IT teams and testers have been challenged by automated testing for decades now. It seems to me that many organisations haven’t really cracked the nut yet with regards to functional automation, and many (too many) automated testing efforts fail to meet their objectives, budget and stakeholders’ expectations. Expectations seem to be lower for load and performance testing. I’m not sure if this is because it’s perceived to be more difficult, or the risk is perceived to be lower, or both. Either way I don’t think that’s true, but that’s for another post. There isn’t much conversation happening about automated security testing - yet. I find this strange considering 47% of companies surveyed for this year’s World Quality Report said that enhancing security is part of their IT strategy. The number of security breaches is increasing – the 2018 Cyber Security Breaches Survey shows 43% of businesses in the UK experienced a security breach in the past year.
Automated Security Testing
Agile development methodologies and DevOps demand that testing is automated in order to keep up with the cadence of frequent and regular releases. This is as true for security testing as it is for functional testing. When security vulnerabilities carry such a high business risk, and when, like functional bugs, security flaws can be introduced into the code by developers at any time, I’d argue that automated security testing is a higher priority than automated functional testing.
While new vulnerabilities are being identified all the time, and I don’t envisage that changing any time soon, the IT industry needs to find a more efficient and more cost-effective way to do security testing. Traditional manual methods are expensive and time consuming. Fortunately, nFocus has a solution for this – take a look on our website here.
We recommend automating user journeys through the system under test and using multiple scanning engines to identify all known web application vulnerability classes. This includes those listed in the internationally recognised OWASP Top 10 and provides a high level of confidence. It’s important that false positives are minimised with any security test, and confirming an identified vulnerability by exploiting it is the way to do this. It means the development effort spent fixing vulnerabilities identified in the test output is minimised and isn’t wasted on findings that turn out not to be real.
An automated approach means that security tests can be executed with every release and the definition of done can include security testing. The effort required to execute the tests is minimal and the cost benefit is huge.
Security Testing as part of your Agile Lifecycle
As a minimum, we would expect test results to be documented in PCI- and UK Government PSN-compatible formats, covering:
- Impact, Priority and Likelihood of exploitation of all vulnerabilities found during the test
- Breakdown of where and when the vulnerability was discovered
- Technical description of discovered vulnerabilities
- Details of the exact attack used
- Simple to follow remediation advice
In a climate where the number of reported vulnerabilities increased by 120% last year, and the rise shows no sign of slowing down, companies cannot choose to leave security untested. Traditional security testing methods do not align with modern development lifecycles, and automated security testing is the only way to tackle this growing risk.
Our security scanning tool and approach follow all of the best practices outlined in this blog post. It can even integrate with your Jenkins or TeamCity server to manage scans through our API. We can also set up two-way integration with JIRA to simplify defect management: any vulnerability discovered is added to JIRA, and checks are in place to prevent resolved vulnerabilities being raised again, avoiding duplicated work.
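To make the pipeline side of the last two paragraphs concrete (tests run on every release as part of the definition of done, findings pushed to a tracker, duplicates and already-handled issues filtered out), here is an added example of the triage and gating logic a CI job would run between the scanner and the issue tracker. This is my own illustrative code, not nFocus’s tool or its API: the scanner output format, the in-memory dictionary standing in for JIRA, the impact/likelihood priority matrix and the fingerprint scheme are all assumptions. The page does not say what happens when a previously resolved vulnerability reappears; this example treats that as a regression that reopens the ticket rather than silently suppressing it.

```python
"""CI gate for automated security scan results (illustrative, not a vendor API).

Flow: scanner JSON -> fingerprint each finding -> compare with the tracker ->
classify as new / duplicate / regression -> fail the build if anything new or
regressed is at or above the agreed priority threshold.
"""
import hashlib
import json
from urllib.parse import urlsplit

LEVELS = {"low": 1, "medium": 2, "high": 3}


def fingerprint(vuln_class, url, param):
    """Stable identity for a finding: vulnerability class + URL path + parameter name.

    Host and query values are deliberately dropped so the same flaw seen on dev and
    staging, or with a different test value in the query string, maps to one ticket.
    """
    path = urlsplit(url).path or "/"
    key = f"{vuln_class}|{path}|{param or ''}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def priority(impact, likelihood):
    """Priority from the impact/likelihood pair (assumed matrix, not a standard)."""
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 9:
        return "P1"
    if score >= 6:
        return "P2"
    if score >= 3:
        return "P3"
    return "P4"


# Constructed sample scanner output from one automated user journey. Findings 1 and 2
# are the same issue on two environments; 3 is already open in the tracker; 4 was
# previously resolved and has come back.
SCAN_OUTPUT = json.dumps([
    {"class": "reflected-xss", "url": "https://dev.example.test/search?q=test1",
     "param": "q", "impact": "high", "likelihood": "high", "evidence": "input echoed unencoded"},
    {"class": "reflected-xss", "url": "https://staging.example.test/search?q=test2",
     "param": "q", "impact": "high", "likelihood": "high", "evidence": "input echoed unencoded"},
    {"class": "missing-security-header", "url": "https://dev.example.test/",
     "param": None, "impact": "low", "likelihood": "medium", "evidence": "no CSP header"},
    {"class": "sql-injection", "url": "https://dev.example.test/account?id=1",
     "param": "id", "impact": "high", "likelihood": "medium", "evidence": "error-based"},
])

# Constructed stand-in for the issue tracker: fingerprint -> ticket key and status.
TRACKER = {
    fingerprint("missing-security-header", "https://dev.example.test/", None):
        {"key": "SEC-101", "status": "open"},
    fingerprint("sql-injection", "https://dev.example.test/account", "id"):
        {"key": "SEC-87", "status": "resolved"},
}


def triage(scan_json, tracker):
    """Classify each finding so only genuinely new or regressed issues create work."""
    seen_in_scan = set()
    results = []
    for f in json.loads(scan_json):
        fp = fingerprint(f["class"], f["url"], f["param"])
        if fp in seen_in_scan:
            action = "duplicate-in-scan"        # same flaw reported twice in this run
        elif fp in tracker:
            # Open ticket: no new work. Resolved ticket seen again: regression, reopen.
            action = "duplicate" if tracker[fp]["status"] == "open" else "regression"
        else:
            action = "new"
        seen_in_scan.add(fp)
        results.append({
            "fingerprint": fp,
            "class": f["class"],
            "priority": priority(f["impact"], f["likelihood"]),
            "action": action,
            "ticket": tracker.get(fp, {}).get("key"),
        })
    return results


def gate(results, fail_at="P2"):
    """Definition-of-done check: (passed, blocking findings).

    Only new or regressed findings at or above the threshold block the release;
    known open issues are already being managed through the tracker.
    """
    rank = {"P1": 1, "P2": 2, "P3": 3, "P4": 4}
    blocking = [r for r in results
                if r["action"] in ("new", "regression") and rank[r["priority"]] <= rank[fail_at]]
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    triaged = triage(SCAN_OUTPUT, TRACKER)
    for r in triaged:
        print(f"{r['priority']} {r['action']:18} {r['class']:24} ticket={r['ticket']}")
    passed, blockers = gate(triaged)
    print("release gate:", "PASS" if passed else f"FAIL ({len(blockers)} blocking)")
```

The two decisions worth copying are the fingerprint and the gate condition. Fingerprinting on class, path and parameter (not on the full URL) is what stops the same vulnerability being raised once per environment or once per test value; leaving query values in the key is the usual cause of ticket floods. The gate ignores findings that are already open in the tracker, so a known issue does not block every subsequent build, but a resolved issue that reappears is treated as a regression and does block, which is exactly the case you do not want silently deduplicated away.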
Talk to us today to find out how we can help you mitigate security risks and integrate automated security testing into your development lifecycle.
You might also be interested in our webinar, “Automated Security Testing, how to do more testing whilst reducing costs”, which is taking place on 14th March from 2:30 PM to 3:30 PM GMT. Register for your place here.