Welcome!

@DevOpsSummit Authors: Elizabeth White, Zakia Bouachraoui, Pat Romanski, Liz McMillan, Yeshim Deniz

Related Topics: @CloudExpo, Cloud Security, @DevOpsSummit

@CloudExpo: Article

Testing and Security Measures | @CloudExpo #DevOps #Agile #Cybersecurity

Security testing has always been a top priority for organizations when it comes to implementing technology

How to Address Security Measures While Testing

Cyberthreats have become more sophisticated over the years, improving methods to take advantage of software information and even completely shut down systems to hold data ransom. As a result, developers and testers must be able to ensure that their programs have the necessary protections in place to prevent attacks and keep business information safe. Here are a few tips to help teams address security measures during testing.

1. Designate an expert
Within a team there should be a person delegated to investigate and document all security measures necessary. It's this individual's job to assess requirements facing the industry the app's users operate in. For example, health care has a wide range of strict regulations like HIPAA and other legislation that dictates how patient information should be stored and secured. Nearly every sector must also contend with PCI DSS, a law that helps protect payment card information and financial data. Since most organizations accept credit and debit cards, this regulation is the most widespread.

However, it's not enough to have just one expert. TechTarget contributor John Overbaugh noted that all team members must be educated on these security needs in order to test effectively. Once team members have a better understanding of what to expect, they will be able to strategize on how to better address protection requirements using agile testing methodologies.

"The test manager plays one other important role in ensuring security measures are followed," Overbaugh wrote. "This role is to encourage, enforce and pattern compliance with internal security guidelines both of the company as well as guidelines given by the company's customers. Security is everyone's responsibility, but managers carry the duty to be examples to their teams and to ensure their teams follow security requirements."

2. Simulate attacks
As noted earlier, there's a wide variety of attacks that an organization may experience, but QA teams can prepare for these events by simulating these threats. If a known strain of malware is rising up, for example, testers should evaluate their app against this threat in a secure environment. Although real-world situations may not proceed the same way, exploratory testing can reveal a significant amount of information concerning what areas go down first and how well the app responds to certain stressors.

It's virtually impossible to plan for everything or to foresee the types of sophisticated attacks on the horizon, but it's still worth it to simulate known and emerging attacks to understand your vulnerabilities. Security Innovation Europe's Alan Pearson suggested using static and dynamic testing tools to improve security by weeding out false positives and identifying real threats. With quality testing tools, testers can better detect what areas need to bolster their protections and what steps to take to improve security overall.

3. Test after each change
Under agile operations, it's expected and even encouraged that teams will make continuous innovations to a project to enhance functionality and provide a quality experience. However, each change made also introduces a certain amount of risk that it will open up a vulnerability. Teams must do extensive testing after each adjustment to not only ensure that the app still functions as expected but that security measures continue to cover everything. Ongoing code reviews will be critical to maintaining protection and confirming that features have been configured correctly.

"It's vital that you remember that your testing environment is different to the real world: even after all your testing, unexpected errors or vulnerabilities can crop up during deployment that you hadn't anticipated," Pearson wrote. "One of the biggest risks is misconfiguration during deployment. To protect against this, you should have a dedicated member of staff overseeing deployment who is responsible for checking for any configuration errors to mitigate the risk."

Security testing has always been a top priority for organizations when it comes to implementing technology and ensuring that they maintain compliance with industry regulations. By establishing a security expert on your team, simulating attacks and testing code after each code change, groups can maintain protection throughout the application lifecycle and effectively prevent a breach. Strategies will need to constantly evolve to address current threats and vulnerabilities that will emerge in the future.

More Stories By Sanjay Zalavadia

As the VP of Client Service for Zephyr, Sanjay Zalavadia brings over 15 years of leadership experience in IT and Technical Support Services. Throughout his career, Sanjay has successfully established and grown premier IT and Support Services teams across multiple geographies for both large and small companies.

Most recently, he was Associate Vice President at Patni Computers (NYSE: PTI) responsible for the Telecoms IT Managed Services Practice where he established IT Operations teams supporting Virgin Mobile, ESPN Mobile, Disney Mobile and Carphone Warehouse. Prior to this Sanjay was responsible for Global Technical Support at Bay Networks, a leading routing and switching vendor, which was acquired by Nortel. He has also held management positions in Support Service organizations at start-up Silicon Valley Networks, a vendor of Test Management software, and SynOptics.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@DevOpsSummit Stories
Adding public cloud resources to an existing application can be a daunting process. The tools that you currently use to manage the software and hardware outside the cloud aren’t always the best tools to efficiently grow into the cloud. All of the major configuration management tools have cloud orchestration plugins that can be leveraged, but there are also cloud-native tools that can dramatically improve the efficiency of managing your application lifecycle. In his session at 18th Cloud Expo, Alex Lovell-Troy, Director of Solutions Engineering at Pythian, presented a roadmap that can be leveraged by any organization to plan, analyze, evaluate, and execute on moving from configuration management tools to cloud orchestration tools. He also addressed the three major cloud vendors as well as some tools that will work with any cloud.
A valuable conference experience generates new contacts, sales leads, potential strategic partners and potential investors; helps gather competitive intelligence and even provides inspiration for new products and services. Conference Guru works with conference organizers to pass great deals to great conferences, helping you discover new conferences and increase your return on investment.
With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale or of automatically managing the elasticity of the underlying infrastructure that these solutions need to be truly scalable. Far from it. There are at least six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments. In this presentation, the speaker will detail these pain points and explain how cloud can address them.
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple cloud provider environments. Yet, despite this portability promise, developers may include configuration and application definitions that constrain or even eliminate application portability. In this session we'll describe best practices for "configuration as code" in a Kubernetes environment. We will demonstrate how a properly constructed containerized app can be deployed to both Amazon and Azure using the Kublr platform, and how Kubernetes objects, such as persistent volumes, ingress rules, and services, can be used to abstract from the infrastructure.
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Published in Silicon Valley, Silicon India magazine is the premiere platform for CIOs to discuss their innovative enterprise solutions and allows IT vendors to learn about new solutions that can help grow their business.