Coming trends in security testing
Criminal hackers, now supplemented by elite nation-state groups, are increasingly able to locate and exploit bugs – and any company, whatever its size, niche or level of security testing, is a target.
The rush towards digital transformation is rapidly expanding the world’s code base – but that same rush is introducing bugs into the code. Bugs lead to breaches, and breaches lead to loss of data and IP, interruptions to production, and regulatory fines. The need for software and systems testing has never been greater, and it is still growing.
The source of bugs
There are three primary sources for the introduction of bugs into code. Understanding these is important to understanding where bugs might lurk, and what software and system testing is necessary to find them. The first is the increasing focus on a shorter time to market. To meet the market’s demand for fast delivery, business leaders pressure coders to deliver more, and to do so faster.
The result here can be simple cross-site scripting, code injection and stack overflow bugs – or process weaknesses that allow hackers to manipulate the process rather than hack the code.
In addition, software development is focused on delivering functionality. Security is, most of the time, not an integral part of the development cycle. The second source is the increasing use of open source and third-party code. This is the software supply chain.
In 2018, Synopsys reported that of 1,100 commercial code-bases analysed, 78% included at least one open source vulnerability.
A total of 4,800 open source vulnerabilities were reported in 2017. An example of the danger of not testing third-party supplied code can be seen in the 2018 Ticketmaster breach. The hacking group Magecart did not attack Ticketmaster directly, but instead breached the software supplier, Inbenta. Magecart laced bespoke code meant for Ticketmaster with its malware, and Ticketmaster ran that code without testing, and in the wrong places.
A more serious example is the worldwide NotPetya wiper outbreak. This started from compromised servers at the accountancy software firm M.E.Doc in Ukraine. Malware was sent to clients with software updates, and then spread worldwide via the stolen NSA EternalBlue exploit.
The third source is a failure of due cyber diligence in mergers and acquisitions. Two examples illustrate the problem. Firstly, CCleaner, a Windows maintenance tool, was compromised by hackers, probably in early July 2017. This was just before its acquisition by Avast – the world’s most popular anti-malware tool. The acquisition gave CCleaner access to a much larger audience, and 2.27 million people downloaded the infected software.
Secondly, the largest breach of 2018 occurred with Marriott Hotels, affecting 500 million guests. Forbes believes it could ultimately cost Marriott just short of $9 billion. The story probably started, however, in 2014, with the Starwood Group of hotels. It is thought that Starwood was compromised by Chinese hackers in 2014.
In 2016, Marriott acquired Starwood, including Starwood systems and data. A failure to adequately check the code it acquired meant that Marriott failed to detect the Chinese hackers – which it also acquired. It wasn’t until 2018 that they were discovered.
Trends & predictions for security testing
Digital transformation and the supply chain: We’ve already seen the increasing importance of the entire supply chain in security, and how development models are changing. This will only continue as products become more responsive and organisations move away from the waterfall model of software development.
Businesses will continue to depend more heavily on third-party services and components, with software as a service (SaaS) predicted to dominate the operations of 73% of organisations by 2020. Testing will need to adapt by taking a more holistic approach to securing the supply chain.
SecOps and Security-by-Design: Security by design is an increasing requirement for compliance with regulations – and is simply a good thing. This can be achieved by evolving system development first into DevOps, and then on into DevSecOps (more frequently now simply known as SecOps).
While the evolution of DevOps into SecOps is a positive trend for security by design, many organisations are struggling to implement it effectively. It involves integrating security testing into the application development process. Gartner predicts that 80% of development teams will be using a SecOps workflow by 2021, so new solutions will need to emerge to facilitate this.
The difficulty lies in establishing, and especially in maintaining, the correct SecOps process. However, with the consultancy services of third-party testing firms and their versatile testing platforms assisting the transition, organisations will start to see a more secure workflow emerge, and security testing will become a vital aspect of security by design.
Vulnerability Scanning and Penetration Testing: Hackers’ success rests in their ability to be one step ahead of security. Although the increase in state-sponsored hacking and the increased accessibility of resources for malicious agents can give them an edge, not everything is trending to their advantage.
Resources like the OWASP Top 10 and the NIST NVD make it easier than ever to scan for known vulnerabilities, enabling security testers to focus their attention on identifying and protecting against emerging threats. With the increasing resources available to threat actors, proactive vulnerability testing and penetration testing are likely to become the make-or-break factor. And they are, of course, a compliance requirement for an increasing number of regulations.
Compliance Testing: Compliance testing may well see the biggest changes over 2019, in large part thanks to the EU’s GDPR. The new data regulations are expansive and complex, presenting organisations and testers with new challenges, many of which do not yet have an established solution.
With the GDPR regulations only having been implemented last year, precedents and standards for their interpretation in the real world are still being set. However, standards and frameworks that enable compliance testing are emerging in some countries, such as the Netherlands.
Lingering uncertainties over the GDPR on national and international levels will reduce over time, but it’s important for testers to stay as up to date on the regulations as possible. This will also apply to the growing number of worldwide privacy and disclosure laws coming into effect – such as the California Consumer Protection Act (CCPA). Other prescriptive regulations, such as PCI, can be more easily tested.
IoT Testing: The Internet of Things is perhaps the area in which security is currently failing the most. Consumer IoT products are under-protected and awareness of threats is poor. However, the dangers of compromised IoT devices must not be underestimated, as they pose a significant hazard, both to end users and to the wider Internet.
The potential for ‘smart cars’ to be completely taken over from a breach of the entertainment centre shows the danger to individuals. 2016’s Mirai botnet shows how businesses and general traffic can be affected.
Furthermore, if personal data is being collected, is it done in conformance with relevant privacy protection requirements? Where is it being stored, and is it stored securely? IoT vulnerabilities are easy to overlook. The device itself may be secure, but has the mobile app used to control it been fully tested? If the app is secure, have all the services and components in the backend undergone sufficient testing?
Demand for thorough security testing in the IoT ecosphere is likely to increase, but not just for this reason. Domestic governments may ask for more security testing of foreign-made IoT products, given the increase in state-sponsored cybercrime. It’s also likely that overseas manufacturers will ask for more IoT testing, allowing GDPR compliance to become a selling point for entering international markets.
Big Data: Big data, by its nature, carries one major advantage and one major disadvantage. The advantage is that it only becomes more valuable as a resource over time as more metrics are added and there is more data to draw on. The disadvantage is that it’s only as useful and accurate as the systems that query it.
While the big data itself is just data and doesn’t require specific testing, where and how it is collected, and where and how it is stored, are important. The value of data comes from its transformation into actionable information. The accuracy and reliability of the code that queries big data for this purpose need to be tested.
Sometimes, big data comprises personal information collected from Internet users. Compliance is obviously a concern here. At other times, the big data is simply the accumulation of in-house system logs, and is used to detect the presence of intruders on the network. This gets into the area of data science, which is beyond the scope of software testing.
Nevertheless, the collection and use of big data needs to be tested for both process and logic errors. It is the perfect example of ‘rubbish in, rubbish out’.
User Awareness Testing: An organisation’s own staff members have been considered among the biggest security risks of all for over a decade now. It was a known issue in 2007, and a 2017 survey of security professionals still placed employees as the second biggest threat to critical infrastructure.
Training for threat awareness is a necessary part of organisational security, or this long-standing trend cannot change. Forward-thinking testers will make provisions for this, incorporating awareness training, e-learning modules to help proactively detect security threats, and even gamification to keep users engaged.
Method of testing: It’s clear that thorough and comprehensive testing is necessary for strong security, for the ability to respond to emerging threats, and for keeping the supply chain secure. There are three primary ways that this can be achieved: in-house; ad-hoc; and third-party specialist testing firms.
In-house: This would be like maintaining a red team on permanent staff, ready to probe every bit of new software. While it could be thorough, it would be very expensive and difficult to scale.
Third-party ad-hoc testing: This involves the employment of outside specialists to test for software and system security flaws. Typically, it includes vulnerability scanning and penetration testing. It is expensive, limited in scope, and accurate only at the time of testing. It is best suited to mid-range companies that need to tick the ‘penetration testing’ box in compliance requirements, or to larger companies that might occasionally want a fresh pair of eyes on their in-house testing solutions.
Specialist third-party security testing firms: There is a growing number of specialist firms. They employ full-time experts to cover the full range of security testing requirements, and act as consultants as well as testers. This approach scales better than in-house red teams, is independent of the day-to-day business of the firm, and can be focused as, where and when required.
The clear advantage, for large organisations, of using third-party specialist testing providers – especially those that can combine a proprietary testing platform with detailed cybersecurity understanding and knowledge – points to the first trend for 2019: more large organisations will employ specialist testing firms.
Going forward with security testing
With the GDPR changing the compliance landscape and accelerating digital transformation changing the development landscape, 2018 has sown the seeds of significant changes in trends that will continue throughout 2019. Perhaps the biggest of these changes is the expansion of scope in testing requirements. Source code verification and vulnerability testing, while still crucial, are becoming just two pieces of a larger puzzle.
Software is what allows hardware to live up to its potential. Therefore, companies should consider software testing to be everything that isn’t hardware testing. For the most effective, comprehensive software testing, more organisations will require deeper, more holistic software testing. The Internet of Things, big data, user awareness, SecOps and compliance are becoming more and more dangerous to overlook.
The best solution is a vendor that can provide all aspects of software testing, to ensure that nothing is missed. Specialist testing providers will (rightly) grow in strength and popularity as businesses see the need for the best possible security and need to find the best and most cost-effective solution for it. Automation will grow in scope and efficacy, but will still not be able to cover all necessary areas of testing.
Security is a necessity. Good security protects customers from data theft; it protects hardware and software from critical vulnerabilities, and it protects organisations from falling foul of ever more stringent regulations. This is a trend that has only been growing and will continue to grow for many years to come. The first and most important step to ensure good security is to employ good security testing, and as the need for security continues to grow, the need for the best testing solutions will grow alongside it.
Founder and CEO of Qbit Eurofins Cyber Security
Jasper De Vries
CRO of Qbit Eurofins Cyber Security