Securing the supply chain
As products become more responsive and organisations move away from the waterfall model of software development, businesses will depend more heavily on third-party services and components. Software as a service (SaaS) is predicted to dominate 73% of organisations’ operations by 2020. Testing will need to adapt by taking a more holistic approach to securing the supply chain. By using testing to identify and understand any potential risks, and to ensure the functionality of each production stage, the overall supply chain’s security and resilience is enhanced, reducing downtime and costs, while increasing revenue.
DevSecOps vital in Security-by-Design
Security-by-design to meet specific compliance regulations can be achieved by implementing agile methodologies to speed up system delivery. DevOps combines software development and information technology operations to shorten the systems development, but DevSecOps (or SecOps) takes that process one step further by integrating security practices. Many organisations struggle to implement SecOps effectively, as it involves security testing in the process of application development. With the consultancy aspect of third-party testing firms together with their versatile testing platforms assisting the transition, organisations will start to see a more secure workflow emerge. Security testing will become a vital aspect of security-by-design.
Proactive testing to stay ahead of hackers
Resources like the OWASP Top 10 and NIST NVD make it easier to scan for known vulnerabilities, enabling security testers to focus their attention on identifying and protecting against emerging threats. As a compliance requirement for an increasing number of regulations, proactive vulnerability scanning and penetration testing is likely to become the make-or-break factor in staying a step ahead of would-be hackers.
Emerging frameworks and standards
Compliance testing may see the biggest changes over 2019, thanks to GDPR. The new data regulations are expansive and complex, providing new challenges, many of which do not yet have an established solution. However, new standards and frameworks are emerging in some countries such as the Netherlands which enable compliance testing, so testers should stay as up to date on all regulations as possible.
IoT Testing and GDPR compliance as a selling point
The Internet of Things is perhaps the area in which security is currently failing the most. Consumer IoT products are under-protected and awareness of threats is poor. IoT vulnerabilities are easy to overlook as the device itself may be secure, but has the mobile app used to control it been fully tested? If the app is secure, have all the services and components in the backend undergone sufficient testing? Demand for thorough security testing in the IoT ecosphere is likely to increase and it’s also likely that overseas manufacturers will ask for more IoT testing, allowing GDPR compliance to become a selling point for entering international markets.
Big Data testing and security
Big data becomes more enriched and therefore valuable as a resource asset as additional metrics are added and there is more data to draw on. It is also only as useful and accurate as the systems that query it, so while big data itself is just data and doesn’t require specific testing, where and how it is collected, and where and how it is stored does. Big data can be comprised of huge volumes of personal information collected from internet users, so compliance is a concern. On the other hand, in-house system logs will also be accumulated and these can be used to detect the presence of intruders on the network. This form of data science is beyond the scope of software testing, but the collection and use of big data needs to be tested for both process and logic errors.
Threat awareness training
Employees have been named among the biggest security risks for over a decade now. Training for threat awareness is a necessary part of organisational security and forward-thinking testers like Edge Testing make provisions for this by incorporating awareness training and deploying e-learning modules to help proactively detect security threats, and even using gamification to keep users engaged.
Testing is necessary for strong security
Thorough and comprehensive testing is necessary for strong security, the ability to respond to emerging threats and to keep the supply chain secure. GDPR has changed the compliance landscape and accelerating digital transformation is changing the development landscape. 2018 saw the seeds of significant changes in trends that will continue throughout 2019 and perhaps the biggest of these is the expansion of scope in testing requirements.
Specialist testing providers will (rightly) grow in strength and popularity as businesses see the need for the best possible security, and finding the best and most cost-effective solution for it. Automation will grow in scope and efficacy, but will still not cover all necessary areas of testing needed for true security.
Security is a necessity in protecting customers from data theft, hardware and software from critical vulnerabilities, and organisations from falling foul of ever more stringent regulations. To ensure good security, employ good security testing and, as the need for security continues to grow, the need for the best testing solution will grow alongside it.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.