How QA and application security are one in the DevOps age

Brent Jenkins, Evangelist, Micro Focus Fortify

Every year, Micro Focus surveys hundreds of executives from a variety of industries and dozens of countries to determine the greatest challenges in maintaining software quality for the World Quality Report. In 2018, the survey took the pulse of 1,700 executives across 10 industries in 32 countries.

Security continued to be the main driver of quality assurance (QA) testing, with 47% of respondents stating that security is an important aspect of their IT and QA strategies. However, enhancing the customer's experience came in a close second, with 42% of respondents citing this consideration as a key part of their IT strategy. Finally, producing higher-quality software, better responding to business demands, and optimizing the cost of IT tied for third place, with 36% of respondents citing those factors.

The variety of benefits cited by companies is a marked change from previous reports—security has historically been the raison d'etre for companies' QA programs, with no other considerations coming close. In 2016, for example, security dominated the list of IT strategy considerations, with two-thirds of all companies citing enhanced security as the primary benefit of QA.

In 2018, with more companies pursuing agile development and DevOps software lifecycles, the greatest challenge for software professionals is maintaining quality while increasing development velocity. Improving software quality and catching defects improves many other areas, so many of the objectives of QA testing directly support the main goal: catching defects that could affect security.

Security continues to be the main driver of application testing at many companies, but these other drivers will also convince companies to invest in better quality. In the end, many of the non-security considerations for IT strategy will bolster product security as well. Here's how.


Responsiveness to business aids security

With the advent of cloud infrastructure and DevOps software development and deployment, companies are increasingly trying to deliver their applications and services faster, cheaper, and with fewer defects. Nearly three-quarters of all applications are hosted in the cloud and, in many cases, in more than one cloud or in a hybrid environment.

Keeping developers in line with business objectives in a fast-moving software development cycle means focusing on QA and business risk at each step. The drive toward more and better automation exemplifies this link. Test automation, when done right, can result in faster software development cycles, more consistent discovery of defects, and improved software quality. Almost one-third of companies see the reduction of software development cycle times as a benefit of combining automation and QA testing.

DevSecOps: Doing DevOps right enhances security

Bringing automated test cases into fast-moving agile development and DevOps initiatives means focusing on quality throughout the development and deployment cycle. DevOps—combining development and operations into a single pipeline with a single team—results in faster product cycles, fewer defects in production, and better alignment with business goals. Before DevOps, testing often found a home in centers of excellence and was done after development. DevOps integrates automated testing into the software development process.

Test environments and data, however, are holding back many companies' moves toward agile development. A majority of respondents (61%) had challenges maintaining test data consistency across different systems, while managing the size of test data and developing data from production systems were the second and third most cited challenges. For this reason, companies should take a centralized approach to this challenge, creating smart test environments and data management capable of automated monitoring, provisioning, and maintenance.


Focusing on cost improves security

Overall, the WQR survey found that QA and testing budgets accounted for 26% of IT spend in 2018, down from the high in 2015 of 35%. Yet the lower budget likely indicates that companies have progressed on their QA programs and have matured enough to move to more efficient quality testing. Nearly three-quarters of all respondents believe that their company increased efforts on quality assurance.

Increasing maturity in testing directly supports security efforts, because it often translates to both better code coverage and the ability to test for a greater variety of security issues. Companies should improve their tracking of testing budgets in DevOps teams, however, to determine whether budget is being spent wisely.

Invest in your DevOps teams

To achieve all these benefits and improve security, application-security teams and developers have to work together. DevSecOps is focused on integrating security into the DevOps process so that software development is not hindered by security requirements but adapts to them. Investing in this integration and maturing DevOps teams should be every company's goal.
