Building Security Into the Application Development Process
Building security controls into the application development process is more cost-effective than fixing bugs once the software is in use. According to Veracode, application developers can perform either manual or automated testing during the app development process. Even though manual testing has its place, it can be time-consuming and error-prone. A recent survey by Dimensional Research and Sauce Labs found that just 13 percent of respondents rely purely on manual testing methods. Of those using automation, many now combine manual and automated testing.
Why Manual Still Matters
Even though manual testing can be time-consuming and error-prone, it still has its place in a complete application testing strategy. One of the most common types is penetration testing, which is often performed before an application goes into production. This method provides a detective security control but doesn’t prevent bugs from appearing in software. While it can help determine whether an application is vulnerable to attack, fixing any bugs found at this stage is expensive. Penetration testing doesn’t scale to every build or release and requires considerable human expertise.
The Dimensional Research and Sauce Labs report concludes that organizations can still do much more to use automated testing methods earlier in the development process, so that bugs are identified as early as possible and the time to find and fix them is reduced.
Looking Toward Automated Methods
Companies can pursue either static or dynamic automated testing. Static testing examines the source code, byte code or application binaries. Developers look for flaws that indicate an exploitable security weakness. The analysis covers the application’s structure rather than how it behaves when it runs.
Dynamic application testing examines the functional aspect of applications. Developers analyze applications while they’re running and simulate attacks to determine how they’ll react. Compared to penetration testing, dynamic testing can be performed earlier in the application development cycle and focuses primarily on the code itself.
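To make the static/dynamic distinction concrete, here is an added example (not code from the original article or from Veracode, Dimensional Research or Sauce Labs) in Python. The first half is a minimal static check: it parses a constructed source module with the standard-library ast module and flags two patterns without running anything. The second half is a minimal dynamic check: it runs a constructed file-path handler against a handful of constructed hostile inputs and reports which ones the handler accepts. Every name here (SAMPLE_SOURCE, scan_source, resolve_upload_naive, resolve_upload, probe_handler, UPLOAD_ROOT) is an assumption chosen for the illustration.

```python
import ast
import posixpath
from dataclasses import dataclass
from typing import Callable, Iterable, List

# --- Static testing: inspect source without executing it -----------------

# Constructed sample module; it deliberately contains two findings
# (a shell=True subprocess call and a bare eval) and one clean call.
SAMPLE_SOURCE = '''
import subprocess

def run(cmd):
    subprocess.call(cmd, shell=True)

def calc(expr):
    return eval(expr)

def safe(parts):
    return subprocess.run(parts, check=True)
'''

DANGEROUS_BUILTINS = {"eval", "exec"}
SUBPROCESS_FUNCS = {"call", "run", "Popen", "check_call", "check_output"}


@dataclass
class Finding:
    lineno: int
    rule: str
    message: str


def _is_shell_true(call: ast.Call) -> bool:
    """True when the call passes the keyword argument shell=True."""
    for kw in call.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
            return True
    return False


def scan_source(source: str) -> List[Finding]:
    """Walk the AST and report calls that match the two rules above."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in DANGEROUS_BUILTINS:
            findings.append(Finding(node.lineno, "dangerous-call",
                                    f"{func.id}() evaluates data as code"))
        elif (isinstance(func, ast.Attribute)
              and isinstance(func.value, ast.Name)
              and func.value.id == "subprocess"
              and func.attr in SUBPROCESS_FUNCS
              and _is_shell_true(node)):
            findings.append(Finding(node.lineno, "shell-true",
                                    f"subprocess.{func.attr}(shell=True) invokes a shell"))
    return sorted(findings, key=lambda f: f.lineno)


# --- Dynamic testing: exercise running code with hostile input -----------

UPLOAD_ROOT = "/srv/uploads"  # constructed root directory


def resolve_upload_naive(name: str) -> str:
    """Constructed 'before' handler: joins the name with no containment check."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))


def resolve_upload(name: str) -> str:
    """Constructed hardened handler: rejects any path that escapes UPLOAD_ROOT."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, name))
    if posixpath.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return candidate


# Constructed inputs: one benign name and two directory-traversal attempts.
TRAVERSAL_PAYLOADS = ["report.txt", "../etc/passwd", "sub/../../x"]


def probe_handler(handler: Callable[[str], str], payloads: Iterable[str]) -> List[str]:
    """Run the handler on each payload; return the payloads it accepted.

    A dynamic test expects only the benign input to come back."""
    accepted = []
    for payload in payloads:
        try:
            handler(payload)
            accepted.append(payload)
        except ValueError:
            pass
    return accepted


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.lineno}: [{f.rule}] {f.message}")
    print("naive handler accepted:", probe_handler(resolve_upload_naive, TRAVERSAL_PAYLOADS))
    print("hardened handler accepted:", probe_handler(resolve_upload, TRAVERSAL_PAYLOADS))
```

The static half reports the two risky calls with their line numbers before the module is ever imported; the dynamic half shows that the naive handler accepts all three inputs while the hardened one accepts only the benign file name, which is the kind of assertion that belongs in an automated test suite rather than a late-stage manual review.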
Each of these testing methods has its place in the application life cycle. Companies should find the combination of methods that works for their needs, so that development teams can ensure applications are secure against attack and resilient to downtime right out of the gate.