Checking for software security bugs only at the release stage can cause serious extra costs. Maintaining the security of an information system is always expensive, and the client often underestimates its importance. While none of the development stages can be skipped, the client pushes the team to work faster. The client's concerns are quite reasonable, however.
Clients are also often reluctant to start testing at the very beginning of a project, most likely because of planning concerns: it is easier to plan the whole project if you wait and test at the end. However, this is quite risky. A client could get lucky and suffer no serious consequences, but this "ideal situation" almost never happens. If no testing occurs early on, the whole project suffers greatly when bugs are detected at release.
The more you invest early, the more you save later. This is no secret: the earlier you find a bug, the lower the cost of fixing it. Whatever stage a bug is found at, the fix has to go back to the point where the defect was introduced, be corrected there, and then be re-implemented and re-verified through every subsequent stage.
According to the Ponemon Institute, the average cost of a data breach to a company was $3.5 million in 2014. Thus, the earlier a company detects a defect that allows unauthorized users to enter the system, the more it saves. It is beneficial to consider all the security requirements already at the requirements stage and during architecture development.
Comprehensive approach. To avoid redeveloping software, many companies apply a comprehensive security approach that builds detailed checks into every stage of development.
These approaches have several stages in common. First, during training, all project participants are introduced to the fundamentals of information security. Once those fundamentals are in place, the team receives detailed security requirements and an implementation plan. At the design stage, participants build a threat model and identify possible attack vectors. During implementation, the code is scanned with security tools, which reduces the number of bugs and avoids extra rounds of testing later.
Following these steps, at the verification stage the team validates the application's behaviour on the target devices, and during the release phase it performs a final evaluation of system security against the established requirements. Response, the last stage, checks how the incident response plan is executed if an incident occurs.
Not just a theory. No comprehensive approach is a panacea, but it does provide a number of recommendations that raise the quality of the future application. It is critical that every team using this method adapts it to the needs of the project.
However, do not skip the training phase. Developers and system architects must be very experienced, since the final level of system security rests on their shoulders.
Aleksey Abramovich is head of the security testing department at A1QA, a provider of full-cycle quality assurance and application testing services.