Your Software’s Security Is Only as Good as Your Last Test

What about running tests takes so long that you don't want to run them? As Senior Director of QA at Unqork, there's a rule I’ve lived by throughout my career: no exceptions.

Earlier this year, I sat down with the hosts of Sauce Labs’s Test Case Scenario podcast to discuss all things cybersecurity, from the proliferation of third-party services in software to the evolution of QA in cybersecurity. I’m all too familiar with the challenges that come with balancing speed and thoroughness, but I also believe everyone — even those outside of QA — should be. 

The software development life cycle (SDLC) provides the structure around the app or piece of software, which should provide absolute security, right? But what if that door is left cracked open? Having multiple tollgates in place, or security measures, helps strengthen your pipeline in the event a door is accidentally left open, for instance. 

Whether you’re one of a few developers on a small team, a QA tester or engineer at a large organization, or a director — there should be no exceptions. Security should always be prioritized. But the pressure to push code quickly, and sometimes at the expense of quality, can make that difficult. 

I’ll share a few ways I’ve learned to integrate security into my workflow.

When you order a pizza, you don’t invite the delivery person into your home while you’re away (or even at home) and ask them to take your credit card off the kitchen table, do you?

The same logic applies to the security of software and its applications. 

Over the past few years, I’ve seen a huge increase in the use of third-party services in software. Now, every company’s needs are different, so I do not want to condemn third-party software. People use third-party services for a variety of reasons. But it’s so easy to overlook the necessity of security at the time of implementation, even long before the decision to use a certain tool is made.

Unqork’s codeless capabilities give developers back the time needed for more challenging projects. Sauce Labs provides a one-stop-shop, automated platform to easily test their code on. One year ago, both organizations, aligned on security protocols and certifications, joined forces to help developers optimize app delivery.

I say all this not to market to you, but to drive home the difference in convenience and holistic security. For Unqork and Sauce’s customers, yes, sporting a SOC 2 certification is great, but it also demonstrates we practice what we preach: security should not be left up to the cybersecurity professionals alone, but represent a comprehensive way of doing things across a business. 

Going back to the “no exceptions” approach to testing, in 2021, an executive order was passed to improve software supply chain integrity across the United States. If you’re an individual contributor you might ask, "Why should I even care about security? Isn’t that what organizational leaders are for?" It might help to think of the executive order as a decree to all who are involved with the delivery of software that declares: your impact is strong, it is felt, and it is needed. So why not ensure software quality and safety? 

Shifting-left is a fantastic practice. Now reimagine the same concept of integrating security sooner rather than later in the application and software development phase, but baked into the entire process throughout. Whether an individual, team manager, or leader, everyone has the ability to ensure our pizzas are delivered safely and at our doorsteps (not beyond).

Don’t underestimate the power of equipping developers with reusable good agents so they can iterate on what’s proven itself more secure. This way of working is more than a “shift left” approach, but an encapsulation.By bolstering the tools developers use with more secure and powerful features, quality is cushioned from the start. 

Pair reusable components with the use of uniform software versions, and it's easier to reduce the complexity behind performing tests; and trust me, you want to perform all the rigorous tests you can  – API unit testing, functional testing, end-to-end testing, non-functional etc.

Issues may be identified through your scheduled and triggered testing pipelines, or through strategic testing on a new feature, and when the bug can be traced to a reusable component the fix can be applied to all areas of risk. 

For instance, if there’s a bug in the radio button component, a component that’s in hundreds of applications, it’s most likely to be logged because everyone is on the same version. All praise goes to feature toggles (also known as feature flags or switches) for this, as they allow developers to turn off access to a singular system without eliminating the functionality of an entire application to isolate that weakness, ensuring stability for other areas.  

Having the peace of mind in knowing that only the best components — or the ones that have been rigorously tested — are being reused, is a great way to accelerate the testing process.

The entire goal of Continuous Integration and Continuous Delivery and/or Deployment (or CI/CD) is to accelerate and streamline the SDLC. 

A common myth in CI/CD in security is that CI/CD will automate itself. Automation does not create itself. There are people behind it that need instruction and criteria for success. Healthier, more seamless collaboration between development, QA, and security. It’s easy to say that (something) is bad and hand it off to QA. But QA doesn’t set the standard for what security looks like – going back to the purpose of the Executive Order in the first place — it’s a team effort. QA, security, developers and leadership must be on one accord. 

As one person, there are ways you can arm yourself that will empower your colleagues, and ultimately your organization, to work more securely:

The open source Java-based application, OWASP WebGoat, is a great way to get your hands dirty and experiment with testing for vulnerabilities. All you have to do is download and run on a local machine and get started hacking away — no pun intended.  

OWASP is constantly being updated and new challenges are being added daily. Diving into this is a fantastic way to figure out how to be more secure in your web development practices,  not to mention, it’ll enhance your resume.

Pulling security down from its place in the Ivory Tower is one thing. Integrating it into current software development practices that so many different development teams have been accustomed to is another. 

But the solution to this is simple: Don’t forget to test — but automate it to make life easier.