Coming Trends in Security Testing

The need for software and systems testing has never been greater and is still growing. Erik Rutkens and Jasper de Vries shared their thoughts on trends in security testing in TEST Magazine.

Posted on June 4, 2019 in Blog.


1. Digital transformation and the supply chain

We have already seen the increasing importance of the entire supply chain in security, and how development models are changing. This will only continue as products are updated more frequently and organizations move away from the waterfall model of software development. Businesses will continue to depend more heavily on third-party services and components, with software as a service (SaaS) predicted to dominate the operations of 73% of organizations by 2020. Testing will need to adapt by taking a more holistic approach to securing the supply chain: not just the code an organization writes, but the components it imports and the services it relies on.

2. SecOps and Security-by-Design

Security by design is increasingly a requirement for regulatory compliance, and is simply good practice. It can be achieved by evolving system development first into DevOps, and then into DevSecOps (now often shortened to SecOps).

While the evolution of DevOps into SecOps is a positive trend for security by design, many organizations are struggling to implement it effectively. It means integrating security testing into the application development process itself, rather than bolting it on just before release. Gartner predicts that 80% of development teams will be using a SecOps workflow by 2021, so new solutions will need to emerge to facilitate this.

The difficulty is in establishing, and especially in maintaining, the correct SecOps process. However, third-party testing firms, combining consultancy with their testing platforms to assist the transition, will help a more secure workflow emerge, and security testing will become a vital aspect of security by design.

3. Vulnerability Scanning and Penetration Testing

Hackers' success rests on their ability to stay one step ahead of defenders. Although the increase in state-sponsored hacking and the growing accessibility of resources for malicious actors can give them an edge, not everything is trending in their favour. Resources like the OWASP Top 10 (a ranked list of the most common classes of web application weakness) and the NIST NVD (a database of published CVEs in specific products and versions) make it easier than ever to test for known vulnerability classes and known-vulnerable components, enabling security testers to focus their attention on identifying and protecting against emerging threats. With the increasing resources available to threat actors, proactive vulnerability scanning and penetration testing are likely to become the make-or-break factor. They are also, of course, a compliance requirement under an increasing number of regulations.
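As an added example serving the supply-chain point in section 1 and the known-vulnerability point above (this is not code from the article, nor from Eurofins or Edge Testing), the following Python script shows what "scanning for known vulnerabilities" in the supply chain looks like once it is built into a SecOps pipeline: it reads a requirements-style manifest of third-party components, matches each pinned version against an advisory feed, reports components whose version it cannot determine, and returns a non-zero exit status so the CI job blocks the build. The advisory records, package names and identifiers are constructed for illustration and correspond to no real product or CVE; a real gate would load its feed from the NVD or an OSV-format database.

```python
"""Offline dependency audit of the kind a SecOps pipeline runs on every build.
Added example; all advisories, package names and identifiers are constructed."""
from __future__ import annotations

import re

# Constructed advisory feed in the shape of an OSV/NVD-style record:
# package, affected range [introduced, fixed) and a severity. Invented data.
ADVISORIES = [
    {"id": "EXAMPLE-2019-0001", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "EXAMPLE-2019-0002", "package": "examplelib",
     "introduced": "2.0.0", "fixed": "2.0.5", "severity": "critical"},
    {"id": "EXAMPLE-2019-0003", "package": "fakeparser",
     "introduced": "0.0.0", "fixed": None, "severity": "medium"},  # no fix yet
]

# Constructed requirements-style manifest, as the CI job would read it.
MANIFEST = """\
# application dependencies (constructed sample)
examplelib==1.3.9
fakeparser==0.8
safething==3.2.1
loosething>=1.0    # unpinned: its deployed version is unknown
"""

_PINNED = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)$")
_NAME = re.compile(r"^([A-Za-z0-9_.-]+)")


def version_lt(a: str, b: str) -> bool:
    """True if dotted numeric version a < b. Shorter versions are zero-padded
    so that '1.4' equals '1.4.0' instead of sorting before it."""
    ka = [int(p) for p in a.split(".")]
    kb = [int(p) for p in b.split(".")]
    n = max(len(ka), len(kb))
    ka += [0] * (n - len(ka))
    kb += [0] * (n - len(kb))
    return ka < kb


def is_affected(version: str, introduced: str, fixed: str | None) -> bool:
    """Half-open range check [introduced, fixed); fixed=None means no fixed release."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def parse_manifest(text: str) -> tuple[dict[str, str], list[str]]:
    """Return ({name: pinned_version}, [names that are not pinned to one version])."""
    pinned: dict[str, str] = {}
    unpinned: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _PINNED.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            name = _NAME.match(line)
            unpinned.append(name.group(1).lower() if name else line)
    return pinned, unpinned


def audit(manifest: str, advisories: list[dict]) -> list[dict]:
    """Match every pinned component against the feed. Unpinned components
    become a finding of their own: a version you cannot name cannot be audited."""
    pinned, unpinned = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version and is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({"package": adv["package"], "version": version,
                             "advisory": adv["id"], "severity": adv["severity"]})
    for name in unpinned:
        findings.append({"package": name, "version": None,
                         "advisory": None, "severity": "unknown"})
    return findings


def gate(findings: list[dict], fail_on=("critical", "high", "unknown")) -> int:
    """CI exit status: non-zero blocks the merge or deploy step."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = audit(MANIFEST, ADVISORIES)
    for f in results:
        print(f"{f['severity']:>8}  {f['package']} "
              f"{f['version'] or '(unpinned)'}  {f['advisory'] or ''}")
    raise SystemExit(gate(results))
```

The two design choices worth copying are the half-open version range (a fixed release is not itself affected) and treating an unpinned dependency as a finding rather than a pass: a scanner that silently skips what it cannot resolve gives a clean report for the wrong reason.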

4. Compliance Testing

Compliance testing may very well see the biggest changes over 2019, in large part thanks to the EU's GDPR. The new data regulations are expansive and complex, presenting organizations and testers with new challenges, many of which do not yet have an established solution. With the GDPR only in force since May 2018, precedents and standards for its interpretation in the real world are still being set. However, standards and frameworks are emerging in some countries, such as the Netherlands, which enable compliance testing. Lingering uncertainties over the GDPR at national and international levels will reduce over time, but it is important for testers to stay as up to date on the regulations as possible. The same will apply to the growing number of privacy and disclosure laws coming into effect worldwide, such as the California Consumer Privacy Act (CCPA). More prescriptive regulations, such as PCI DSS, are easier to test against because they state concrete controls rather than principles.

5. IoT testing

The Internet of Things is perhaps the area in which security is currently failing the most. Consumer IoT products are under-protected and awareness of threats is poor. However, the dangers of compromised IoT devices must not be underestimated, as they pose a significant hazard both to end users and to the wider internet. The potential for 'smart cars' to be completely taken over from a breach of the entertainment system (as the 2015 remote compromise of a Jeep Cherokee through its head unit demonstrated) shows the danger to individuals. 2016's Mirai botnet, built from cameras and routers that still used default credentials, shows how businesses and general internet traffic can be affected. Furthermore, if personal data is being collected, is it done in conformance with the relevant privacy protection requirements? Where is it being stored, and is it stored securely?

IoT vulnerabilities are easy to overlook. The device itself may be secure, but has the mobile app used to control it been fully tested? If the app is secure, have all the services and components in the backend undergone sufficient testing? Demand for thorough security testing across the IoT ecosystem is likely to increase, but not only for this reason. Domestic governments may ask for more security testing of foreign-made IoT products given the increase in state-sponsored cybercrime. It is also likely that overseas manufacturers will ask for more IoT testing, allowing GDPR compliance to become a selling point for entering international markets.

6. Big Data

Big data, by its nature, carries one major advantage and one major disadvantage. The advantage is that it only becomes more valuable as a resource over time, as more metrics are added and there is more data to draw on. The disadvantage is that it is only as useful and accurate as the systems that query it. While the data itself is just data and does not require specific testing, where and how it is collected, and where and how it is stored, do matter.

The value of data comes from its transformation into actionable information. The accuracy and reliability of the code that queries big data for this purpose needs to be tested. Sometimes big data comprises personal information collected from internet users, and compliance is obviously a concern. At other times it is simply the accumulation of in-house system logs, used to detect the presence of intruders on the network. Building such detections gets into the area of data science, which is beyond the scope of software testing. Nevertheless, the collection and use of big data needs to be tested for both process errors (gaps, malformed or duplicated records, clocks that disagree) and logic errors (a query that answers a subtly different question from the one intended). It is the perfect example of 'rubbish in, rubbish out'.
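As an added illustration of that point (this is not code from the article), here is a small Python detector of the kind that runs over accumulated system logs: it parses sshd-style authentication records, raises an alert when one source address fails repeatedly within a short window, and escalates when a successful login follows those failures. Because the output is only as good as the input, a line the parser does not understand is counted and reported rather than silently skipped, and the run is marked untrustworthy when the rejection rate is too high. The log lines, hostname and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Intrusion-detection logic over system logs, with strict parsing so that
malformed input is counted instead of silently distorting the result.
Added example; the log lines, host and addresses are constructed."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style records, plus one line of 'rubbish' to show handling.
SAMPLE_LOG = """\
Jun  4 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 4100 ssh2
Jun  4 10:00:03 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 4101 ssh2
Jun  4 10:00:05 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 4102 ssh2
Jun  4 10:00:06 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 4103 ssh2
Jun  4 10:00:08 host1 sshd[2005]: Accepted password for root from 203.0.113.5 port 4104 ssh2
Jun  4 10:01:00 host1 sshd[2006]: Failed password for alice from 198.51.100.7 port 5000 ssh2
Jun  4 10:09:00 host1 sshd[2007]: Failed password for alice from 198.51.100.7 port 5001 ssh2
this line is not a log record at all
Jun  4 10:10:00 host1 sshd[2008]: Accepted publickey for bob from 198.51.100.9 port 5100 ssh2
"""

# Strict pattern: anything that does not match exactly is rejected, not guessed at.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line: str) -> dict | None:
    """Parse one record; None for anything that is not a well-formed auth event."""
    m = LINE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; for window arithmetic the relative value suffices.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold: int = 4, window_s: int = 60):
    """Return (alerts, rejected_line_count).
    ('bruteforce', ip, n): n >= threshold failures from ip within window_s seconds.
    ('success_after_failures', ip, user): an accepted login from an ip that already tripped."""
    alerts = []
    rejected = 0
    failures: dict[str, deque] = defaultdict(deque)  # ip -> timestamps of recent failures
    tripped: set[str] = set()
    for raw in lines:
        ev = parse_line(raw.rstrip("\n"))
        if ev is None:
            rejected += 1          # counted, so 'rubbish in' is visible in the output
            continue
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()        # slide the window forward
            if len(q) >= threshold and ev["ip"] not in tripped:
                tripped.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(q)))
        elif ev["ip"] in tripped:
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts, rejected


def run(log_text: str, max_reject_ratio: float = 0.05) -> dict:
    """Run the detector and attach a data-quality verdict to its findings."""
    lines = log_text.splitlines()
    alerts, rejected = detect(lines)
    ratio = rejected / len(lines) if lines else 0.0
    return {"alerts": alerts, "rejected": rejected, "total": len(lines),
            "data_quality_ok": ratio <= max_reject_ratio}


if __name__ == "__main__":
    summary = run(SAMPLE_LOG)
    for alert in summary["alerts"]:
        print("ALERT", *alert)
    print(f"{summary['rejected']}/{summary['total']} lines rejected; "
          f"data quality ok: {summary['data_quality_ok']}")
```

The threshold and window are exactly the logic that needs its own tests: the same log with a three-second window produces no alert at all, which is correct for that setting but is the kind of silent change in meaning that goes unnoticed when the query code is never tested.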

7. User Awareness Testing

An organization's own staff have been considered among the biggest security risks of all for over a decade. It was a known issue in 2007, and a 2017 survey of security professionals still placed employees as the second biggest threat to critical infrastructure. Training for threat awareness is a necessary part of organizational security; without it, this long-standing trend cannot change. Forward-thinking testers like Edge Testing will make provision for this, incorporating awareness training, e-learning modules to help staff recognise security threats proactively, and even gamification to keep users engaged.

8. Method of testing

It is clear that thorough and comprehensive testing is necessary for strong security, for the ability to respond to emerging threats, and for keeping the supply chain secure. There are three primary ways this can be achieved: in-house testing; third-party ad-hoc testing; and specialist third-party testing firms.

In-house. This would be like maintaining a red team on permanent staff, ready to probe every piece of new software. While it could be thorough, it would be very expensive and difficult to scale.

Third-party ad-hoc testing. This involves employing outside specialists to test for software and system security flaws. Typically it includes vulnerability scanning and penetration testing. It is expensive, limited in scope, and accurate only at the time of testing: a clean report says nothing about the code deployed the following week. It is best suited to mid-sized companies that need to tick the 'penetration testing' box in compliance requirements, or to larger companies that occasionally want a fresh pair of eyes on their in-house testing.

Specialist third-party security testing firms. There is a growing number of specialist firms. They employ full-time experts to cover the full range of security testing requirements, and act as consultants as well as testers. This approach scales better than an in-house red team, is independent of the day-to-day business of the firm, and can be focused as, where and when required.

The clear advantage for large organizations in using third-party specialist testing providers, especially those that can combine a proprietary testing platform with detailed cybersecurity understanding and knowledge, is itself a trend for 2019. More large organizations will employ specialist testing firms like Edge Testing Solutions, which harnesses the 100-strong Eurofins Cyber Security Division.

Going Forward

Security is a necessity. Good security protects customers from data theft; it protects hardware and software from critical vulnerabilities, and it protects organizations from falling foul of ever more stringent regulations. This is a trend that has only been growing and will continue to grow for many years to come. The first and most important step to ensure good security is to employ good security testing, and as the need for security continues to grow, the need for the best testing solution will grow alongside it.  

Erik Rutkens, Managing Director, Eurofins Cyber Security. Erik heads up the team that provides Edge Testing Solutions' clients with security services in the UK.

Jasper de Vries, Director, Eurofins Cyber Security (Advisory Services). Jasper is one of the managers responsible for Advisory Services.

Edge is part of Eurofins Digital Testing and its Cyber Security division employs over a hundred security professionals, providing clients with a range of services including risk and vulnerability assessments, testing and compliance, advisory and training services.

By Erik Rutkens, CEO and founder, Qbit
