Software testing and cyber-security: The forgotten defence


Cyber-attacks can take a variety of forms, from compromising personal information to capturing control of computers. Companies big and small have been affected over the past 12 months, and the reason these attacks spread so quickly is that they are often hard to spot.

Cybercriminals are individuals or teams of people who use technology to commit malicious activities on digital systems or networks with the intention of stealing sensitive company information or personal data, and generating profit.

They are known to access the cybercriminal underground markets found in the deep web to trade malicious goods and services, such as hacking tools and stolen data. Cybercriminal underground markets are known to specialise in certain products or services.

Understanding cyber threats and cyber-attacks is only part of what you need to protect yourself; you must also know how cyber-attacks occur. Most attacks combine semantic tactics with syntactic ones or, in simpler terms, attempt to change a computer user's behaviour through some shady computer tactics.

For example, data hacks are a means to break into a company's server to gain access to its customers' personal data, from email addresses and home addresses to financial details. Highly skilled computer experts are behind these attacks and they can be hard to stop, which is a scary thought.

In cyber security, all vulnerabilities are essentially bugs, and like any bug, the longer one goes unfixed, the costlier the fix will be.

If you talk to cybersecurity experts they will tell you that it's not a question of if, it's a question of when. Cyber criminals today are ahead of the game and are very difficult to stop. You have to be prepared for the worst.

That being said, there is one critical way you can stay one step ahead, and that is by ensuring your defensive software is doing its job.

Software testing is essential

Integrating reliable software should be standard practice for every company, but sadly this isn't the case. Organisations should strive to understand the kinds of security testing they can benefit from in their battle to prevent cyber-attacks.

Take Dixons Carphone, for example, which recently fell victim to a major cyber-attack: a huge breach involving 5.9 million payment cards and 1.2 million personal data records.

The company said an investigation indicated there had been an attempt, going back to July last year, to compromise data on credit cards in one of the processing systems of Currys PC World and Dixons Travel stores.

It said 5.8 million of these cards had chip and PIN protection, and that the data accessed contained neither PIN codes, card verification values nor any authentication data that would enable cardholder identification or purchases to be made.

However, it said 105,000 non-EU issued payment cards, which do not have chip and PIN protection, had been compromised. Dixons Carphone immediately notified the relevant card companies so that they could protect customers.

It’s worrying that major cyber-attacks like this are still so common and that nothing seems to be done to prevent them from happening – especially in global firms.

Cyber criminals are finding it easier to access personal data and Dixons Carphone must now look at whether their defensive software is doing its job properly. A repeat of what happened would be a mortal blow to their business.

The only way to prevent that happening again is to properly integrate and test the software.

People are too focused on scanning for known vulnerabilities in software after it has been released, and not focused enough on the poor software development practices that lead to vulnerable applications that hackers can exploit.

This is where thorough software testing is essential. Pulling software testing into a company's practices doesn't have to be difficult. A good starting point is to bring software experts and security engineers into planning sessions. Next, ensure each phase of your pipeline has a quality gate: software quality criteria that must be met before work can move to the next phase of the pipeline.
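As an added illustration of a phase-by-phase quality gate (example code, not from the article or from QualiTest), the script below evaluates each phase's evidence against its gate and stops the pipeline at the first unmet criterion; the criteria, severity names, thresholds and report shape are assumptions.

```python
# Added example, not code from the article or from QualiTest: one quality gate per
# pipeline phase, with assumed criteria (coverage, open findings, dependency scan).
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class GatePolicy:
    name: str
    min_coverage: float        # minimum test coverage, as a fraction
    max_open_severity: str     # unfixed findings above this severity block the gate
    require_dependency_scan: bool = True

@dataclass
class PhaseEvidence:
    coverage: float
    findings: list = field(default_factory=list)  # dicts: {"id", "severity", "fixed"}
    dependency_scan_ran: bool = False

def evaluate_gate(policy, evidence):
    """Return (passed, reasons); reasons names every criterion the evidence fails."""
    reasons = []
    if evidence.coverage < policy.min_coverage:
        reasons.append(f"coverage {evidence.coverage:.0%} below {policy.min_coverage:.0%}")
    limit = SEVERITY_RANK[policy.max_open_severity]
    for f in evidence.findings:
        if not f.get("fixed") and SEVERITY_RANK[f["severity"]] > limit:
            reasons.append(f"open {f['severity']} finding {f['id']}")
    if policy.require_dependency_scan and not evidence.dependency_scan_ran:
        reasons.append("dependency scan did not run")
    return not reasons, reasons

PIPELINE = [  # gates tighten as the artefact approaches production (assumed thresholds)
    GatePolicy("build", 0.0, "high", require_dependency_scan=False),
    GatePolicy("test", 0.70, "medium"),
    GatePolicy("release", 0.80, "low"),
]

def run_pipeline(evidence_by_phase):
    """Walk the phases in order and stop at the first gate that fails."""
    for gate in PIPELINE:
        passed, reasons = evaluate_gate(gate, evidence_by_phase[gate.name])
        if not passed:
            return gate.name, reasons
    return "released", []

# Constructed evidence: a medium finding is tolerated at the test gate but blocks
# release, where only low-severity findings may remain open.
MEDIUM = [{"id": "DEP-1", "severity": "medium", "fixed": False}]
SAMPLE = {"build": PhaseEvidence(0.0), "test": PhaseEvidence(0.75, MEDIUM, True),
          "release": PhaseEvidence(0.85, MEDIUM, True)}
```

Running `run_pipeline(SAMPLE)` reports the release gate as the blocking phase and the open finding as the reason; marking the finding fixed lets the artefact through.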

A small step goes a long way

A good way to ensure there are no holes in the defence is ethical hacking, which gives you a lawful way to assess a target system's weaknesses and vulnerabilities, with the goal of educating and protecting you. Instead of introducing risk, this approach mitigates the risks currently present in the target systems. A real-world approach discovers how your system would perform if attacked by a malicious hacker, using the same tools and knowledge they might use.

Penetration testing is designed to assess your security before an attacker does. Penetration testing tools simulate real-world attack scenarios to discover and exploit security gaps that could lead to stolen records, compromised credentials, intellectual property, personally identifiable information, cardholder data, protected health information, data ransom, or other harmful business outcomes. By exploiting security vulnerabilities, penetration testing helps you determine how to best mitigate and protect your vital business data from future cybersecurity attacks.

A penetration test is a crucial component of network security. Through these tests a business can identify security vulnerabilities before a hacker does, gaps in information security compliance, the response time of its information security team, and the potential real-world effect of a data breach or cybersecurity attack.

Through penetration testing, security professionals can effectively find and test the security of multi-tier network architectures, custom applications, web services and other IT components. These penetration testing tools and services give fast insight into the areas of highest risk, so that companies can plan security budgets and projects effectively. Thoroughly testing the entirety of a business's IT infrastructure is imperative to taking the precautions needed to secure vital data from hackers, while simultaneously improving the response time of an IT department in the event of an attack.

A simple, cost-effective process like this goes a long way towards ensuring cyber safety, and that can be the difference between a business thriving and one facing an existential threat to its reputation and business model. At the moment, it's just too easy for hackers to take advantage of organisations.

Jeff Wheat, Director of Cyber Operations, QualiTest