At a time when hacking is on the rise and massive security breaches are a regular fixture of the evening news, application security has become a top priority for enterprises — and for good reason. The average cost of a data breach has reached $4 million, according to IBM’s 2016 Cost of Data Breach Study, and Juniper Research predicts costs will soar to $2.1 trillion by 2019.
But developing secure software — and testing it adequately — isn’t always a straightforward proposition. The proliferation of tools, the struggle to trim down alerts to only what matters, and the lack of support for some software frameworks and programming languages all conspire to make adding security testing to software development a challenge, a recent TechWell article notes.
Security is so broad these days that it must permeate virtually every aspect of the application development lifecycle. Preventing, identifying, and taking action on security vulnerabilities must be a team sport, with quality and testing the star players.
If you want to mitigate risk, the entire team must be enabled to quickly identify and take action on potential vulnerabilities. Everyone from your developers and DevOps engineers to architects, testers and any outside security consultants needs quick and easy access to the right information. That means closely tracking test cases and their risk levels, what has been executed and what hasn’t, and what the results are.
The following best practices provide guidelines for testing your apps’ security vulnerabilities. Integrating this critical step into the software development lifecycle will help your organization protect your assets and your reputation.
Application security checklist: Knowing the risks and how to address them
Application security testing isn’t simply a matter of making sure that third parties can’t hack their way into your products. Having your data compromised is just one of many potential vulnerabilities that you face. As you plan, develop, and test applications, you also need to be taking a number of other risk factors into account. These include:
Do you have a reliable way of verifying that the person logging in is actually who they say they are? It’s important to ensure hackers can’t gain access by using a false identity or assuming the identity of a user.
Are you letting the right people access and change the right pages while prohibiting everyone else from doing so? Tests should be deliberately designed to exercise each role and its access permissions.
How are you going to ensure that your application is always up and running so that users are able to access their data at any time? To minimize downtime, it’s important to ensure you have an adequate system for logging failure events and repair times.
What are you doing to ensure that users’ data is secure so that it can only be seen by the right people at the right times?
How do you guarantee that all of the data in your applications is accurate and up to date?
Each of these factors represents an array of potential security vulnerabilities that should be addressed during development and testing. Ensuring that you’re writing all of the necessary manual or automated tests to identify vulnerabilities can significantly reduce the cost of developing and maintaining software. According to TechBeacon, “Catching bugs before they are shipped in production code can save anywhere from 20 percent to 50 percent, according to one large insurance firm’s estimate, and reduce the cost of fixing a bug by as much as 100-fold.” But to be successful with testing — particularly at a time when any application needs to undergo hundreds of tests every time new code is deployed — you need to be able to keep track of lots of critical information. For example, you need to know which tests have been run when and by whom. You’ll also want to know what version of code they ran their tests against. Plus, it’s important to be able to quickly see what the original security requirements were so you can address issues swiftly.
With so many people involved in the quality assurance process, you need a way to store test results and other related information so that there’s visibility and transparency. That way all of the right people can access the information quickly and efficiently.
Application security testing best practices
When it comes to maintaining the security of your apps, testing is essential. And to do that effectively, you need to have the right tools to help you along the way. It’s critical to have a testing tool that can help you keep track of whether you’re executing all of the appropriate security tests across all iterations and releases. That should include who ran the security tests and when, as well as any relevant notes from the test executor.
Results storage and retrieval
You should also be able to both store the results of all of your security tests in one place and upload automated test results seamlessly using an automation host or API. Not only that, any tool that you use should give you the ability to create custom fields or provide some other way for you to categorize security tests to help facilitate searches.
Last, but certainly not least, you need to be able to conduct a risk analysis. This is particularly true if you’re taking an iterative approach to software development. That’s because there’s just no way that you can test everything. With the risk analysis, however, you can focus the time and resources that you have available on hitting your app’s highest-risk security vulnerabilities, while keeping each test traceable to the risk-based requirement it covers.
Prioritizing security testing is essential for protecting your organization’s assets, reputation and software users, as well as for gaining efficiencies and reducing costs. As such, it’s critical that you adopt a risk-based approach to testing.