In March, after attending a roundtable with industry experts, I realized that a problem is becoming more and more prevalent in customer environments: organizations, while trying to harden their infrastructure, widen the disconnect between their own security and QA practices by deploying policies that are not fully visible to every department that could be affected by them.
What are the differences between application security and quality assurance?
From my experience, application security testing (AST) is fundamentally different from other types of QA testing such as functional and performance testing. As a result, QA teams struggle to support AST, which causes the disconnect whenever new security policies or changes are considered or rolled out.
In functional and performance testing, the expected results for each test case are documented and scripted before testing begins, and the QA team checks whether the actual results match the expected ones.
Security testing mainly focuses on vulnerabilities or weaknesses in the software that could lead to misuse or exploitation, where the "expected result" is the absence of a whole class of behaviors rather than a single documented output.
Can security be considered a QA issue?
Security-related defects (in any form) should also be viewed as a QA issue. Security vulnerabilities are more commonly found in software with defects and faults.
Poor code quality leads to unpredictable behavior:
- For a user, that often manifests itself as poor or frustrating usability.
- For an attacker, it provides an opportunity to stress the system in unexpected ways.
Quality and software security should not be treated as two separate entities, but as two sides of the same practice, because the bug that manifests as a system failure today could be the vulnerability exploited tomorrow. Software security is simply another important part of building good software.
How do AST and QA work better together?
QA and security teams define nonfunctional requirements that developers need to adhere to. These nonfunctional requirements are the foundation for building security-minded development teams, and when QA teams work hand in hand with the security team from the beginning, it can be quite powerful.
Automated security testing is a core component of this process, since development management should recognize that quality defects are entry points for vulnerabilities.
Static (SAST), dynamic (DAST), and interactive (IAST) application security testing methods each have advantages and disadvantages, which is why several of them are often applied to the same application. Combined with QA and performance methodologies, an organization can set itself up for success.
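The point made above, that a quality defect and a vulnerability are the same bug seen from two sides and that QA and security can share one set of nonfunctional requirements, is easiest to see in a test suite. The following is an added example, not code from the original post: a small length-prefixed record parser whose tests carry both the QA expectations (documented input produces documented output) and the security expectations (malformed input is rejected rather than silently mangled). The record format, the `MAX_RECORD_LEN` limit, the function names and the sample inputs are all constructed for this illustration.

```python
"""Added example: one test suite that holds both the QA (functional) and the
security (robustness) expectations for the same parser.

The record format, parse_records/encode_records, MAX_RECORD_LEN and all sample
inputs are constructed for this illustration; they are not from any real product.
"""
import struct
from typing import Dict, List

# Assumed nonfunctional requirement agreed by QA and security together:
# no single record may exceed this many bytes.
MAX_RECORD_LEN = 1024


class MalformedRecord(ValueError):
    """Raised when input violates the format, instead of degrading unpredictably."""


def parse_records(blob: bytes) -> List[bytes]:
    """Parse a sequence of [u16 big-endian length][payload] records.

    Returns the payloads. A parser written only for the "happy path" would
    happily return a truncated slice for a short payload; that silent
    degradation is the quality defect an attacker can later stress, so every
    deviation from the format is reported as MalformedRecord.
    """
    records: List[bytes] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise MalformedRecord(f"truncated length prefix at offset {pos}")
        (length,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        if length > MAX_RECORD_LEN:
            raise MalformedRecord(f"record length {length} exceeds limit {MAX_RECORD_LEN}")
        if len(blob) - pos < length:
            raise MalformedRecord(
                f"record claims {length} bytes but only {len(blob) - pos} remain"
            )
        records.append(blob[pos:pos + length])
        pos += length
    return records


def encode_records(payloads: List[bytes]) -> bytes:
    """Inverse of parse_records, used to build well-formed fixtures."""
    return b"".join(struct.pack(">H", len(p)) + p for p in payloads)


# QA expectations: documented input -> documented output (constructed fixtures).
FUNCTIONAL_CASES = [
    ([], b""),
    ([b"hello"], b"\x00\x05hello"),
    ([b"a", b"bc"], b"\x00\x01a\x00\x02bc"),
]

# Security expectations: inputs that must be rejected, never partially accepted
# (constructed fixtures).
ROBUSTNESS_CASES = {
    "truncated_prefix": b"\x00",                              # 1 byte, no full length
    "short_payload": b"\x00\x09abc",                          # claims 9 bytes, has 3
    "oversize_length": struct.pack(">H", 65535) + b"x" * 10,  # above MAX_RECORD_LEN
}


def run_functional_cases() -> Dict[bytes, bool]:
    """Round-trip every documented case; True means encode and parse both match."""
    results: Dict[bytes, bool] = {}
    for payloads, wire in FUNCTIONAL_CASES:
        results[wire] = encode_records(payloads) == wire and parse_records(wire) == payloads
    return results


def run_robustness_cases() -> Dict[str, str]:
    """Record whether each malformed input was 'rejected' or wrongly 'accepted'."""
    outcomes: Dict[str, str] = {}
    for name, blob in ROBUSTNESS_CASES.items():
        try:
            parse_records(blob)
            outcomes[name] = "accepted"
        except MalformedRecord:
            outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    print("functional:", run_functional_cases())
    print("robustness:", run_robustness_cases())
```

Both dictionaries live in the same file and run in the same CI job, so a regression in either shows up in the same place for both teams; the `MAX_RECORD_LEN` constant is the kind of nonfunctional requirement the post describes QA and security defining together, and it is enforced by the code rather than by a policy document nobody else can see.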
What do you think about the links between security and software quality assurance? Comment and tell us how you're handling this!