Effective Security Assessments and Testing

Effective Security Assessments and Testing

David Culbreth (St. Mary's University, San Antonio, USA), Adan Guadarrama (St. Mary's University, San Antonio, USA) and Ayad Barsoum (St. Mary's University, San Antonio, USA)
Copyright: © 2020 |Pages: 7
DOI: 10.4018/IJCRE.2020070103
OnDemand PDF Download:
No Current Special Offers


Companies providing technology-driven services are held to the high standard of full availability, integrity, and confidentiality. Achieving even near-perfect availability is an increasingly daunting task, even for these companies with seemingly limitless resources. In order to approach this very challenging goal, strategies must be implemented to ensure that changes and improvements to the provided services do not leave the currently functioning environment vulnerable to attacks or introduce new issues. Systems and processes must be evaluated to ensure their efficient and effective operation. Administrative security controls must be audited to ensure the proper implementation of policies and procedures. A failure to properly evaluate the programs and procedures leaves an organization at risk for a data incident or an attack on the organization's assets. This paper covers some of the most important elements of security assessments and testing.
Article Preview

2. Establishing Product And System Definitions

Documenting the proper behavior of an application is a necessary step for secure and reliable development in every environment. This documentation should include the system behavior and configurations, preferably as a process diagram or as human-readable documentation. The inclusion of testing from the beginning of any development has also proven to be a useful supplement to the user documentation. Using strategies like test driven development (Astels 2003) or behavior driven development (Solis & Wang 2011) provide the opportunity for the project management to define their requirements in a formalized and reproducible fashion, such that the functionality, once developed, is known to work to the specifications and requirements initially produced. At IBM, a development team was able to reduce their defect rate by 50 percent by implementing test-driven development strategies in their retail store solutions (Jarvis & Nilletary 2014). In addition to the dramatic decrease of defects, test-driven development produces a reusable test asset, which is an invaluable tool come the time for regression testing. Product and system definitions provide critical guidance to the developers and users during and after the development period. Test driven development enhances this documentation with functional proof that the product works as intended.

The process by which a change is deployed is just as important as the testing that happens before it. Similarly, the deployment process must also be thoroughly tested and documented, as deploying a change to an application or an infrastructure is perhaps the riskiest portion of the process, as it adds an element of variation to an environment that is likely already functioning. Every step of the deployment process needs to be crafted with care and scrutiny. The tools used to develop the code must be reviewed to ensure proper code is generated. The repositories that store and track the source code must be vetted to ensure the code is not at risk for being leaked to prying eyes. Finally, when the package is ultimately deployed, the configuration must be deployed through a system known and tested to reliably deliver the correct results (Maximilien & Williams 2003). Mature change management will consider many aspects of each individual process. Each change should document its intended effect, and the tests run to ensure that the change executes its purpose with no unintended side-effects. Additionally, the precise actions to deploy the change will be vetted, checking whether this kind of change has failed before, and that there are no other conflicting changes happening at the same time. This list can contain a seemingly endless set of records to document, but a final important piece is the backout plan: what to do when the change goes south, despite your best efforts. Ensuring a functional environment is most frequently more important than implementing the change to it.

Complete Article List

Search this Journal:
Volume 5: 1 Issue (2023): Forthcoming, Available for Pre-Order
Volume 4: 2 Issues (2022): 1 Released, 1 Forthcoming
Volume 3: 2 Issues (2021)
Volume 2: 2 Issues (2020)
Volume 1: 2 Issues (2019)
View Complete Journal Contents Listing