What did they say about Software security testing?
“Over 70 percent of security vulnerabilities exist at the application layer, not the network layer” Gartner.
“Hacking has moved from a hobbyist pursuit with a goal of notoriety to a criminal pursuit with a goal of money” Counterpane Internet Security.
“64 percent of developers are not confident in their ability to write secure applications” Microsoft Developer Research.
“Losses arising from vulnerable web applications are significant and expensive – up to $60 billion annually” IDC/IBM Systems Sciences Institute.
“If 50 percent of software vulnerabilities were removed prior to production use, enterprise configuration management and incident response costs would be reduced by 75 percent each.” Gartner.
The figures below illustrate that a lack of software security allows data breaches. These breaches have been categorized by sector, as illustrated in figure  and figure .
Figure (2) Average number of identities exposed per data breach, by notable sector
Source: Based on data provided by OSF DataLossDB
The figures below illustrate that a lack of software security allows data breaches. In these figures the breaches have been categorized by cause.
The figure below illustrates the type of information exposed in deliberate breaches.
The impact of an unsecured software application varies from one organization to another, depending on the importance of the system and its related data, as follows:
The potential impact is LOW if:
The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, or individuals.
The potential impact is MODERATE if:
The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, assets, or individuals.
The potential impact is HIGH if:
The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals.
Types of application that need security testing
- Applications with sensitive commercial or personal information
- Payment and statistics systems
- Applications sensitive to data distortion
- Social applications
- Applications with expensive licensing
It is important to recognize that there are three key quality components to software assurance, as shown in Figure : reliability, resiliency, and recoverability.
- Reliable software is that which functions as needed by the end user.
- Resilient software is that which is able to withstand the attempts of an attacker to compromise confidentiality, and/or impact integrity, or availability (CIA).
- Recoverable software is software that is capable of restoring itself or being restored to expected normal operations when it has failed in its reliability or resiliency.
Most commonly, when software is said to be of “quality”, it essentially means that the software is working as designed and expected. This is primarily a consideration of software functionality, not of its assurance capabilities. However, in addition to the reliability aspect of software quality, today it is also imperative to take into account the security of the software. This two-pronged approach to software quality testing ensures that software is not only reliable but also resilient enough to withstand attacks that impact CIA.
Therefore, security testing is necessary because it has a distinct relationship with software quality. Software may meet quality requirements related to functionality and performance, but that does not necessarily mean the software is secure. The inverse, however, is true.
Secure software is software with added resiliency, and is thus software of higher quality. For example, when the “Add to cart” button on a web page is clicked and the selected product is added to the cart (functionality) in less than the expected two-second requirement (performance), it can be argued that this software met the reliability quality requirements established by the business. But if the software is not tested for security, there is no guarantee that the product code added to the cart has not been tampered with by an unauthorized user.
Moreover, poor architecture and implementation of a web application cannot assure the CIA aspects of software assurance.
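The “Add to cart” argument above, as an added example (not code from the original post or from the cited paper): a hypothetical cart handler with a reliability test (correct product, under two seconds) next to a resiliency test that checks the product code and price cannot be tampered with. The catalog, the secret and the request fields are constructed for this demonstration.

```python
import hmac
import hashlib
import time

# Constructed catalog: the server's authoritative source of product codes and prices.
CATALOG = {"SKU-100": 19.99, "SKU-200": 49.50}
# Hypothetical server-side secret used to bind each cart line so later tampering is detectable.
SECRET = b"constructed-demo-secret"


class CartError(ValueError):
    """Raised when a request references a product the server does not know."""


def _sign(code, price):
    # HMAC over the exact (code, price) pair stored on the line.
    msg = f"{code}|{price:.2f}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def add_to_cart(cart, request):
    """Functional path: resolve the product server-side; never trust a client-supplied price."""
    start = time.perf_counter()
    code = request.get("product_code")
    if code not in CATALOG:
        raise CartError("unknown product code")
    price = CATALOG[code]  # any 'price' field in the request is deliberately ignored
    cart.append({"code": code, "price": price, "sig": _sign(code, price)})
    return time.perf_counter() - start  # seconds, for the performance requirement


def verify_cart(cart):
    """Resiliency path: reject any line whose code or price no longer matches its signature."""
    return all(hmac.compare_digest(_sign(l["code"], l["price"]), l["sig"]) for l in cart)


def reliability_test():
    # Passes when the right product lands in the cart within the two-second requirement.
    cart = []
    elapsed = add_to_cart(cart, {"product_code": "SKU-100"})
    return cart[0]["code"] == "SKU-100" and elapsed < 2.0


def resiliency_test():
    # Passes only when client price override, stored-line tampering and unknown codes are all caught.
    cart = []
    add_to_cart(cart, {"product_code": "SKU-100", "price": 0.01})
    client_price_ignored = cart[0]["price"] == 19.99
    cart[0]["price"] = 0.01  # simulate an unauthorized edit of a stored line
    tamper_detected = not verify_cart(cart)
    try:
        add_to_cart([], {"product_code": "SKU-999"})
        unknown_rejected = False
    except CartError:
        unknown_rejected = True
    return client_price_ignored and tamper_detected and unknown_rejected
```

The reliability test alone would still pass against a handler that trusted the client's price; only the resiliency test exposes that gap.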
This was an introduction to software security testing; I will add more posts to illustrate more about the definition of security testing, its relation with the software development life cycle, and its techniques.
[i] Assuring Software Security through Testing: White, Black and Somewhere in Between, by Mano Paul. https://www.isc2.org/uploadedFiles/(ISC)2_Public_Content/Certification_Programs/CSSLP/Software%20Security%20Through%20Testing.pdf