A highly process-oriented Quality Assurance (QA) function in Software Development Life Cycle (SDLC) ensures the best software, application or product as possible, yet the role is sometimes perceived as an afterthought which comes at the end to check on all aspects of the product or application including security testing before the release to the public or end customer.
The procedures and standards they implement to be able to do their job ensures that the product or service meets a certain set of requirements. A seasoned QA professional will look out for a bug, error, slow load time, and navigation breaks throughout the whole SDLC, but the aspect of security is not earmarked specifically for a QA. While minimizing the risk of defects and errors, there is a lurking threat and risk, around the security of the application or product.
What is security testing?
Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protects data and maintains functionality as intended.
Just like the requirements of the software or service have to be met in QA, security testing warrants that certain security requirements be met. Typical security requirements may include specific elements of confidentiality, integrity, authentication, availability, authorization and non-repudiation.
What is the need to have security testing?
The usual software testing looks out for certain bugs or flaws inherent in the software, which could hamper or even stop the software from performing, but security testing is on the lookout for those application vulnerabilities and threats that can cause loss of sensitive and confidential data, revenue and reputation. These threats and risks could be due to an employee accessing the software or external actors, who intentionally will attack the defences of the software to get to the data or exploit the software’s weaknesses. The threats are everywhere, whether it is on-premise software, cloud-based or web-based applications.
The security process should start right at the beginning of the requirement gathering stage, moving through the design, testing, implementation, rollout and support phases. So, if the QA is roped in to be present at all of these stages, then security testing should have a place in the software development QA framework.
Reasons for security testing to find a place in the QA program
1. It fits the QA role
Following security practices and processes, the whole team in SDLC ideally should be able to meet the requirements by checking and testing the application vulnerabilities from a security point as well. It is the duty of the QA to look out for any vulnerabilities whether it is in the network, system software, client-side application or server-side application security. The QA teams have to train and adopt the security testing methods and processes, even if they do not have any application security background.
2. A high-quality application is a secure application
The standards for quality include security as well. The QA framework, which has QA testing as an integral part is expected to test and confirm whether the application is secure as part of releasing a satisfactory application. Many use cases of security testing encompass basic areas like password encryption, permissions, logins, session timeouts and cookies to more advanced ways of bypassing existing controls. All of it and more fall under the purview of a secure application.
3. Security QA is cost-effective
It is not always feasible to have a separate security team of experts for security testing. With advanced automated testing that can monitor and detect vulnerabilities, security testing is becoming manageable for QA teams. Many of the automated tools comply with GDPR and PCI DSS requirements, hence addressing the complex compliance needs of an application. Isolated security teams often perform a scan but can’t provide additional understanding beyond what the tool tells them because they don’t have the breadth and depth of knowledge into just how the application works.
In our earlier blog of DevSecOps, we explain that with DevSecOps, instead of just ensuring that the software is in compliance or meets a certain specification or audit requirements, it also has to take all the steps and use the tools and methods to ensure that the code is written as correctly and securely as possible to hold up against future cybersecurity attacks or risks. Well-rounded and multi-skilled professionals are needed throughout the SDLC, so if it means training QA to take up the responsibility of security testing, then the business benefits and the clients and users can be assured of a secure code and application.
If the end goal of better time-to-market, improved user adoption and seamless user experience are met, then all is well in the world, but a threat to the security of customer or business data through the application or product could undo the good work of all stakeholders in SDLC. Hence, it becomes the role of the QA to look at a wider expanse of issues related to the software and deliver on true product quality. If you need any assistance launching your Security QA program, contact Packetlabs to learn how we can help.