With the move to e-commerce and remote working forced on businesses, IT departments have had to take IT Security even more seriously. Opening up infrastructure and systems to remote access has broadened the attack surface for potential hack attacks and malware considerably.
You can deploy state-of-the-art hardware and software to improve IT Security, but the price of safety is eternal vigilance. Not all attacks can be detected automatically, even using advanced AI techniques. Often it is the skill and experience of a warm-bodied observer that raises the alarm.
A second step is regular testing of security procedures. This is essential because new attack vectors and malware threats arise every day. Implementing a software upgrade can inadvertently introduce a new opening for a threat.
That is why training your QA team and testing your security defences is essential in the war against hackers and malware.
Why is it essential to include Security in QA?
Traditionally, QA was concerned only with ensuring that systems as developed met the requirements set out in the original, or modified, specification. QA started at the design stage to make sure the design conformed with corporate policies, practices and procedures. It came into its own during testing, when the systems as developed were tested for completeness and accuracy and, again, for conformance with the specifications.
Today, when the security of personal and corporate data is of paramount importance, QA has moved into the area of IT security, covering the hardware and software and security policies and procedures.
In many jurisdictions, there are regulatory and compliance requirements, such as the GDPR. Failure to meet these requirements can open up an organisation to civil and criminal penalties. These penalties are often not just a slap on the wrist; they can severely affect business operations.
Security breaches could, in the worst case, close down a business and, at the very least, cause severe reputational damage.
How to Implement QA Security Testing with the QA Team
The Security Strategy
The first step is for the QA team to understand the security strategy. They need to know what it is, and most importantly, the known gaps in it. It will never be possible to have complete protection against hacking and malware. To paraphrase Donald Rumsfeld, “We know what we know, we often know what we don’t know, but there are things we don’t know we don’t know”. In this context, that means an entirely new type of threat could come out of left field at any time, and we have no protection against it. There will always be gaps in the security wall.
The strategy must include procedures for dealing with new and unknown threats.
The Security Infrastructure
The QA team need to work closely with IT to document the existing infrastructure and regularly update it with upcoming changes. This covers hardware, software and any physical considerations.
Create a Threat Matrix
The overall objective of IT Security is to prevent malware and hacking attacks.
The first step is to carry out research into current malware trends and vulnerabilities based on the current infrastructure.
With that information, QA can draw up a matrix setting out the vulnerable points liable to attack, the potential threats that could attack those points, and the consequent downstream effects on the organisation.
This matrix is often created as two complementary documents: one setting out potential Threat Profiles and the second a Traceability Matrix.
The Threat Profile document assesses the threats. It examines their characteristics, how they can be identified and how they can be countered. The Traceability Matrix looks at their effect on other elements of the infrastructure and business systems.
Tools and Documentation
Once you know all of this, you can select and implement the tools and documentation that will support the QA testing environment. A combination of continuous automated tests and manual testing is ideal.
Doing QA
QA testing is not a one-off exercise. It needs to be carried out continuously as systems evolve, new threats appear and business objectives change.
The QA team need to keep up with new threats and counter-measures, as do the IT department network staff. This means a regular programme of updates, use of technical and social media, and a close link with the suppliers of the IT Security hardware and software.