QA and Cybersecurity
Nowadays Quality Assurance isn’t limited to an application’s functionality and requirements; it is also applied to other areas such as performance, stability and application security.
In this article we will discuss the relationship between Quality Assurance and Cybersecurity. The need to focus Quality Assurance on Cybersecurity comes from the increase in cyber attacks on companies and systems of every kind. Here are some statistics related to cyber attacks¹:
- There’s an attack every 39 seconds: according to a study by the University of Maryland, one of the first organizations to quantify hacker attacks, there is a cyber attack every 39 seconds. These attacks affect one in every three US citizens.
- The average cost of a data breach caused by hacker attacks will exceed $150 million: Juniper Research suggests that, because more and more business infrastructure is connected to the internet, cyber crime will cost companies more than it did in 2019.
- Companies are expected to invest $6 trillion in Cybersecurity by 2021: companies will find it necessary to invest in cyber security and align their systems with global security standards to keep their systems and applications secure.
- In 2020 there will be approximately 200 billion connected devices: according to a study by Symantec Internet Security, the number of devices connected to the internet is growing very fast; it is estimated that in the US there are 25 connected devices for every 100 inhabitants.
- More than 77% of organizations don’t have a cyber security and incident response plan: a study by the Ponemon Institute, commissioned by IBM, also indicates that 54% of organizations were the target of attacks during 2019.
- Most companies take over 6 months to detect a security breach, even the larger ones: this has happened to companies like Equifax, Capital One and Facebook, among others. By the time they realize what has happened, user accounts, passwords and credit card data have already been compromised.
Now, how can we avoid these types of problems? To make our systems secure we need to implement international security standards and also focus on the application’s risk areas; therefore the Quality Assurance and Security teams must work together to verify that these requirements are fulfilled. The application areas that need our attention are:
- Access Control: this is one of the main application functionalities that needs to be secure. Access control is used to keep unwanted users out of our application and to define roles so that users can only reach certain information or certain functionality.
- Application Security: this must be a continuous effort from the beginning of the project up to its production release. All teams should work together to avoid application security leaks or vulnerabilities. It is recommended that security reviews are not postponed to the end of the project, to avoid release delays or issues caused by security problems.
- Information Management: this area is in charge of keeping the organization’s information secure. Here we test that there are no security vulnerabilities that could compromise or leak the organization’s information. Information is currently considered one of the most valuable assets of an organization.
- Single Sign On: this area controls who has access to our application and helps maintain better control over user access and management. However, it requires better planning when setting up the different roles needed for clients, and also tight collaboration between the Quality and Security teams.
Knowing which areas we need to focus on isn’t enough; it is also important to know how Cybersecurity can be involved in our project and how to plan the project so that security is a goal. For this, I consider the best approach is to use an agile methodology with a slight difference: the methodology should have the following phases:
- Planning and Definition: in this phase we review the existing risks and vulnerabilities that need to be fixed and, if possible, triage these vulnerabilities so we know what to focus on first.
- Review and Design: here we review real risk scenarios and design a solution for each one of them. Just solving these scenarios isn’t enough; our application must be hardened against all possible threats.
- Development and Security Reviews: in this phase the Development and Security teams work closely together. As code is being written, the Security team reviews it periodically to make sure the application has no vulnerabilities, and so that the Quality and Security teams understand the application’s logic and functionality.
- Quality and Security Tests: this phase is for the Quality and Security teams to work together. Functionality, logic and security tests are performed during this phase. We will explain these security tests in more detail later.
- Implementation: in this phase the application is deployed. It is also important to run retrospective reviews to look at what was a success and what can be improved in future sprints.
- Maintenance: the fact that an application has been delivered successfully into production doesn’t mean the team is done and won’t work on it ever again; usually an application is maintained for a previously defined period of time. Here, all issues that weren’t found earlier are taken care of, and changes to the application’s functionality or security are addressed according to the client’s needs.
Most of these phases aren’t executed only once during the application’s lifecycle; they are executed once for every sprint or iteration that is run throughout the whole project. The following image explains this better:
Now we’ll discuss phase four of the methodology and explain the security tests that need to be executed. There are mainly seven types of security tests:
- Vulnerability Scan: as the name says, these tests are a high-level review of any kind of vulnerability the application or system has.
- Security Scan: these tests involve a more detailed review of the application and the whole system. We don’t only check the system’s security; we also check the network for any risks or vulnerabilities that have to be fixed.
- Penetration Tests: these tests simulate a hacker attack. They are used to confirm how the system will respond to an external attack.
- Risk Management: these tests aren’t related only to the application; they also cover how potential security risks are handled inside the organization. Here we review the human side of the organization. These tests are used to recommend security measures and actions to avoid or minimize security risks.
- Security Audit: here tests are run against applications and operating systems looking for security leaks. Such tests aren’t limited to certain applications; they are executed against complete systems.
- Ethical Hacking: these tests are executed against the organization’s systems, emulating the way a hacker would attack the organization. Unlike a real hacker, this attack isn’t looking to steal the organization’s information; it looks for evidence of security flaws or leaks that must be fixed.
- Posture Management: this combines Security Scan, Ethical Hacking and Risk Management tests to evaluate the organization’s overall security level.
Executing each and every one of these tests on every project is not a must, but it is important to keep all these options in mind during project planning in order to define a proper strategy and scope. I consider it really important to involve the Quality Assurance team from the early stages of every project. It is cheaper and more efficient for a project to involve the QA team from the beginning, because fixing security and requirement issues is far more difficult when development is almost done or the project is close to completion.
In conclusion, I think it is really important to include security tests in each and every project, because nowadays most systems and applications are connected to the internet in some way. This gives them more visibility to the world, and therefore these systems are exposed to cyber attacks. Besides securing their physical premises, organizations now also need to think about Cybersecurity to avoid attacks and to keep their information, one of their most valuable assets, from being compromised. Currently, an organization’s credibility and reputation are also exposed to the world, and it is really complicated to keep them high. It is therefore important for an organization to present itself to others as a company prepared for the changes the future brings and up to date with the needs of the world market. Also, user confidence in a system is of great value: a user won’t use it if they aren’t 100% confident that their information is properly protected and won’t be leaked, whether by accident or intentionally.
¹ Devon Milkovich, “15 Alarming Cyber Security Facts and Stats”, 23/9/2019, https://www.cybintsolutions.com/cyber-security-facts-stats/