The term continuous security in the context of web application security is best understood when paired with the well-known terms continuous integration and continuous deployment (CI/CD). Continuous security means that security is part of a continuous process – DevSecOps or, even better, SecDevOps.

The confusion around the word continuous

What makes the term continuous security slightly confusing is the fact that the word continuous can have several meanings in the context of cybersecurity. The dictionary definition of continuous is forming an unbroken whole; without interruption. Therefore, in the web application security space, the term continuous security is most often associated with real-time security solutions and continuous monitoring systems such as web application firewalls (WAF) and runtime application self-protection (RASP), which are designed to mitigate existing information security risks.

However, to protect your web apps against malicious hackers, you cannot rely on real-time activities only. To avoid cyberattacks and data breaches you must know your attack surface and eliminate the problems that create information security risks in the first place, not just mitigate them. This involves using a security scanner to discover known vulnerabilities such as SQL injection and cross-site scripting (XSS), as well as misconfigurations. Testing must then be followed by efficient vulnerability management, remediation, and validation.

It obviously makes no sense to run web application scans 24 hours a day. Therefore, in the sense of web application security testing, the word continuous means the same as it does for continuous integration and continuous deployment: security is interwoven into the whole software development lifecycle (SDLC), rather than being a one-off vulnerability scan just before release.

The evolution of continuous security

To understand continuous security, it’s best to compare today’s development practices with legacy project methodologies and look at the evolution of quality assurance and software testing in general.

In legacy methodologies such as waterfall, there is a stage dedicated to software testing. At this stage, tests are designed, then performed manually. Any discovered errors are then corrected by the developers. Security testing in legacy methodologies most often forms part of the manual testing phase and involves manual penetration testing only.

With the move to agile methodologies, software testing becomes part of the software development lifecycle. Any new or updated functionality is developed and then immediately tested afterward. However, for this to be possible, testing can no longer be manual. Businesses need to automate software quality assurance processes with the use of tools such as Selenium.

Unfortunately, security controls are often left behind and treated as in the older methodologies. Security testing is often performed manually by pen testers before the release stage instead of becoming part of the automation, even though today’s modern security scanning applications are well-suited for integration. In such not-truly-agile setups, security teams are kept in silos far away from the development teams.

How can you achieve continuous security?

It is only with the introduction of solutions that support continuous security that software development can become truly agile. However, due to the large number of false positives, which require manual handling and retesting of security vulnerabilities, most solutions that are supposedly designed for continuous security (such as SAST tools) make it difficult to achieve true automation.

To benefit from continuous security, you need a modern web application security solution, not just a simple vulnerability scanner. You need a solution that you can fully integrate with your existing systems, that won’t overwhelm you with false positives, and that will effectively let you make security part of your agile environment. And these are exactly the ideas behind the development of Acunetix.
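As an added illustration (not code from the original post, Acunetix, or any real scanner), here is a minimal CI gate in Python showing what interweaving scanning into the pipeline looks like in practice: it parses a constructed scan report, skips findings a reviewer has already triaged as false positives in a baseline, and fails the build only on new findings at or above a severity threshold. The report format, the baseline format and the sample findings are all assumptions made for this example.

```python
"""CI gate for a web application scan report.

Fails the build on new findings at or above a severity threshold, while a
reviewed baseline keeps known false positives from blocking every run.
The report format and baseline are constructed for this example; they are
not any scanner's real output."""
from dataclasses import dataclass
import json

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    vuln: str       # vulnerability class, e.g. "SQL Injection"
    location: str   # path and parameter the scanner flagged
    severity: str

    def key(self) -> str:
        # Stable identity so a baseline entry survives re-scans of the same build
        return f"{self.vuln}@{self.location}"

def parse_report(report_json: str) -> list:
    data = json.loads(report_json)
    return [Finding(f["vuln"], f["location"], f["severity"].lower()) for f in data["findings"]]

def gate(findings, baseline, min_severity="high"):
    """Return (blocking, accepted). 'baseline' maps finding key -> reason a
    reviewer recorded (false positive or accepted risk). Findings below the
    threshold are ignored; unreviewed findings at or above it block the build."""
    threshold = SEVERITY[min_severity]
    blocking, accepted = [], []
    for f in findings:
        if SEVERITY.get(f.severity, 0) < threshold:
            continue
        (accepted if baseline.get(f.key()) else blocking).append(f)
    return blocking, accepted

# Constructed sample scan output and reviewer baseline (not real scan data)
SAMPLE_REPORT = json.dumps({"findings": [
    {"vuln": "SQL Injection", "location": "/search?q", "severity": "High"},
    {"vuln": "Cross-site Scripting", "location": "/profile?name", "severity": "High"},
    {"vuln": "Missing X-Frame-Options", "location": "/", "severity": "Low"},
]})
SAMPLE_BASELINE = {"Cross-site Scripting@/profile?name": "Reviewed: output is HTML-escaped, false positive"}

if __name__ == "__main__":
    blocking, accepted = gate(parse_report(SAMPLE_REPORT), SAMPLE_BASELINE)
    for f in blocking:
        print(f"BLOCK {f.severity}: {f.vuln} at {f.location}")
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the CI job
```

The baseline is the vulnerability-management half of the loop: each entry records why a finding was accepted, so a retest can re-open it rather than silently suppressing it forever.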

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.