Why is security testing so important for companies and their software?

Data leaks and cyber attacks: With rapidly advancing digitalization, attacks on business software are also increasing. Time and again, we hear about data theft that endangers companies and people. Whether customer data from Adobe, Facebook and eBay or credit card data from large banks — security breaches due to data theft run into the billions.

But that's not all! Hackers also leave serious consequences in the "real" world: industrial installations have become a popular target for malware. In 2014, for example, the control system of a blast furnace at a German steel company was massively damaged. Even the German parliament has been hacked. And hospitals have been temporarily paralyzed by cyberattacks. These examples show how serious - from expensive to life-threatening - software errors can be. And that is exactly why software testing and security testing are so important: to ensure the security of software, companies and people.

What is Software Testing?

Before I go into more detail about Security Testing, I would like to briefly summarize the function and goals of Software Testing.

Software testing is an important part of software development and plays a decisive role in software quality. This is because testing enables software errors to be detected in advance and fixed in good time. It also verifies that the system complies with the specified requirements, including functionality, performance and reliability. In this way, even before the application goes live, it is checked: Was programmed what was requested? And does the software work properly?

Benefits of Software Testing at a glance

Cost efficiency

On-time and continuous testing during development saves money in the long run. This is because fixing bugs earlier in the process usually costs less than fixing them later - not to mention the financial impact on third parties.

Product quality

Every software product aims for high quality. Testing ensures that a quality product is developed and scheduled. Organized software testing is particularly important here.

Security

Software testing creates confidence and security at all levels. Software-related risks, threats and problems are eliminated at an early stage and correct usability is ensured.

Software testing can be done manually as well as automated. In manual testing, test cases are executed by a human without the support of tools or scripts. In automated testing, tests are executed by tools and dedicated software: developers write code that checks that the application code works. There are many ways to test software. Among the most common are:

  • Unit-Tests (module tests)
  • Integration tests
  • End-to-end tests
  • Performance tests
  • Smoke tests

The type of testing depends on various factors. These include project requirements, budget, time and know-how. The goal is to achieve the highest possible test coverage from installation through functionality and application to maintenance. But be careful: just because a software meets quality requirements in terms of functionality and performance does not necessarily mean that the software is safe.

Security Testing: Why it is so important

Security testing is a type of software testing. It includes all tests to ensure the proper and flawless functionality of a software or application in software development. Security testing can be used to identify threats and risks of any kind in the system and to identify potential security vulnerabilities with precision. Then software developers can react safely and quickly to fix the security risks by appropriate coding. And that's more important than ever these days: modern operating processes, growing mobility and huge volumes of data offer a multitude of attack opportunities for hackers.

Software security: Banks and insurance companies in the focus of hackers

Companies such as banks and insurance companies are in focus here, because they hold enormously important and highly sensitive data (e.g. customer data). With this high level of responsibility, appropriate software security goes far beyond the necessary protection of the company itself. In addition, insecure software endangers the integrity of data and the availability of applications. The goal of security testing is therefore to protect companies as well as users from risks that can result from the use of insecure software.

Security in the enterprise: When is a software secure?

The security of software is a decisive factor for the security of companies. It must function flawlessly and not have any security gaps. But as long as software is still programmed by humans, errors cannot be fundamentally ruled out. This makes professional security testing at all levels even more important. It needs to test

  • integrity,
  • authenticity,
  • confidentiality,
  • vulnerability and
  • continuity.

In addition to a universally valid code culture and good team organization, teams should above all use appropriate security tools. With the right tools, software security is kept high during development as well as in subsequent operation.

Setup Example: Bitbucket Pipelines with SonarCloud

The following example shows how the security software SonarCloud can be integrated into an existing workflow. You can see how fast and easy the whole thing works. You can also use the example as a guide to integrate SonarCloud into Bitbucket Pipelines. There are also some other useful features that SonarCloud brings with it.

Info for those who don't know SonarCloud yet: SonarCloud is a cloud service offered by SonarSource based on the open source SonarQube platform. It is used to check source code for vulnerabilities, bugs and code smells, supporting more than 20 programming languages.

Typically, SonarCloud is built into the deployment workflow and serves as a so-called quality gate before a new release goes live.

Example and guide: How it works

Link to my Git repository on Bitbucket

1. Open the SonarCloud website
2. Log in with your Atlassian access data
3. Create a new project

[Screenshot: Jodocus Bitbucket project]

4. Choose a project

[Screenshot: Jodocus Bitbucket project analysis]

5. Choose your analysis method

[Screenshot: Jodocus Bitbucket analysis method]

6. Click ‘I need a pipeline’
7. Go to your Bitbucket repository settings and enable Pipelines
8. Go to the repository variables and add the SonarCloud token

[Screenshot: Jodocus Bitbucket repository variables]

9. Add the following to your Bitbucket Pipeline

    image: python:3.8.3 # Choose an image matching your project needs

    clone:
      depth: full

    definitions:
      caches:
        sonar: ~/.sonar/cache
      services:
        docker:
          memory: 2048
      steps:
        - step: &build-test-sonarcloud
            name: Build, test and analyze on SonarCloud
            caches:
              - pip
              - sonar
              - docker
            script:
              # The scan pipe reads the SonarCloud token from the SONAR_TOKEN
              # repository variable added in step 8.
              - pipe: sonarsource/sonarcloud-scan:1.2.1
                variables:
                  DEBUG: 'true'
            services:
              - docker
        - step: &check-quality-gate-sonarcloud
            name: Check the Quality Gate on SonarCloud
            script:
              - pipe: sonarsource/sonarcloud-quality-gate:0.1.4
            services:
              - docker

    pipelines:
      branches:
        master:
          - step: *build-test-sonarcloud
          - step: *check-quality-gate-sonarcloud
      pull-requests:
        '**':
          - step: *build-test-sonarcloud
          - step: *check-quality-gate-sonarcloud

Advice

  • Under definitions, we need to give the Docker service 2048 MB of RAM
  • Under each step, we need to explicitly declare Docker as a service

10. While the pipeline is running, SonarCloud analyzes the source code in your repository. If SonarCloud finds any of the items listed above, such as a code smell, the pipeline build fails and you get an evaluation on your SonarCloud dashboard:

[Screenshot: Jodocus SonarCloud analysis]

11. The issues found here could now still be created individually as defects or bugs within Jira using automations within SonarCloud.

Done!
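To make the analysis in step 10 concrete, here is an added example (not code from the blog post or from SonarSource) of the kind of finding that causes the quality gate to fail in a Python project like the one the pipeline above scans. The first lookup function builds SQL by string formatting, which a static analyzer reports as an injection vulnerability; the second uses a parameterized query. The user table, its rows and the inputs are constructed for the example, and the in-memory SQLite database stands in for the real application database.

```python
import sqlite3

# Constructed sample data: a small user table such as a login lookup would query.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("o'brien", "ob@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_unsafe(conn, name):
    """Vulnerable variant: untrusted input is pasted into the SQL text.

    This is the pattern a SAST scan such as SonarCloud flags as an injection
    vulnerability; a failed quality gate stops it from reaching a release.
    """
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Hardened variant: the driver binds name as data, never as SQL text."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both variants on ordinary, quoted and tautology-shaped input."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input that is never a real user name
    results = {
        "safe_normal": find_email_safe(conn, "alice"),
        "safe_quote": find_email_safe(conn, "o'brien"),
        "safe_tautology": find_email_safe(conn, tautology),
        "unsafe_normal": find_email_unsafe(conn, "alice"),
    }
    try:
        # A legitimate apostrophe already breaks the unsafe query (syntax error).
        results["unsafe_quote"] = find_email_unsafe(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        results["unsafe_quote"] = f"error: {exc}"
    # The unsafe variant returns every row instead of none for the tautology.
    results["unsafe_tautology"] = find_email_unsafe(conn, tautology)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized version behaves identically on all three inputs (one match, one match, no match), while the formatted version crashes on a name containing an apostrophe and returns the whole table for the tautology input; the scanner flags the second function before either of those behaviours is observed in production.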

Summary

With increasing digitalization, the attack possibilities for hackers are growing. At the same time, the opportunities to protect yourself in the best possible way are also growing. Especially companies that hold a lot of sensitive data should protect their systems optimally. And even companies that are supposedly uninteresting to hackers should not take their software security lightly. Professional security testing can ensure the proper and flawless functioning of a software product or application during development. In this way, software-related security gaps can be identified and fixed at an early stage. One quick and easy option of many for security testing is the integration of SonarCloud into Bitbucket. While it still doesn't offer 100% security, it serves as an additional quality gate. The example from this blog post can serve you as a guide. We would also be happy to help you personally to improve software security – and thus the security of your company.

Do you have any questions or would you like to learn more about Security Testing? Just contact us — we're happy to help you.
