Welcome!

@CloudExpo Authors: Elizabeth White, Yeshim Deniz, Liz McMillan, Pat Romanski, William Schmarzo

Related Topics: @CloudExpo, Cloud Security, @DevOpsSummit

@CloudExpo: Article

Testing and Security Measures | @CloudExpo #DevOps #Agile #Cybersecurity

Security testing has always been a top priority for organizations when it comes to implementing technology

How to Address Security Measures While Testing

Cyberthreats have become more sophisticated over the years, improving methods to take advantage of software information and even completely shut down systems to hold data ransom. As a result, developers and testers must be able to ensure that their programs have the necessary protections in place to prevent attacks and keep business information safe. Here are a few tips to help teams address security measures during testing.

1. Designate an expert
Within a team there should be a person delegated to investigate and document all security measures necessary. It's this individual's job to assess requirements facing the industry the app's users operate in. For example, health care has a wide range of strict regulations like HIPAA and other legislation that dictates how patient information should be stored and secured. Nearly every sector must also contend with PCI DSS, a law that helps protect payment card information and financial data. Since most organizations accept credit and debit cards, this regulation is the most widespread.

However, it's not enough to have just one expert. TechTarget contributor John Overbaugh noted that all team members must be educated on these security needs in order to test effectively. Once team members have a better understanding of what to expect, they will be able to strategize on how to better address protection requirements using agile testing methodologies.

"The test manager plays one other important role in ensuring security measures are followed," Overbaugh wrote. "This role is to encourage, enforce and pattern compliance with internal security guidelines both of the company as well as guidelines given by the company's customers. Security is everyone's responsibility, but managers carry the duty to be examples to their teams and to ensure their teams follow security requirements."

2. Simulate attacks
As noted earlier, there's a wide variety of attacks that an organization may experience, but QA teams can prepare for these events by simulating these threats. If a known strain of malware is rising up, for example, testers should evaluate their app against this threat in a secure environment. Although real-world situations may not proceed the same way, exploratory testing can reveal a significant amount of information concerning what areas go down first and how well the app responds to certain stressors.

It's virtually impossible to plan for everything or to foresee the types of sophisticated attacks on the horizon, but it's still worth it to simulate known and emerging attacks to understand your vulnerabilities. Security Innovation Europe's Alan Pearson suggested using static and dynamic testing tools to improve security by weeding out false positives and identifying real threats. With quality testing tools, testers can better detect what areas need to bolster their protections and what steps to take to improve security overall.

3. Test after each change
Under agile operations, it's expected and even encouraged that teams will make continuous innovations to a project to enhance functionality and provide a quality experience. However, each change made also introduces a certain amount of risk that it will open up a vulnerability. Teams must do extensive testing after each adjustment to not only ensure that the app still functions as expected but that security measures continue to cover everything. Ongoing code reviews will be critical to maintaining protection and confirming that features have been configured correctly.

"It's vital that you remember that your testing environment is different to the real world: even after all your testing, unexpected errors or vulnerabilities can crop up during deployment that you hadn't anticipated," Pearson wrote. "One of the biggest risks is misconfiguration during deployment. To protect against this, you should have a dedicated member of staff overseeing deployment who is responsible for checking for any configuration errors to mitigate the risk."

Security testing has always been a top priority for organizations when it comes to implementing technology and ensuring that they maintain compliance with industry regulations. By establishing a security expert on your team, simulating attacks and testing code after each code change, groups can maintain protection throughout the application lifecycle and effectively prevent a breach. Strategies will need to constantly evolve to address current threats and vulnerabilities that will emerge in the future.

More Stories By Sanjay Zalavadia

As the VP of Client Service for Zephyr, Sanjay Zalavadia brings over 15 years of leadership experience in IT and Technical Support Services. Throughout his career, Sanjay has successfully established and grown premier IT and Support Services teams across multiple geographies for both large and small companies.

Most recently, he was Associate Vice President at Patni Computers (NYSE: PTI) responsible for the Telecoms IT Managed Services Practice where he established IT Operations teams supporting Virgin Mobile, ESPN Mobile, Disney Mobile and Carphone Warehouse. Prior to this Sanjay was responsible for Global Technical Support at Bay Networks, a leading routing and switching vendor, which was acquired by Nortel. He has also held management positions in Support Service organizations at start-up Silicon Valley Networks, a vendor of Test Management software, and SynOptics.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


CloudEXPO Stories
With the proliferation of both SQL and NoSQL databases, organizations can now target specific fit-for-purpose database tools for their different application needs regarding scalability, ease of use, ACID support, etc. Platform as a Service offerings make this even easier now, enabling developers to roll out their own database infrastructure in minutes with minimal management overhead. However, this same amount of flexibility also comes with the challenges of picking the right tool, on the right provider and with the proper expectations. In his session at 18th Cloud Expo, Christo Kutrovsky, a Principal Consultant at Pythian, compared the NoSQL and SQL offerings from AWS, Microsoft Azure and Google Cloud, their similarities, differences and use cases for each one based on client projects.
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and Big Data teams at Autodesk. He is a contributing author of book on Azure and Big Data published by SAMS.
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also received the prestigious Outstanding Technical Achievement Award three times - an accomplishment befitting only the most innovative thinkers. Shankar Kalyana is among the most respected strategists in the global technology industry. As CTO, with over 32 years of IT experience, Mr. Kalyana has architected, designed, developed, and implemented custom and packaged software solutions across a vast spectrum o...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to advisory roles at startups. He has worked extensively on monetization, SAAS, IoT, ecosystems, partnerships and accelerating growth in new business initiatives.