe um comentário