Software and application security is a day-to-day concern: software systems and apps are probed and attacked daily, and many of them do not withstand those attacks. Gartner predicted that in 2017, 75% of released apps would fail security tests and fall short of basic security hygiene.
In most cases this happens because security controls are missing or misconfigured. Any software system or application should comply with the relevant industry security standards and, at a minimum, uphold the three classic security properties:
- Confidentiality (information is disclosed only to authorized users),
- Integrity (information is changed only by authorized users, and unauthorized changes are detectable),
- Availability (the system and its information are accessible to authorized users when they need them).
To deliver software systems and applications that meet these requirements, companies need to invest seriously in security testing. Its purpose is to detect vulnerabilities and gather the facts about each flaw. Properly performed, security testing gives an objective picture of the software's state so that its owners understand the risks they carry.
There are various approaches to security testing. Here at Intetics, we combine manual and automated testing, because automated scanners find the known patterns quickly while manual testing finds the logic flaws scanners miss; together they give an in-depth view of the vulnerabilities.
The findings from these tests are grouped by severity: Critical, High, Medium, Low, and Info. Informational findings make up a large share of the total. They are not vulnerabilities in themselves but capture the state of the system: the number of open ports, the number of logged-in accounts, SSL certificate expiry dates, and similar facts that put the real findings in context.
From this information, security professionals produce a report that states the overall security level of the project and describes every detected vulnerability in detail. At Intetics, manual security testing follows OWASP methods, approaches and application security assessment standards; the OWASP Top 10 is a widely used awareness document listing the most common classes of web application weaknesses. After the automated and manual tests, every vulnerability is scored with the CVSS industry-standard metric, which expresses the risk the vulnerability poses and determines the severity bucket it lands in.
The test results, the scores, the vulnerability details and the analysis together give the big picture. With these facts in hand, the company or product owner can judge how mature the product's security posture is and decide where it should be strengthened.
However, security assurance does not end with testing and evaluation. It is a continuous process of developing and improving the assessment approach. Microsoft reports that 71% of companies admitted falling victim to a successful cyberattack in 2014, which led them to increase their security investments; the figure is unlikely to improve by 2020. This illustrates an unavoidable fact: security assurance is a never-ending task. Software systems are under risk of attack or damage every day; the AV-TEST Institute, for example, registers over 390,000 new malicious programs daily.
Therefore, security should be tested continuously. Intetics security consultants recommend checking software security every second iteration. Naturally, if only the color of the "Contact" button changed, there is no need for security testing. But if the team rolls out updates or changes the system core, testing is a must. In addition, it is good practice to assess the overall security state of the system several times a year.
What every product owner should keep in mind is that 100% secure software exists only in an ideal world. A company or product can, however, reach a relatively high level of security. This is not only a matter of multi-factor authentication but also of sound encryption, access control, secure data transfer and many other things.
Quite often, development teams overlook simple things that later result in painful breaches. For example: a user logs in once and is never asked to authenticate again, because the session never expires. That is a security weakness. The app lets a user enter wrong passwords indefinitely and never locks the account after repeated failed attempts. That is a security weakness. A user can access the system from any number of devices without authenticating on each one or registering the device. That is not an acceptable level of security. Cases like these are common, and they often lead to serious software defects and business losses.
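Two of those weaknesses, unlimited password attempts and sessions that never expire, are cheap to fix once the policy is written down. The following is an added example (not the article's or Intetics' code) of a small authentication policy: it locks an account for a cooling-off period after three consecutive wrong passwords, clears the counter on success, and expires sessions on both an idle timeout and an absolute lifetime. The limits (3 attempts, 15 minutes, 30 minutes, 8 hours), the user name, the passwords and the injectable clock are all hypothetical choices made for this example.

```python
"""Failed-login lockout plus session expiry, with an injectable clock so the
policy can be exercised without waiting for real time to pass."""
import hashlib
import hmac
import secrets
import time

# Hypothetical policy values chosen for this example.
MAX_FAILED = 3                 # lock after the third consecutive wrong password
LOCKOUT_SECONDS = 15 * 60      # cooling-off period before the account may try again
SESSION_IDLE = 30 * 60         # log out after 30 minutes without a request
SESSION_ABSOLUTE = 8 * 3600    # and unconditionally after 8 hours


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock        # time source; tests pass a fake one
        self.users = {}           # username -> (salt, password_hash)
        self.failures = {}        # username -> (consecutive_failures, last_failure_ts)
        self.sessions = {}        # token -> (username, created_ts, last_seen_ts)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _failures(self, username: str) -> tuple:
        """Current failure counter, reset once a served lockout has expired."""
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILED and self.clock() - last >= LOCKOUT_SECONDS:
            return 0, 0.0
        return count, last

    def is_locked(self, username: str) -> bool:
        return self._failures(username)[0] >= MAX_FAILED

    def login(self, username: str, password: str):
        """Return a session token on success, None otherwise. A locked account
        is refused even with the right password, and unknown users get the
        same answer (and roughly the same work) as wrong passwords."""
        now = self.clock()
        if self.is_locked(username):
            return None
        salt, stored = self.users.get(username, (b"", b""))
        candidate = hash_password(password, salt)
        if not stored or not hmac.compare_digest(candidate, stored):
            count, _ = self._failures(username)
            self.failures[username] = (count + 1, now)
            return None
        self.failures.pop(username, None)          # success clears the counter
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, now, now)
        return token

    def check_session(self, token: str):
        """Return the username for a live session, None if unknown or expired."""
        now = self.clock()
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, created, last_seen = entry
        if now - created > SESSION_ABSOLUTE or now - last_seen > SESSION_IDLE:
            self.sessions.pop(token, None)         # expired: force a fresh login
            return None
        self.sessions[token] = (username, created, now)
        return username


def demo() -> list:
    """Walk through lockout and expiry with a fake clock; returns the outcomes."""
    now = [1_700_000_000.0]
    auth = AuthPolicy(clock=lambda: now[0])
    auth.register("alice", "correct horse battery staple")   # constructed sample user
    out = []
    for _ in range(MAX_FAILED):
        out.append(auth.login("alice", "Tr0ub4dor&3") is None)            # wrong password
    out.append(auth.is_locked("alice"))                                    # now locked
    out.append(auth.login("alice", "correct horse battery staple") is None)  # refused while locked
    now[0] += LOCKOUT_SECONDS
    token = auth.login("alice", "correct horse battery staple")
    out.append(token is not None)                                          # lockout served
    out.append(auth.check_session(token) == "alice")
    now[0] += SESSION_IDLE + 1
    out.append(auth.check_session(token) is None)                          # idle timeout
    return out


if __name__ == "__main__":
    print(demo())
```

One caveat before copying the three-strikes rule literally: a hard lock lets anyone who knows a user name deny that user service by typing three wrong passwords. A short cooling-off window, as above, limits the damage; per-IP rate limiting and alerting on lockout spikes are the usual complements.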
Of course, the appropriate level of security depends on the type of software system or app and the services it delivers. Nevertheless, it would be wrong to neglect security requirements altogether. A company of any size needs its own security policy and regular check-ups to protect its data. Product owners should remember that security testing and security assurance are among the most important and most complicated parts of any software delivery process. We at Intetics cross-reference our findings against the common vulnerability standards, databases and vocabularies: CVE, CERT, CWE, OSVDB (no longer maintained since it shut down in 2016) and OWASP.
The bottom line is that security is non-negotiable for companies, and they will have to keep an eye on it continuously. To do so efficiently, security professionals recommend following a few principles:
- Test Often
Frequent reassessments and continuous improvements help deliver better products to the market.
- Do Not Search for a Silver Bullet
There is no single test that finds all vulnerabilities in one pass. Run multiple kinds of tests instead; each discovers a different class of vulnerability.
- Train Up
Training built around common vulnerabilities greatly helps development and testing teams. They learn how to avoid repeating the same mistakes and how to detect them.
These simple principles can form the core of a security policy. They do not make software invulnerable, but they give it a strong security level and a good chance of withstanding most malicious actions.