Background

DevOps and continuous delivery are changing the way software is delivered, enabling businesses to deploy software far more frequently than in the past, thereby improving time-to-market, consistency and application stability.

Automated unit, integration and acceptance tests, together with static code analysis, provide essential quality controls, but they focus on the functional aspects of the software, not on its security.

Current Scenario

Our current scenario is that we do all our development in an agile fashion, but because we have very strict requirements for making our applications secure, a pen-test must be performed before releasing.

This happens at the very end, which makes any findings risky to fix and poses a severe risk of delaying our release.

We also have a limited pool of security experts, and in some cases we may face a long wait before a pen-test can be performed.

And we are the lucky ones. We have security experts testing our code. We all know that this is not the case for a lot of web applications out there. Some have to hire expensive consultants, and some don't do any security testing at all.