What did they say about Software security testing?
“Over 70 percent of security vulnerabilities exist at the application layer, not the network layer” Gartner.
“Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money” Counterpane Internet Security.
“64 percent of developers are not confident in their ability to write secure applications” Microsoft Developer Research.
“Losses arising from vulnerable web applications are significant and expensive – up to $60 billion annually”IDC/IBM Systems Sciences Institute.
“If 50 percent of software vulnerabilities were removed prior to production use, enterprise configuration management and incident response costs would be reduced by 75 percent each.”Gartner.
General Statistics
The figures below illustrate that lake of software security allows data breaches. These breaches have been categorized by sector, this has been illustrated in figure [1] and [2].
Source: Based on data provided by OSF DataLossDB (due to rounding, percentages may not total 100 percent)
Source: Based on data provided by OSF DataLossDB
The figures below illustrate that lake of software security allows data breaches. At these figures, these breaches have been categories by cause.
Source: Based on data provided by OSF DataLossDB (due to rounding, percentages may not total 100 percent)
Source: Based on data provided by OSF DataLossDB
Below figure illustrates a type of information exposed in deliberate breaches.
Source: Based on data provided by OSF DataLossDB (due to rounding, percentages may not total 100 percent)
The Impact of unsecured application
The impact of the unsecured software application can vary from organization to another based on the importance of the system and its related data as following:
The potential impact is LOW if:
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.
The potential impact is MODERATE if:
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals.
The potential impact is HIGH if:
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.
Types of applications need to have security testing
- Web-applications
- Applications with sensitive commercial or personal information
- Payment and statistic systems
- Applications, sensitive to data distortion
- Social applications
- Applications with expensive licensing
The need for security testing
It is important to recognize that there are three key quality components for software assurance as shown in Figure [6]; reliability, resiliency, and recoverability.
- The reliable software is that which functions as needed by the end user.
- The resilient software is that which is able to withstand the attempts of an attacker to compromise confidentiality, and/or impact integrity, or availability (CIA).
- The recoverable software is software that is capable of restoring itself or being restored to expected normal operations when it has failed in its reliability or resiliency.
Most commonly, when software is said to be of “quality”, it essentially means that the software is working as designed and expected. This is primarily a consideration of software functionality and not its assurance capabilities. However the reliability aspect of software quality today, it is also imperative to take into account the security of the software. This two-pronged approach to software quality testing ensures that software is not only reliable but resilient to withstand attacks that impact CIA.
Therefore, Security testing is necessary because it has a distinct relationship with software quality. The software may meet quality requirements related to the functionality and performance, but it does not necessarily mean that this software is secure. The inverse, however, is true.
So, software called secure when it is software with added resiliency, thus software of higher quality, for example, when the “Add to cart” button on a web page is clicked and the selected product is added to the cart (functionality) in less than the expected two-second requirement (performance). It can be urged that this software met the reliability quality requirements as established by the business, but if the software is not tested for security, there is no guarantee that the product code that is added to the cart has not been tampered by an unauthorized user.
Moreover, poor architecture and implementation of the web application cannot assure the CIA aspect of software assurance.
This was an introduction to software security testing. I will add more posts to illustrate more about the definition of Security testing, its relation to the software developing life cycle, and its techniques.
References
[i]Assuring Software security through testing, White, Black and Somewhere in between by Mano Paul https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Certification_Programs/CSSLP/Software%20Security%20Through%20Testing.pdf
Help to do more!
The content you read is available for free. If you’ve liked any of the articles at this site, please take a second to help us write more and more articles based on real experiences and maintain them for you and others. Your support will make it possible for us.
$10.00
Also published on Medium.
Thank you for sharing your views about software security testing.
Thank you as well