Security issues are usually the most infamous of all, since they commonly involve economic losses, credit card theft, the release of private data and similar harms, bringing negative press and devastating business consequences.
One recent real-world example that no one can forget is the massive Equifax data breach of July 2017, in which the social security numbers of 99% of its customers (146 million people) were exposed. The company revealed that it had known about the security hole since March of the same year, yet failed to protect its customers' highly sensitive personal information. As a consequence, by September 2017 the company had lost $4 billion.
Breaches do not only occur in giant corporations like Equifax or in the financial sector; they also hit healthcare, retail, education and government, among others. The number of U.S. data breach incidents tracked in 2017 reached a record high of 1,579, according to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center® (ITRC) and CyberScout®.
This is why it is so important to keep security testing in mind.
The OWASP group provides many good guides, as well as tools, that allow teams to check for the typical security problems, such as cross-site scripting, injection, known vulnerabilities, etc.
Each organization's security risk will be different. It is important to determine the potential impact of a security breach on your organization in order to assess how much time and resources should be devoted to this area of quality. The more critical the security of your application, the more mature your testing should be, provided you take the proper measures to prepare for a breach.
Having at least some basic security checks running periodically lets teams consider this aspect of quality and, over time, improve their set of controls.
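As an added example (not code from the original article), here is the kind of basic regression check a team could run on every build for two of the problems named above: a comment renderer (cross-site scripting) and a user lookup (SQL injection), each in a vulnerable and a hardened variant, with checks that pass only for the hardened versions. The function names, probe strings and the in-memory database are constructed for illustration.

```python
import html
import sqlite3

# Constructed probes: inputs a security check feeds to the code under test.
XSS_PROBE = "<script>alert(1)</script>"
SQLI_PROBE = "' OR '1'='1"


def render_comment_unsafe(text):
    # Vulnerable: user input is concatenated straight into the HTML.
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    # Hardened: escape the input before it reaches the markup.
    return "<p>" + html.escape(text) + "</p>"


def _sample_db():
    # Constructed in-memory table standing in for a real user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def find_user_unsafe(conn, name):
    # Vulnerable: the SQL statement is built by string formatting.
    return conn.execute(
        "SELECT name FROM users WHERE name = '%s'" % name).fetchall()


def find_user_safe(conn, name):
    # Hardened: the value travels as a bound parameter, never as SQL text.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def check_xss(render):
    # Passes only if the raw <script> tag never survives rendering.
    return "<script>" not in render(XSS_PROBE)


def check_sqli(finder):
    # Passes only if the probe matches no user; a tautology that returns
    # every row means the input was interpreted as SQL.
    return len(finder(_sample_db(), SQLI_PROBE)) == 0


def run_checks(render, finder):
    # One call per build: a False here should fail the pipeline.
    return {"xss": check_xss(render), "sqli": check_sqli(finder)}
```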