Software Security Testing

Who Needs Software Security, Anyway?

Apr 12, 2016 By Andrei Cheremskoy

In recent years, the mobile and cloud computing revolution has brought a serious issue affecting both organizations and individuals to the fore: software security.

Every day we hear a new story about a website or application being breached and the sensitive information it held being sold, abused and exploited. As a consequence, companies lose their credibility (along with hefty sums of money) and customers lose trust in companies' ability to protect their personal information.

So it is a wonder how, in light of this, software security is still not a top priority for software companies, nor is it being taught in computer science courses, as a recent study found. Ask the recent computer science graduates, ISTQB-certified QA testers or senior developers you work with whether they were introduced to software security during their education or on the job. Chances are they have had little to no security training.

How is this still happening?

The answer has to do with an outdated view of software development education, and with underestimating how much security training thorough application security requires. Software security, as we have learned, is a practical matter that affects everyone.

But software education mostly neglects even basic security concepts. The main concern in programming education is teaching students to write code that works. While testing is taught more often than it used to be, the teaching usually skips over security testing: a test suite that only checks that valid input produces the right output says nothing about what the code does with hostile input. As awareness of software testing becomes more common, there should be an equal push for awareness of software security concerns.

How can we change the status quo for software security?

As mentioned earlier, there is an urgent need to make software security courses a top priority in computer science curricula, as well as in the professional programming and quality assurance training given at software companies. Companies need to provide on-site security training for employees and to incorporate security considerations into the SDLC from the start.

Dynamic testing, penetration testing and static code analysis must also become an essential part of the development process at any company that intends to survive in this age of insecurity. Security tools that integrate with an organization's existing tools and processes are best suited to a scalable and agile application security program.
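As an added illustration of the gap between functional testing and security testing discussed above (example code written for this edit, not code from the original post or from Checkmarx): a login function that passes its ordinary functional test, the same function failing a security test that feeds it SQL injection payloads, and a parameterized version that passes both. The user table, credentials and injection payloads are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed injection payloads: the first makes the WHERE clause always true,
# the second comments out the password check, the third is a lone quote that
# breaks the SQL syntax.
INJECTION_PAYLOADS = ["' OR '1'='1", "alice' --", "'"]


def make_db():
    """In-memory SQLite database with a users table (cleartext passwords, for brevity only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting. It 'works' for ordinary input, but
    attacker-controlled input becomes part of the SQL: classic SQL injection."""
    query = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_fixed(conn, name, password):
    """Same behaviour for ordinary input; user input is bound as parameters, never spliced into SQL."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def functional_tests(login):
    """The kind of test usually taught: right credentials pass, wrong credentials fail."""
    conn = make_db()
    return login(conn, "alice", "s3cret") and not login(conn, "alice", "wrong")


def security_tests(login):
    """The kind of test usually skipped: hostile input must neither authenticate nor crash."""
    conn = make_db()
    for payload in INJECTION_PAYLOADS:
        try:
            if login(conn, payload, payload):
                return False  # injection bypassed authentication
        except sqlite3.Error:
            return False  # hostile input broke the query: also a finding
    return True


def run_suite(login):
    """Run both halves; code that 'works' can still fail the security half."""
    return {"functional": functional_tests(login), "security": security_tests(login)}


if __name__ == "__main__":
    for label, fn in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(label, run_suite(fn))
```

Run it and the vulnerable version reports functional True, security False, while the fixed version reports both True. A static analyzer would flag the string-formatted query in login_vulnerable without executing anything; the security test here is the dynamic counterpart, and both belong in the same pipeline as the functional tests rather than in a separate, optional step.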

Where do we go from here?

To summarize: as software development and application usage have skyrocketed in recent years, the number of security breaches in those applications has followed the same trajectory. Security must therefore be taken seriously and become an integral part of software design, development, testing and maintenance. That is how we will make the world a more cyber-secure place, one step at a time.


Take care – and secure your code.


This blog is the first of our “Checkmarx Professionals Blogger” series. The series introduces additional points of view on application security from the perspective of the professionals on the ground who build, test and analyze software on a daily basis. It will include blogs written by Checkmarx security researchers, developers, QA engineers and even business representatives.

The first post is written by Andrei Cheremskoy, a Checkmarx QA Engineer.

By day, Andrei is a testing engineer and by night he ‘tests’ popular science books and articles on computing and creativity.


  • amit

    Hi Andrei,

    You are absolutely right in identifying the absence of application security training in the curriculum of computer science programs today. This is even more so for the developers that finished their schooling 4 – 5 years ago, and are now software development seniors and team leaders.
    The industry is responding to this by getting security training for their developers, as part of their professional training.

    Cheers,
    Amit
