29) Does your organisation have a testing process to test business critical applications before they are deployed, to ensure there is no adverse impact on operations or security?
Answer yes if your organisation has a robust testing process implemented to appropriately test the deployment of applications to mitigate any adverse impact this may have on the operation or security of your IT estate. Please describe the nature of the testing process in the notes or provide a supporting document (as a PDF file) as evidence.
What is the control?
Whenever new applications are developed, there is the possibility of issues and unexpected behaviours. This is somewhat natural as the applications have not yet been used and therefore issues remain often undiscovered.
Testing gives an opportunity to replicate certain real-world conditions to eliminate as many issues as possible before the application enters production, reducing the likelihood of incidents which could impact availability of services or lead to a security breach.
Why should I have it?
New applications could present both functional and security issues for a number of reasons including the sheer complexity of applications, different parts of the application being developed in silos, functions not validating input, or unexpected behaviours due to circumstances the developers did not anticipate.
It’s therefore important to have a robust testing process to ensure that applications are sufficiently resilient and secure before going live, especially in business-critical functions. Without these, the real world becomes the test environment, and any issues are likely to carry material consequences with significant costs.
As a customer, it is of course a significant concern if a supplier does not perform adequate testing prior to releases, potentially putting the customer’s data or the availability of the service at risk.
How to implement the control
Create a policy that all application should undergo functional and security testing.
Security testing can be performed in a number of ways including Static and/or Dynamic Application Security Testing (SAST & DAST) and Interactive Application Security Testing (IAST), as well as manual code reviews.
Functional testing should also be performed where all possible functions of the application are tested, with every input and function subjected to malicious input to check their correct functioning in terms of validating input.
All of these testing approaches should be used as part of your development process, and you should have a testing programme that ensures the tests are as effective as possible by constantly receiving input from findings to tune what is tested and how over time.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
