If you're a regular blog reader, you've likely read a few of our interviews with the
Director of Quality and Testing (Q&T) and Global Head of Strategy, Ioana Petrescu. As the leader of our Q&T team, Ioana is part of the R&D department, which means cybersecurity is an important element in the work she does. We recently caught up with her about cybersecurity from a Quality and Testing perspective. Here's the interview.
How do you integrate cybersecurity considerations into your testing strategies and methodologies?
Cybersecurity starts from the code storage principles to our testing setups and the configurations we use in testing. There are a variety of ways in which cybersecurity is part of day-to-day activities and not only our deliverables.
How critical is penetration testing to ensure our software is "Secure by Design?"
Our Security by Design is an end-to-end approach to product development that builds in security from the beginning. Our PEN testing is done by experts and a dedicated team and is an ongoing cycle that helps us make sure our software is cyber-secure.
Can you explain how penetration testing differs from other testing activities and why it's essential for identifying vulnerabilities in software?
PEN testing is different, first of all, because it is done by a team of experts. Second, because it looks for a different kind of vulnerability in our software than regular testing does. The PEN testing team will behave/think like hackers to see how the system could potentially be entered. From their findings, they will close any possible vulnerabilities.
How are cybersecurity issues reported or handled differently than bugs or feature requests?
Usually, there is a report after the PEN testing that also reflects the impact of the issues found. From there, the business decides how urgent the fixes need to be handled by the R&D team. In a way, it's quite similar to the usual bugs and features process, but the priority of these issues is always considered higher.
Have you used or contributed to the FIN Framework IT Hardening Guide?
As the lead of the Q&T department, I have contributed by explaining in more detail some of the functionalities of the product to be able to identify all the possible details that should be included in the Hardening Guide.
What advice would you offer to organizations looking to strengthen their software security testing practices?
I think anyone serious about cybersecurity with systems that connect to the internet needs to consider their security strategy before going to market to prevent critical attacks on their system. By utilizing software like FIN Framework, which is "Secure by Design," their products and services will be inherently cybersecure.
