2016 Issue #3

As if software defects weren't scary enough, bad actors are constantly trying to exploit those defects. Learn below why security testing is so important to your company, and your career.

Articles in this issue:

  • Testing to Secure Your Security
  • See the "Testing to Secure Your Security" ASTQB Webinar
  • Build Your Career through the ASTQB Career Center
  • News and Offers from ASTQB Accredited Course Providers
  • See Us at Upcoming Events

Testing to Secure Your Security

By H. Taz Daughtrey and Randall Rice, CTAL Full, CTFL-AT, CMT

The villain threatens our hero with the menacing "We can do this the easy way, or we can do this the hard way."

What the villain wants is some information our hero is reluctant to reveal. The "easy way" is for our hero to relent and share the secret. The "hard way" implies some pain will be inflicted in attempting to extract the information.

Safeguarding computerized data is a similar challenge, with plenty of villains trying to pry loose the information. In this case, although the "easy way" is initially painless, it is not truly easy or painless. The villain infiltrates our hero's system and happily does his worst, often undetected for weeks and months. Only when the breach has been discovered and the losses tallied does the pain begin.

The "easy way" of neglecting security - or neglecting to assess security - is sure to lead to payment later, often in the most unscheduled and unbudgeted manner. Paying - or rather investing - upfront in security measures may seem the "hard way" but in the end should spare much of the pain that would otherwise be felt.

What have you got to lose?

Security breaches are derelictions of duty ... the duty to safeguard what was entrusted to you.
Security breaches cost, both in monetary and reputational terms.
Security breaches invariably make the headlines.
Security breaches may put you out of business.

For example, if your business needs to comply with the Payment Card Industry (PCI) Data Security Standard, some but not all of the monetary costs may come from:

  • a mandatory forensic examination
  • notification of customers
  • credit monitoring for affected customers
  • PCI compliance fines
  • liability for fraud charges
  • card replacement costs
  • upgrade or replacement of POS system
  • reassessment for PCI compliance.

On the non-monetary side, ongoing costs may accumulate from:

  • damage to your brand and business reputation
  • bad publicity that will probably persist indefinitely in social media
  • loss of payment card privileges
  • your time and attention.

In a 2014 study on breach notification [1], 57% of the people who had received a breach notification letter from a business said they lost trust and confidence in the organization. Worse, 29% of those surveyed said they terminated their relationship with the responsible organization.

Commissioner Luis A. Aguilar of the U.S. Securities and Exchange Commission reports [2] that small and medium-sized businesses (SMB) are finding it increasingly difficult to recover from attacks. He cites a National Small Business Association survey [3] that a growing number (up to 33 percent) of firms take at least three days to recover from an attack. And, in an especially dispiriting development, the survey found that SMBs that were the victims of a cyberattack were more likely to be targeted again. A not-insignificant proportion (some [4] claim as much as 60 percent) of small firms go out of business within six months of a data breach.

What's the Problem?

The novelty and difficulty of the problem can be illustrated by considering the source of defects in software. Traditionally, software quality practitioners, including testers, have dealt only with accidentally injected defects that will be discovered accidentally, that is, in the normal course of using the system. The assurance task has been first to prevent and then to detect and remove such defects before the user encounters them.

But now malicious agents are seeking out these accidentally injected defects. These are the bad actors who seek to exploit buffer overflows or lack of input checking for their own purposes. More worryingly, defects are being injected deliberately. Whether they then intend to take advantage of these vulnerabilities themselves or wait for an unsuspecting user to trigger some exploit, software quality is definitely endangered.

These bad actors are mastering ever-more subtle and successful ways to hijack, pervert, or plunder computer-based resources. Their criminal activity takes many forms, such as extortion through ransomware or disruption through defacement or denial-of-service attacks. And it always seems the offense is a step or two ahead of defensive measures. Software no longer simply "breaks on its own," and those who depend on it must be aware of, and responsive to, these attacks.

What is to be done?

Is it enough to add explicit security requirements and then test against them? Can anyone elaborate all the cases where one specifies "The software shall not do thus-and-so under such-and-such conditions"? Unlikely in the extreme.

As illustrated below, most acceptable behaviors of a system can be specified, but the full range of unacceptable behaviors is beyond practical enumeration. Thus security testing has to mean much more than simply testing against security requirements.

Testing can provide a significant contribution to the assurance of system acceptability. Yet its value is greatly dependent on the capabilities of those designing and conducting the tests. As systems become more complex and more dependent on the (essentially invisible) element of software, specialized knowledge and informed judgment are increasingly required of testing personnel. Further, to meet robust security demands, systems need to be tested not only for what they will do but also for what they will not do.
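To make the point concrete, here is an added example in Python (not from the article or the ISTQB syllabus): a username check that passes every test derived from its stated requirement yet fails a generated negative test, because Python's `$` anchor also matches before a trailing newline. The requirement, function names and inputs are constructed for illustration.

```python
import random
import re
import string

# Constructed requirement for this illustration:
# "A username is 3 to 16 ASCII letters or digits."
# The pattern reads like a faithful implementation, but in Python `$`
# also matches just before a trailing newline, so "alice\n" is accepted.
USERNAME_RE = re.compile(r"^[A-Za-z0-9]{3,16}$")


def is_valid_username(name: str) -> bool:
    """Requirement-driven check as a developer might first write it."""
    return USERNAME_RE.match(name) is not None


def is_valid_username_hardened(name: str) -> bool:
    """Same requirement; fullmatch() has no trailing-newline leniency."""
    return USERNAME_RE.fullmatch(name) is not None


def requirement_tests(check) -> bool:
    """Tests derived from the requirement: what the system *will* do.
    Both implementations above pass these."""
    accepted = ["abc", "Alice42", "a" * 16]
    rejected = ["", "ab", "a" * 17, "al ice", "al-ice"]
    return all(check(n) for n in accepted) and not any(check(n) for n in rejected)


def negative_tests(check, trials: int = 2000, seed: int = 1) -> list:
    """Tests for what the system must *not* do: valid names with one
    character outside the allowed alphabet appended. Every one of these
    must be rejected; the function returns the ones wrongly accepted."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    junk = "\n\r\t\x00 ;'\"/\\<>"  # constructed out-of-alphabet characters
    wrongly_accepted = set()
    for _ in range(trials):
        base = "".join(rng.choices(alphabet, k=rng.randint(3, 15)))
        candidate = base + rng.choice(junk)
        if check(candidate):
            wrongly_accepted.add(candidate)
    return sorted(wrongly_accepted)


if __name__ == "__main__":
    for fn in (is_valid_username, is_valid_username_hardened):
        print(fn.__name__, "requirement tests pass:", requirement_tests(fn))
        print(fn.__name__, "wrongly accepted:", negative_tests(fn)[:3])
```

The requirement-derived suite is green for both versions; only the generated negative tests expose the gap in the first one.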

Security testing has not been properly addressed. Last year, for example, while compliance with all other PCI Data Security Standard requirements had increased, the compliance rate for security testing actually declined - to only 33% of surveyed companies [5]. And these requirements really represent only a lower boundary of what testing can and should be done.

Tester qualifications are built up by means of individual education and experience. These qualifications may then be measured against professional community consensus standards expressed in a body of knowledge. The certification examination should ideally consist of questions that address the full range of expertise from identification and application all the way to analysis and synthesis.

The International Software Testing Qualifications Board (ISTQB) recently approved a new certification for security testers [6]. It would be most helpful for those testers already working to address security issues or individuals trying to develop specialized expertise in security testing.

What are some of the typical business objectives that a certified security tester would be expected to accomplish?

  • Plan, perform, and evaluate security tests.
  • Align security test activities with project lifecycle activities.
  • Effectively use risk assessment techniques to identify security threats and their severity.
  • Evaluate effectiveness of established security policies, procedures, and mechanisms.
  • Help the organization build information security awareness.
  • Analyze and select candidate security test tools.
  • Select and apply appropriate security testing standards and guidelines.

Certified Security Testers should be able to demonstrate their skills in performing tasks such as:

  • Evaluate an existing security test suite and identify any additional security tests needed.
  • Identify security test objectives based on functionality, technology attributes, and known vulnerabilities.
  • Analyze a given situation and determine which security testing approaches are most likely to succeed in that situation.
  • Demonstrate the attacker mentality by discovering key information about a target, performing actions on a test application in a protected environment that a malicious person would perform, and understanding how evidence of the attack could be deleted.
  • Analyze and document security test needs to be addressed by one or more tools.

The wide range of insight and involvement required of a security tester is reflected in the content of the certification syllabus [7].

  • The Basis of Security Testing addresses risks, policies and procedures, and the role of auditing in testing.
  • Defining objectives, evaluating different test approaches, and identifying stakeholders are some of the concerns under Security Test Purposes, Goals and Strategies.
  • Test planning, design, execution, and maintenance are detailed as Security Testing Processes.
  • It is clear that security must be "built in" during system development and not "tacked on" at the end, so there are many specifics of Security Testing Throughout the Application Lifecycle.
  • Testing Security Mechanisms assesses the appropriateness and strength of defensive measures such as system hardening, encryption, malware scanning, and intrusion detection.
  • Defenders need to know what they are defending against, so Human Factors in Security Testing includes material on threat analysis and social engineering.
  • The importance of Security Test Evaluation and Reporting is documented, as is the proper selection and use of Security Testing Tools.
  • Given the constantly evolving threats and expectations, one needs to remain conversant with Standards and Industry Trends on an ongoing basis.

Investment in security testing is a proven means of reducing the likelihood and severity of security failures. The greatest return on that investment comes when the testing is done with maximum efficiency … and that, in turn, depends on testers who are skilled and knowledgeable in the most up-to-date threats and countermeasures.

Individuals pursuing ISTQB certification as a security tester are enhancing their own professionalism and value. A company employing certified security testers is positioning itself to better weather the storms that are only going to strengthen in the future.

  • The Security Tester certification is positioned as a "specialist" certificate at the Advanced Level, meaning a candidate must first submit proof of Foundation certification (CTFL) and a resume and/or employer verification of 3 years' experience.
  • The exam for Advanced Level "Security Tester" has 45 multiple-choice questions to be completed in two hours. The value of each question is weighted on the basis of its difficulty as measured by knowledge level (corresponding to Bloom's taxonomy of the cognitive domain).
  • Further information is available at https://www.astqb.org/advanced-tester/ and exam registration may be done at https://www.astqb.org/get-certified/istqb-software-tester-certification-exam-registration/

[1] www.ponemon.org/local/upload/file/Consumer Study on Aftermath of a Breach FINAL 2.pdf

[2] "The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses" at www.sec.gov/news/statement/cybersecurity-challenges-for-small-midsize-businesses.html

[3] National Small Business Association, 2014 Year-End Economic Report, 16 (2015), available at http://www.nsba.biz/wp-content/uploads/2015/02/Year-End-Economic-Report-2014.pdf

[4] National Cyber Security Alliance, America's Small Businesses Must Take Online Security More Seriously (Oct. 2012), available at www.staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic

[5] http://www.csoonline.com/article/2895772/data-protection/verizon-report-security-testing-compliance-down-from-last-year.html

[6] http://www.istqb.org/certification-path-root/advanced-security-tester/advanced-security-tester-contents.html

[7] https://www.astqb.org/documents/Advanced-Security-Tester-Syllabus-GA-2016.pdf

See the "Testing to Secure Your Security" ASTQB Webinar

If you enjoyed the above article, you'll really enjoy the free webinar about the new ISTQB certification for security testers featuring H. Taz Daughtrey and Randall Rice, CTAL Full, CTFL-AT, CMT.

This webinar will show you why the new ISTQB Security Tester Certification can help both you and your company secure your future. While there are a limited number of seats for the live webinar on September 27, 2016 from 1:00 PM - 2:00 PM EDT, you may see the recorded version of the webinar when it is posted a few days later. There is no need to request information about the recorded webinar, as we will send an email broadly when it is available. If you are ASTQB certified, you may register for the live webinar until it is full: https://www.astqb.org/account/webinar.php

Build Your Career through the ASTQB Career Center

One of the great advantages to becoming ISTQB Certified through ASTQB is the "ASTQB Software Testing Career Center." It has everything you need to build your software testing career:

And for those of you seeking to hire quality testers, the ASTQB Career Center lets you search for ISTQB certified testers or post a software testing job.

Learn more right now at the ASTQB Software Testing Career Center

News and Offers from ASTQB Accredited Course Providers

SQE Training: Experience the Power of a team consisting of ISTQB-certified individuals. Let SQE Training partner with your organization to design a training plan that meets your team’s learning and development objectives. We create certification and training roadmaps for the different roles and areas of expertise - Foundation Level, Agile, Mobile, Advanced Level - and can deliver the training at your location with On-Site Training or offer special pricing for groups of three or larger. Learn more at sqetraining.com/power.

Rice Consulting Services: Rice Consulting Services is offering a special bonus on ISTQB Foundation Level e-learning for teams of five or more people. Enroll five or more people in CTFL e-learning courses and get one extra registration free, including exams. Use code "ISTQB6" at www.mysoftwaretesting.com when purchasing the 5-person enrollment version. (GSA discounts are also available for federal, state and local government agencies.) This offer expires on October 7, 2016.

RBCS: Schedule any RBCS ISTQB or ASTQB certified tester course to take place onsite, at your organization, between now and December 31, 2016 and receive a 16% discount off of all training delivery fees (does not apply to exam fees or expenses). Contact info@rbcs-us.com or call +1 830-438-4830.

ALPI: SAVE with multi-person discounts for ISTQB training / certification, Microsoft test tool training, and HP test tool training / certification. Get peace of mind with our exclusive "ALPI Free Refresher Guarantee." Contact our Training & Education team for details at training@alpi.com or by calling (301) 654-9200 ext. 403. Choose from DC Metro, Denver Metro & Live, Virtual classes. This offer expires September 30, 2016 so email or call right now.

See Us at Upcoming Events

Stop by the ASTQB booth at these upcoming events! Say hello, learn about the latest certifications, and make new connections.

  • STP Con Fall September 19-22
  • STARWEST October 2-7 (get a free expo pass for Thursday, October 6 here)
  • Better Software East November 13-18

What Would You Like to Learn About?
As always, we welcome your feedback and criticism. Let us know what we can do to help make you and your company better at software testing at info@astqb.org.

About ISTQB Certification News
ISTQB Certification News is a free software testing newsletter from ASTQB providing news, analysis, and interviews for the software tester community. Feel free to forward to colleagues or ask them to subscribe at: http://www.astqb.org/sections/newsletter.php

Non-profit, non-commercial publications and Web sites may reprint or link to articles if full credit is given. Publication, product, and company names may be registered trademarks of their companies.

Copyright 2016
American Software Testing Qualifications Board, Inc. (ASTQB)
15619 Premiere Drive, Suite 101
Tampa, FL 33624 USA
Phone 813.319.0890
Fax 813.968.3597
ISTQB is a registered trademark of the International Software Testing Qualifications Board.