CISA recently released its list of the top 10 reasons for security lapses in well-established enterprises that have a strong security posture. It is interesting to see that the top lapses come from not following the basics of security. In this article, we will take a look at how to align security testing with software quality.
Here are the top 10 reasons as per CISA for lapses in the organisations:
- Default software and application configurations
- Improper user and administrative user separation
- Insufficient internal network monitoring
- Lack of network segmentation
- Poor patch management
- System access controls bypass
- Weak or misconfigured MFA
- Insufficient access control lists on shared services
- Poor credential management
- Unrestricted code execution
Let us look at how to be effective in security testing for software quality.
Security Testing For Software Quality
As you can see, all of the topics above can be thwarted by careful application of proper validation and verification by the product team, especially the security testing folks. It is surprising that even in large enterprises, these kinds of vulnerabilities happen again and again, year after year. While human fatigue is given as the cause in most of the cases, automated checks should be able to catch many of the above. It looks like, for better quality, we need to raise the bar.
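As an added illustration of what such automated checks can look like (example code written for this article, not from CISA or any product), the following Python snippet audits a constructed, hypothetical service configuration and maps each finding back to an item on the list above. The configuration keys, the default-credential list and the 90-day patch threshold are assumptions chosen for the example.

```python
"""Automated configuration checks mapped to several CISA top 10 items.

The configuration format below is hypothetical and constructed for this
example; it does not correspond to any real product.
"""
from datetime import date

# Constructed sample configuration of a hypothetical internal service.
SAMPLE_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",                            # vendor default left in place
    "mfa": {"enabled": True, "enforced_for": ["admin"]},  # ordinary users exempt
    "accounts": [
        {"name": "alice", "roles": ["user", "admin"]},    # one account used for both
        {"name": "bob", "roles": ["user"]},
    ],
    "share_acl": {"everyone": "rw"},                      # shared service open to all
    "last_patch": "2023-01-15",
    "allow_unsigned_scripts": True,
}

# Assumed list of well-known vendor default credential pairs (illustrative only).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}


def check_config(cfg, today=date(2023, 10, 1), max_patch_age_days=90):
    """Return a list of (cisa_item, detail) findings for a configuration dict."""
    findings = []
    if (cfg.get("admin_user"), cfg.get("admin_password")) in DEFAULT_CREDENTIALS:
        findings.append(("default configuration", "admin account uses a vendor default password"))
    mfa = cfg.get("mfa", {})
    if not mfa.get("enabled") or set(mfa.get("enforced_for", [])) != {"admin", "user"}:
        findings.append(("weak or misconfigured MFA", "MFA disabled or not enforced for all roles"))
    for acct in cfg.get("accounts", []):
        if {"user", "admin"} <= set(acct.get("roles", [])):
            findings.append(("user/admin separation", f"{acct['name']} holds both user and admin roles"))
    if "everyone" in cfg.get("share_acl", {}):
        findings.append(("insufficient ACLs", "shared service grants access to everyone"))
    age_days = (today - date.fromisoformat(cfg["last_patch"])).days
    if age_days > max_patch_age_days:
        findings.append(("patch management", f"last patch applied {age_days} days ago"))
    if cfg.get("allow_unsigned_scripts"):
        findings.append(("unrestricted code execution", "unsigned scripts are allowed to run"))
    return findings


if __name__ == "__main__":
    for item, detail in check_config(SAMPLE_CONFIG):
        print(f"[{item}] {detail}")
```

Each check is deliberately simple; the point is that these are the kinds of checks a test suite can run on every build so the basics are verified continuously rather than only during a periodic manual review.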
Let’s take the above top 10 list as a reminder that basic security practices are important and must be taken care of. Security testing folks should keep this in mind. Security is an important pillar of software quality, and let’s always keep that in mind while designing our quality and testing strategy. The strategy should incorporate verification and validation of not just the top 10, but also many other aspects. For a detailed discussion of your organisation’s needs on software quality, feel free to get in touch with me.