Software Security Testing – Where to Start?
The Importance of Security Testing
One popular (and false) myth about security testing is that it has no return on investment (ROI), which is why not every company is prepared to do it. In reality, security testing shows where your applications can be improved, and those improvements raise efficiency, reduce downtime and enable maximum throughput.
A good start is employing the Pareto Principle, better known as the 80/20 rule. It states that 80% of effects come from 20% of causes. Applied to security testing, it means fixing 80% of the problems by focusing on the 20% of causes that produce them. This can be achieved by identifying and classifying your applications by business criticality, so that it's clear which applications, if compromised, expose the business to revenue or reputation loss. This distinction helps you apply the appropriate security testing type (and assign the associated budget) to each application category, enabling you to be more efficient. Your current systems also need to be updated regularly with the latest security updates, so make sure your organization implements a scheduled patching process, as well as a secure Software Development Life Cycle process. This ensures that security assurance activities such as penetration testing, code review, and architecture analysis are an integral part of the development effort.
On its own, even great software security testing isn't enough; companies also need a way to measure security progress. Are things getting better? Staying the same? Getting worse?
A security assessment of software performance means first defining security goals — in the form of metrics — and then measuring these goals to determine their overall impact on security posture. As noted by OWASP (1), “defining the goals for the security testing metrics and measurements is a prerequisite for using security testing data for risk analysis and management processes.”
In practical terms, this means using objective measurements such as the total number of vulnerabilities detected in software before and after security testing occurs. In addition, testing can attempt to uncover “root causes” of software issues that can be reported, categorized, and addressed. OWASP also suggests setting software testing goals that align with business outcomes: How does securing “X” piece of code lead to “Y” corporate goals?
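The metrics described above, combined with the 80/20 classification from earlier in the article, as an added example (not code from the original article): a Pareto analysis over scan findings that identifies the smallest set of root causes accounting for at least 80% of findings, and a before/after comparison per application. The findings, application names, root-cause labels and criticality ratings are constructed sample data, not real results.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str         # application the finding belongs to
    root_cause: str  # categorised root cause, e.g. "string-built-sql"
    severity: str


def _n(app, cause, sev, n):
    """Build n identical findings (helper for the constructed sample data)."""
    return [Finding(app, cause, sev) for _ in range(n)]


# Constructed sample: findings before and after a remediation cycle.
BEFORE = (_n("billing", "missing-output-encoding", "high", 5)
          + _n("intranet-wiki", "missing-output-encoding", "medium", 3)
          + _n("billing", "string-built-sql", "critical", 6)
          + _n("billing", "outdated-dependency", "medium", 3)
          + _n("intranet-wiki", "verbose-error", "low", 2)
          + _n("billing", "weak-tls-config", "medium", 1))
AFTER = (_n("intranet-wiki", "missing-output-encoding", "medium", 1)
         + _n("intranet-wiki", "verbose-error", "low", 2)
         + _n("billing", "weak-tls-config", "medium", 1))

# Constructed business-criticality classification of the applications.
CRITICALITY = {"billing": "high", "intranet-wiki": "low"}


def pareto_causes(findings, target=0.8):
    """Return (causes, share): the fewest root causes, most frequent first,
    whose findings together make up at least `target` of all findings."""
    counts = Counter(f.root_cause for f in findings)
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    chosen, covered = [], 0
    for cause, n in counts.most_common():
        chosen.append(cause)
        covered += n
        if covered / total >= target:
            break
    return chosen, covered / total


def delta_by_app(before, after):
    """Findings closed per application between the two scans (negative = new findings)."""
    b, a = Counter(f.app for f in before), Counter(f.app for f in after)
    return {app: b[app] - a[app] for app in sorted(set(b) | set(a))}


def open_by_criticality(findings, criticality):
    """Remaining findings grouped by the application's business criticality."""
    return dict(Counter(criticality[f.app] for f in findings))
```

In the sample data, three of the five root causes account for 85% of the findings, which is where the first remediation budget should go.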
(1) The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
Testing, Testing, and Testing
To achieve effective and long-lasting software security results, multiple testing types are recommended. These include:
- Manual testing: The starting point for software security testing. Experts use advanced penetration tools and techniques to uncover potential weak points.
- Dynamic testing: The sheer number of applications now used by businesses makes automation a necessity. This is the goal of dynamic testing; security teams use automated processes to discover if the software is vulnerable to large-scale issues such as SQL injection or XSS flaws.
- Web application security testing: Here, the goal is digging down into user and admin permissions. Are both sides of the software chain secure? What potential vulnerabilities exist?
- Interactive application security testing: With increasing focus on client-facing and cloud-based applications, it's easy to forget about operating systems, databases, and network applications. Effective software security testing must include software composition analysis and regular system evaluations to ensure that foundational software doesn't present undue risk.
- Penetration testing: Also called “pen testing,” this type of testing has experts attempting to “hack” their way into company software with the intention of uncovering uncommon vulnerabilities. Think of it as getting into the hacker mindset. Attackers often think outside the box — your security needs to do the same.