'Secure by design' is becoming a mainstream approach to ensuring software system security. Assuring that security involves making security testing part of the software development approach. Here, NashTech Security Consultant Hien Trinh discusses the practicalities of security testing and looks at how NashTech incorporates it into modern software development methods.
In software engineering 'secure by design' means that the software has been designed to be secure from the foundations up. Secure by design is becoming a mainstream development approach to ensure the security and privacy of software systems. But to be certain that the security built in to a software design is effective, you have to carry out security testing that's aligned to the software development approach.
Functional testing of software is based on a variety of elements such as risks, requirements, use cases and models. Security testing is based on the security aspects of those elements, but additionally aims to verify and validate security risks, security procedures and policies, attacker behaviour and known security vulnerabilities.
So the traditional approach of simply making application security testing a checkpoint before deployment doesn't really hold water. That's because it's difficult to address vulnerabilities and weaknesses discovered during the analysis and testing process in a timely and cost-effective way.
Of course, security testing can't guarantee that a software system or the organization using it will be safe from attack. What it can do, however, is help to identify the risks and evaluate the effectiveness of existing security defences.
People, process and technology are often regarded as an 'iron triangle' that delivers a complete IT solution. All three areas will have an impact on the overall IT delivery — including on security:
At NashTech we take security considerations into account throughout the entire software development lifecycle (SDLC) to ensure security requirements are implemented. That's why security testing is embedded in all lifecycle phases.
We use different methodologies and techniques (reviews, analyses and tests) to assure security in each phase, as the mapping below describes.
Use a list of secure coding practices during the code review to determine if developers and the software itself are following established security methods and best practices.
Validate that the system meets users' needs in real-world conditions. This includes ensuring that security requirements have been implemented and met correctly. By this phase, most security testing should have already been performed, but there will still be opportunities to test security scenarios that occur at the business process level.
Check the configuration to confirm that security configurations are correct in the target environment.
Have an expert carry out penetration testing, vulnerability scanning, and impact analysis of patches. The focus is on testing changes made to correct defects and add functionality to ensure no new vulnerabilities have been introduced to the system.
One important thing to bear in mind is that a security risk assessment is only a snapshot at a given point in time. New threats emerge daily, which means security risks change all the time within an organisation and for any given project. Applications change over time as well.
Security risk assessments should therefore be carried out at regular intervals, which will vary according to the project and the degree of change it experiences.
Security is a critical aspect of modern applications development. The experience we've gained working on many successful client projects over time has given us insight into what's needed to deliver secure, high-performance software.
We use the OWASP Top 10 as the core of our security testing standard. And because not all security standards apply to all situations, we make sure we understand the unique requirements of each project and client, and tailor our approach to suit them.
To learn more about our Software Testing Services, email firstname.lastname@example.org and a member of the team will be in touch.