20/09/2019 - Security Testing
Security – it is the watchword on the lips of all of us, particularly when it comes to IT systems that hold personal data or information that could compromise a company and create bad press for them!
With the flow and availability of information increasing by the week through the Internet of Things and ever larger, more complex systems and integrations, security is getting left behind. That is not a good state of affairs, as companies and people risk being compromised through systems that can be breached for lack of the right security testing. Security testing is a big subject, yet in a recent survey we found that few companies considered security testing to be anything more than ‘penetration testing’.
Whilst pen testing is clearly important, it is just one part of many if security testing is to provide the CIO and the business with the confidence they need to launch and maintain new applications.
If we consider the prime reasons behind security failures and data breaches, we can include:
Have the recent security breaches made us think about the loss of data and how it might affect us? The simple answer is, of course, yes.
This is clearly a major concern, but not the only one. If we look at some recent metrics from Myers-Briggs, they cited security testing as having the greatest cost to fix.
Let’s look at what they said in their table of ‘Defect Damages & Recovery Costs’:
| By Defect Origin | Cost |
| --- | --- |
| 3. Requirements (wrong or missing) | $150,000,000 |
| 7. Requirements creep (wanting more) | $90,000,000 |
| 10. Bad fixes | $60,000,000 |
| 11. Test case | $50,000,000 |
How many companies would have thought that security failures are the most expensive to fix in IT systems? Not many, I suspect. Quite clearly, though, the costs in the table aren’t the standard costs for all companies, but they do represent the cost of defect recovery for major applications in large companies and government agencies. Even if your company is not a major SI or government, you can quickly extrapolate the cost of a security failure by using your own cost of failure metrics. Try it – I guarantee you will be horrified!
The numbers and the bad press alone tell us that the security of systems is a risk to be managed if it is not to become a bigger problem. Another issue is that many of the risks faced are avoidable with the right strategy, planning and organisational skills. It is a sad fact, however, that what is needed to help ensure security is seriously underestimated by those responsible for delivery, many of whom fail to recognise just what the lack of proper security testing and the lack of investment in the right skills can cost them in the marketplace. We have only to look at the disaster that TSB recently faced in the UK to understand the scale of the problem. What started as a platform upgrade resulted in a public-relations disaster when some people were locked out of their accounts and others were presented with information and data that was not theirs. The fallout is likely to have cost TSB millions in compensation, reduced market share resulting from a loss of customers, and the downfall of their CEO.
There have been many other recent and notable security breaches that are well documented in the public domain, including British Airways, Equifax, TalkTalk, Tesco Bank, Wonga and many others we could mention.
The point is that these are all household names who have suffered financial loss and reputational damage, so don’t think it won’t happen to you. I don’t know what the security testing policy of these companies was and won’t speculate on it – suffice to say it will have changed.
What is also a fact is that we have all had enough of hearing about how systems have been compromised, our data spread to the highest bidders, and platitudes about ‘how we must learn the lessons and apply them to the future so that it doesn’t happen again’. Well, guess what? The future is today, and prevention has always been and always will be better than cure.
Why spend time on causal analysis and damage limitation when it is better to plan for the requirements and problems of security in the first place? One thing you can be sure of – planning for and embracing security in IT systems is infinitely cheaper than waiting for the inevitable to occur and then closing the stable door once the horse has bolted!
Consider these basic, quantifiable facts about the state of the industry today:
Consider also the basic checklist of what is required to think about planning security testing:
These things are a big deal – so why aren’t they managed as the ‘de facto’ standards by companies that build IT systems? Remember, the IT systems you develop, test and deploy are supposed to underpin the day-to-day operations of the business, but if those systems are not secure then neither is your business. Get used to it.
What can be done?
TSG Training is fully cognizant of the need for experts in the field, and as such has commissioned industry expert Randy Rice to come over from the US to London specifically to deliver an ISTQB Advanced Security Testing course on November 12th to 15th. The course will teach you about:
This is a really big opportunity to get ahead of the game by meeting Randy and benefitting from his experience and leadership to become a certified security testing expert.
This course can only be good for you, your career and your company. The course is strictly limited to 12 people, so be sure to book your place now at the all-in price of $1,750, plus VAT. November 12th to 15th at TSG Training – don’t delay or you’ll miss out. £1,750 may seem a lot, but think of it as investment insurance against what it could cost you if you don’t have the skills to get security nailed.
Randy Rice is a leading author, speaker, consultant and practitioner in the field of software testing and software quality.
He has over 40 years of experience in building and testing software projects in a variety of environments, with deep experience in security testing for major corporations, cyber security start-ups, and government agencies (including defence).
Randy is the chair of the ISTQB Advanced Security Tester Working Party which created the 2016 Advanced Security Tester Syllabus.
He has authored over 70 training courses in software testing, including security testing and software engineering. Randy holds many ISTQB certifications, including all three core Advanced Certifications, the Advanced Security Tester, Advanced Test Automation Engineer, Certified Mobile Tester, and Certified Agile Tester certifications.
Randy is co-author with William E. Perry of the books, Surviving the Top Ten Challenges of Software Testing and Testing Dirty Systems. He is on the board of directors of the American Software Testing Qualifications Board (ASTQB).
Randy founded Rice Consulting Services in 1990 and continues to train, mentor and consult with testers and test managers worldwide. Many of his clients deal with complex testing problems in critical applications. His clients often comment that his practitioner experience in the trenches adds great value to the concepts he teaches and the consulting he performs.