Are you really testing your applications?
The decision to perform security testing is usually driven by either an obligation (e.g. compliance to PCI DSS) or a risk management decision (e.g. protecting your business, your customers and your staff).
If you are a business which relies on the Internet as a channel, and have your brand boldly represented on a website, then chances are you will need to have web application security testing performed.
Over recent years, we have seen a positive industry shift towards more comprehensive, sensible and efficient ways of testing the security, capability and continuity of an application.
With the fast pace of business and technology change, it is surprising that slow-moving, segregated and isolated testing continues to still be commonplace. A more secure, robust and reliable testing approach involves integrating multiple stand-alone tests into a single unified approach.
Combined testing benefits
A combined approach can provide a number of distinct advantages:
Issues (whether security or not) can be identified, documented and entered directly into a defect management system, thereby reducing delays in having critical issues resolved and also enabling a direct interaction with the development team, rather than waiting for a formal report
Integrated testing takes less overall time to achieve as there can be synergies in test plans and environment and data readiness
Organisations end up with one set of defects, which can then be properly prioritised in context (either by risk or impact). This streamlines development / re-development priorities across multiple applications
Perspectives from security and non-security testing can be combined to improve the value of both forms of testing. This includes leveraging test cases such as input validation to help identify potential issues which could lead to injection attacks like cross site scripting
Other considerations for increasing the efficiency of application security testing include periodic or automated web application security scanning. Whilst these platforms will not typically identify application logic or other subtle security issues, they can help reduce the low hanging fruit that is often targeted by automated scanners and less mature attackers.
Combined testing risks
Whilst there are many benefits of combined testing, there are some gotcha's to be mindful of.. These include:
If testing activities are not well-managed and tracked, and issues arise (such as data corruption or inconsistencies) it can be difficult to identify the source
Over-runs in one or more types of testing can result in delays for another team, hence testing planning, monitoring and coordination become vitally important
Certain types of testing may impact performance, and skew results - e.g. it's probably unwise to be performing brute force password guessing tests against a system whilst testing responsiveness and user experience
Where incremental or immediate changes are being integrated into an application (i.e. find-fix-confirm), it can be difficult to accurately predict the security implications of changes, and as a result, areas that may have been tested free of security defects may regress or have vulnerabilities introduced
Establishing combined security testing can be challenging but the benefits can be realised when testing itself is well integrated. An interim / transition approach for businesses wanting to improve their cyber security posture is sometimes to:
Invest in upfront secure development training (SDLC) to improve code resilience and security
Empower development (and test) teams with basic security testing skills and tools to address the easily discoverable issues
Embed automated code review tools into the SDLC, which are supported by experienced security capability (as there is nothing worse than having hundreds of potential false-positive security defects that can confuse, disrupt or dishearten your developers)
If you would like to discuss new approaches to security testing or improving the security of your applications, get in touch.
Author: Clinton Smith