
Should security tests be part of a software quality assurance program?

Application security expert Michael Cobb reviews the essentials of any software quality assurance process.

Should security testing be a part of a software quality assurance program, or is the idea of QA more about verifying that a product is functioning properly? In other words, should general software QA be integrated with software security validation?

I often feel that the arguments about quality assurance, and about what should be classified as testing, verification or validation, detract from the goal of a software development team: a secure, reliable product that does what it is intended to do. In my mind, software quality assurance (SQA) encompasses the entire software development process from start to finish, so the whole progression of evaluating and monitoring the security of an application should be part of the SQA program, alongside other processes such as the design of the software and change and release management.

When it comes to security, the goal of software quality assurance is to confirm that the confidentiality and integrity of sensitive data are protected as it is processed, stored and transmitted, and that the application can resist attack to the agreed risk levels. This means that threat modeling scenarios and acceptable risk levels need to be established up front, so that developers and the QA team know what to expect and what to work toward.

Threat modeling, carried out during the application design stage, is the process of identifying and evaluating the risks to an application. The procedure identifies potential threats by categorizing the assets or sensitive information an application accesses. By having your security professionals and developers sit down together to analyze the application from an attacker's point of view, everyone will gain a better understanding of how and why a hacker may attack it and how the vulnerabilities can be removed. Threat modeling should take place when the user requirements for a new application have been gathered and work has started on the architecture and design of the application.

This exercise not only ensures architecture design issues are resolved early on, but it also creates a set of documents that identify and justify the security requirements of the application. Countermeasures can then be implemented and tested to ensure the application doesn't leave sensitive or personal information vulnerable to potential attackers. Any remaining security-related bugs or weaknesses should be tracked with an agreed escalation policy.

The aim of the software-testing stage is to uncover and locate bugs, and to validate and verify that the software works as expected and meets the business and technical requirements that guided its design and development. It makes little sense to run security testing and validation as a completely separate process, as that would only delay and disrupt the overall change and fix processes. Putting security within the software quality assurance program ensures that it is not covered as an afterthought or in an ad hoc fashion. It also helps ensure that the security controls implemented meet any necessary security standards and regulations, such as ISO 27001 or the Payment Card Industry Data Security Standard (PCI DSS).
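The following is an added example, not code from the article, showing what the two preceding points look like in practice: threat-model findings (here for a hypothetical file-download handler) become security test cases that run in the same QA suite as the functional ones, so a security regression is caught by the same change and fix process. The download directory, the function name and the TM-0x threat identifiers are all assumptions made for this illustration; the inputs are constructed.

```python
# Added example (not from the article): security requirements from the threat
# model run as ordinary QA test cases, next to the functional ones, for a
# hypothetical file-download handler.  Paths and threat IDs are constructed.
import posixpath

# Assumed deployment location of the files users may download.
DOWNLOAD_ROOT = "/srv/app/downloads"


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the download root."""


def resolve_download_path(root, requested):
    """Map a user-supplied file name to an absolute path under root.

    posixpath is used deliberately so the check behaves the same on every
    host; the request is treated as a POSIX-style relative name.
    """
    if "\x00" in requested:
        raise UnsafePath("NUL byte in requested name")
    requested = requested.replace("\\", "/")           # treat backslashes as separators too
    if requested.startswith("/"):
        raise UnsafePath("absolute path not allowed")  # join() would discard root here
    candidate = posixpath.normpath(posixpath.join(root, requested))
    root_norm = posixpath.normpath(root)
    # The trailing "/" matters: without it, "../downloads2/x" would pass
    # a plain prefix check against "/srv/app/downloads".
    if not candidate.startswith(root_norm + "/"):
        raise UnsafePath("path escapes download root")
    return candidate


def is_rejected(root, requested):
    """True when the handler refuses the request (used by the security cases)."""
    try:
        resolve_download_path(root, requested)
    except UnsafePath:
        return True
    return False


# Functional requirements: what the feature must do for legitimate input.
FUNCTIONAL_CASES = [
    ("plain file name", "report.pdf", DOWNLOAD_ROOT + "/report.pdf"),
    ("file in subdirectory", "2009/sep/report.pdf", DOWNLOAD_ROOT + "/2009/sep/report.pdf"),
    ("redundant separators", "2009//sep/./report.pdf", DOWNLOAD_ROOT + "/2009/sep/report.pdf"),
    ("name that merely starts with dots", "..report.pdf", DOWNLOAD_ROOT + "/..report.pdf"),
]

# Security requirements: each case is tied to a (hypothetical) threat-model
# entry, so a failure is traceable to the threat the control was meant to mitigate.
SECURITY_CASES = [
    ("TM-01 parent traversal", "../../etc/passwd"),
    ("TM-01 traversal hidden in a subdirectory", "2009/../../etc/passwd"),
    ("TM-01 sibling directory sharing the root's prefix", "../downloads2/secret.pdf"),
    ("TM-02 absolute path", "/etc/passwd"),
    ("TM-03 backslash traversal", "..\\..\\windows\\win.ini"),
    ("TM-04 NUL-byte truncation", "report.pdf\x00.txt"),
    ("TM-05 the download root itself", "."),
]


def run_qa_suite(root=DOWNLOAD_ROOT):
    """Run both groups in one pass; returns {case name: "pass" | "FAIL"}."""
    results = {}
    for name, requested, expected in FUNCTIONAL_CASES:
        ok = (not is_rejected(root, requested)
              and resolve_download_path(root, requested) == expected)
        results[name] = "pass" if ok else "FAIL"
    for name, requested in SECURITY_CASES:
        results[name] = "pass" if is_rejected(root, requested) else "FAIL"
    return results


def failures(results):
    """Names of failed cases; anything listed here goes into the tracked-defect list."""
    return sorted(name for name, verdict in results.items() if verdict == "FAIL")


if __name__ == "__main__":
    for name, verdict in run_qa_suite().items():
        print(f"{verdict:4} {name}")
```

The point of keeping both lists in one suite is that a developer who "fixes" the traversal check by stripping every ".." would immediately break the functional case for "..report.pdf", and a developer who loosens the prefix check would immediately fail TM-01; neither regression waits for a separate security review to be noticed.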



This was last published in September 2009



It should be, but depending on the risk associated with whatever software is being developed, it might be wise to have a specialized security tester come in to fulfill that role. We generally don't do that on my team because we develop internal software, therefore our risk is lower.
I am astonished that security isn't already a major component of software QA. We are, after all, living in a fairly dangerous time; way too many bad guys are lurking behind the door. It's worth keeping in mind that beyond some minor attention, this should be the work of specialists who focus tightly on security. We no longer have the luxury of letting it slide.
Rather, security-supporting programming patterns and practices should be a main part of the quality assurance process. Testing should focus on risk modeling and sampling. Automatic measures should be utilized for checking for known security threats.