It's easy to believe that cyberattackers must be using cutting-edge technology or some sort of AI-powered social engineering attacks to break your defences and get at your data.
But the reality is a lot more mundane. Most criminals are adept at slipping through small gaps in your software environment and exploiting them. According to the US Department of Homeland Security, 90 percent of reported security incidents exploit defects in software design or code.
The solution is to test your code before a criminal does. And with the Australian Cyber Security Centre observing a 25 per cent increase in the number of publicly reported software vulnerabilities year-on-year, it's clear testing needs to be a priority. But what kind of software testing are we talking about? And how does testing impact cybersecurity?
Tests come in many different forms
Software tests can be automated or manual, scheduled or one-off, and undertaken before, during or after development. The key approaches relevant to security include:
Penetration testing, a simulated attack against a network or application in which the tester acts as a hacker would
End-to-end testing, which compares the interactions between different modules or processes to search for vulnerabilities
Configuration management testing, which checks systems are configured correctly
Fuzzing, in which invalid or random data is entered into a program so the response can be assessed
Generic scans can be useful, but will never be as effective as a test that is specific to your software and threat landscape. And that testing does not begin and end with your networks. Third-party code is widespread and can be a major security risk, while partner organisations’ credentials and processes should also be assessed. Other areas to focus on include encryption tools, which are not always reliable or fully implemented, and API vulnerabilities.
Penetration tests, in which security testers attempt to breach your organisation, use many of the same techniques a real attacker would. Compared with generic or automated tests, pen testers use their human ingenuity and experience to try to break stuff, and will produce an audit report afterwards. This report offers vital information for improving your software, hardware, processes and training. It can also help check compliance boxes and reassure stakeholders about the state your security.
Penetration testing has many strengths, but comes with human flaws
As powerful as it is, penetration testing has its blind spots. So what are its pitfalls, and how can you use it best?
A pen test is a snapshot of your defences at a given point in time: for long-term security, it must be conducted frequently
There’s no point doing tests if you’re not making changes as a result of them; the findings must be given due consideration
Pen tests are time limited: they may miss legacy hardware or software that’s harder for testers to access. It might exclude processes and data held in the cloud or by third parties.
Your staff will often know when a pen test is imminent and prepare accordingly. This would skew the results, making your network appear more secure than it actually is
If limitations are placed on testers (to avoid outages, for example), the results will also be limited
None of this means pen tests should be neglected. They can be crucial in finding security gaps, backdoor accounts and credential vulnerabilities in individual pieces of software and across your network. But if you’re relying on them as your only test, you’re leaving gaps for the bad guys.
Relying on automation or manual testing alone isn’t enough
Automation is often presented as a silver bullet for cybersecurity. Techniques such as static analysis (a review of your code), dynamic analysis (in which code is examined while processes are running), in series (in which tests block deployment until they have been passed) or in parallel (where tests run alongside deployment) do offer speed, scalability and repeatability.
But, despite the increasing sophistication of AI tools, automation has its limits. Top-level analysis is best performed by human experts. Automated testing is also notorious for returning large numbers of false positives, which can bog analysts down in follow-ups, or mean they get used to ignoring them. Tweak testing and configuring tools properly are vital steps in building automation that properly complements manual tests and analysis.
Software testing should cut across silos
Integration is important, and testing as a whole should be integrated with development from the word go. One of the few heartening effects of the breaches that have swept the world in recent years is the increased visibility of cybersecurity. CISOs should use this impetus to ensure that security is an important part of every department’s role.
In particular, DevSecOps, which integrates security into the development lifecycle, can completely transform your cybersecurity stance. By implementing proactive security strategies throughout the development lifecycle you can strengthen software’s security before it becomes operational. Exposing and tracking vulnerabilities alongside other development issues (and stressing the benefits that testing brings to the bottom line) can also help ensure they are seen as essential processes, not side issues that occasionally emerge to block the pipeline.
Keep working – and mind the gaps
Well-designed and structured testing can become a virtuous circle, as testers share feedback, issues are resolved and trust in the process grows. Testing should be ongoing, and you should:
Not only look at systems not working, but also systems that are. Techniques such as formal verification can assess alignment with specific security standards
Audit your tests to see if any can be removed due to redundancy or duplication
Continually assess whether existing tests should be automated to increase speed and efficiency, and whether new tests should be brought in to look for emerging issues
Assess where security experts are using their expertise – could they provide more value by focusing on other areas of testing?
Share results with relevant departments so they can share their insights and experience
Software vulnerabilities are a huge threat, and it’s vital not just to test, but to do it well. Once-in-a-blue-moon penetration tests or in-house silos that prevent tests being fully carried out can leave gaps that attackers will exploit. Ignoring third-party code or APIs, or getting the wrong balance of automation and human analysis are other ways testing can fall short. The best strategy is to use a blend of approaches, share the results, and continually assess where improvements can be made. Cyberattackers never stop, and neither should your testing.