Securing software releases by extending the scope of test automation
Expanding the use of test automation beyond standard release pipelines to include security testing can offer major benefits. The question is, how can we integrate security testing into the software development life cycle?
While automation is becoming increasingly common in security testing, tool-supported manual analysis and penetration testing are still the primary ways to identify vulnerabilities. However, for regression testing purposes, test automation is the only viable solution due to the need to execute tests in short feedback cycles. Thus, the tools we deploy in standard release pipelines should also be used and extended to cover security tests.
Security testing as part of software development
Automated functional testing has become a standard practice in software development. We can define organization-wide quality gates for releases based on the results of test automation that can pinpoint failed tests. Moreover, performance and reliability tests allow us to extend overall coverage to non-functional requirements and thus contribute, for instance, towards better user experience.
Security testing has also made its way into software development processes. Organizations have become increasingly aware of the importance of securing new releases against malicious attacks. This is achieved by conducting secure life cycle measures such as threat analysis and vulnerability scans. We can analyze each finding using risk-based methods: does a finding expose customers or end-users to a threat that we have not anticipated? On the other hand, what are the risks to the business if fixing the issue delays the next release?
The security issues we find can be added to the defect management tool so that the progress of fixes can be tracked. When a new release containing the fix becomes available, the issue can be closed once the solution has been verified to work. As with functional failures, defect reports should also, wherever possible, be turned into automated regression test cases. Such test cases ensure that the issues we resolve do not reappear later as new features are created, the system architecture is revamped, and key players move to new positions.
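As an added illustration of turning a closed finding into a regression test that runs beside the functional suite (example code, not Qentinel's or any product's own): the finding id SEC-142, the open-redirect scenario, the allowed host and the fix under test are all constructed for this example.

```python
"""Security regression tests derived from a closed finding (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Constructed fix under test: after hypothetical finding SEC-142 (open redirect),
# redirect targets must be same-site paths or URLs on an allow-listed host.
ALLOWED_HOSTS = {"app.example.test"}


def safe_redirect_target(target: str) -> bool:
    """Return True only for redirect targets that stay on the application's own site."""
    if "\\" in target:  # some clients treat backslashes as slashes; reject outright
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative ("//host/..."): host must be allow-listed
        return parts.scheme in ("http", "https") and parts.netloc in ALLOWED_HOSTS
    return target.startswith("/")  # plain path; "//..." never reaches here


@dataclass
class SecurityRegressionTest:
    finding_id: str  # id of the finding in the defect management tool (constructed)
    description: str
    check: Callable[[], bool]  # True when the fix still holds


def sec_142_external_host_rejected() -> bool:
    return not safe_redirect_target("https://attacker.example/login")


def sec_142_protocol_relative_rejected() -> bool:
    return not safe_redirect_target("//attacker.example/login")


def sec_142_local_path_allowed() -> bool:
    return safe_redirect_target("/account/settings")


SECURITY_SUITE: List[SecurityRegressionTest] = [
    SecurityRegressionTest("SEC-142", "external host rejected", sec_142_external_host_rejected),
    SecurityRegressionTest("SEC-142", "protocol-relative rejected", sec_142_protocol_relative_rejected),
    SecurityRegressionTest("SEC-142", "local path still works", sec_142_local_path_allowed),
]


def run_suite(suite: List[SecurityRegressionTest]) -> Dict[str, bool]:
    """Run every regression check; keys carry the tracker id so failures map back to findings."""
    return {f"{t.finding_id}: {t.description}": t.check() for t in suite}


def release_gate(results: Dict[str, bool]) -> bool:
    """Quality gate: any failed security regression test blocks the release."""
    return all(results.values())
```

The same harness style (tracker id on each test, gate on the aggregate) is what lets a security finding fail a release exactly as a failed functional test would.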
Using the right tools to integrate security testing
While I recommend running security test suites as part of the standard regression testing arsenal, the harder part, and a sign of a more mature organization, is to continuously expand those suites. The truth is that the results of security analyses -- often conducted by external experts -- are too easily forgotten after findings have been studied and corresponding fixes (hopefully) implemented.
However, I believe that the real challenge lies in making teams security-conscious. Such teams can better ensure security by design and implement regression tests along with the code. It also helps them if they can use the same tools for different types of tests. And ultimately, it helps the entire organization seamlessly integrate security testing as part of the software development life cycle.
Qentinel Pace integrates security testing seamlessly as part of the software development life cycle. To find out how, we are happy to show you: