Software Testing for Security
Any software or web app can have security vulnerabilities – just ask Google, which recently announced that it fixed a bug that allowed hackers to steal passwords from Google accounts.
Case in Point: A Google Bug
In 2013, a security expert discovered a Google bug that allowed him to exploit a weakness in the way Google web apps work. The security expert sent a link via email that announced a user's password had been stolen and requested that they reset their account.
When users clicked on the link, they were taken to Google's account reset page. What users didn't see was that after they clicked, they were momentarily taken to the attacker's page, which ran a script that would steal their new password
and authentication data after they entered it. A flaw in Google web apps allowed this mirroring. Unfortunately, if you keep track of cyber security news, you'll read stories like this every week.
The prevalence of security attacks – even at the world's best-known companies – emphasizes how important it is for your business to test software for bugs and security weaknesses so you can avoid the reputational damage and high costs
associated with data breaches.
Security Testing: Vital for Software Companies Handling Confidential Data
In addition to triggering fines for enabling or failing to prevent data breaches,
security bugs in software or web services could lead to cyber liability lawsuits when they cause data leaks. As cyber threats grow, testing software becomes increasingly crucial.
To adequately manage the risks posed by cyber criminals, a software tester's risk management plan should do the following:
- Maintain high levels of security. Twitter recently announced that it was enabling forward secrecy encryption for user data.
The social media company is following the recent trend of other web giants (Google, Dropbox, and Facebook), which are taking extra steps to guard user data. Perfect forward secrecy encrypts each session between users and company servers with
a unique encryption key. Because each session is uniquely encrypted, it limits the amount of data hackers can steal and makes data harder to decrypt. As the owner of an IT business, you have a legal responsibility to stay on top of trends
in cyber security, updating security protocols to reflect new developments and prevent new, more sophisticated attacks. Whether that means encrypting data, educating employees, or installing high-quality security software on your computers, you
need to act as a steward for user data, guarding it from hackers and data breaches.
- Test for security. The Google example mentioned above emphasizes how important software testing can be. Software testing can reveal a potentially devastating vulnerability before it's too late, and prevent you from being sued.
But it's important to keep in mind that even after you deliver software to clients, you are responsible for making sure it isn't vulnerable to attacks. What does that mean for small IT companies? You may have to update software in response
to new malware and other threats.
- Protect your business from the fallout from client data breaches. If, despite your best efforts, one of your clients suffers a data breach that can be linked to software you tested, that client might sue you to recover some of the
losses linked to the breach. How much might that be? The Ponemon Institute, a cyber security research group sponsored by Symantec, found that cyber breaches cost $188 per stolen record in 2012. If your client's breach was small – say, 100 records – that would mean an $18,880 bill, which is well beyond what most
software testers can easily afford. Luckily, most Errors & Omissions Insurance policies sold to IT professionals include coverage for lawsuits over client data breaches. This type of protection is called third-party Cyber Liability Insurance.