Updated: Feb 27
There's often a frantic beginning to January. Almost as though we're trying to make up for all that precious time we "lost" over the holidays :)
If you're a software startup, I don't need to ask: I'm convinced there's a lot on your plate. As you get a head start on the year, I want to call out four essential types of software security tests your engineering team should be running to reduce cybersecurity risk, produce evidence of due diligence, and accelerate security compliance certifications.
The Key Software Security Tests
1. Static Code Analysis: This involves using tools to automate the discovery of coding flaws as your engineers write code in their editor and/or as they commit code to a central repository. Good tools identify issues, explain why they are problematic, and recommend fixes. Giving your developers the ability to catch security bugs as they code, and letting your team configure rules that block buggy code from reaching production, is a game-changer. You'll be training your engineers, producing more secure software, and generating evidence of security compliance.
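To make the "identify, explain, recommend, and block" behaviour concrete, here is a toy static analyzer added as an example (it is not code from the original post and does not reproduce any particular commercial or open-source tool). It walks the Python AST for a few well-known risky call patterns, attaches a reason and a fix to each finding, and exposes a gate function of the kind a commit hook or CI job would call to fail the build on high-severity findings. The rule set, severities, and the sample source it scans are all constructed for illustration.

```python
"""Minimal AST-based static analysis check (added example, not a real SAST tool).

Each rule carries the three things a good tool reports: what was found,
why it matters, and what to do instead. gate_passes() models the
'block buggy code from reaching production' rule.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    line: int
    severity: str
    why: str
    fix: str


# Constructed rule set: rule id -> (severity, why it is a problem, recommended fix)
RULES = {
    "eval-call": ("high",
                  "eval() executes arbitrary code; attacker-controlled input becomes code execution",
                  "parse the input explicitly, e.g. with ast.literal_eval or json.loads"),
    "shell-true": ("high",
                   "subprocess with shell=True lets shell metacharacters in arguments alter the command",
                   "pass an argument list and drop shell=True"),
    "weak-hash": ("medium",
                  "MD5/SHA-1 are unsuitable for password hashing",
                  "use a dedicated password KDF such as bcrypt, scrypt or argon2"),
}


def _call_name(node: ast.Call) -> str:
    """Return a dotted name for the callee, e.g. 'subprocess.run' or 'eval'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


class RiskyCallVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _report(self, rule, node):
        severity, why, fix = RULES[rule]
        self.findings.append(Finding(rule, node.lineno, severity, why, fix))

    def visit_Call(self, node):
        name = _call_name(node)
        if name == "eval":
            self._report("eval-call", node)
        if name.startswith("subprocess.") and any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords
        ):
            self._report("shell-true", node)
        if name in ("hashlib.md5", "hashlib.sha1"):
            self._report("weak-hash", node)
        self.generic_visit(node)  # keep descending: nested calls are reported too


def scan_source(source: str) -> list:
    """Return all findings for one source file, in source order."""
    visitor = RiskyCallVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


def gate_passes(findings, block_on=("high",)) -> bool:
    """Commit/merge gate: False when any finding has a blocked severity."""
    return not any(f.severity in block_on for f in findings)


# Constructed sample source with one hit per rule (lines 5, 8 and 11).
SAMPLE_SOURCE = '''
import hashlib, subprocess

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)

def digest(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def calc(expr):
    return eval(expr)
'''

if __name__ == "__main__":
    found = scan_source(SAMPLE_SOURCE)
    for f in found:
        print(f"line {f.line}: [{f.severity}] {f.rule}: {f.why}. Fix: {f.fix}")
    print("gate passes:", gate_passes(found))
```

Real tools do the same walk with far richer rule sets and data-flow tracking; the point of the gate is that the same rule that explains the bug to the developer also decides whether the commit is allowed through.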
2. Functional Security Testing: This refers to testing that security features in your product behave as intended. For example, does your platform's session timeout feature execute properly? A recommended and seamless way to achieve functional security testing is to run (and wherever possible automate) tests to validate the proper implementation of every security requirement that comes out of the threat modeling process.
To learn more about Threat Modeling and how it determines necessary security features and how they should be tested, please check this video series.
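Taking the post's own example, a session-timeout feature, here is what an automated functional security test for that requirement can look like. This is an added example, not code from the original post: a small session store with an idle timeout and an absolute lifetime, an injectable clock so the test controls time, and a check routine that turns the requirement into pass/fail results. The 15-minute idle window and 8-hour hard cap are assumed values standing in for whatever the threat model specifies.

```python
"""Functional security test for a session-timeout requirement (added example).

Requirement under test (assumed): a session expires after IDLE_TIMEOUT
seconds without activity, never lives longer than ABSOLUTE_TIMEOUT
seconds regardless of activity, and an expired or unknown token is
rejected and removed.
"""
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before expiry (assumed requirement)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, activity or not (assumed)


class SessionStore:
    def __init__(self, clock):
        # clock() returns the current time in seconds; injected so tests control it
        self._clock = clock
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user_id, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user id if the session is live, else None (and drop it)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[token]   # expired sessions are removed, not merely ignored
            return None
        s["last_seen"] = now            # activity extends the idle window only
        return s["user"]

    def is_stored(self, token):
        return token in self._sessions


class FakeClock:
    """Deterministic clock so the test never depends on wall time."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_session_timeout_checks():
    """Exercise each clause of the requirement; returns named pass/fail results."""
    results = {}
    clock = FakeClock()
    store = SessionStore(clock)

    tok = store.create("alice")
    clock.advance(IDLE_TIMEOUT - 1)
    results["live_before_idle_timeout"] = store.validate(tok) == "alice"

    clock.advance(IDLE_TIMEOUT + 1)   # idle for longer than the window
    results["expired_after_idle_timeout"] = store.validate(tok) is None
    results["expired_session_removed"] = not store.is_stored(tok)

    # Keep a second session continuously active past the absolute lifetime.
    tok2 = store.create("bob")
    elapsed = 0
    while elapsed <= ABSOLUTE_TIMEOUT:
        clock.advance(IDLE_TIMEOUT // 2)
        elapsed += IDLE_TIMEOUT // 2
        store.validate(tok2)          # each call refreshes last_seen, never "created"
    results["absolute_timeout_not_extended_by_activity"] = store.validate(tok2) is None

    results["unknown_token_rejected"] = store.validate("not-a-real-token") is None
    return results


if __name__ == "__main__":
    for name, ok in run_session_timeout_checks().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Each dictionary key maps back to one sentence of the requirement, which is what makes the test output usable as compliance evidence rather than just a green build.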
3. Dynamic Analysis: This involves testing and analyzing the running application with automated tools. There are two major types of dynamic analysis:
i) Vulnerability Scanning: Specialized tools execute known exploit techniques against web apps, APIs, or cloud stacks. Some examples of tools you can use for free are OWASP ZAP, Burp Suite, and StackHawk (web apps, APIs), and ThreatMapper (cloud stacks, including containers, hosts, etc.).
ii) Fuzz Testing: Use automation (and machine learning) to generate and run edge-case, malformed, and unexpected inputs against APIs or other input entry points, in an attempt to discover vulnerabilities in API design or input validation. Some examples of tools you can use for free are Mayhem for API, Mayhem for Code, and American Fuzzy Lop.
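The fuzzing idea in miniature, as an added example rather than code from the post or from any of the tools it names: a mutation-based fuzzer that takes a valid seed message, applies random bit flips, truncations, insertions and boundary-value overwrites, and reports any exception the target raises outside its documented contract. The target is a hypothetical length-prefixed wire format written with a deliberate missing-bounds-check bug, shown beside a hardened parser that the same fuzzer cannot crash.

```python
"""Mutation fuzzer for an input parser (added example; format and bug are constructed).

Contract for both parsers: malformed input must raise ValueError and
nothing else. Any other exception is an input-validation bug.
"""
import random

EXPECTED = (ValueError,)   # documented rejection; UnicodeDecodeError is a ValueError too


def parse_message(data: bytes) -> dict:
    """Hypothetical format: [name_len:1][name][payload_len:2 BE][payload].

    Deliberate bug: no check that enough bytes are present, so truncated
    input raises IndexError instead of the documented ValueError.
    """
    if not data:
        raise ValueError("empty")
    name_len = data[0]
    name = data[1:1 + name_len].decode("ascii")
    off = 1 + name_len
    payload_len = (data[off] << 8) | data[off + 1]   # IndexError when truncated
    payload = data[off + 2: off + 2 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("short payload")
    return {"name": name, "payload": payload}


def parse_message_fixed(data: bytes) -> dict:
    """Same format with explicit length checks before every read."""
    if not data:
        raise ValueError("empty")
    name_len = data[0]
    if len(data) < 1 + name_len + 2:
        raise ValueError("truncated header")
    name = data[1:1 + name_len].decode("ascii")
    off = 1 + name_len
    payload_len = (data[off] << 8) | data[off + 1]
    payload = data[off + 2: off + 2 + payload_len]
    if len(payload) != payload_len:
        raise ValueError("short payload")
    return {"name": name, "payload": payload}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random structural mutation to the input."""
    d = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and d:                       # flip one random bit
        i = rng.randrange(len(d))
        d[i] ^= 1 << rng.randrange(8)
    elif op == 1 and d:                     # truncate at a random point
        del d[rng.randrange(len(d)):]
    elif op == 2:                           # splice in a few random bytes
        i = rng.randrange(len(d) + 1)
        d[i:i] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 4)))
    elif d:                                 # overwrite a byte with a boundary value
        i = rng.randrange(len(d))
        d[i] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    return bytes(d)


def fuzz(target, seeds, iterations=2000, seed=1) -> dict:
    """Return {exception type name: first input that triggered it} for
    every exception outside the documented contract."""
    rng = random.Random(seed)                # fixed seed keeps runs reproducible
    corpus = list(seeds)
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except EXPECTED:
            continue                         # correctly rejected, not a bug
        except Exception as exc:             # anything else is a finding
            crashes.setdefault(type(exc).__name__, candidate)
    return crashes


SEEDS = [b"\x05alice\x00\x03abc"]            # constructed valid message

if __name__ == "__main__":
    print("buggy parser:", fuzz(parse_message, SEEDS))
    print("fixed parser:", fuzz(parse_message_fixed, SEEDS))
```

The harness only distinguishes "documented rejection" from "anything else", which is exactly the signal fuzzers give you: the crash input is saved so the failing case can be replayed as a regular regression test once the parser is fixed.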
4. Penetration Testing: Engage people or firms with advanced security testing skills to find bugs that break the security model of the application under test. This testing should be carried out once static analysis, functional security testing, and dynamic analysis have been performed, and the testers should know that. Its aim is to find the harder-to-discover security bugs that those three methods miss. Penetration tests are usually executed at major product milestones (e.g. prior to a production release) or at a specified periodicity (e.g. once or twice a year) to ensure compliance with a security standard or certification. Increasingly, modern software companies also execute agile penetration tests against individual features or components, reducing the tech debt that accrues with infrequent penetration tests.
Why You Should Care About DevSecOps
You may have heard the terms "DevOps" or "DevSecOps". The latter ties security into the former. The promise is that the first three security test types described above can be automated into the product development and deployment flow. This greatly reduces the time and cost of identifying and fixing software security bugs.
The 5-Minute Security Assessment for Startups
You may be unsure where to start with the security tests we've covered, what to prioritize next, or whether you are reaping the rewards of your investments in this area. In any of these cases, I want to invite you to take our free 5-Minute Security Assessment, designed specifically for software startups.
Yes, it really does take only 5 minutes; then we do the rest. Once you complete the short assessment form, we craft two confidential reports: a Security Assessment Report that shows what your gaps and risks are, and a Security Recommendations Report with custom solutions and priorities that your team can either begin implementing or add to your roadmap.