“Testing is no longer just testing for bugs in code. It must include testing of both processes and people”
Worldwide digital transformation means that more businesses need more code more quickly. But hasty code means buggy code; and buggy code leads to poor systems, vulnerabilities, exploits, and failed compliance, writes Richard Mort, Director at Edge Testing Solutions.
Hasty code – driven by business’ need to get product to market before anyone else does – is just one of the three primary routes for the introduction of software bugs. The second is the increasing use of open source and third-party code (again, often to save time). Last year, a study of 1,100 commercial code bases by Synopsis found that 78% included at least one open source vulnerability.
The danger in third-party code can be seen in last year’s Ticketmaster breach. The hacking group Magecart breached a software supplier (Inbenta) and laced a script with malware. The script was downloaded and run by Ticketmaster; and Ticketmaster was compromised. The eventual cost to Ticketmaster is not yet known – but at least one law firm is accepting no-win, no-fee claims against Ticketmaster. In January 2019, HayesConnor Solicitors stated, “63% of all the clients we took on suffered multiple fraudulent transactions on their payment cards.”
The third route is by importing vulnerabilities through mergers and acquisitions. The breach of Marriott Hotels disclosed at the end of 2018 is classic. Marriott bought Starwood Hotels in 2016, but did not perform due diligence on the security of Starwood systems. It turns out that Starwood was already compromised (thought to be by Chinese hackers) in 2014 – but in 2016 the problem became Marriot’s, and wasn’t discovered until November 2018.
The full cost to Marriott has been estimated by Bloomberg at up to $1 billion, including regulatory fines, court-related and notification costs.
Competent Software Testing
In all these situations, the solution is competent software testing – but it’s neither as simple nor straightforward as it sounds. The traditional method is one of three approaches: in-house; ad hoc third-parties (such as penetration testers); and the use of a third-party specialist.
Small companies are suited to doing their own testing. Small to medium companies might select ad-hoc testing. But medium to large companies – especially those with multiple and international operations – should consider the use of a specialist firm. Here, the same drive towards digital transformation is taking software out of isolation and making it a fundamental part of a single holistic system: the business.
The internet of things (IoT) is one example. The exponential growth in embedded systems is bringing a host of new problems. A manufacturer will increasingly need to test compliance with new regulations. A user will need to test for security in the device, the apps that control and communicate with it, and the security and privacy protection requirements of data gathered by it.
The EU’s General Data Protection Regulation (GDPR) is a good example. Compliance is no longer just about the protection of data, it also involves the business processes (inseparable from the software) involved in the collection, storage, use, accessibility, visibility, discovery and elimination of that data.
In January 2019, Google (an American company) was fined €50 million by CNIL (the French GDPR regulator). There was no breach involved, no failure of code. It was, according to CNIL, a violation ‘of the obligations of transparency and information’. CNIL announced, “the information provided by GOOGLE is not easily accessible for users.”
Testing is no longer just testing for bugs in code. It must include testing of both processes and people. Business processes need to be tested to avoid compliance pitfalls. In January 2019, international law firm DLA Piper, commented, “we anticipate that 2019 will see more [GDPR] fines for tens and potentially even hundreds of millions of Euros.”
And staff security awareness needs to be tested so that jobs are performed efficiently, security and compliance mistakes are avoided, and the business remains safe.
So, while software testing is still best described as software testing, it is edging closer and closer toward business testing. That implies two things. Firstly, it must be driven from the top of the organisation – holistic software testing requires boardroom buy-in.
Secondly, while it is theoretically possible to achieve all this in-house, we have already discovered through our new Cyber Security Division that it is unlikely that many companies will have the staff resources and expertise to engage all the different aspects of modern software testing.
Exploitation of Software Bugs
A part-solution that can be driven from in-house is to switch from waterfall in-house app development to agile development by first adopting DevSec principles, and then expanding it to DevSecOps. This increases the efficiency of app development and is an important part of the ‘security by design’ principle. But while the principles behind DevSecOps (or SecOps) is relatively easy to understand, establishing and maintaining a working process is a different matter – it requires expertise and constant oversight.
That oversight is best undertaken by a third-party testing specialist firm – as indeed is the whole concept of holistic testing. While security has become a major concern for boardrooms – driven by breaches such as Ticketmaster, Marriott Hotels and so many more – a survey by Thycotic in January 2019 demonstrates that senior leadership doesn’t understand how to transform that concern into meaningful action. Fifty percent of companies do not have a CISO with a seat on the board.
Implementing company-wide holistic testing, to include in-house SecOps app development, imported code, IoT installations, user security awareness, compliance of code and practices with multiple regulatory bodies such as GDPR, CCPA, PCIDSS and financial regulations, would test the ability of any boardroom.
A third-party specialist, however, would have access to experts in all these disparate areas, and experience in tying everything together. It understands the different languages used by IT/security staff, and business people; and can generate the right metrics for the latter from the work undertaken with the former. It can perform holistic testing, and demonstrate the results to senior management in a meaningful manner.