Old hands from the last millennium know that whenever a manufacturer brought a new application or a new version of an application onto the market, users were often abused as beta testers. This was primarily because there was a lack of opportunity to test a large codebase effectively and efficiently. Because users didn’t know there was an alternative, they accepted this situation grudgingly, and the consensus formed that there was no such thing as bug-free software.
Times have changed and today’s users are much less tolerant of bugs, especially security vulnerabilities in hosted applications. Currently, anyone offering an application online rarely has to wait long for hackers to examine its weaknesses. Finding these security weaknesses in, for example, e-commerce applications or online booking systems, is highly attractive to hackers because of opportunities for identity theft or to issue ransomware that may damage the company’s sustainability.
Hackers don’t just target the obvious bugs in applications. Distributed Denial of Service (DDoS) attacks are increasingly aimed at an application, rather than the network infrastructure, often making the application unavailable to legitimate users.
CSOs must ensure both they and their team understand the importance of security and load testing over the application development lifecycle. To deliver more secure products to market, CSOs must identify the aspects of development that can harness security faults, and address these challenges with increased time and support for development teams to perform at their best.
Insufficient time for security testing
With such serious consequences, security defects must be avoided as much as possible. This requires intensive testing and the right tools. Time is also precious, and time-to-market is often a critical success factor for new applications. For IT decision-makers, it’s necessary to balance these security concerns and time pressures with an organisation’s appetite for risk, and its allocation of resources.
In addition, IT leaders need to look at the effectiveness and agility of their security testing. Agile software development decreases the period in between software releases from months to days or even hours. It is widely acknowledged that the classical iterative, develop-test-develop process for troubleshooting takes too long, so is often overlooked. As a result, security defects often still find their way into software versions and must be eliminated later, which involves higher costs. For example the cost per defect in the development stage is US$80; but quickly jumps to US$960 per defect in the testing stage, and US$7600 in production. The American National Institute of Standards and Technology (NIST) estimates that these costs amount to almost US$60 billion annually in the US alone.
It’s important to note that developers are aware of these growing challenges with security testing. In a recent Ixia survey of 363 developers, a clear majority of respondents nominated security testing as the most critical component of the development cycle. In fact, 93 per cent report they subject their applications to security testing during the development process early, and continuously. And yet, two-thirds of the respondents admitted to delivering products with bugs and/or security flaws. Subsequently, eliminating these defects via patches or updates is at least four times more expensive than addressing them during development.
Test early and often
A range of comprehensive security testing solutions are emerging to integrate security testing more closely with the development cycle. These solutions give developers powerful and comprehensive test environments to carefully monitor application behaviour in response to DDoS attacks, malicious traffic, and automated attacks, which lets developers identify bugs or vulnerabilities at the encoding stage. These tools also generate realistic traffic for load and safety tests, to simulate a wide range of protocol mixes and traffic patterns. In addition, these solutions include development tools such as integrated debuggers that import and replay recorded packet captures.
By using REST APIs (Representational State Transfer Application Programming Interfaces) and a rich command line interface, these integrated security testing solutions work with a range of continuous integration/continuous deployment (CI/CD) frameworks. These agile CI/CD frameworks streamline discovery and resolution of issues found in different phases of the application development lifecycle.
These solutions also streamline communication and reporting within multifunction teams via a range of community features such as referrals, real-time feedback, and task allocation. Using a completely virtualised solution also lets IT decision-makers improve security testing across the application lifecycle while minimising any hardware or infrastructure investments. Plus, this flexible approach helps distributed teams to collaborate effectively.
The chance to increase a development team’s agility and speed while improving application security is making many IT decision-makers sit up and take notice. With company boards requiring IT departments to respond more quickly and effectively to technology opportunities, IT leaders are seeing the benefits of this new way of working that combines the twin priorities of agility and security.
CSOs should work with their developer teams to ensure new applications and updates undergo rigorous and realistic tests before they are released to market to face the mercy of hackers. Using commercial tools and systems for security and load tests helps to determine the behaviour of applications under different stress loads. It also helps developers deliver products to market in a more cost effective, timely, and agile manner.