How frequently do you perform penetration testing of your web applications? Is there a way to automate pen tests as part of the CI/CD process?

8.4k views, 6 upvotes, 5 comments
Engineer, 3 months ago

Pentesting is done once every year. 

IT Manager in Energy and Utilities, a year ago

We normally perform a pen test before the application goes live, then once every year. From my experience, the actual pen test needs variation and hence can’t be easily automated.

Information Security Analyst, a year ago

I would say the testing should be done once every new module is brought into the application.

IT Analyst in IT Services, 2 years ago

It is recommended to perform penetration testing on web applications at least once a year or after significant changes are made to the application. However, more frequent testing, such as quarterly or monthly, may be necessary for highly critical applications.

As for automating pen tests as part of the CI/CD process, yes, it is possible. This is commonly known as "Continuous Penetration Testing." It involves integrating automated penetration testing tools into the CI/CD pipeline to identify and report vulnerabilities in real-time. This helps to ensure that any new vulnerabilities introduced by code changes are detected and remediated early in the development process. There are many commercial and open-source tools available that can be used to automate pen tests as part of the CI/CD process.

no title, 2 years ago

Thanks for the update. Will check out tools for the same.
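
The kind of pipeline step the IT Analyst's answer above describes, as an added example that is not part of the thread: a Python gate that compares the current automated scan report with a baseline and fails the build only for newly introduced findings at or above a severity threshold. The report schema, rule names and sample findings are constructed for illustration and do not correspond to any particular scanner.

```python
"""CI gate: fail the build only on findings the change introduced."""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def fingerprint(finding):
    # Identify a finding by rule + location rather than by scan-run id,
    # so the same issue matches across pipeline runs.
    return (finding["rule"], finding["url"], finding.get("param", ""))

def new_findings(baseline, current):
    # Baseline = findings already triaged from the previous release's scan.
    known = {fingerprint(f) for f in baseline}
    return [f for f in current if fingerprint(f) not in known]

def gate(baseline, current, fail_at="high"):
    """Return (exit_code, blocking, advisory) for the pipeline step."""
    threshold = SEVERITY_RANK[fail_at]
    blocking, advisory = [], []
    for f in new_findings(baseline, current):
        # Unknown severity labels are treated as blocking (fail closed).
        rank = SEVERITY_RANK.get(f.get("severity", "").lower(), threshold)
        (blocking if rank >= threshold else advisory).append(f)
    return (1 if blocking else 0), blocking, advisory

# Constructed sample reports (hypothetical schema, not a real tool's output).
BASELINE = json.loads("""[
 {"rule": "missing-csp-header", "url": "/", "severity": "low"},
 {"rule": "sql-injection", "url": "/search", "param": "q", "severity": "high"}
]""")
CURRENT = json.loads("""[
 {"rule": "missing-csp-header", "url": "/", "severity": "low"},
 {"rule": "sql-injection", "url": "/search", "param": "q", "severity": "high"},
 {"rule": "reflected-xss", "url": "/profile", "param": "name", "severity": "High"},
 {"rule": "cookie-no-secure-flag", "url": "/login", "severity": "medium"},
 {"rule": "custom-check-17", "url": "/api/v2", "severity": "sev-1"}
]""")

if __name__ == "__main__":
    code, blocking, advisory = gate(BASELINE, CURRENT)
    for f in blocking:
        print(f"BLOCK  {f['severity']:<8} {f['rule']} at {f['url']}")
    for f in advisory:
        print(f"WARN   {f['severity']:<8} {f['rule']} at {f['url']}")
    raise SystemExit(code)  # non-zero exit fails the CI job
```

Findings already in the baseline do not block the build here, so the baseline itself needs an owner and a remediation schedule outside the pipeline.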
