Data leaks and cyberattacks: With digitalization advancing at a furious pace, attacks on enterprise software are also on the rise. Time and again, we hear about data leakage that puts companies and people at risk. Whether it’s customer data from Adobe, Facebook and eBay or credit card data from major banks – security breaches due to data theft run into the billions. But that’s not all of it! Hackers also leave serious traces in the “real” world: industrial installations have become a popular target for malware. In 2014, for example, the control system of a blast furnace at a German steel company was massively damaged. Even the German parliament has been hacked. And hospitals have been temporarily paralyzed by cyberattacks. These examples show how serious – expensive to life-threatening – software errors and attacks can be. That is why software testing and security testing are so important: they ensure the security of software, companies and people.

What is Software Testing?

Before I go into more detail about Security Testing, I would like to briefly summarize the function and goals of Software Testing. 

Software testing is an important part of software development and plays a decisive role in software quality. This is because testing enables software errors to be detected in advance and fixed in good time. It also verifies that the system complies with the specified requirements, including functionality, performance and reliability. In this way, even before the application goes live, it is checked: Are the requirements met? And does the software work properly? 

Benefits of Software Testing at a glance

Cost efficiency

On-time and continuous testing during development saves money in the long run. This is because fixing bugs earlier in the process usually costs less than fixing them later – not to mention the financial impact on third parties.

Product quality

Every software product aims for high quality. Testing ensures that a quality product is developed and delivered on schedule. Organized software testing is particularly important here.

Security

Software testing creates confidence and security at all levels. Software-related risks, threats and problems are eliminated at an early stage and correct usability is ensured.

Software testing can be done manually as well as automated. In manual testing, test cases are executed by a human without the support of tools or scripts. In automated testing, tests are executed by tools and dedicated software; in this case, developers write test code that verifies the application code works. There are many ways to test software. Among the most common are:

  • Unit tests (module tests)

  • Integration tests

  • End-to-end tests

  • Performance tests

  • Smoke tests

The type of testing depends on various factors. These include project requirements, budget, time and know-how. The goal is to achieve the highest possible test coverage from installation through functionality and application to maintenance. But be aware: just because a piece of software meets quality requirements in terms of functionality and performance, it does not necessarily mean that the software is secure.

Security Testing: Why security testing is important

Security testing is a type of software testing. It includes tests to ensure the proper and flawless functionality of a software product or application during software development. Security testing can be used to identify threats and risks of any kind in the system and to pinpoint potential security vulnerabilities with precision. Software developers can then respond quickly and safely, fixing the security issues with appropriate code changes. And that’s more important than ever these days: modern processes, growing mobility and huge volumes of data offer a multitude of attack opportunities for hackers.

Software security: Banks and insurance companies in the focus of hackers

Companies such as banks and insurance companies are particularly in the spotlight, as they hold enormously important and highly sensitive data (e.g. customer data). With this level of responsibility, appropriate software security means far more than the bare minimum of protection. In addition, insecure software endangers the integrity of data and the availability of applications. The goal of security testing is therefore to protect companies and users from the risks that can arise from the use of insecure software.

Security in the enterprise: When is a software secure?

The security of software is a decisive factor for the security of companies. It must function flawlessly and not have any security gaps. But as long as software is still programmed by humans, errors cannot be fundamentally ruled out. This makes professional security testing at all levels even more important. Security testing covers:

  • integrity

  • authenticity

  • confidentiality

  • vulnerability and

  • continuity

In addition to a universally valid code culture and good team organization, teams should above all use appropriate security tools. With the right tools, software security is kept high during development as well as in subsequent operation.
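As an added example (not code from the original post), here is what an automated test for the confidentiality item above can look like: a log sanitizer that masks card-number-like digit runs, with unit tests that assert the masking holds. The sanitizer, its regex and the sample log values are constructed for this illustration; a real project would put the same kind of assertions on its own logging layer.

```python
import re
import unittest

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or hyphens. Constructed pattern for this illustration; tune it
# to the formats your own application actually handles.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask_card_numbers(text: str) -> str:
    """Mask every card-number-like digit run, keeping only the last four digits."""

    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]

    return CARD_RE.sub(_mask, text)


def safe_log_line(event: str, **fields) -> str:
    """Build one log line; every field value passes through the mask first."""
    rendered = " ".join(f"{k}={mask_card_numbers(str(v))}" for k, v in fields.items())
    return f"{event} {rendered}".rstrip()


class ConfidentialityTests(unittest.TestCase):
    """Security tests: a full card number must never reach the log output."""

    def test_masks_spaced_number(self):
        self.assertEqual(
            mask_card_numbers("card 4111 1111 1111 1111 charged"),
            "card ************1111 charged",
        )

    def test_leaves_short_ids_alone(self):
        # An order id is not a card number and must stay readable.
        self.assertEqual(mask_card_numbers("order 2024-0001 ok"), "order 2024-0001 ok")

    def test_masks_every_occurrence(self):
        self.assertEqual(
            mask_card_numbers("from 4111111111111111 to 5500000000000004"),
            "from ************1111 to ************0004",
        )

    def test_log_line_never_contains_full_pan(self):
        line = safe_log_line("payment.ok", customer=42, pan="4111-1111-1111-1111")
        self.assertEqual(line, "payment.ok customer=42 pan=************1111")
        self.assertNotIn("4111-1111-1111-1111", line)


if __name__ == "__main__":
    unittest.main()
```

Run it with `python -m unittest` in the pipeline; a failing assertion stops the build just like a functional test would, which is the point: confidentiality becomes a tested property rather than a hope.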

Setup Example: Bitbucket Pipelines with SonarCloud

The following example shows how the security tool SonarCloud can be integrated into an existing workflow. You can see how quickly and easily this can be done. You can also use the example as a guide to integrate SonarCloud into Bitbucket Pipelines. SonarCloud brings some other useful features with it as well.

Short info for those who don't know SonarCloud yet

SonarCloud is a cloud service offered by SonarSource, based on the open source SonarQube platform. It is used to check and detect vulnerabilities, bugs and code smells in source code, supporting more than 20 programming languages.

Typically, SonarCloud is built into the deployment workflow and serves as a so-called quality gate before a new release goes live.

Example and guide: How it works

1. Open the SonarCloud website
2. Log in with your Atlassian credentials
3. Add a new project
4. Choose the project
5. Choose the analysis method
6. Choose ‘I need a pipeline’
7. Go to your Bitbucket repository settings and enable Pipelines
8. Go to Repository variables and add the SonarCloud token

[Screenshot: Bitbucket Pipeline + SonarCloud | Jodocus.io]

Tip

Furthermore, you should add the repository variable SONAR_SCANNER_OPTS with the value -Xmx2048m (this raises the scanner’s Java heap limit to 2 GB).

9. Add the following to your bitbucket-pipelines.yml

```yaml
image: python:3.8.3 # Choose an image matching your project needs

clone:
  depth: full

definitions:
  caches:
    sonar: ~/.sonar/cache
  services:
    docker:
      memory: 2048
  steps:
    - step: &build-test-sonarcloud
        name: Build, test and analyze on SonarCloud
        caches:
          - pip
          - sonar
          - docker
        script:
          - pipe: sonarsource/sonarcloud-scan:1.2.1
            variables:
              DEBUG: 'true'
        services:
          - docker
    - step: &check-quality-gate-sonarcloud
        name: Check the Quality Gate on SonarCloud
        script:
          - pipe: sonarsource/sonarcloud-quality-gate:0.1.4
        services:
          - docker

pipelines:
  branches:
    master:
      - step: *build-test-sonarcloud
      - step: *check-quality-gate-sonarcloud
  pull-requests:
    '**':
      - step: *build-test-sonarcloud
      - step: *check-quality-gate-sonarcloud
```

Tip

  • Under definitions, Docker needs to be given 2048 MB of RAM
  • Under each step, Docker must be listed explicitly as a service

10. When the pipeline runs, SonarCloud analyzes the source code in the repository. If SonarCloud finds one of the items listed above, such as a code smell, the pipeline build fails and you receive an evaluation on your SonarCloud dashboard:

[Screenshot: Bitbucket Pipeline + SonarCloud | Jodocus.io]

11. The problems found here can then be created individually as defects or bugs in Jira using SonarCloud’s automations.

Done!
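To make the quality gate step above tangible, here is an added example (not the SonarCloud pipe’s own code and not from the original post) of what such a gate check does: it reads the project status from SonarCloud’s `api/qualitygates/project_status` Web API endpoint and fails the build on any condition in ERROR. It assumes the token from step 8 is exposed to the build as SONAR_TOKEN and the project key as SONAR_PROJECT_KEY (both assumed variable names), and the two response payloads are constructed samples in the shape that endpoint returns.

```python
import json
import os
import sys
import urllib.parse
import urllib.request
from base64 import b64encode
from typing import List, Tuple

SONARCLOUD_URL = "https://sonarcloud.io"


def fetch_project_status(project_key: str, token: str, base_url: str = SONARCLOUD_URL) -> dict:
    """Fetch the quality gate status of one project (network call)."""
    query = urllib.parse.urlencode({"projectKey": project_key})
    req = urllib.request.Request(f"{base_url}/api/qualitygates/project_status?{query}")
    # The token is sent as the basic-auth user name with an empty password.
    cred = b64encode(f"{token}:".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate_project_status(payload: dict) -> Tuple[bool, List[dict]]:
    """Return (gate passed?, list of conditions whose status is ERROR)."""
    status = payload.get("projectStatus", {})
    failing = [c for c in status.get("conditions", []) if c.get("status") == "ERROR"]
    return status.get("status") == "OK", failing


def describe_failures(failing: List[dict]) -> List[str]:
    """One human-readable line per failing condition, for the build log."""
    return [
        f"{c.get('metricKey')}: actual value {c.get('actualValue')} "
        f"violates {c.get('comparator')} {c.get('errorThreshold')}"
        for c in failing
    ]


# Constructed sample responses (shape of api/qualitygates/project_status).
SAMPLE_FAILING = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "3"},
            {"status": "OK", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "85.2"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
        ],
        "ignoredConditions": False,
    }
}
SAMPLE_PASSING = {
    "projectStatus": {
        "status": "OK",
        "conditions": [
            {"status": "OK", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
        ],
        "ignoredConditions": False,
    }
}


def main() -> int:
    project_key = os.environ.get("SONAR_PROJECT_KEY")  # assumed variable name
    token = os.environ.get("SONAR_TOKEN")              # assumed variable name
    if project_key and token:
        payload = fetch_project_status(project_key, token)
    else:
        print("SONAR_PROJECT_KEY/SONAR_TOKEN not set; evaluating the constructed sample")
        payload = SAMPLE_FAILING
    passed, failing = evaluate_project_status(payload)
    for line in describe_failures(failing):
        print("quality gate condition failed:", line)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1   # a non-zero exit code fails the pipeline step


if __name__ == "__main__":
    sys.exit(main())
```

The non-zero exit code is what turns the analysis into a gate: the release step after it simply does not run. Keep the token in a secured repository variable, never in the YAML itself.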

Summary

With increasing digitalization, the attack possibilities for hackers are growing. At the same time, the opportunities to protect yourself in the best possible way are also growing. Especially companies that have a lot of sensitive data should protect their systems optimally. And even companies that are supposedly uninteresting to hackers should not treat their software security lightly. Professional security testing can ensure the proper and flawless functioning of a software or application in software development. In this way, software-related security gaps can be identified and fixed at an early stage. One quick and easy option of many for security testing is the integration of SonarCloud into Bitbucket. While it still doesn’t offer 100% security, it serves as an additional quality gate. The example from this blog post can serve you as a guide. We would also be happy to help you personally to improve software security – and thus the security of the company.