How to relieve the burden of application security testing?
Most development teams are measured by the amount of functionalities they produce, not on how secure their code is. But you get what you measure. Is this something that should change? What should a software buyer demand from testing?
In their marketing, companies that provide development services often declare that they follow the principle of ‘secure by default’. But in real life, making truly secure applications is a tremendous task.
An obvious problem is how application QA testing is assigned and performed. Normally, it focuses in ensuring that the code includes all the functionality that the customer wants.
Developers may well be aware that security testing in a project is weak or nonexistent. They can worry whether they know enough about security to fix and prevent risks themselves. In the worst case, they may turn a blind eye to the issue, and mentally delegate fixing vulnerabilities to someone else.
Even if developers are fully knowledgeable on how to write secure code, they may simply lack resources for security testing. Teams are under heavy pressure to release new code faster and faster.
The relief: Automated tools and external expertise
It is not possible for any single developer to go through all the application code. Often, the code has been developed throughout several years. To relieve their burden, developers must find effective solutions.
Application security testing is significantly easier with advanced automation tools. They also speed up the testing process and can swiftly pinpoint the most critical issues. Of course, developers still need to learn how to write more secure code.
The quickest relief is to use external expertise or full-scaled testing services; that is, to outsource. The team can better concentrate on its core task, such as user experience, while they have someone else fool-proof the security. An outsourcing decision gives immediate assistance to a burning problem. Best services provide instructions on code level and educate the developer, too.
Paradoxically, security testing itself involves security issues, even GDPR related privacy concerns. Where can outsourcing take place? What sort of test data can be used?
For some teams, the EU border prevents outsourcing of software testing. Sure, it is a valid concern that some data would leak outside the EU. But if bad code of a web application is put into production, it would leak out anyway. The Internet respects no borders.
An important point concerns GDPR. It concentrates on data privacy, which makes proper test data management imperative. It’s tempting to run tests with real business or customer data, but it should never be done. Real personal data should not be anywhere unless it’s essential to have it available. Application testing can very well be done without it – the minimum effort is to mask the data, but it also has challenges (see my other blog)
Buyer - Check the test results!
If you are on the buying side, you are in a good position to improve security. In my experience, many buyers simply rely on a vendor’s word that everything has been tested. No vendor agreement helps you if a cyber crook steals data that you store, e.g. personal identities.
I suggest that buyers should demand concrete and detailed information.
- First, security should be embedded deeply into the development process from the very beginning. It must remain on the table at all times.
- Second, security requirements must be included in the development backlog.
- Third, the buyer should check the test results.
- Fourth, a buyer should accept the final product only after issues raised by the tests have been fully addressed.
In any case, the most worrying scenario for everyone is to do nothing. Instead of hiding your head in the sand, testing is the key to better quality and security. My message: Use all the tools at your disposal and improve your skills using them. And do not hesitate to reach out for help.
Do you want to know more about different models of application security testing? Download my practical guide.