QA Professionals: Taking the Lead on Security Testing
by Matt Angerer
QA professionals bring a tremendous amount of value to security testing, but they still don’t play as large a role as they should. QA understands the way an application is put together, and their perspective can be invaluable when determining areas at risk. QA professionals are particularly well-suited for developing test scenarios to improve security, a growing concern for software organizations. Testers have the skills necessary to solve these and many of the other problems facing businesses today. While it would be difficult for testers to manage code review, their holistic thinking process allows them to see the big picture, a necessary part of tackling the persistent problems within the software development industry.
Here are some suggestions we’ve pulled together to better involve your QA team:
Including Testers in Development Planning
The first and most important step for involving testers in application security is to bring them into the fold from the outset for test planning purposes. Far too often the requirements for security established in early-stage planning lack the specificity they need. Testers, by their very nature, tend to insist on specifics to ensure that every element can be tested properly. There is nothing worse than an ambiguous requirement. This is where tools like HPE ALM help to identify security requirements for your application under test, such as, “Application Under Test will not contain any Critical or High Severity Issues uncovered by the HPE Fortify On Demand Dynamic Scan.” Under this high-level security requirement, your QA team could break it down even further into sub-categories. Remember, it’s not wise to throw something “over the fence” at a QA professional and ask them to test without involving them in the early design and build stages. This can often lead to overlooked requirements and inneffective test coverage.
Identifying Areas Vulnerable to Attack
Taking a risk management mindset is critical to security testing. Testers must be able to determine where attackers are most likely to strike, and what they’ll be looking for. Some of the most common targets are passwords, credit cards, and social security numbers. Tools like HPE Fortify On Demand and Fortify Security Center help organizations like yours mitigate those vulnerabilities. QA professionals are typically better suited for running such scenarios because they know the individual weaknesses of their developers. With that knowledge, they’re able to ensure vulnerable areas of code are scrutinized more carefully, following an HPE Fortify scan. Your QA team can use HPE Sprinter to run exploratory vulnerability tests over areas that were touched by more junior developers. HPE ALM also integrates with HPE Fortify On Demand through a custom REST-based API. Contact ResultsPositive to learn more about our custom integrations.
Testing Both Sides of the Coin
Many times in testing the focus rests solely on what the application is able to do. While that is certainly important, it is also important to consider what the application is not able to do. For example, allowing a user an unlimited number of attempts at entering a password. Doing so leaves an application far too vulnerable to automated programs, which could eventually result in a code breach. If your organization processes credit cards, you’ve likely heard of the PCI-DSS standard. The PCI Security Standards Council developed a guidance document (available for download below) about penetration testing. We encourage you to review this guidance document closely as it covers “both sides of the coin” for you:
Download the PCI Penetration Testing Standards Report by completing the form below:
Evaluating Error Messages
Testers should also be involved in the evaluation of error messages produced by login attempts. Many times, helpful information is inadvertently presented to an attacker through these error messages. By carefully evaluating error messages, it’s possible to reduce the chances of a data breach. Login error messages should also be evaluated, along with your default error messages, which can similarly contain information that might assist unwanted 3rd parties.
QA professionals have a lot to bring to the table to ensure a successful software outcome. Bringing them into the loop from the beginning can make everyone’s job easier and more effective. ResultsPositive has been working with HPE for over a decade to design and implement custom business software solutions that help organizations like yours mitigate risk and increase the likelihood of positive outcomes. Contact us today about a free trial to HPE Fortify On Demand and let one of our software security experts walk you through how to set up a metric reporting structure in HPE ALM to monitor issues uncovered with HPE Fortify.