In my last post I wrote about protecting the supply chain and how strong bricks make strong walls, referencing how creating software with strong internal components and securely crafted code adds strength to the enterprises using that software. When considering any component being added into an environment, evaluating its security posture and attack surface is an important part of the purchasing equation. Vendor security reviews have become a critical control in supply chain security and asking the right questions helps ensure that the components placed in an enterprise add strength and not weakness.
When I described strong bricks, I answered a few questions around the crafting of software and what goes into it – source code and third-party libraries. In this article I’ll look at another question: How do we ensure that the built software – the bricks – are as strong as they need to be? In other words, the parts that went into building the software are sound, but what about the assembled whole?
What I Learned from Commercial Breaks: Stress Tests and Crash Test Dummies
There was a common trope in commercials not so long ago, of products being tested in entertaining ways: gorillas abusing luggage, things being subjected to extreme heat and cold, and a PSA featuring mangled crash test dummies imploring us to wear our seatbelts. While comically absurd, these ads had some basis. Commercial products are tested for quality and to ensure they perform as expected and as intended. Software is no different – along with testing to ensure features and functionality do what they are supposed to do, quality assurance also includes making sure the software is safe to use, i.e., secure.
Testing a physical product can be incredibly destructive. Automobile crash tests destroy the very thing they’re meant to test, but in the service of protecting the most important thing: the people inside the vehicle. In the software industry, we do something similar, subjecting applications to requests, inputs, and manipulations they wouldn’t face under normal use.
What we’re trying to determine through this testing is whether we’re still able to protect the most valuable thing under these conditions – the data. These tests also help us build resiliency into the applications and understand how the system operates under stress and unpredictable situations. As with other types of testing, the goal is to find weaknesses in the system and remove or mitigate them.
Returning to the theme of creating strong bricks for strong walls, it’s not enough to use high-grade components. These components also need to be assembled in a way that ensures the final product stands up to the rigors of use and abuse. We don’t want to just put the brick in the wall and hope for the best; we need to make sure it strengthens the wall, lest the whole thing crumble when put to the test.
How Fortra Builds Strong Software
How does the testing metaphor translate to Fortra’s managed file transfer solution, GoAnywhere MFT? Like physical products, we also put our software to the test, simulating what an attacker might do to break or break into the software. We do this from two different perspectives: an independent outside view and an internal one. The other aspect of testing is frequency. Software changes often, so it’s important to test continually to find any weaknesses that may have been introduced with new, changed, or removed code. Fortra conducts an internal and a third-party test at least once a year to validate that the software remains strong and resilient.
Testing consists of multiple approaches. Automated scans provide a broad understanding of the software and its areas of weakness; fuzz testing sends different types of inputs to endpoints to see if the software reacts adversely; and lastly, manual testing uses the information gained to go deeper on the areas of potential weakness found through automation.
Third-Party Security Testing
It’s important to get an outside, independent perspective when testing software. This allows for a fresh perspective and helps avoid any blind spots or assumptions that may be held. These tests may use different tools, tactics, and techniques to allow for a broader amount of coverage. Anything learned from these tests gets incorporated back into the software to shore up any weak spots. Third-party testing is also an important control in our compliance efforts and is reflected in our compliance reports.
Internal Security Testing
Internal testing provides a unique view into the product which is unavailable to a third-party tester. These internal testers have access to source code, internal security scan results, a direct line to developers, and the ability to tailor testing toward areas of concern to our developers. This allows for more depth along with the breadth of coverage desired. Having an internal testing team also means we can put software to the test more frequently so changes that happen between third-party tests are incorporated into the scope. This two-pronged approach provides additional assurance that the software we are building is as strong as we can make it.
GoAnywhere MFT: Trusted, Tested, Secure File Transfer
GoAnywhere MFT is a secure file transfer solution that’s rated highly by third-party industry analysts as well as users. See what the latest Info-Tech report has to say about GoAnywhere’s features, benefits, and validation claims. Then, schedule a live demo to see how the security features in GoAnywhere can help protect your organization’s most valuable asset – your data.