Penetration test in a staging environment. When and how much?



  • We all know the discussion about when penetration testing makes sense. In a staging scenario it can be interesting to use the test environment to perform a penetration test. And, of course, also in production.

    But yesterday we had a discussion in the team about how often we want to test our projects for issues via the CI pipeline and a vulnerability scanner.

    The discussion turned into a heated exchange.

    • As little scanning as possible. Only once a week, which would make it sensible to integrate the high-risk issues into the respective sprint.
    • Permanent scanning via CI integration. But here the risk was raised that one might find too many false positives, which would exceed any sprint planning.
    • A possible drop in performance if several pages are scanned at the same time. This scenario is not impossible either, and I have experienced it in other projects. Scanning some pages took days.

    Do you have a sensible strategy for how and when to use penetration testing in an agile staging scenario?
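One way to reconcile the two positions in the post above is to keep the scanner running but gate the pipeline differently depending on the mode: a per-commit run blocks only on high/critical findings, while the scheduled weekly run blocks on medium and up and prints everything as input for sprint planning. Reviewed false positives are suppressed by (rule, URL) so they stop consuming planning time. The script below is an added example, not code from the original post or from any scanner project; the JSON report schema, the URLs under `staging.example.test`, the rule IDs and the suppression entry are all constructed for illustration. Adapt `parse_report()` to your scanner's real output format.

```python
"""CI gate for scanner findings: block on severity according to pipeline mode.

Added example. The report schema is constructed for this illustration and is
not the output format of any particular scanner.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass

# Constructed sample report: {"findings": [{rule_id, name, severity, url}, ...]}
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule_id": "SQLI-001", "name": "SQL injection", "severity": "high",
         "url": "https://staging.example.test/search?q=1"},
        {"rule_id": "CSP-001", "name": "Content-Security-Policy header missing",
         "severity": "medium", "url": "https://staging.example.test/login"},
        {"rule_id": "XCTO-001", "name": "X-Content-Type-Options header missing",
         "severity": "low", "url": "https://staging.example.test/"},
        {"rule_id": "XCTO-001", "name": "X-Content-Type-Options header missing",
         "severity": "low", "url": "https://staging.example.test/healthz"},
        {"rule_id": "SRV-001", "name": "Server version disclosure",
         "severity": "info", "url": "https://staging.example.test/"},
    ]
})

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Severity at which the pipeline starts blocking, per mode:
#   commit: runs on every push; block only on high/critical so sprints are not flooded
#   weekly: scheduled full scan; block on medium and up, list the rest for planning
POLICY = {"commit": "high", "weekly": "medium"}

# Reviewed findings accepted as false positives, keyed by (rule_id, url).
# Hypothetical entry: the health endpoint serves a fixed plain-text body.
KNOWN_FALSE_POSITIVES = {("XCTO-001", "https://staging.example.test/healthz")}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    name: str
    severity: str
    url: str


def rank(severity: str) -> int:
    """Map a severity label to a number; unknown labels fail closed as critical."""
    return SEVERITY_RANK.get(severity.lower(), SEVERITY_RANK["critical"])


def parse_report(raw: str) -> list[Finding]:
    """Parse the constructed JSON schema into Finding objects."""
    doc = json.loads(raw)
    return [Finding(f["rule_id"], f["name"], f["severity"], f["url"])
            for f in doc["findings"]]


def triage(findings: list[Finding], mode: str, suppressions: set[tuple[str, str]]):
    """Split findings into (blocking, backlog, suppressed) for the given mode."""
    threshold = rank(POLICY[mode])
    blocking, backlog, suppressed = [], [], []
    for f in findings:
        if (f.rule_id, f.url) in suppressions:
            suppressed.append(f)
        elif rank(f.severity) >= threshold:
            blocking.append(f)
        else:
            backlog.append(f)
    return blocking, backlog, suppressed


def summarize(findings: list[Finding]):
    """Collapse per-URL findings to one row per rule, highest severity first."""
    counts: dict[tuple[str, str, str], int] = {}
    for f in findings:
        key = (f.severity, f.rule_id, f.name)
        counts[key] = counts.get(key, 0) + 1
    rows = [(sev, rid, name, n) for (sev, rid, name), n in counts.items()]
    return sorted(rows, key=lambda r: -rank(r[0]))


def gate(raw: str, mode: str, suppressions=KNOWN_FALSE_POSITIVES) -> int:
    """Return the CI exit code: 1 if anything blocks in this mode, else 0."""
    blocking, backlog, suppressed = triage(parse_report(raw), mode, suppressions)
    print(f"[{mode}] blocking={len(blocking)} backlog={len(backlog)} "
          f"suppressed={len(suppressed)}")
    for sev, rid, name, n in summarize(blocking):
        print(f"  BLOCK   {sev:8} {rid:10} {name} ({n} URL(s))")
    for sev, rid, name, n in summarize(backlog):
        print(f"  backlog {sev:8} {rid:10} {name} ({n} URL(s))")
    return 1 if blocking else 0


if __name__ == "__main__":
    # Usage: python gate.py commit   or   python gate.py weekly
    sys.exit(gate(SAMPLE_REPORT, sys.argv[1] if len(sys.argv) > 1 else "commit"))
```

Unknown severity labels deliberately fail closed (treated as critical) so a scanner upgrade that renames a level cannot silently turn the gate green; the suppression list should live in the repository and go through code review like any other change.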



  • I'm more in favor of static code analyzers (e.g. SonarQube), which also inspect the code for some common OWASP issues once per sprint.


