The CrowdStrike outage from a few weeks ago is still a fresh memory: global chaos caused by one faulty update. Still, when we think about developing new software, the terms quality assurance and security often seem to belong to different worlds. But do they have to? Maybe that separation was part of the problem. Should we integrate security into our QA processes, or is it a league of its own? In other words, does security also need to shift left?
Our QA-brain went: “Integrate security with QA?”
Just as excessive exposure to UV radiation can lead to skin cancer, insufficient security of your digital systems can cause serious damage to your business. Applying the shift-left principle to cybersecurity helps identify security risks early. Traditionally, companies wait until the website or application is live before checking for security issues. Unfortunately, this is like applying sunscreen after you have already been in the sun for an hour: it helps, but it is still going to hurt.
Incorporating security checks into QA can have several benefits:
- All-inclusive quality
When looking at quality, we need the helicopter view that sees past functionality alone. In that view, a secure product is part of what makes software truly high-quality.
- Early detection of security issues
Small problems stay small when they are caught before they can grow. It is much cheaper to fix security flaws in the early stages of the SDLC than in production, which saves both time and money.
- Building user trust
By making security a core part of your quality assurance process, you build trust with your users. Trust strengthens your reputation as a company, which in turn strengthens your relationship with customers.
- Streamlined processes
Instead of running separate phases for security and quality checks, combining them saves time and resources and makes your development process more efficient.
Our security-brain went: “Wait a minute…”
Against these reasons stand several arguments for keeping security testing a separate discipline.
- Specialized expertise
Security testing requires a specialized skill set that most QA professionals do not have. The field of cybersecurity is constantly evolving, with new threats and vulnerabilities emerging daily, and keeping up with them requires continuous learning and specialization.
- Resource allocation
Security testing often involves more detailed and time-consuming procedures than functional testing. Combining the two could result in longer testing cycles and increased costs.
- Different objectives
QA and security testing have different primary objectives. QA focuses on ensuring that the software meets its specified functional requirements and performs well, while security testing is concerned with identifying and mitigating potential vulnerabilities: QA verifies what the software should do, security testing probes what it should not allow. The methodologies and approaches differ accordingly.
- Risk management
Keeping security separate lets organizations ensure that security assessments are unbiased and not influenced by the team responsible for the software's development and functionality.
- Regulatory and compliance requirements
Certain industries have regulatory requirements that call for security testing to be performed independently of the development team; for those companies, folding security into QA would not satisfy the regulator. In other cases, organizations need an audit trail to prove to regulators and auditors that comprehensive security testing has been performed.
Let QA and cybersecurity meet in the middle
So, say that you are one of the 99% of companies that does not have a security expert lined up in every team. There are some practical, largely non-technical steps that can still help you raise the security bar within your QA process:
- Train your team in security basics
Ensure that everyone on your team understands the basics of software security. You do not need to turn everyone into a security expert, but a fundamental understanding of common threats and best practices goes a long way.
- Use (automated) security tools
There are many user-friendly security tools that can be integrated into your QA process: static analysis of your own code, dependency scanning for known vulnerable libraries, and checks against the running application. They scan for potential vulnerabilities automatically, without requiring deep security expertise from the person running them; the findings still need someone to triage them.
- Collaborate with security experts
Work with security experts who can provide guidance and support. This could be an in-house security team or external consultants who help integrate security practices into your QA process.
- Include some security in your QA checklist
Make security a standard part of your QA checklist. Ensure that security considerations are included in every stage of your testing process, from planning to execution.
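As an added example (not code from the original post), here is what one such automated check in a QA pipeline can look like: a few pytest-style assertions that inspect the HTTP response a functional test already retrieves, checking the security headers and cookie flags a checklist would ask for. Every name in it (`check_security_headers`, `check_cookie_flags`, `audit_response`), the sample headers and cookies, the list of cookie names treated as session cookies, and the one-year HSTS minimum are constructed for this example and are not taken from any real system.

```python
"""Security checks that QA can drop into an existing HTTP test suite.

Added example, not code from the original post. The functions inspect
response headers that a functional test already has in hand, so they add
security coverage to the pipeline without extra tooling.
"""
import re
from typing import Dict, List, Tuple

# Minimum HSTS lifetime to accept: one year in seconds (threshold chosen for this example).
HSTS_MIN_MAX_AGE = 31536000

# Cookie names treated as session cookies, which must also be HttpOnly (assumption).
SESSION_COOKIE_NAMES = ("session", "sessionid")


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; an empty list means pass."""
    # Header names are case-insensitive, so normalise before lookups.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing or wrong X-Content-Type-Options (expected nosniff)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    # Either a frame-ancestors directive or X-Frame-Options keeps the page out of hostile frames.
    if "frame-ancestors" not in (csp or "") and "x-frame-options" not in h:
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    return findings


def _cookie_attributes(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}) with lowercase keys."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")  # flags like Secure have no value
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie_flags(set_cookie: str) -> List[str]:
    """Return findings for one Set-Cookie header value."""
    name, attrs = _cookie_attributes(set_cookie)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure")
    if name.lower() in SESSION_COOKIE_NAMES and "httponly" not in attrs:
        findings.append(f"session cookie {name} lacks HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name} has SameSite={samesite or 'unset'} (expected Lax or Strict)")
    return findings


def audit_response(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Run every check over one response; the QA suite asserts the result is empty."""
    findings = check_security_headers(headers)
    for cookie in set_cookies:
        findings.extend(check_cookie_flags(cookie))
    return findings


# Constructed sample responses (not captured from any real system).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
}
WEAK_COOKIES = ["sessionid=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
HARDENED_COOKIES = ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


def test_hardened_response_has_no_findings():
    """pytest-style check a QA suite would run against the real response."""
    assert audit_response(HARDENED_HEADERS, HARDENED_COOKIES) == []


if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_COOKIES):
        print("FAIL:", finding)
```

The functional test already proves the page renders; the same response, fed to `audit_response`, tells you the session cookie is exposed to JavaScript and sent over plain HTTP, and that the page can be framed. None of that needs a security specialist to write, which is the "quick win" the checklist item is about; what a specialist adds is judgement on the findings and the checks this list does not cover.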
Conclusion
In an ideal world, both QA and security testing receive the focus and expertise they require. Unfortunately, most companies do not live in an ideal world with unlimited resources and time, so covering everything is an impossible task.
And while combining QA and security might seem a good idea, it can only be done up to a point. Each field has its own expertise and deserves its own respect. Our advice? Make security a focus point for everyone in the organization. If QA can add quick security wins by adding automated checks to their pipeline, why wouldn't you?