The world of software development has changed. Nowadays, around 65% of software projects use agile development. Through Continuous Integration (CI) and Continuous Deployment (CD), companies can react faster to market trends and publish new versions of their software much more frequently than before. These developments also lead to new challenges in software security testing, as the security tests also have to adapt to the shorter development lifecycles and become more agile.
New kinds of software development also require a new way of testing. The days when a software project took a year from initiation to deployment, with a manual security check at the end, are over. Manual security testing can no longer keep pace with software that is often rolled out several times a week.
Therefore, testing needs to be automated and integrated into developers' daily workflow. The Open Web Application Security Project (OWASP) calls this form of testing continuous security (testing).
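What "integrated into developers' daily workflow" looks like in practice is a pipeline stage that runs a scanner on every commit and fails the build when findings exceed a policy threshold. The following is an added, illustrative gate script, not code from the article or from OWASP; it assumes a constructed JSON report format (one finding per entry with `rule`, `severity`, `file` and `line` keys) standing in for a real scanner's output, and a hypothetical pair-based allowlist for accepted findings.

```python
"""Minimal CI security gate (illustrative example, not from the article).

Reads a scanner report in a simple, constructed JSON format, applies a
severity policy, and exits non-zero when blocking findings remain so the
pipeline stage fails. Real tools emit their own formats (SARIF and the
like), so load_findings() is the part you would adapt.
"""
import json
import sys

# Severity order used by the policy; anything not listed is rejected.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, standing in for a scanner's output file.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule": "hardcoded-secret", "severity": "high", "file": "app/config.py", "line": 12},
        {"rule": "weak-hash-md5", "severity": "medium", "file": "app/auth.py", "line": 40},
        {"rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 3},
        {"rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 88},
    ]
})


def load_findings(report_text):
    """Parse the report and reject findings with an unknown severity label."""
    data = json.loads(report_text)
    findings = data.get("findings", [])
    for f in findings:
        if f.get("severity") not in SEVERITY_RANK:
            raise ValueError(f"unknown severity in finding: {f!r}")
    return findings


def blocking_findings(findings, threshold="high", allowlist=()):
    """Return findings at or above the threshold that are not allowlisted.

    The allowlist holds (rule, file) pairs that a reviewer has accepted;
    keying on the pair rather than the rule alone keeps an exception for
    one file from silencing the same rule everywhere.
    """
    floor = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= floor
        and (f["rule"], f["file"]) not in allowlist
    ]


def gate(report_text, threshold="high", allowlist=()):
    """Return (exit_code, blocking): 0 passes, 1 fails the pipeline stage."""
    blocking = blocking_findings(load_findings(report_text), threshold, allowlist)
    return (1 if blocking else 0), blocking


def main(argv):
    # With a path argument the real report is read; without one the
    # constructed sample is used so the script runs stand-alone.
    report_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    code, blocking = gate(report_text)
    for f in blocking:
        print(f"{f['severity'].upper():8} {f['rule']} {f['file']}:{f['line']}")
    print("security gate:", "FAIL" if code else "PASS")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running the script without arguments fails on the sample report because two findings sit at or above the `high` threshold; the process exit code is what the CI runner acts on, which is why the policy decision lives in `gate()` rather than in the printing.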
The cost of defects is well researched in quality management. For example, the rule of ten states that an error detected at a particular stage of product development costs ten times more to correct than if it had been found one stage earlier. Compared to a mistake caught in the planning phase, an error that reaches the production phase can cost up to 1000 times more. These figures are similar for software security errors (i.e., vulnerabilities).
In agile software development, where a two-week development sprint covers all phases from planning to development to customer presentation, the value of testing increases radically.
Continuous Security guarantees that every software version is tested during the development phase. Unlike manual security testing, which is often performed only for major releases, every version is tested before it is released. This type of testing enables early error detection in the development lifecycle, which saves time and cost while raising the security level of the developed product.