Penetration test in a staging environment. When and how much?
emmalee
We all certainly know the discussion about when penetration testing makes sense. In a staging scenario, the test environment can be an interesting place to perform a penetration test. And, of course, in production too.
But yesterday we had a discussion in the team about how often we want to test our projects for issues via the CI pipeline and vulnerability scanner.
The discussion turned into a heated exchange of blows:
- As little scanning as possible. Only once a week would make sense, so that the high-risk issues can be integrated into the respective sprint.
- Permanent scanning via CI integration. But here the risk was raised that one might find too many false positives, which would go beyond any sprint planning.
- A possible drop in performance if several pages are scanned at the same time. This scenario is not impossible either, and I have experienced it in other projects: scanning some pages took days.
Do you have a meaningful strategy for how and when to use penetration testing in an agile staging scenario?
I'm more in favor of static code analyzers (e.g. SonarQube), which also inspect the code for some common OWASP issues once per sprint.
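One way to keep continuous scanning from flooding sprint planning with false positives, shown here as an added illustration and not as code from the original post: a gate in the CI pipeline that compares the scanner's current findings against a triaged baseline of accepted findings, fails the build only on new findings at or above a chosen severity, and routes the rest to the backlog for the weekly review. The finding format, the `rule`/`path`/`param` fields and the sample reports are constructed for this example; a real scanner's output would need its own loader.

```python
"""Baseline gate for CI vulnerability-scan results (illustrative example).

The JSON shapes below are constructed for this example, not a real scanner's
format: a scan report is {"findings": [{rule, path, param?, severity}, ...]}
and a baseline is {"accepted": [{rule, path, param?, reason}, ...]}.
"""
import json

# Severity ordering used for the fail threshold.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def finding_key(finding):
    """Identity of a finding: rule + location, so line-number drift does not
    produce a 'new' finding on every commit."""
    return (finding["rule"], finding["path"], finding.get("param", ""))


def load_baseline(baseline_text):
    """Map accepted finding keys to the triage reason recorded for them."""
    data = json.loads(baseline_text)
    return {finding_key(f): f.get("reason", "") for f in data["accepted"]}


def gate(scan_text, baseline_text, fail_at="high"):
    """Split scan findings into (blocking, backlog, suppressed).

    blocking   : new findings (not in the baseline) with severity >= fail_at
    backlog    : new findings below the threshold, reported but non-blocking
    suppressed : findings already triaged in the baseline, with their reason
    """
    findings = json.loads(scan_text)["findings"]
    baseline = load_baseline(baseline_text)
    threshold = SEVERITY_RANK[fail_at.lower()]
    blocking, backlog, suppressed = [], [], []
    for f in findings:
        key = finding_key(f)
        if key in baseline:
            suppressed.append((f, baseline[key]))
        elif SEVERITY_RANK[f["severity"].lower()] >= threshold:
            blocking.append(f)
        else:
            backlog.append(f)
    return blocking, backlog, suppressed


def pipeline_should_fail(scan_text, baseline_text, fail_at="high"):
    """True when at least one new finding reaches the failure threshold."""
    return bool(gate(scan_text, baseline_text, fail_at)[0])


# Constructed sample data: one new high finding, one baselined high finding,
# and two lower-severity findings that should land in the backlog.
SAMPLE_SCAN = json.dumps({"findings": [
    {"rule": "sqli", "path": "/api/search", "param": "q", "severity": "high"},
    {"rule": "xss-reflected", "path": "/legacy/echo", "param": "msg", "severity": "high"},
    {"rule": "missing-csp", "path": "/", "severity": "low"},
    {"rule": "cookie-no-secure", "path": "/login", "severity": "medium"},
]})

SAMPLE_BASELINE = json.dumps({"accepted": [
    {"rule": "xss-reflected", "path": "/legacy/echo", "param": "msg",
     "reason": "triaged 2024-W10: output is HTML-escaped by the template (false positive)"},
]})


if __name__ == "__main__":
    blocking, backlog, suppressed = gate(SAMPLE_SCAN, SAMPLE_BASELINE)
    for f in blocking:
        print("BLOCKING:", f["rule"], f["path"], f["severity"])
    for f in backlog:
        print("backlog :", f["rule"], f["path"], f["severity"])
    for f, reason in suppressed:
        print("accepted:", f["rule"], f["path"], "-", reason)
    raise SystemExit(1 if blocking else 0)
```

The baseline file is the team's triage record: a finding only gets into it with a reason, so accepting a false positive is a reviewed commit rather than a silent scanner setting, and the threshold can be tightened (for example to `medium`) once the backlog is under control.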