
How to overcome common objections to automated security testing

Tony Bradley, Editor-in-Chief, TechSpective.net
World Quality Report 2018-19: The State of QA and Testing

One of the principal elements of DevOps is automation. Any routine or repeatable task that can be automated, should be. Automation ensures consistency in those routine tasks and frees up personnel to focus on more important things. Yet, although more than 40 percent of software testing is now automated, most security-related application software testing is still performed manually—often late in the development lifecycle.

Why is this? What are the concerns regarding security testing that make organizations and developers reluctant to embrace automation? The flip side to the question is also important: What are the benefits to organizations if they automate security testing and move it earlier in the development lifecycle?

A matter of perception

“For many companies, there are perception issues. There is a perception that automated testing can’t be a replacement for manual testing,” says Andrew Storms, vice president of security services at New Context. “And while that is the case, at least some amount of testing can be automated, which means manual testing can be more specifically focused and be more valuable.”

Aside from the perception that automated testing isn’t good enough or can’t be trusted, there is also the belief that implementing automated security testing is expensive or hard. This isn’t entirely true, though, especially given the number of readily available automation suites and tools that provide APIs. As Storms sees it, many organizations “feel like it’s a daunting task and just aren’t motivated or simply don’t see automated testing as a priority.”

And a practical matter, too

One of the big problems in IT right now is that security and compliance are generally handled at runtime and are not part of the entire software development workflow. Security and compliance are an afterthought rather than an active part of the development lifecycle. Before the digital revolution, security was a manual and reactive function: When something broke, work halted, and IT experts looked into the problem and fixed it.

That pre-digital era is over, and in today’s world a reactive approach means you’ll be left in the dust. So why are so many companies still stuck using old, manual methods?

According to Justin Arbuckle, vice president of worldwide transformation and chief enterprise architect at Chef, “One of the primary reasons many enterprises hold onto manual security testing is the concern with verifiable and auditable trails. Companies want to have someone reviewing every line of code to make sure it’s up to regulation standards and there aren’t any holes leaving a company open to breaches. But this slows down the speed at which companies can operate, and in the end isn’t as secure as baking security checks and testing into every step of production.”

Arbuckle adds that another reason so much effort is still invested in manual review is the age-old issue of trust and control. People default to wanting control over an area as sensitive as security, leading to countless manual reviews. And while automated approaches are both tested and proven, it will take time, and more breaches, to move the majority toward trusting an automated approach.

Tradeoffs? It's mostly benefits

Aside from expedience and consistency, what are the benefits organizations can expect from automating testing of security-related functions?

Security testing should be treated like any other aspect of software delivery. It should be configured from a checklist of pretested options that are repeatable. When developers are able to bring security and compliance into the software pipeline, it removes laborious processes involving paper trails, reviews, and multiple sign-offs spanning weeks and months. Companies incorporating automated security testing into the workflow see added benefits of consistency, immediacy, and increased velocity.

“With automation, security testing is completed the same way every time and there is nothing subjective about passing or failing frameworks. This also allows for comparison and communication between previously separate teams, to ensure an entire company, not just one division, is compliant and protected,” says Arbuckle. “Moving security testing earlier in the cycle and deploying test automation means teams have instant feedback. There’s no more waiting for reports to run or manual calculations to take place, and teams can identify and fix vulnerabilities immediately, providing greater safety to data and information.”

Adopting automated testing keeps companies compliant and protected even as standards and attackers evolve, without having to restart the audit process from the beginning each time. Not only does automation increase the speed at which a company can operate and push out updates (also referred to as velocity), it also makes it possible to consistently apply regulatory requirements and security controls in large-scale environments that may include many thousands or tens of thousands of servers.

Storms points out that one of the mantras of security in general is that any little bit provides at least some value. It all contributes to reducing or minimizing risk over time. “Even if a company implements small amounts of automated security testing in the [software development lifecycle] at first and increases code coverage over time, they will eventually find themselves in a much better position than before.”

Bottom line: Automated testing offers consistency

The reluctance to trust automated processes makes sense on some level. Security is crucial, and it’s hard to entrust something as important as security to an automated test. The simple fact, however, is that automated testing is conducted more consistently and more frequently, and the result is typically much better overall security with significantly less manual effort.

There will still be issues that arise that require manual input or human intervention. Automated testing takes care of the 80 percent of tasks that are routine and repeatable, though, so that IT security professionals can focus on the 20 percent that cannot be properly managed or resolved through automated testing.

In the end, the organizations that embrace automated software testing will be more secure and have a strategic advantage over Luddite competitors that insist on doing things the old-fashioned way. 

Do you agree? What are some other ways to overcome objections to automated security testing? Add your comments below.
