Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cyber Security testing in an agile environment


Published on

How do you test your cyber security in an agile environment? Moving to a continuous testing methodology, applying red teaming, using a smart bugbounty program and having a well oiled incident response process help you maintaining your cyber security in an agile environment.

Published in: Internet
  • Be the first to comment

Cyber Security testing in an agile environment

  1. 1. Arthur Donkers Security Officer Interested in infosec, technology, organization and combining these all into one solution. Critical Security Architect Trainer for PECB (ISO27001, 27005, 31000) Convinced that Infosec is a means to an end, not a purpose in itself. Contact Information + 31-6-53315102
  2. 2. Cyber Security Testing How to align security testing to your agile cyber strategy
  3. 3. Agenda What is this all about? Who am I? Out with the old! In with the new!
  4. 4. Securitytesting in Cyber space Does classical penetration testing still fit in the rapidly moving cyberspace? Or do we need a new approach?
  5. 5. Who am I? Arthur Donkers Independent security consultant Security tester for mobile, IoT and hardware Trainer for PECB (ISO27001, 27005, 31000)
  6. 6. These are my opinions This presentation is based on MY personal experiences with MY clients and MY projects. Your mileage may vary, I just want to make you think about your current security testing strategy.
  7. 7. … one more thing ... I’m not a big fan of the term cyber, I think it is an empty term…
  8. 8. Classic testing strategies Classic security testing follows the waterfall project delivery model: SECURITY TEST
  9. 9. Classic testing strategies this means: - Test after delivery of product (but hopefully before actual deployment); - Within a set scope (only the product); - Within a limited timeframe (before release date); - With limited resources (people and money)
  10. 10. Classic testing strategies which leads to: - time crunch (prioritizing individual tests, features left untested); - limited security assessment (product is not assessed in its final environment); - Too little time to test (time crunch); - No testers available due to time shift (limited resource); - No time to fix things (no feedback).
  11. 11. Classic testing strategies Trying to swim upstream…
  12. 12. Classic testing strategies Same issues apply to regular testing as well, this is often part of a (mandatory) compliance program: - Limit scope (don’t test the scary stuff); - Limit time (need to be recertified yesterday); - Don’t care about the actual execution (having ANY test executed often considered sufficient).
  13. 13. Classic testing strategies Tick in the box exercise!
  14. 14. So now what? Modern development of products needs to adapt quickly and follow a risk based approach. This is often referred to as Agile Development
  15. 15. Agile testing strategy Security testing needs to be integrated into the incremental and continuous delivery cycle
  16. 16. Agile testing strategy Security testing is not a separate step anymore: - follow at least the risks identified in the agile cycle (and any additional risks identified); - embed security testers in project (secure development); - focus and prioritize (there is no 100%) - automate and tool up
  17. 17. Agile testing strategy Supporting environment (just an example):
  18. 18. Agile security management For your regular testing you should: - employ a red team (for continuous testing); - don’t limit the scope (let them think and work like a hacker); - actively and continuously manage the vulnerabilities and associated risks.
  19. 19. Agile security management What is ‘red team’ exactly? “Penetration testers assess organization security, often unbeknownst to client staff. This type of Red Team provides a more realistic picture of the security readiness than exercises, role playing, or announced assessments. The Red Team may trigger active controls and countermeasures within a given operational environment.” (Wikipedia)
  20. 20. Agile security management So it is a simulated attack, without the limitations of a regular penetration test to yield better and more complete results: A simulated hacker attack
  21. 21. Agile security management Continuous security testing uses the same approach, but in a continuous flow instead of an exercise.
  22. 22. Agile security management • Continuous security testing becomes part of your operational security process (vulnerability management) and gives you a realtime and continuous view on your current security posture. • This helps you to prioritize risk mitigation and resource allocation (put $$$ where it has the most effect). • And it fits very well into the continuous improvent which is part of ISO27001 
  23. 23. But wait! There’s more!
  24. 24. What then? All organizations have limited resources (people, time, money). Leverage the hacker community via a bugbounty program.
  25. 25. Bug bounty program Reward hackers for reporting bugs to you ’They’ have the time and dedication to look for bugs. You must set the right terms and conditions. And make sure you can handle the bug reports that will be pouring in (both in volume and quality!). If done properly, this could be an addition to your continuous testing team!
  26. 26. Bug bounty program Make sure you have at least: - set up a (responsible) disclosure policy; - set up a reward system (separate the wheat from the chaff); - set up an incident handling process (things may/will go wrong and/or trigger alarms).
  27. 27. Responsible disclosure Allow for people to report bugs and vulnerabilities to you: - without ‘punishing’ the reporter; - in a safe (and sometime anonymous) way; - using clear communication protocols. So you can resolve these bugs and vulnerabilities before they bite you!
  28. 28. Bug bounty program You can run your own bug bounty program, Or have a specialized company do it for you, like
  29. 29. Incident handling process In a continuous security testing strategy, the incident handling is necessary to catch all things that slip through the cracks. This is not an omission, but a result of the fact that you cannot test and secure everything. But you should prepare yourself!
  30. 30. Incident handling process
  31. 31. Wrapping up Old skool testing does not fit the bill anymore! Perform continuous testing; Think like a hacker using red team approach; Leverage the hacker community through bug bounty program; Prepare for incidents.
  32. 32. More info at:
  33. 33. THANK YOU ? + 31-6-53315102