Application security used to be something for a small elite of companies processing financial data. But growing concern about personal data protection and about companies' e-reputation is pushing more and more companies to invest time and money in website and application security.
Who should contribute to strengthening web and mobile application security: security specialists or QA teams? And how can the two work together?
Security is part of Quality Assurance
If security has long been far from software managers' priorities, it is because security was perceived as too complicated and inaccessible a skill. In fact, security is a facet of QA. It fits into the existing testing and validation processes alongside functional tests and performance tests: security tests are simply another kind of test.
With the growing number of cyberattacks and the growing pressure to strengthen data protection, more and more software companies are performing security tests on their applications before release.
Involving QA teams in application security
QA teams can take on a first level of security testing. A testing checklist covering the most common flaws helps prevent many vulnerabilities from being left in the code.
This means that QA teams need security training; however, they do not need to master all the skills that pentesters have.
Being able to find OWASP Top 10 flaws, such as SQL injection, already has a significant impact on risk reduction.
Furthermore, testing for logic flaws, which is part of security testing, is also part of functional testing. QA teams can cover this aspect too, provided they learn to think "logic abuse" instead of "validation".
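To make the "logic abuse" versus "validation" distinction concrete, here is an added example (not code from the original article): a small checkout routine in a naive and a hardened form, run through one functional test and through a handful of logic-abuse cases a QA team could add to its checklist. The catalogue, the coupon code and all function names are constructed for illustration.

```python
# Added example, not from the original article: one checkout routine in a
# naive and a hardened form, exercised by a "validation" test and by
# "logic abuse" tests. Catalogue, coupon code and names are constructed.
from typing import Optional

PRICES = {"book": 20.0, "pen": 2.5}

def checkout_naive(cart: dict, coupon: Optional[str] = None) -> float:
    """Happy-path implementation: trusts quantities and coupon arithmetic."""
    total = sum(PRICES[item] * qty for item, qty in cart.items())
    if coupon == "SAVE10":
        total -= 10.0
    return round(total, 2)

def checkout_hardened(cart: dict, coupon: Optional[str] = None) -> float:
    """Same business rule with the abuse paths closed."""
    total = 0.0
    for item, qty in cart.items():
        if item not in PRICES:
            raise ValueError(f"unknown item {item!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"bad quantity for {item!r}: {qty!r}")
        total += PRICES[item] * qty
    if coupon == "SAVE10":
        total = max(total - 10.0, 0.0)  # a discount never becomes a credit
    return round(total, 2)

def validation_test(fn) -> bool:
    """What a functional test checks: expected input yields the expected price."""
    return fn({"book": 1, "pen": 2}) == 25.0

# Each case asks "what if the user does something the spec never mentions?"
LOGIC_ABUSE_CASES = {
    "negative_quantity": ({"book": 1, "pen": -4}, None),  # cart line as refund
    "coupon_below_zero": ({"pen": 1}, "SAVE10"),          # discount > order
    "unknown_item": ({"gift": 1}, None),                  # outside the catalogue
}

def logic_abuse_test(fn) -> dict:
    """Return the charge each abuse case produced, or 'rejected' if refused."""
    results = {}
    for name, (cart, coupon) in LOGIC_ABUSE_CASES.items():
        try:
            results[name] = fn(cart, coupon)
        except (ValueError, KeyError):
            results[name] = "rejected"
    return results

if __name__ == "__main__":
    for fn in (checkout_naive, checkout_hardened):
        print(fn.__name__, validation_test(fn), logic_abuse_test(fn))
```

Both versions pass the validation test; only the abuse cases show that the naive version turns a negative quantity into a partial refund and a coupon into a credit.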
Getting QA and pentesters to work together
Of course, pentesters are still needed to ensure more in-depth application security.
A pentester can transfer part of their knowledge to QA teams and delegate the first level of basic testing to them. They will still have to perform the advanced security tests themselves.
In addition to their expertise, pentesters also bring an external view of the application being tested (this is especially true when the people doing quality assurance are the developers, which is common when a company has no dedicated QA team).
Moreover, having QA teams and security specialists work together helps them get to know each other's work. Everything that makes security less mysterious and better understood has a positive impact on the security of the BtoB and BtoC solutions we use in our everyday lives.