The Perfect Pair: Testing and Security

essidsolutions

IT teams are under constant pressure, whether developing new applications or implementing off-the-shelf solutions. But the threat of hackers is increasing as tools and technologies become more sophisticated. This is why testing and security must go hand in hand, says Robert Castles, Chief Technology Officer at PMG.

With the need for speed in mind, teams often have the mindset that security and testing create blockades and slow implementation down. This opens the back door for cybercriminals, who bank on developers and IT taking shortcuts.

However, testing makes software application development and deployment teams more agile, capable and secure. Testing drives security – a practice that is becoming even more critical given the recent news of open-source vulnerabilities and accompanying breaches.

Avoid Shortcuts – and Headlines

One of the biggest gateways cybercriminals use to worm their way into a company is the software itself, whether off-the-shelf or custom, network or desktop, on-premises or cloud. And as they’re pressured to produce, development teams often use third-party open-source libraries and tools, which, unfortunately, can come with unknown weaknesses.

For example, the Log4Shell vulnerability (CVE-2021-44228) in the widely used Apache Log4j library raised alarm across the technology and security communities. It affected systems and services running Apache Log4j 2 from version 2.0-beta9 through 2.14.1, and with them a broad range of Java applications and services.

According to Glen Pendley, Deputy Chief Technology Officer at Tenable, as reported by CISOMAG, “Everything across heavy industrial equipment, network servers, down to printers, and even your kid’s Raspberry Pi is potentially affected by this flaw.”

Testing everything – even seemingly reliable open-source libraries – increases the likelihood that apps, code, and other software are sound and secure. This matters all the more because open-source maintainers – often unpaid for their work – are increasingly burning out and walking away for lack of support, so a library's past reliability says little about who is watching it today.


Rethink Software Testing Procedures

Testing is the best way to play offense rather than defense in finding weaknesses. End-user testing, for instance, creates opportunities to discover weaknesses and to think beyond the core application. In development, verbose error pages are helpful: they point out hiccups that can be fixed before launch. In production, those same pages can hand an attacker a stack trace, internal file paths, framework versions, query text or even credentials embedded in an exception message, all of it useful for breaking further into the network. Error detail belongs in server-side logs; the client should get a generic message and a reference identifier.
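The following is an added example, not code from the article or from PMG: the same unhandled failure rendered by a development-style handler that returns the traceback to the client and by a production handler that logs it under a correlation ID and returns nothing about the internals. The failing function, the connection string in its message and the leak markers are constructed for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")


def failing_query():
    # Constructed failure: an exception message that carries a connection
    # string is exactly the kind of detail an error page must not echo back.
    raise ConnectionError(
        "cannot connect to postgresql://app:s3cret@db.internal:5432/orders"
    )


def dev_error_response(exc):
    # Development only: the full traceback in the body helps the developer.
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, {"Content-Type": "text/plain"}, "Internal Server Error\n\n" + trace


def prod_error_response(exc):
    # Production: keep the detail server-side, keyed by an incident ID the
    # user can quote to support; the body describes nothing about internals.
    incident_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("incident %s\n%s", incident_id, trace)
    body = '{"error": "internal error", "incident_id": "%s"}' % incident_id
    return 500, {"Content-Type": "application/json"}, body


def handle(debug):
    """Top-level request handler: route any unhandled exception to one of the two renderers."""
    try:
        failing_query()
    except Exception as exc:  # deliberately broad: this is the last-resort handler
        return dev_error_response(exc) if debug else prod_error_response(exc)


# Constructed markers a UAT or CI check can scan error responses for.
LEAK_MARKERS = ("Traceback", 'File "', "://", "Error:", "line ")


def leaks_internals(body):
    """True when an error body contains any marker of a stack trace or embedded secret."""
    return any(marker in body for marker in LEAK_MARKERS)
```

The `leaks_internals` check is the kind of assertion to run against every error path during acceptance testing: it turns "error pages must not dump data" into a test that fails the build.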

Adding to the challenge are the silos existing between teams involved in different parts of the development process – business analysts, application developers, user experience teams, network admins, etc. The growing popularity of DevOps practices has undoubtedly helped many organizations, but there are still gaps in coordination and communication that cybercriminals can exploit. More emphasis needs to be placed on collaboration in developing a testing program that keeps security in mind.

So, how can companies ensure that all the teams are working together? Empower a chief information security officer (CISO) to collaborate with the many teams involved in software production and ensure a new release cannot go live until thoroughly tested and all potential security vulnerabilities are addressed. 

Beware of Blind Faith

Anyone reading this would be hard-pressed to name a company that creates 100% of its apps or software. Instead, it’s common to rely on third-party applications, software or code providers. As such, it’s imperative to understand what security measures and standards those developers have in place.

If potential providers cannot produce a System and Organization Controls 2 (SOC 2) report, walk away, as this has become table stakes. A SOC 2 report evaluates a service provider against the Trust Services Criteria (TSC): security, availability, processing integrity, confidentiality and privacy. It is issued by a certified public accounting firm. A Type I report describes the design of the controls at a point in time; a Type II report tests whether they operated effectively over a set period – a minimum of six months is standard – and is the one to ask for.

SOC 2 reports are as important as a Certificate of Insurance (COI). Would a reputable company operate without insurance coverage? The same holds for security. A SOC 2 report speaks to the provider's controls, not to the code it ships, so any organization relying on third-party code or software should also vet it as if it were written in-house. Don't assume it's secure without conducting your own testing.

Increase Security with Thorough Testing

To ensure testing procedures are thorough, it is critical to examine what “thorough” means. User Acceptance Testing (UAT) should include negative cases: people trying to access things they shouldn't, such as one customer reading another customer's records, an ordinary user invoking an administrator function, or an unauthenticated request reaching a protected endpoint. Consider whether all teams are involved in testing procedures – from source code developers to infrastructure administrators to the implementation team. Is your head of security empowered to enforce the protocols your organization has adopted?
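As an added example (not from the article), here is one way to make those "should not be able to" cases systematic: an access matrix that walks every combination of actor, action and resource, compares the outcome with the policy, and reports each mismatch. Two constructed document services are checked, one with an insecure direct object reference (it authenticates but never checks ownership) and one that enforces ownership. The document store, user names and the owner-only policy are assumptions.

```python
import copy


class Forbidden(Exception):
    """Raised by a service when the caller is not allowed to perform the action."""


# Constructed data: document id -> owner and body.
DOCS = {
    "doc-1": {"owner": "alice", "body": "alice's payroll"},
    "doc-2": {"owner": "bob", "body": "bob's contract"},
}


class VulnerableDocs:
    """Authenticates the caller but never checks who owns the document (IDOR)."""

    def __init__(self):
        self.docs = copy.deepcopy(DOCS)  # private copy so updates do not bleed across cases

    def read(self, actor, doc_id):
        if actor is None:
            raise Forbidden("login required")
        return self.docs[doc_id]["body"]

    def update(self, actor, doc_id, body):
        if actor is None:
            raise Forbidden("login required")
        self.docs[doc_id]["body"] = body


class SecureDocs(VulnerableDocs):
    """Same API, with an ownership check on every operation."""

    def _authorize(self, actor, doc_id):
        if actor is None or self.docs[doc_id]["owner"] != actor:
            raise Forbidden(f"{actor!r} may not access {doc_id}")

    def read(self, actor, doc_id):
        self._authorize(actor, doc_id)
        return self.docs[doc_id]["body"]

    def update(self, actor, doc_id, body):
        self._authorize(actor, doc_id)
        self.docs[doc_id]["body"] = body


ACTORS = (None, "alice", "bob", "mallory")  # None = unauthenticated; mallory owns nothing
ACTIONS = ("read", "update")


def run_access_matrix(service_cls):
    """Return every (actor, action, doc) whose outcome differs from 'only the owner may act'."""
    violations = []
    for actor in ACTORS:
        for doc_id, meta in DOCS.items():
            for action in ACTIONS:
                service = service_cls()
                expect_allowed = actor == meta["owner"]
                try:
                    if action == "read":
                        service.read(actor, doc_id)
                    else:
                        service.update(actor, doc_id, "tampered")
                    allowed = True
                except Forbidden:
                    allowed = False
                if allowed != expect_allowed:
                    violations.append((actor, action, doc_id))
    return violations
```

Against the vulnerable service the matrix reports eight violations (each of the three named users can reach the documents they do not own, in both actions); against the fixed service it reports none. The same runner works unchanged when the policy grows roles or the resource set grows, which is the point of writing the negative cases as a matrix rather than one by one.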

Promote structured processes to establish discipline for development teams. Give them widely available tools – for example, the Mobile Security Framework (MobSF), an open-source, all-in-one mobile app pen-testing, malware analysis and security assessment framework published on GitHub – and mandate that they use them. Run such a tool against the apps in development and question what it reveals.

If creating in-house applications, define a cohesive build chain that includes continuous integration and continuous deployment (CI/CD) – a process that rapidly integrates newly validated code and promotes it through multiple environments. Ask whether that chain makes the company a first-class developer: are the steps repeatable, and is there visibility into what was built, from which sources, and what was tested before release?

If relying on outside help, define the procedures that must be in place for using third-party libraries: an inventory of dependencies with pinned versions, and automated scanning of that inventory for known vulnerabilities. Another best practice is subscribing to a security vulnerability data feed (the National Vulnerability Database and OSV are two widely used sources) and wiring it into the build process so that a dependency with a known vulnerability fails the build rather than slipping into a release.
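An added example (not from the article or from any named vendor) of such a build gate: it parses a pinned lock file, checks each pin against an advisory feed in the shape OSV publishes (package name plus version ranges with "introduced" and "fixed" events), and returns a non-zero exit code when a pinned version falls inside an affected range. The lock file, the package names and the advisory identifiers are constructed; a real pipeline would fetch the feed from OSV or NVD and would need a version parser that understands pre-release tags.

```python
import re

# Constructed advisory feed in OSV's shape: a version is affected if it lies in
# [introduced, fixed) for any listed range; a missing "fixed" means "no fix yet".
ADVISORY_FEED = [
    {"id": "EXAMPLE-2024-0001", "package": "examplelib",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.14.2"}]},
    {"id": "EXAMPLE-2024-0002", "package": "otherlib",
     "ranges": [{"introduced": "0", "fixed": "1.4.0"},
                {"introduced": "2.0.0", "fixed": "2.1.1"}]},
    {"id": "EXAMPLE-2024-0003", "package": "unfixedlib",
     "ranges": [{"introduced": "1.0.0"}]},
]

# Constructed lock file in pinned requirements.txt style.
LOCKFILE = """\
# generated by the build; every line must be an exact pin
examplelib==2.14.1
otherlib==1.4.0
safe-package==3.2.0
"""

PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


def parse_version(text):
    """Dotted numeric versions only (assumption); '0' means 'from the first release'."""
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text):
    """Map package name -> pinned version; reject anything that is not an exact pin."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.fullmatch(line)
        if not match:
            # An unpinned or range requirement cannot be checked, so it fails the gate.
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def is_affected(version, ranges):
    pinned = parse_version(version)
    for rng in ranges:
        low = parse_version(rng["introduced"])
        high = parse_version(rng["fixed"]) if "fixed" in rng else None
        if low <= pinned and (high is None or pinned < high):
            return True
    return False


def vulnerable_pins(lock_text, feed):
    """Return (package, pinned version, advisory id) for every pin inside an affected range."""
    pins = parse_lockfile(lock_text)
    findings = []
    for advisory in feed:
        pinned = pins.get(advisory["package"].lower())
        if pinned is not None and is_affected(pinned, advisory["ranges"]):
            findings.append((advisory["package"], pinned, advisory["id"]))
    return findings


def build_gate(lock_text, feed):
    """CI entry point: exit code 0 when clean, 1 when any pin is known-vulnerable."""
    findings = vulnerable_pins(lock_text, feed)
    for package, version, advisory_id in findings:
        print(f"BLOCKED: {package}=={version} is affected by {advisory_id}")
    return 1 if findings else 0
```

With the constructed inputs, `examplelib==2.14.1` sits inside the affected range and blocks the build, while `otherlib==1.4.0` is exactly the fixed version and passes; the half-open range is what makes that distinction. Rejecting unpinned requirements is deliberate: a floating version cannot be checked against a feed, and it also means the build is not reproducible.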

Along with UAT, incorporate testing automation tools to cover more scenarios. 

Automation works wonders for regression testing of new releases and significant upgrades to existing solutions. Beyond scripted tests, consider fuzz testing (fuzzing) to unearth coding errors and security loopholes in software, operating systems or networks. This quality-assurance technique feeds the test subject large volumes of malformed, random or mutated input (fuzz) and watches for crashes, hangs, memory errors or unexpected exceptions; each one marks an input the code failed to validate.
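The following is an added example, not code from the article: a small mutation fuzzer run against a constructed parser for a length-prefixed record format. The buggy parser trusts the count byte and fails with an uncaught exception on truncated input; the fixed parser validates the length first and rejects bad input with its own ParseError, which the fuzzer treats as expected behaviour rather than a finding. The format, the seed inputs, the mutation strategies and the iteration count are assumptions.

```python
import random
import struct


class ParseError(Exception):
    """The only exception a well-behaved parser is allowed to raise on bad input."""


def parse_records_buggy(data):
    # Assumed format: one count byte N, then N big-endian uint16 values.
    # The count is trusted, so a short or empty input raises IndexError or struct.error.
    count = data[0]
    return [struct.unpack_from(">H", data, 1 + 2 * i)[0] for i in range(count)]


def parse_records_fixed(data):
    # Same format, but the declared length is checked against the actual length.
    if len(data) < 1:
        raise ParseError("empty input")
    count = data[0]
    needed = 1 + 2 * count
    if len(data) < needed:
        raise ParseError(f"need {needed} bytes, got {len(data)}")
    return [struct.unpack_from(">H", data, 1 + 2 * i)[0] for i in range(count)]


def mutate(seed_bytes, rng):
    """Apply one random mutation: bit flip, byte overwrite, truncation or appended junk."""
    data = bytearray(seed_bytes)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 2:
        data = data[: rng.randrange(len(data) + 1)]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)


def fuzz(parser, seeds, iterations=2000, seed=1):
    """Return {crashing input: exception name} for every input that raised something other than ParseError."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            parser(data)
        except ParseError:
            continue  # a clean rejection is the correct outcome for bad input
        except Exception as exc:  # deliberately broad: anything else is a finding
            crashes.setdefault(data, type(exc).__name__)
    return crashes


# Constructed well-formed seeds: two records (0x0010, 0x0020), and zero records.
SEEDS = [bytes([2, 0x00, 0x10, 0x00, 0x20]), bytes([0])]
```

Run `fuzz(parse_records_buggy, SEEDS)` and the result is a set of short inputs, each a reproducer for a missing length check; run it against `parse_records_fixed` and it is empty. Keeping every crashing input is what makes fuzzing useful in a test-and-release cycle: each reproducer becomes a regression test once the bug is fixed.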

Batten Down the Hatches, Shore up Defenses

American businessman John T. Chambers, former executive chairman and CEO of Cisco Systems, once said, “There are two types of companies: those that have been hacked, and those who don’t know they’ve been hacked.”

Even if using the most reputable third-party code/app/software provider in the industry, expect the best but prepare for the worst. This isn’t pessimistic – this is realism in an age of unprecedented security incidents and breaches.

Employ a CISO or a team of security specialists who insist no rock goes unturned. Create and execute a clear, must-follow governance process for all software development and implementations. Break down silos. Make sure the governance process includes information-sharing among teams. Last but not least, keep an inventory of the code libraries in use, tie each one back to security notices – old and new – and incorporate that review into the test-and-release cycle.

Just Do It: The Right Way

Threat actors are innovative and constantly upping the ante on their ever-changing hacking game. Developers should understand this and up their game, too.

A comprehensive security plan incorporating testing should be an integral part of developing and implementing software. Doing so establishes a focus on quality and delivers greater user security, which these days is undoubtedly a bankable competitive advantage. 
