News on security breaches is hitting the headlines more often than ever. This is due to magnified scope and scale of the threats even with new technologies like mobility, cloud, big data, Internet of Things (IoT) and cryptocurrency. While there’s a growing sophistication in technologies and associated risks, security practices seem to be lagging behind. Many security reports from advisory firms like Deloitte, Gartner, and KPMG point out low organizational capabilities with respect to security aspects due to talent, culture, collaboration and so on.
As many of these issues are structural in nature, it is vital for enterprises to evolve their security structure. This article is focused on one of the ingredients required for such structural change - Integration of security in QA process.
Traditionally, cybersecurity has been the responsibility of the IT security team. However, the rationale behind having an isolated process of security faded away with advancements in technologies. We have moved over the generic threats that could be overcome by securing network layers.
Today, there’s a need to evolve security policies and processes to ensure the right data is sent and the right people have access to them over the infrastructure (such as cloud, mobile, and IoT) that’s no longer in strict controls of the organization. This requires better enforcement of security practices across the software development process. It is necessary to shift-left security implementation and validation to minimize risks grounds up; with speed. So organizations can take better security measures by incorporating security validation in the QA process. But is security a QA issue?
QA team has a holistic understanding of the users, data, and applications. This gives them an advantage over other stakeholders to check security issues. It doesn't mean that QA takes over the job of IT security. The QA team can provide security intelligence to both the developer and security teams to mitigate risks. Here are a few ways QA can help security:
Fuzz testing is a software testing technique. It is used to detect bugs by running the program with invalid, unexpected, random or dumb data. This is basically fault injecting to see if the code is robust enough and doesn’t freeze, crash or produce unwanted errors. Due to this, fuzz testing can be used to check the code against Denial of Service (DoS) attacks, SQL injections, and Cross-Site Scripting (XSS). It is also useful in finding memory-related bugs that may lead to a security vulnerability.
It is quite common for an application to encounter unexpected behavior and print a stack trace for the error. The stack trace not only includes debugging information about the error but also the path of files and often the path to the origin of the code. Such messages are insightful information on the inner workings of an application. These can be easily exploited by attackers using methods like Directory Traversal and SQL Injection. The QA team can check for server error handling during application development to prevent any information leakage that may make the application vulnerable to attacks and also save the application from uncaught errors.
Exploratory testing is an unplanned approach to software testing. The tester can use any methodology with his/her skills and diligence to test the software. Exploratory testing can be useful to security in addition to finding functional and performance issues. For example, the QA team can check functionality related security issues in payments. They can look for unwanted behavior when credit card information is entered and explore various scenarios that can compromise payment transactions.
Use of Tool for security testing (Please elaborate on following):
1. Static code checkers:If every bug and code issue had to be resolved manually, the production process would have been highly tedious and would have extended substantially. Static code checkers enable developers to analyze the code early in the development life cycle, before even execution of the code. Minor as well as fatal errors can be prevented at a very early stage, omitting unnecessary cycles. Thus, before the final migration of code to the functional Quality Assurance phase, several errors can be resolved instantly in the development phase itself.
2. Dynamic Application Security Testing (DAST):
DAST helps massively to gain insights on plausible external threats and issues in code from an outsider’s perspective. These tests run in the execution mode of the code in production or the operational state since it lacks access to the source code. It accesses the application through the User Interface of the product (front-end) and is thus a black-box testing mechanism with sequence of test being outside to inside. DAST successfully eliminates several external threats in the process.
Integration of security in QA can improve software by complementing IT security to ensure risks are detected at an early stage. However, doing this can have its own challenges. The QA team needs some awareness and change in mindset regarding security issues. They may need to be trained for best practices in combining security; like safeguarding sensitive user data during the tests.
In the age of digital transformation, the complexities in services and technologies are growing. And so are the number of digital predators who find new ways to attack. Integrating security in QA can be an important step to complement security, identify risks early and speed up the software delivery.