Recent historical milestones have brought with them major disruptions at a global level, which have accelerated digital transformation and prompted a rethink of the cybersecurity sector. What is the role of software testing in all this? What is Pentesting? Why is prevention so important? Gustavo Betarte and Roger Abelenda give their opinion in this article.
By Natalie Rodgers
“I think technology remains vulnerable. So there will be new technology. There will be new vulnerabilities. There will be new exploits and there certainly will be malware that leverages those exploits”, emphasized Rohit Ghai, CEO of RSA, a few days ago at “RSA Conference 2022” in San Francisco.
“We live in a hyperconnected world, where the physical and the digital is now indistinguishable… How on earth are we going to keep up with this torrent of global disruptions? Well, disruption is a tough but fair teacher in the Darwinian school of survival,” he outlined.
Rohit asked and answered, “In a world enamored with change, why should we care about constants? Well, constants are the basis for scientific progress. If disruption is a tough teacher, constants are that good friend that you can always go to for help. Constants give us a platform to build solutions.”
Cybersecurity is considered one of “the risks that worsened the most since the start of the pandemic” according to the World Economic Forum’s Global Risks Report 2022. According to it, in 2020, malware and ransomware attacks increased by 358% and 435% respectively.
“Ransomware as a service” allows even non-technical criminals to execute attacks, a trend that might intensify with the advent of Artificial Intelligence (AI)-powered malware.
An unprecedented pandemic, a tragic war… Today we see how different historical milestones, combined with relentless advances in technologies, are leaving deep marks. And with them, new ways of breaching digital security are emerging across the globe, forcing a rethinking of cybersecurity.
From the most advanced technology companies to the governments of the most developed countries. From financial institutions to individuals, schools, and hospitals. No one is exempt from being a victim of cyber-attacks. Every second we are vulnerable to new forms of malicious attacks, with effects on our daily lives, economy, and security.
At Abstracta, we are convinced that testing with a focus on software quality is crucial in the path of digital transformation, accelerated by the disruptions, which Rohit Ghai focused on at the RSA conference. Testing should be a constant in the lifecycle of all software, as part of the prevention and co-creation of secure, quality software.
With all this in mind, we interviewed, on the one hand, Gustavo Betarte, CTO of Tilsor, Abstracta’s partner company specialized in cybersecurity; and, on the other hand, Roger Abelenda, CTO of Abstracta.
– How Are Cybersecurity Regulations Applied in a Globalized Society?
Gustavo: It’s very difficult. Law requires defining the applicable law and jurisdiction, and many times it is not that of the country where the offense is committed. Or it is, but the perpetrator is not in the territory. Treaties between states and international cooperation are the known solution so far.
– How Can Cybersecurity Prevent Cybercrime?
Gustavo: It is not possible to prevent all cybercrime. First, it is necessary to identify the type of cybercrime to which the system to be protected may be exposed. This varies from system to system. There are various prevention techniques and procedures: authentication, access control, encryption of communications, and compartmentalization, among others. On the other hand, the definition, application, and control of organizational security policies are an important complement to the strictly technical ones.
Roger: The main thing is to be aware of the seriousness and risk, and from there, to effectively define and implement appropriate policies and mechanisms to reduce the impact of computer attacks. Something crucial in this aspect is to do it in a way that they are appropriate to the company they are applied to and find a balance between security (with the associated risk) and practicality/efficiency of work. A typical example of this is the security policies implemented in banks versus those needed by our house or a small company with little impact and attractiveness for attackers.
– How is an Incident Managed Once it has Occurred?
Gustavo: The incident management process comprises several stages, each with its own problems and difficulties. To be very schematic and concise: first response stage, containment stage, analysis stage, and remediation stage.
Roger: The first thing is always to stop the incident, block the attack. Then, assess the damage caused by identifying whether new points of attack may have been opened; convey the impact of the attack in order to be transparent with stakeholders (customers, partner companies, etc.); and implement measures to prevent future similar or other attacks that have been detected. These efforts do not necessarily have to be sequential. They can be done in parallel, i.e. being transparent with our customers about what is happening and keeping them informed while it is being resolved.
– What Role does Software Testing play in all this?
Gustavo: Software testing, and in particular the one aimed at verifying correctness from a security point of view, is a preventive mechanism.
Roger: It is fundamental when developing software to take into consideration good practices to avoid attacks and known practices that make the software vulnerable. This requires the alignment and shared responsibility of all those involved in software development: developers, testers, product owners and project managers, sysadmins, etc. Software testing in particular is fundamental as a way to have additional control over what is implemented, either with exploratory testing, manual or automated testing, or by using vulnerability scanning tools and/or static code analysis.
– What is Pentesting and why is it Relevant?
Gustavo: While a vulnerability analysis aims to identify the presence of known and already reported vulnerabilities, for example by quickly scanning a range of IP addresses, the penetration test goes a step further and tries to demonstrate how these vulnerabilities can be exploited by a potential attacker to damage the company or organization where the analyzed system is running.
In this type of evaluation, the analyst emulates an attacker’s own activity, seeking to identify ways and methods to breach the security of the system under analysis. For this purpose, automatic tools are used, but manual work is performed as well. In addition to detection tools, exploitation tools are used. And if necessary, plugins and/or tools to be used in each particular case are developed.
Roger: Pentesting, also known as penetration testing, is about accessing a system and gaining permissions beyond those expected and allowed. The practice itself attempts to detect potential attack points and then identify how to remediate them. It is like having a personal “hacker” who identifies the holes so that you can then go and plug them. In short, pentesting is relevant as a preventive measure.
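The distinction both answers draw, between a scanner that reports a suspected weakness and a penetration test that demonstrates “permissions beyond those expected and allowed” and then points at the fix, is easier to see on a concrete case. The following is an added example, not code from the interview, from Abstracta or from Tilsor: a small in-memory document service with a broken object-level authorization bug, a function that emulates the pentester’s probe (authenticated as one low-privilege user, walk the object ids and record what leaks), and the hardened handler beside the vulnerable one. All users, documents and function names are constructed for the illustration.

```python
"""Added example: broken object-level authorization, the pentester's probe that
demonstrates it, and the server-side fix. Everything here (users, documents,
function names) is constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, each owning exactly one document.
DOCUMENTS = {
    1: Document(1, "alice", "alice's quarterly report"),
    2: Document(2, "bob", "bob's salary review"),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorised for the object."""


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """Looks the document up by id only. Authentication happened upstream, but
    nothing checks that session_user owns doc_id, so any logged-in user can read
    any document simply by guessing ids."""
    return DOCUMENTS[doc_id]


def get_document_fixed(session_user: str, doc_id: int) -> Document:
    """Same lookup, but the authorisation decision is made on the server side
    against the caller's identity; knowing an id is not a permission."""
    doc = DOCUMENTS[doc_id]
    if doc.owner != session_user:
        raise Forbidden(f"{session_user} may not read document {doc_id}")
    return doc


def probe_object_access(handler, session_user: str, id_range) -> list[int]:
    """Emulates the pentester's step: authenticated as one ordinary user, walk a
    range of object ids and record every id whose data belongs to someone else.
    A non-empty result is a demonstrated finding, not merely a suspected one,
    which is the difference between a scan report and a pentest report."""
    leaked = []
    for doc_id in id_range:
        try:
            doc = handler(session_user, doc_id)
        except (Forbidden, KeyError):
            # Denied or non-existent: not a finding.
            continue
        if doc.owner != session_user:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    # Before the fix alice can read bob's document; after it, nothing leaks.
    print("vulnerable handler leaks ids:", probe_object_access(get_document_vulnerable, "alice", range(1, 4)))
    print("fixed handler leaks ids:", probe_object_access(get_document_fixed, "alice", range(1, 4)))
```

The same probe run against both handlers is also the regression test a team would keep once the hole is plugged, which is the “detect, then remediate” loop Roger describes.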
– Why is Prevention Important in Cybersecurity?
Gustavo: Because it allows us to anticipate and prepare for possible types of attacks. However, prevention alone is not enough. It must be complemented with detection and reaction mechanisms. It is not possible to obtain a high degree of security in a system using only preventive mechanisms. Why? Among other reasons, that would mean that you are aware of and know how to handle all the vulnerabilities of the system you are trying to protect.
Roger: The main problem with security and all the preventive measures is that until we are attacked we don’t realize the real impact an attack and not having the proper measures in place can have. A computer attack can lead companies to lose customers due to loss of confidence, lead to lawsuits, lead to customers/persons being directly attacked by data leakage, and most importantly, many people to lose their jobs and live very stressful and difficult moments. An adequate prevention policy allows us to sleep more peacefully and carry out our daily activities optimally, without major interferences. It is very important that companies actively invest in this type of measure, as well as that in the development and testing of software we always take into account these aspects and good practices in this regard.
– What are the Main Characteristics of a Good Cybersecurity Strategy?
Roger: It is a priority to have a protocol for potential foreseen attacks, including intervening actors, incident escalation, and timing. In addition, it is always necessary to have a backup plan for unforeseen situations. As with any plan, if you already have one, you can execute it quickly and avoid blind spots. The alternative is to improvise on the spot and under pressure, which can lead to potentially bigger problems than the attack itself. I believe that the main characteristic of a good cybersecurity strategy is to prioritize the human factor because technologies are developed and configured by human beings. So, in addition to testing and other forms of prevention, it is very important to focus on people, to work with them to inform them, and keep them committed to security.
Are you looking for a software testing partner? Abstracta is one of the most trusted companies in software quality engineering. This year, we are ranked #1 of the best software testing companies according to Clutch.