What do you suggest in terms of continuous integration vis-à-vis penetration testing? In your experience, have you seen pen testing done on a nightly/weekly basis from a CI server (Bamboo, Jenkins), etc.?
I'd say that continuous integration testing is quite a different thing from penetration testing. I have seen where security testing has been built into testing on a regular basis and I think it's valuable when done as part of the development and build process rather than after the fact. Trying to do testing after the fact isn't as helpful and the more security is built into the development process, the better off everyone is. Earlier reporting of issues allows for more rapid fixing. Ideally, before the ship rather than in a patch afterwards.
Great. Thanks for the reply. So you are recommending including pen testing as part of the process. Like after every sprint, run a pen test to see if there are any issues?
I don't think I'd refer to that as penetration testing but after every sprint, I would strongly recommend adding in a variety of security testing to whatever other testing you are doing. Anomaly testing is really good. Boundary testing in a serious way, rather than just testing the programmer's assumptions. Input validation. Lots and lots of input validation, including using anomaly testing.
Ric
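The anomaly and boundary input testing Ric recommends, as an added example that is not part of the thread: a hypothetical order-quantity validator in its "programmer's assumptions" form beside a hardened one, both run through a constructed corpus of boundary and anomalous inputs so a CI job (Jenkins, Bamboo) can fail the build whenever an input escapes as an unexpected exception.

```python
"""Anomaly/boundary input tests of the kind recommended above, as a CI-runnable script.
Hypothetical target: a validator for an order-quantity form field (not from the thread)."""

MAX_QTY = 10_000

class ValidationError(ValueError):
    """The only exception a validator is allowed to raise for bad input."""

def parse_quantity_naive(raw):
    """Typical 'programmer's assumptions' version: trusts that raw is a str of digits."""
    value = int(raw.strip())
    if value > MAX_QTY:
        raise ValidationError("too large")
    return value

def parse_quantity(raw):
    """Hardened version: checks type, length, character class and range before int()."""
    if not isinstance(raw, str):
        raise ValidationError("quantity must be a string")
    if len(raw) > len(str(MAX_QTY)):            # bound length before int(): huge digit
        raise ValidationError("too long")        # strings hit CPU/conversion limits
    if not (raw.isascii() and raw.isdigit()):   # str.isdigit() also accepts Unicode digits
        raise ValidationError("must be ASCII digits")
    value = int(raw)
    if not 1 <= value <= MAX_QTY:
        raise ValidationError("out of range")
    return value

# Constructed corpus: boundaries of the range plus anomalies a form could actually submit.
ANOMALY_INPUTS = [
    "", "0", "1", "10000", "10001", "-1", "+5", " 7", "1e3", "0x10",
    "\u0663", "\uff11\uff12", "9" * 5000, "5\x00", None, 5, 5.0, b"5",
]

def run_anomaly_suite(validator, inputs=ANOMALY_INPUTS):
    """Return (accepted, rejected, crashes). 'crashes' are inputs that escaped as an
    exception other than ValidationError: the validator trusted something it should not."""
    accepted, rejected, crashes = [], [], []
    for raw in inputs:
        try:
            accepted.append((raw, validator(raw)))
        except ValidationError:
            rejected.append(raw)
        except Exception as exc:
            crashes.append((raw, type(exc).__name__))
    return accepted, rejected, crashes

if __name__ == "__main__":
    for fn in (parse_quantity_naive, parse_quantity):
        acc, rej, crashes = run_anomaly_suite(fn)
        print(f"{fn.__name__}: accepted={len(acc)} rejected={len(rej)} crashes={crashes}")
    raise SystemExit(1 if run_anomaly_suite(parse_quantity)[2] else 0)  # non-zero fails the build
```

The naive validator accepts 0, negative numbers, Unicode digits and bytes, and crashes on None, empty strings and embedded NUL; the hardened one rejects all of them without a crash, which is what the suite asserts.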