Chip & System Security Testing 
Mobile & Backend Security Testing 
Our Company 
Contact us
Back to all articles
Mobile App & Software

Penetration Testing in the world of DevSecOps

4 min read
Edit by Hlib Budylo • May 5, 2023

Penetration testing is essentially the “art” of testing a system or application remotely to find security vulnerabilities, without knowing the inner workings of the target itself, cf.

When people say they need a "pentest", often it really means they want to improve security so they request a pentest because it is a popular practice. But there are a lot of different security practices, or better put, security operations. Let's look at some of the most popular ones:

  • Penetration Testing
  • Security Audit
  • Vulnerability Scan
  • Secure Design and Architecture
  • Bug Bounty Program
  • Risk assessment
  • Code review
  • Threat modeling
  • Security monitoring
  • Hardening

As you can see, there are really a lot of different things you can do but surely you can't use them all, isn’t it just too much to do?


The Role of Penetration Testing in a Security Strategy

Actually, you can and should use all of them effectively by spreading them evenly all through the development lifecycle. First comes secure design and threat modeling before product development, then adding scanners into pipeline and code reviews, later after product release you start pentests, audits/compliance, hardening, and finally bug bounties.

The problem is that in real life, security is often an afterthought in software development. Companies often lack resources and experience to provide secure solutions, and that is why they seek support from specialized parties - this is the root of the popularity of pentests, security scanners, obfuscators and bug bounty. That is because all of these can be done by a third party AFTER you already have a working - and maybe even commercially successful product or service.

But don't be fooled - the earlier you take action the better value you get. Those early security considerations in design and safe pipelines, updates checks and security policies give out so much more value-for-money and often can be done in-house without hiring external specialists.

In case you don't actually have a DevSecOps approach implemented, you still have IT infrastructure and deployment. So while code review might be not so relevant, other things do matter. For example, security design decisions exist: even if you did not consciously approve and took any of those, somebody had to. It may be IT personnel or a third party who set up a website or your corporate network. And if you are able to do it consciously and in an accountable manner, you will quickly improve your security posture.

To quote OWASP on this matter:

QUOTE_Pentest-DevSecOps.png There is No Silver Bullet - While it is tempting to think that a security scanner or application firewall will provide many defenses against attack or identify a multitude of problems, in reality there is no silver bullet to the problem of insecure software. Application security assessment software, while useful as a first pass to find low-hanging fruit, is generally immature and ineffective at in-depth assessment or providing adequate test coverage. Remember that security is a process and not a product.


In this regard, pentest is only a part of security operations and exists for specialized purposes. This purpose, if put very narrowly, is to answer the question “How an actual malicious actor would attack this system and how much damage their actions can bring?”

In order to achieve this, we step in as an attacker, using the same set of tools and techniques that an actual attacker would use to target the system. The effects that an attack creates in a system - average load, defensive and response of an alerting system, trace in logs - all of it is similar to real attack.


Integrating Penetration Testing in your development lifecycle

As you can see, the goals of a penetration testing can be uncomfortably narrow in purpose and as I said in the beginning people often don't actually need a pentest, they want to secure their systems.

That is why eShard often tries to create a personalized solution which fits those customer needs - to combine pentest with design overview, risk assessment, etc. We provide a wide range of security support, help people with secure design and reviewing their policies, perform specialized training to help our customers, provide support on vulnerability mitigations, prepare hardening and operation recommendations.

Contact us to know more.



All articles
Case Studies
Chip Security
Corporate News
Mobile App & Software
Vulnerability Research

you might also be interested in

Vulnerability Research

Discover esReven's knowledge modules for Reverse Engineering

1 min read
Edit by Mathieu Favréaux • Jun 29, 2023
CopyRights eShard 2023.
All rights reserved
Privacy policy | Legal Notice
Side Channel AnalysisLaser & EM Fault InjectionFirmware Security AnalysisSecurity Failure AnalysisVulnerability ResearchMAST: Mobile Application Security Testing