Over the last few months I’ve been giving a lot of talks on Clouds and Testing. In June I even published an ebook about it – TMap NEXT® Testing Clouds. But the one question that comes up time and time again is “What about security?” And I almost always answer like this: “That’s a very good question! Security in the cloud can be an issue because you are sharing resources at the cloud provider. But can I ask why this is so important to you? How good is the security of your current application landscape?”
Most of the time there is no answer! Why? Because they really don’t know. Security is not ‘sexy’, and yet it should be of far greater importance, as all the security hacks of the last months have shown us. Hackers have broken into a lot of websites, and the best-known group is Anonymous. The hacks that have been executed have been bold, the most famous being the ‘Sony PlayStation Hack’ in April this year.
Security should be an essential part of application development – from requirements and design through to realization. It is possible to build application security into every stage of the application lifecycle. A proactive approach to application security introduces it as early as possible in the Software Development Lifecycle. A holistic approach ensures that an organization is compliant with the prescribed regulations, has control over application security, and has covered the necessary risks (as cheaply as possible).
What is more, to demonstrate that the applications are safe, they should be tested! The reasons for these tests are:
- Users of applications expect good quality and confidence that the application is safe. Currently this aspect of testing is not normally integrated into standard testing, and therefore there is a lack of insight into it;
- National and cross-border legislation and standards such as the ‘Personal Data Protection Act’, PCI DSS, SAS 70 or SOX mean that there is a requirement to have application security in order. Proving this, and the control over it, can be done by carrying out tests and assessments;
- It is necessary to demonstrate that the application is sufficiently safe to counter various types of damage. No one wants negative publicity or to be confronted with all sorts of claims. Testing shows the status of the security.
NB: One further aspect of security. A lot of organizations call themselves ‘SAS 70 certified’. That cannot be true! SAS 70 is an audit using quite a few evaluation criteria. SAS 70 is not a pre-determined set of standards that a service organization must meet in order to ‘pass’! When you look at the SAS no. 70 FAQ website, there is an answer to the question of ‘success’ or ‘no success’ criteria. When the service auditor concludes that the above items have been accomplished, the service auditor renders what is referred to as an "unqualified opinion." While a SAS 70 audit is technically not a ‘pass’ or ‘fail’ audit, the receipt of an “unqualified opinion” from the service auditor is often referred to as ‘passing’ the audit.
So the service auditor's report contains the audit opinion, the organization's description of its controls, and a description of the auditor's tests of operating effectiveness. It does not grant a SAS 70 certification (nor is there any such thing)!