The volume of corporate and proprietary information grows, along with its value, almost daily. In light of this it is more crucial than ever that application security testing be embraced as an integral part of the software development lifecycle, so that software flaws and vulnerabilities are detected before they are exploited. The risks are too high not to employ current tools and methodologies to ensure that your business, whether it is a financial conglomerate, a small business or a large healthcare institution, is protected from cyber attack. Knowing the risks is key; employing the right processes and solutions is paramount to data protection, and to peace of mind.
These were among the insights shared at the fall Software Test Professionals Conference 2016 held Sept. 19-22 in Dallas, Texas. In the increasingly complex world of information protection, understanding the roles of key participants is invaluable. This includes developers, quality assurance engineers and software testers, who need to work in tandem to share knowledge of industry standards and best practices while assessing risk. This requires intimate knowledge of your industry domain. Healthcare professionals must become deeply familiar with HIPAA regulations, financial IT professionals must fully embrace PCI compliance, and government information managers have to know DISA STIG guidelines inside out.
Testing makes the difference in application security, speakers agreed. IT managers were urged to conduct a range of testing, including manual code review, static application security testing (SAST) and dynamic application security testing (DAST). Leaders in application security now use a hybrid of these techniques and correlate the results, so that a weakness reported by more than one method can be confirmed and ranked accordingly. If you are not employing all of these testing tools and techniques, security experts concurred, you are increasing your cyber security risk.
Keynote speaker Mikko Hypponen of F-Secure brought this caveat home. His talk, “State of the Net,” stressed the coming wave of the Internet of Things, or IoT. “Some day, every device you own will run on software that is connected to the Internet, including your refrigerator,” he explained. What’s the downside? “Every (connected) device presents another pathway for a hacker to get into your network.” Although your appliances may not house sensitive information, the proliferation of the IoT may allow wrongdoers “to get on your network and get into your alarm system to open your doors. The point is that all of this software needs to be tested,” he said.
Another keynote speaker, quality engineering program manager Mike Lyles, addressed the conference on “Rethinking Your Testing Practice.” Education is key, he emphasized, pointing out that developers “always have to think of new ways to test and expand.” “Communication between developers and testers,” he said, is vital to finding the weaknesses in software that allow a breach.
From Code Dx, Brianne O’Brien discussed two essential tenets of application security testing, process and tools, and how quality assurance professionals can add security testing to their testing regimen. “Understanding your application security objectives, tools and processes as well as the security features of the applications you are testing is vital.” She also stressed using multiple methods of testing, including SAST, DAST and hybrid analysis. She further emphasized the importance of prioritizing application security findings: ranking security risks and identifying the findings that are most critical to fix.
Ms. O’Brien also cited the importance of employing more than one tool to detect software security flaws. “One static analysis tool on average will detect only 14 percent of all weaknesses,” she noted. She also outlined the key features to look for when evaluating application security testing tools, to ensure that they help achieve an organization’s goal of shielding against a security breach.
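The two points above, correlating SAST and DAST results as a hybrid and then prioritizing what to fix first, can be made concrete in a few dozen lines. The script below is an added example written for this recap; it is not Code Dx code and does not reflect any particular product. The tool names (`sast-a`, `sast-b`, `dast-x`), the route-to-source map and the sample findings are all constructed. It normalizes each finding to a CWE plus a source location, merges findings that describe the same weakness, marks a weakness as corroborated when both a static and a dynamic tool report it, and ranks the result so corroborated, high-severity weaknesses come first. It also computes how much of the combined weakness set each single tool would have found on its own, which is the point behind the single-tool coverage figure quoted above.

```python
"""Correlate and prioritize findings from several application security tools.

Added example (not Code Dx code). Tool names, the route map and the sample
findings below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Common severity vocabulary so ratings from different tools can be compared.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed route table: maps a DAST-observed route to the source file that
# serves it. In a real project this comes from the framework's route registry.
ROUTE_TO_SOURCE = {
    "/search": "app/search.py",
    "/profile": "app/views.py",
    "/transfer": "app/transfer.py",
}


@dataclass
class Finding:
    tool: str        # scanner that produced the finding
    kind: str        # "sast" or "dast"
    cwe: int         # CWE id, the shared vocabulary across tools
    location: str    # source path for SAST, request route for DAST
    severity: str    # one of SEVERITY_RANK


@dataclass
class Correlated:
    cwe: int
    location: str
    severity: str
    tools: list = field(default_factory=list)
    kinds: set = field(default_factory=set)

    @property
    def corroborated(self) -> bool:
        # Hybrid signal: the same weakness was seen both statically and dynamically.
        return {"sast", "dast"} <= self.kinds

    def score(self) -> tuple:
        # Sort key: corroborated first, then severity, then how many tools agree.
        return (int(self.corroborated), SEVERITY_RANK[self.severity], len(self.tools))


def normalize_location(f: Finding) -> str:
    """Express a DAST route as the source file behind it so SAST and DAST match."""
    if f.kind == "dast":
        return ROUTE_TO_SOURCE.get(f.location, f.location)
    return f.location


def correlate(findings):
    """Merge findings that describe the same (CWE, location) and rank them."""
    groups = {}
    for f in findings:
        key = (f.cwe, normalize_location(f))
        g = groups.get(key)
        if g is None:
            g = groups[key] = Correlated(cwe=f.cwe, location=key[1], severity=f.severity)
        elif SEVERITY_RANK[f.severity] > SEVERITY_RANK[g.severity]:
            g.severity = f.severity  # keep the most severe rating any tool gave
        g.tools.append(f.tool)
        g.kinds.add(f.kind)
    # Highest score first; ties broken by ascending CWE number for stable output.
    return sorted(groups.values(), key=lambda g: (g.score(), -g.cwe), reverse=True)


def single_tool_coverage(findings):
    """Fraction of all distinct weaknesses each tool found on its own."""
    all_keys = {(f.cwe, normalize_location(f)) for f in findings}
    per_tool = {}
    for f in findings:
        per_tool.setdefault(f.tool, set()).add((f.cwe, normalize_location(f)))
    return {tool: len(keys) / len(all_keys) for tool, keys in per_tool.items()}


# Constructed sample output from two static tools and one dynamic tool.
SAMPLE_FINDINGS = [
    Finding("sast-a", "sast", 89, "app/search.py", "high"),      # SQL injection
    Finding("sast-a", "sast", 79, "app/views.py", "medium"),     # XSS
    Finding("sast-a", "sast", 798, "app/config.py", "high"),     # hard-coded credential
    Finding("sast-b", "sast", 89, "app/search.py", "critical"),
    Finding("sast-b", "sast", 327, "app/crypto.py", "medium"),   # weak algorithm
    Finding("dast-x", "dast", 89, "/search", "high"),
    Finding("dast-x", "dast", 79, "/profile", "medium"),
    Finding("dast-x", "dast", 352, "/transfer", "medium"),       # CSRF
]

if __name__ == "__main__":
    for g in correlate(SAMPLE_FINDINGS):
        flag = "CORROBORATED" if g.corroborated else "single-method"
        print(f"CWE-{g.cwe:<4} {g.severity:<8} {flag:<14} {g.location}  <- {', '.join(g.tools)}")
    for tool, frac in single_tool_coverage(SAMPLE_FINDINGS).items():
        print(f"{tool}: found {frac:.0%} of all distinct weaknesses")
```

Run stand-alone, the script lists the SQL injection in `app/search.py` first because three tools, static and dynamic, agree on it, and shows that no single constructed tool covered more than 60 percent of the combined weakness set. The CWE id is what makes the correlation possible; tools that emit only proprietary rule names need a mapping step before this approach works.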
Finally, Chris Romeo, CEO of Security Journey, addressed the conference on “Teaching Your Team the Art of Security Testing.” He pointed to the two other fundamental tenets of security testing: mindset and knowledge. Mindset involves psychology: knowing how attackers think so that you can apply the same focus to your testing. Knowledge, he said, involves educating your team on the core items they must understand in order to carry out sound security testing. “Everyone is a security person,” he pointed out, “and testers need to adopt the security person mindset.”
With Code Dx insights, conference participants came away with the undeniable message: Application testing with the right tools is no longer an option. It’s a necessity in helping to keep vital applications secure today, and in the future.