Security Testing in Your Project: A Client Overview
Security is not optional — it is built into how we work. This article explains the security testing we perform during development and what you should consider for your ongoing security posture.
Security During Development
Security is incorporated throughout the development lifecycle, not just at the end:
- Secure coding standards: We follow OWASP guidelines to prevent common vulnerabilities (injection, XSS, CSRF, etc.)
- Dependency scanning: We use automated tools to detect known vulnerabilities in third-party libraries
- Code review: Security considerations are explicitly part of our code review checklist
- Static analysis (SAST): Automated tools scan code for security issues as part of our CI pipeline
- Secrets management: We never store credentials, API keys, or passwords in code repositories
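As an added illustration of the secrets-management and CI checks listed above (example code written for this overview, not a tool Progressive Robot ships), the script below scans source text for credential-shaped strings the way a pre-commit or pipeline check would. The patterns, the entropy threshold and the sample source file are all constructed for the example; `shannon_entropy` is used so that obvious placeholders such as `"changeme"` are not reported while random-looking literals are.

```python
import math
import re
import sys
from collections import Counter

# Constructed detection rules for this example. Real scanners carry far
# larger rule sets; these three show the two common approaches:
# fixed-format keys matched by shape, and generic assignments judged by entropy.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # No \b before the keyword: identifiers like DB_PASSWORD contain it mid-word.
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"
    ),
}

# Values below this Shannon entropy (bits per character) are treated as
# placeholders rather than real secrets. Threshold is an assumption for the example.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; higher means more random-looking."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = ENTROPY_THRESHOLD):
    """Return (line_number, rule_name, matched_value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                # Generic assignments are only reported when the literal looks random.
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append((lineno, rule, value))
    return findings


def scan_file(path: str):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample source file: one placeholder password, one fixed-format
# key, one random-looking API key and one private-key header.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "changeme"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"
api_key = "q7Vb2xP9sLm4Rt8wZk1Y"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Usage: python secret_scan.py [file ...]; with no arguments the sample is scanned.
    # Exits non-zero when anything is found, so a CI step or hook fails the commit.
    results = []
    for path in sys.argv[1:]:
        results += [(path,) + f for f in scan_file(path)]
    if not sys.argv[1:]:
        results = [("<sample>",) + f for f in scan_text(SAMPLE_SOURCE)]
    for path, lineno, rule, value in results:
        print(f"{path}:{lineno}: {rule}: {value[:12]}...")
    sys.exit(1 if results else 0)
```

Run against the embedded sample, lines 3, 4 and 5 are reported and line 2 is not, because `"changeme"` scores about 2.75 bits per character and falls under the threshold. A check like this is a safety net, not a substitute for keeping secrets out of the repository in the first place; it should sit beside secrets held in a vault or CI-provided environment variables.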
Penetration Testing
Penetration testing (pen testing) is an authorised simulated attack on your system to find vulnerabilities before malicious actors do. For projects handling sensitive data, financial transactions, or personal data at scale, we strongly recommend a professional pen test before go-live.
Pen testing can be arranged via Progressive Robot (as a quoted additional service) or by your own preferred third-party security firm. Either way, we will provide full technical documentation and co-operation.
OWASP Top 10
The OWASP Top 10 is an industry-standard list of the most critical web application security risks. Our development standards are designed to mitigate all OWASP Top 10 risks. If you have specific security compliance requirements (e.g. ISO 27001, Cyber Essentials, PCI-DSS), tell us at the outset so we can build accordingly.
After Launch
Security is ongoing. Vulnerabilities are discovered in dependencies continuously. We recommend annual pen tests for live systems and prompt application of all security patches — a key benefit of a managed services retainer.