The Security Innovation Europe Blog

Why Organisations Should Run Security Tests More Often

Posted by Marc Dunlop on Jan 9, 2017


Many organisations stick to a rigid process of security testing, running costly manual tests on an infrequent basis. Whilst a handful of critical applications do require in-depth security testing, most applications would benefit from a more frequent, but less resource-intensive, approach to security.

The Benefits of Frequent Security Testing

By incorporating frequent security testing into the development process, organisations can fix a greater number of vulnerabilities in a shorter amount of time. Developers will be able to notice problems as they happen, during development, and enact fixes when it’s most cost-effective – before release.

  • Improved bug fixing. Attempting to retroactively repair code can make bug fixing a costly and potentially damaging pursuit, with a much greater chance of breaking the application in the process. Ongoing testing makes it much easier to effectively remedy bugs and security vulnerabilities, as developers will be able to work on their own code, whilst it’s still fresh in their mind. They’ll also gain live feedback from their fixes - making it immediately clear when the problem is solved.

  • Better security awareness. Having access to continuous security feedback will also help developers to immediately learn from their mistakes. This makes for a more efficient development process, both in the short-term and the long-term, as security practices are continually improved - reducing future expenditure on bug fixing and remediation of vulnerabilities.

  • More secure Agile development. The use of Agile development processes necessitates ongoing security testing. With so many software changes made during development, it becomes incredibly easy for emerging vulnerabilities to go unnoticed - and end up built into a finished product. Ongoing security testing will allow each stage of the development process to be continually monitored and analysed, with new issues identified and addressed before they threaten the security of the entire application.

The Need for Prioritised Testing

Whilst the benefits of frequent security testing are clear, most organisations will find their capacity to conduct regular tests constrained by time, resources and budgets. In order to determine a security testing schedule that fits your organisation, it’s important to understand the factors that will influence both your need for regular testing, and your ability to perform tests.

  • Changes to your environment. If your applications exist in a fast-moving environment, frequent security testing will become a necessity – helping to minimise your organisation’s exposure to emerging threats and vulnerabilities.
  • Size of your environment. The larger and more complex your environment, the harder it becomes to comprehensively test. In order to protect your organisation, tests need to be deployed in a structured and prioritised manner.
  • Available budget. Conducting security tests requires a degree of financial input. If your organisation isn’t assigning enough resources to testing, it’s time to evaluate your organisation’s security culture.
  • Compliance. PCI adherence requires organisations to conduct a security test whenever changes are made to cardholder data environments, in addition to annual security checks. Other laws and regulations may require similarly rigorous security compliance.

Implementing Tiered Security Testing

In order to overcome resource constraints, and create a personalised approach to testing that’s right for your organisation, it’s a great idea to prioritise your security testing. By assigning applications to one of three ranked tiers, resources can be allocated to the applications that require the greatest depth of security testing. Low-priority applications can make use of basic automated testing, and critical applications can be prioritised for manual penetration testing and threat modelling.

Below is an example of a three-tiered testing system, with the most critical applications assigned to Tier 1, and the least critical to Tier 3. Non-critical applications are tested with basic Dynamic Analysis Security Testing, requiring a minimal input of resources. Highly critical applications receive a much wider array of testing measures, extending as far as manual penetration testing and threat modelling.

Security Test                          Tier 1 (Critical)   Tier 2   Tier 3 (Non-Critical)
Manual penetration test                Y                   Y        -
Security code review                   Y                   Y        -
Threat modelling                       Y                   -        -
Dynamic Analysis Security Test (DAST)  Y                   Y        Y
Static Analysis Security Test (SAST)   Y                   Y        -
Business logic testing                 Y                   Y        -


What are your thoughts on security testing frequency and prioritisation? Share them in the comments below.