Software development has evolved, but security testing has not. That has to change
In the bad, old days—which, sadly, many are still living in—security testing was tacked onto the end of the development process. Security testing hasn’t been a feature of software engineering for around 15 years now, since agile supplanted waterfall as the primary development methodology. The old idea of security testing as an independent, external audit, where security folks sit far outside the development process, is ineffective at preventing massive data breaches and ensuring developers have the knowledge required to build secure applications.
Until the mid-1970s, the concept of desk-checking software was necessary due to the slow turnaround time of punch cards, compilation and batch job testing. Desk-checking and formal verification are the genesis of the security audit. Though software engineering has developed through timesharing, real-time debugging, individual computers for each developer, waterfall, object-oriented programming, rapid application development and, finally, agile and DevOps, security is still stuck in the mid-1970s. Security professionals are not auditors and security audits are not a viable replacement for sound security engineering.
There is no doubting the need for objective tests along the way, but the construction industry shows us the way here. Any large building project regularly tests random concrete deliveries for compression and tensile strength. While every metaphor breaks down if you push it too far, there is a place for continuous security testing in an agile world. This should take the form of executable tests, rather than reports.
Modern “unicorn” development is proud of the DevOps culture that allows developers to push code into production many times a day. But in the DevOps deployment model, it’s impossible for traditional security practices to keep up. A typical security testing schedule is every 12 to 18 months if you’re lucky, or never if the app is not considered significant. There could be thousands of untested builds in that time.
How do we fix this? How do we scale? The security profession must adopt agile and DevOps processes and use the same tools as developers. It is that simple. However, it’s incredibly difficult for many. Historically, security professionals haven’t come from a development background, and so the concept of delivering security tests as source code is at odds with 40 years of penetration testing.
The first thing that must change is the way organizations receive results. One of the tenets of an early agile methodology called “extreme programming” (XP) is “you ain’t gonna need it” (YAGNI). I posit you “ain’t gonna need” a PDF report. Results should be delivered via APIs, directly into existing development defect trackers, such as Jira or GitHub Issues, or a vulnerability management solution. The worst possible outcome is a 60-page PDF sitting unread in someone’s inbox—or worse, trying to scrape it or manually cut and paste into an Excel spreadsheet. Developers will never see the entire report, as if it is a state secret, and yet they have to fix discovered issues.
I hear screams in the distance! How’s an internal audit going to verify that security is in place and effective without a PDF report? They can and should look at the results of builds. It is that simple. If developers can demonstrate that every build for the last 12 months passed security unit and security tests, that is a job well-done. No one asks accountants to provide a PDF report of the latest reconciliation as proof that reconciliation is working. The evidence is that the numbers are the same in the online accounting and banking systems. If an auditor wants to produce a cover sheet saying that they randomly sampled build testing results over the last 12 months and assert that the results are a true and correct representation of security effectiveness, good for them.
Security professionals are not auditors and should not be writing reports. They should be testing software, sharing knowledge and writing tests. Security professionals should be embedded with developers, helping them understand why a security test has failed and discussing solutions, possibly even coding a potential solution. Security professionals can learn about the enterprise and specific application business risks, and the development team can learn how to fix current issues and protect against security failures in the future.
It’s critical to understand that as executives ponder this change, there will be resistance. The security industry is structured around delivering short-duration, high-skill testing. This type of testing often tests the skill of the assessor and web application firewalls, and not the application itself. Modern security practices—such as the one I lead—have moved to abuse cases, where no web application firewall will protect you. We have offerings and talk with our clients about agile CI/CD pipeline security, but even though what we want to move on to will be utterly obvious to everyone in a year or two, resistance is strong.
How do you move forward in the interim? Ask your security vendors to deliver proof-of-concept unit or integration security test cases to be run in the build pipeline. Provide source code to your apps so they can write the tests in the same codebase to test every build and allow your developers to maintain these tests.
In the meantime, review the effectiveness of your PDF-based security program. Challenge your vendors to come up with something that works with your development teams rather than treating them as adversaries.