Little is expected to escape the weighty security blanket being pulled over every aspect of the FIFA World Cup 2010. Everything from electricity to transport, the public and stadiums will receive protection in some form or another as the world arrives to revel in the finest soccer spectacle on the planet. Soccer aside, the revellers will expect state-of-the-art online banking, booking and other services. So how prepared are SA service providers for the onslaught of data about to hit our shores? And, just how secure are their applications which will process this data?
Haydn Pinnell, MD of Gallium (an EOH company), is a strong proponent of integrating security testing into the application development process. He says security-minded organisations have long deployed specialists to perform “penetration tests” or simulated attacks on their production-ready applications. But, this type of testing has a fundamental glitch – security issues are discovered late in the development process, when fixing them is expensive, disruptive and often requires extensive re-coding.
“It’s a given that data security has to be a fundamental corporate priority for 2010. However, the real question is how best to make data security an on-the-ground reality. Security issues are often deeply rooted in an application’s code and developers have to go into the software’s core components to fix vulnerabilities. As such, the later these vulnerabilities are discovered, the more difficult and expensive they are to address and the more likely they are to cause business-critical software release schedules to slip.”
HP QAInspect, from HP Software, lets QA professionals execute automated web application security testing scripts as part of the QA process. As QAInspect is integrated with HP Quality Centre software, companies don’t need to purchase additional servers to run the tool and staff won’t need to become familiar with a new interface. As a result, implementation costs are minimal and setup is streamlined.
Examples of the kind of issues QAInspect can identify are SQL injection vulnerabilities, which can be exploited by hackers to trick databases into returning unauthorised information via web form queries.
There are a number of common vulnerabilities for which fixes are readily available, Pinnell says. QAInspect identifies them early in the development cycle so that they can be fixed more cost-effectively. It’s a powerful adjunct to other security processes like penetration testing, with the potential to significantly reduce the risk of unplanned development issues.
Most importantly, QAInspect helps businesses protect their data and their customers.
By using HP Software to integrate data security testing into their software QA processes, a QA department can identify, early in the Software Development Life Cycle (SDLC), application and data security issues more easily, allowing the delivery organisations to address them earlier and more cost-effectively.
“The real solution to data protection is to make security testing an integral part of the software QA process and to do security testing early in the application development cycle. Companies have learned to perform functional testing on an ongoing basis during software development because it enables them to identify functional issues early, when they are easier and less expensive to fix. Integrating security testing into QA is smart for precisely the same reasons,” Pinnell concludes.
Haydn Pinnell, MD of Gallium (an EOH company