TMap Day 2011

Nov18


Yesterday I gave two presentations at TMap Day 2011, the event where new trends and developments around testing and TMap are presented. I gave one of the central presentations, together with Rik Marselis, on PointZERO, and took part in an interactive debate session on what the Cloud can mean for testing. Other tracks covered Mobile App Testing, (Fr)Agile, Test Data Management, Quality in Control, Infrastructure Testing, Model Based Testing, and partner sessions from HP, Microsoft and IBM.

The whole day was a success as far as I could tell, but two highlights stood out for me. Both of them were in the central sessions. One was the close of the morning: we had a puppeteer recap the morning. Too bad he swatted Rik and me, but he was a great entertainer. The other was a clip in the presentation Rik and I gave about PointZERO. Rik showed a movie that got people thinking (and laughing) about ‘watching’ for specific defects.

Testing cyberspace threats

Nov04


This post was originally posted by me on blog.sogeti.com

At the time of writing, a two-day international conference is underway in London, UK, focused on the threat from cyber-security attacks. Cyber attacks are a threat to the whole online community. We have seen a lot of hacks from groups like Anonymous. These hacks can serve malevolent purposes, but maybe also good ones, as in this video:

Anonymous threatens to release information on the members of Mexico’s Zetas drug cartel. I don’t agree with the things Anonymous does, but I certainly don’t agree with drug cartels either. But think about this: the cartel is holding an Anonymous member hostage, and in response Anonymous threatens to release personal data on the Zetas. The result would be that the identities of the cartel members are made public, so everybody knows who they are. It seems it would solve a problem that intelligence agencies cannot solve.

But there is one question. Who checks the data? Anonymous? What if the data is incorrect? Innocent people will be associated with the drug cartel. And what if an Anonymous member has a grudge against someone like you or me?

But hacker groups like these are not the main threat for most companies. Such groups can even help companies by pointing out the flaws in their systems, and when the companies don’t listen, the hackers try to break in to prove the point. The bigger problem is the sub-groups surrounding these hacker groups. Knowledge about targets and techniques is often shared with people who have a different (and less well-meaning) motivation. They try to break into systems wherever they find them: your mobile, your tablet, your laptop, your server or even your data centre. Their objective is to make life miserable for you, simply because they find it fun.

In my personal opinion, it’s almost impossible to defend against a group like Anonymous; if they want to break in, they can and they will. This is the same for your house or office. If a real burglar wants to break in, he or she will. But there are also ‘wannabe’ burglars and ‘wannabe’ hackers. They know only a little, but they use that knowledge to their own advantage. You can keep these ‘wannabes’ out, out of your home or office and out of your systems. But how?

Well, there are many ways to keep them out, but before you can keep them out you need to know what to protect. Just a lock on the door isn’t enough. That’s why you need to know how secure your application actually is, and how secure it should be. Security is an essential part of the quality of a business process and should therefore be part of every application developed for it. So you need insight into the security of your applications, and that insight comes from testing the security.

In the development and maintenance of applications, security should be an essential part of the requirements, the design and the development. And to demonstrate that an application is safe, its security should be tested. Why?

  • Users expect good quality and want to be confident that the application is safe. Without insight into the security risks, it is not possible to give users that assurance.
  • Legislation and rules such as privacy acts, PCI DSS, SAS 70 or SOX require that security is in order. The proof is obtained by executing tests.
  • Sometimes it’s necessary to demonstrate that the application is sufficiently protected against various forms of damage. Nobody wants negative publicity or to be confronted with all kinds of claims. Testing shows the status of that protection.

Note: Testing provides insight into quality, but does not by itself improve the application. When weaknesses are found, they are recorded as findings, and the improvements are a separate step that still has to be made.

Testing for security risks encompasses many types of tests or reviews including these options:

  • A ‘spotlight security scan’ provides a limited indication of the security of an application. This is a one- or two-day scan of the most critical part of the application, which gives good advice on further steps in application security, particularly on following up any issues uncovered;
  • ‘Functional security testing’ has a strong focus on what the application should not do (negative test cases) and looks at how it might be misused;
  • A ‘code review’ is a static security test that looks at the source code. It can be highly effective because it is done early in the development process, before the application has been completed (the same holds for static analysis). The code review scans the code for security weaknesses and, when done early, creates awareness among the whole project team and the stakeholders, which can lead to early improvements and major savings for the remainder of the project;
  • A full ‘security assessment’ or penetration test is a thorough investigation that provides insight into the safety of the application, but also of the network and the infrastructure it runs on.

By gaining more insight into application weaknesses it is possible to keep the ‘wannabe’ out and create a safer application.

The future of the cloud is full of hot air

Nov02


The cloud is full of the idea it propagates. It is not a new way of providing computing power, but a business model around offering standard, metered services. But maybe the trend is that the cloud is fading; full of hot air. In Gartner’s newest ‘Top 10 Strategic Technologies for 2012’, cloud computing has fallen from the top spot it held the last two years to number 10. What that article also makes clear, though, is that its ideas will stand. With the launch of Apple’s iCloud, for instance, it was clear to me that there is a connection between mobile apps and the cloud. The same goes for the efficiency of data centres and for big data. All of these use the principle of the cloud.

In my opinion the future will result in a complete fade of the cloud. The cloud will merge with other developments. Most IT will dissolve into services like those of utilities (water, gas and electricity). And therein lies also its weakness. These ‘utility services’ have to cover a specific need, like the apps on your smartphone or tablet do now, and they need to cover only that need. When a greater need is covered it can only go wrong; there is either a shortage of functionality or a surplus of it.

Because of those ‘delimited’ services, a whole different way of working arises for software developers. These companies need to evolve into service integrators; their services don’t have to be directly related to cloud computing, but the cloud will support another way of working: working in short cycles on standard work packages.

How do I see this? Well, first there is the fusion of services already in place. Google Apps (like Gmail) and Hotmail are already ‘in the cloud’, and nobody thought about it, or even worried about it. People use applications like Evernote that are based in the cloud, where the content is downloaded to your ‘app’ when you open it. And now that Apple is moving data into its iCloud, this accelerates even more.

In the near future more and more mobile apps will depend on an Internet connection to get the data or computing power they need: not only by downloading it, but by using it in real time. Think of updates on your flight schedules, but also your phone bill and even your bank accounts. Those things will not stay on your phone or tablet; instead a small client runs on the device and uses the cloud as its back office. It even looks like we are moving back to the client-server model, but with better use of the back office…

Tip: Keep your eyes open when using these cloud-based applications. Your data no longer lives only on your device, so there is always a risk!

Thus, the cloud itself will increasingly fade into the background, but its ideas will be incorporated in more and more applications.