The 5 Myths of Security Testing You Should Stop Believing
Per an earlier research report from Gartner, “By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service.” And it is happening.
So there is an inherent need for security testing of all sorts of applications. Plenty of myths, however, surround the field.
An organization that wants to establish credibility in today’s world — whether in IoT, mobile apps, or regular (but much needed) software development — has to invest in its security testing function. This is not optional; it is the need of the hour. To survive, and to beat the competition, an application has to be demonstrably secure.
That said, many organizations still do not grasp the business criticality of the need and tend to ignore security testing or do little about it. One reason could be the many misconceptions surrounding the practices that ought to be followed for security.
While the offices of the chief security officer (CSO), the chief technology officer (CTO), and the chief information officer (CIO) all hold responsibility for ensuring the security of applications, their approaches are usually not consistent with one another.
Myths, ironic as it may sound, are usually the result of too much focus being placed on the so-called “best practices” available for every function and role. Organizations that put blind faith in these myths often waste effort and resources, and end up with products that are not as secure as they ought to be.
This blog lists five of these common myths and tries to debunk them.
#1: Penetration Testing Finds (and Solves) all Major Weaknesses
Penetration testing (also called pen testing) is the practice of attacking a computer system, network, or web application, with permission, to find vulnerabilities that an attacker could exploit.
That said, pen testing cannot (and will not) solve all problems related to software security, and it should not be treated as a one-stop shop for all your vulnerabilities. A pen test is bounded by its scope, its duration, and the tester’s skill: after it is performed, issues it did not reach (design flaws, code paths not exercised during the engagement) may remain hidden, only to resurface later, when they will be far more costly to resolve.
Pen testing is most valuable when it is combined with design review and code review that begin in the early stages of development, rather than being the only security activity, performed at the end.
#2: Security is the Sole Responsibility of Developers — or a Single Department
Not at all. The reality is far from this. Security testing is not the responsibility of a single group. Rather, people from the development, quality, and testing departments must come together, in the spirit of DevOps, and create a software security group (SSG). A core group like this must then work hand in hand with the development teams, and together they are responsible for the overall health of an application’s security.
#3: Perimeter (read: Network) Security is Enough to Defend Applications
Layered firewalls can monitor environments in real time, safeguard networks from known-malicious traffic, and keep selected traffic from reaching your systems. They do nothing, however, about insecurity in the applications themselves: a request that exploits a flaw in application logic looks like ordinary, permitted traffic to the firewall, because it arrives on an allowed port and path and is well formed at the network layer.
The real solution is to build applications that are robust on their own, so that they withstand attack even when the perimeter lets the attacker’s traffic through.
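The following is an added example, not code from the original post. It models a toy perimeter (an allowlist on port, method, and path, which is an assumption standing in for a real firewall) in front of a login handler backed by an in-memory SQLite table with constructed sample data. The attacker’s request passes the perimeter unchanged; whether the login is bypassed depends only on how the application builds its query.

```python
"""Added example: a perimeter filter does not fix an application-layer flaw."""
import hashlib
import sqlite3


def perimeter_allows(request: dict) -> bool:
    """Toy network perimeter (assumption): only well-formed HTTPS POSTs to /login pass."""
    return (request["port"] == 443
            and request["method"] == "POST"
            and request["path"] == "/login")


def pw_hash(password: str) -> str:
    # Toy hash for the demo; production code should use a slow password hash
    # (argon2, bcrypt, scrypt) with a per-user salt.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", pw_hash("correct horse battery staple")))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The flaw is in the application: user input is concatenated into SQL.
    sql = (f"SELECT name FROM users WHERE name = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    # Parameterised query: input is bound as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone() is not None


def attempt(login, request: dict) -> str:
    """Run a request through the perimeter and then the chosen login handler."""
    if not perimeter_allows(request):
        return "blocked at perimeter"
    conn = make_db()
    ok = login(conn, request["user"], request["password"])
    return "logged in" if ok else "rejected"


# Constructed requests. SCAN is stopped by the perimeter; ATTACK is not,
# because it is a normal-looking POST to /login with a crafted username.
SCAN = {"port": 23, "method": "GET", "path": "/", "user": "", "password": ""}
GOOD = {"port": 443, "method": "POST", "path": "/login",
        "user": "alice", "password": "correct horse battery staple"}
ATTACK = {"port": 443, "method": "POST", "path": "/login",
          "user": "alice' --", "password": "anything"}

if __name__ == "__main__":
    for name, req in (("scan", SCAN), ("good", GOOD), ("attack", ATTACK)):
        print(f"{name:6} vulnerable app: {attempt(login_vulnerable, req)}")
        print(f"{name:6} fixed app:      {attempt(login_fixed, req)}")
```

The port scan is stopped at the perimeter in both cases. The injected username `alice' --` turns the rest of the concatenated query into an SQL comment, so the vulnerable handler authenticates the attacker with any password, while the parameterised handler rejects the same request. The firewall’s decision is identical in both runs; only the application code made the difference.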
#4: Compliance with International Standards Is a Guarantee of Security
This is a misinformed reading of the needs, requirements, and goals behind international standards. These standards are not about testing for, or confirming the absence of, vulnerabilities in any particular application. Most standards only touch the surface of security, because they were written to achieve other, very specific goals.
In addition, some organizations assume that the auditors for these standards will help them identify security issues. Nothing could be farther from the truth: an auditor checks conformance with the standard’s requirements, not whether the application can be exploited.
#5: “We don’t have a software security problem.”
This myth, or rather misconception, is by far the worst and can be the reason behind the downfall of an organization. Organizations that do not feel the need to invest in security testing, just because they have never faced an attack, do not have web-based applications, or do not fall under (or require) any international compliance standard, are bound to fail in the long run. Because such organizations ignore the importance of security testing, they will not be prepared when something really does go wrong with their applications. Organizations that pay no heed to security needs are in fact endangering a huge amount of private data, which may result in an irreplaceable loss of customers’ trust and confidence.
Originally published at www.cigniti.com on March 3, 2016.