/29 Aug 2017

Effective QA is Critical to Security

Internet-facing software is always under attack—that’s simply the reality of our connected world. Hackers, worms, and automated tools are constantly probing to find vulnerabilities so they can steal or modify critical information. Despite these threats, companies are investing in digital technologies to improve processes and increase efficiency, and many of them are turning to outside partners for help. According to Forrester, 90% of decision makers decide to work with an outside partner to build and manage digital experiences.

Working with a development partner is a great way to accelerate digital transformation, but it’s critical that companies choose partners that will secure and protect their data (and their customers’ data). And a sure-fire way to assess a development partner’s commitment to security is to evaluate their QA process.

Quality assurance ensures a product meets requirements and is free of mistakes. Inadequate QA is dangerous because every software defect presents a security risk. The risk may be a lack of user acceptance, or a potential vulnerability that can be exploited by hackers.

Fortunately, the mechanisms used by QA to prevent software defects can simultaneously increase software security assurance:

  • Code reviews can also check for security vulnerabilities, by leveraging static application security testing (SAST) tools.
  • QA already tests non-functional software requirements such as performance, fault tolerance, and scalability. In a similar way, security requirements should be captured as testable non-functional requirements.
  • Vulnerability scans can be included along with other automated test scripts designed to work in the software’s agile, rapid release cycle.

Since the QA process is conducted outside of the development team, defects and security risks are more likely to be uncovered. This outsider’s perspective helps teams create testing scenarios that consider the entire threat landscape and account for various use cases. It allows QA to ask the right questions of the developers, owners, and customers to ensure all requirements are met.

Businesses looking to balance today’s threats with the need to accelerate digital product creation need to consider development partners with a strong QA practice. To assess their QA strength, ask these questions before the development process begins:

  • How is security assurance incorporated into QA?
  • How does the QA team stay educated about current security risks and the newest trends in the behaviors of bad actors?
  • Who is responsible for QA (and are they separate from the development team)?

Without effective software quality assurance, it is impossible to mitigate the risks present in today’s threat landscape. By performing reviews, manual and automated testing, and leveraging its unique perspective, QA is critical to security.

Peter Hesse is 10Pearls’ Chief Security Officer. For nearly two decades, Peter has leveraged his passion for technology and experience in security to develop successful solutions to interesting problems. From an exciting start developing the reference implementation of a standards-based certification authority for the National Institute of Standards and Technology (NIST), to overcoming obstacles and successfully demonstrating the system that formed the basis of the Federal PKI, Peter has built his reputation tackling complex challenges and explaining them to others.

Peter founded and ran the successful information security consulting firm Gemini Security Solutions for over a dozen years. He now focuses on avoiding the common break/fix mentality around security, and instead finding ways to architect and build security into systems and products.