Welcome to our Testing Titans interview series!
Our interviews are meant to bring attention to the unsung heroes of the software development world, Software Testers. Our goal is to raise awareness of software testing by conducting in-depth interviews with thought leaders and conference speakers working in QA, test automation, and cybersecurity.
Check-in regularly with this blog or follow on our social media channels as we continue to shine a light on the concepts, tools, and people that shape the quality assurance world. Read more of the series interviews on the Testing Titans page.
In this third instalment of the Testing Titans series, we spoke with Data Protection Officer, privacy specialist, and director of the cybersecurity consultancy firm Digital Interruption, Saskia Coplans.
Thank you for taking the time to speak with us Saskia. Could you tell us a little about yourself? Like who you are, what you do, and how you got started?
I’m a Data Protection Officer (DPO) and a privacy specialist. I have over ten years of experience in information security and governance, along with standards and policy development. I have worked across Europe and Central Asia for Governments, NGO’s, Regulators and the Private Sector.
I set up Digital Interruption in 2017 with Jahmel Harris because we wanted to create a consultancy service that was accessible to everyone. We’ve designed a practice specifically for the needs of startups and SME’s (small and medium enterprises)who need security. We were the first consultancy to advertise our prices, which we still do, and offer fixed price testing; this removes much of the cost barrier for smaller organisations. We also work with businesses to integrate security into their pipeline by providing the tools and skills for developers and software tester to take on the role of security champions. This makes security attainable and scalable for many smaller organisations.
I help Jahmel run the Manchester Grey Hats a community group in Manchester that runs free workshops and events to teach security skills to people learning security. I’m a founder of the Infosec Hoppers, a group of women confronting the gender gap in InfoSec by working together to highlight diversity issues in the industry and make conferences, events and meet-ups more accessible. I also sit on the board of OWASP Manchester.
Given the current issue of the coronavirus forcing many employees to work remotely, what is the biggest impact on this from a cybersecurity perspective?
We’ve noticed that in the race to move everyone to home working the general security hygiene of many smaller companies lapsed as it is harder to enforce remotely. We found issues such as VPN’s not having been stress-tested so, in understandable frustration, employees were bypassing them to access systems. Some companies didn’t have work from home, or own device policies, which additionally could put their data at risk. In response, we put together a guide to help smaller companies which has been shared through the GM Cyber Advisory Group, on which we sit on and through varies social media channels. We have provided guidance to many of our clients on how to migrate to home working safely.
We, and other researchers, have found some security flaws in software such as Zoom, that have seen a massive upturn in use as a result of changes in behaviours stemming from lockdown. Zoom fixed these flaws within a week of reporting, possibly as there was speculation that a UK Government Cabinet Meeting had been Zoom Bombed after the Prime Minister inadvertently shared the call ID on Twitter. However, this may be an issue across many platforms which will be pushing out software changes such as online queueing systems for pharmacies and supermarkets or releasing poorly tested solutions to respond to the lockdown situation.
Cybersecurity is in the media and on the minds of a lot of businesses due to the increase in cybercrime and the implementation of GDPR. Have you noticed any prevalent misconceptions that people have about cybersecurity or what penetration testing can provide them?
The most common misconception of GDPR is that it bans the processing of all personal data, rather than regulates how it is processed. Many businesses see GDPR as a blocker. I’ve been asked several times if a specific software would mean they could bypass GDPR. The answer is always no. If you process data that is identifiable and relates to EU citizens or residents, then you must follow the regulation.
Security is still often seen as a nice to have, and penetration testing is overlooked or seen as an unnecessary expense. Although I don’t advocate penetration testing as the only measure used for security, it does play an important part in the security toolkit. Its purpose is to uncover vulnerabilities so they can be fixed before release, but all to often a pen test isn’t acted on or is seen as a certificate of heath, so clients have asked us to remove high-risk vulnerabilities we have discovered from the report (which we can’t do.) We will of course re-test following fixes to validate that the vulnerability is no longer there.
It seems that most of the cybercrimes taking place are low-skilled hackers installing ransomware on small-and-medium business targets. Is this mostly the case? What’s the best way for these businesses to protect themselves from this kind of attack?
It’s really hard to tell where an attack has come from, and in the end it doesn’t really matter. If you’ve been breached, you’ve been breached. If someone burgled your house or stole your car, would you care if it was an organised criminal gang or some kids who found out how to do it on the internet? The outcome would be the same, your house is still burgled or car stolen.
Instead of focusing on the who, we advocate focusing on the how. If you use tools such as threat modelling you can start to unpick the potential threats to your assets and understand how to better protect them. We use gamification, such as Microsoft’s Elevation of Privilege card game, to help teams of developers, software testers, UX designers and security champions to model their own assets and integrate the findings into the pipeline so they can integrate security as a functional requirement.
Has the adoption of GDPR and the UK’s Data Protection Act influenced more businesses to act? Or is still the case of people acting more reactively rather than proactively?
Most businesses will have gone some way to adjusting for the GDPR, but where we would hope situations such as the Cambridge Analytica and Facebook scandal would be prevented by the adoption of the GDPR, this does not necessarily translate to safer software. The GDPR is a regulation rather than a framework, so it’s not prescriptive and requires interpretation. It basically says you must take reasonable measures to secure data, but reasonable is a subjective term. It also says a significant breach must be reported immediately, but again what constitutes significant.
This means businesses are more likely to take a risk-based approach to fines relating to data breaches rather than a risk-based approach to the impact of security flaws. A breach of the NHS could have devastating consequences far more impactful than a fine. The Ashley Madison breach, for example, resulted in two suicides, and the Lion Air Boeing 737 Max 8 jetliner that crashed into the Java Sea off Indonesia, killing all 189 passengers and crew, was due to what investigators described as a “glitch” in the plane’s flight-control software.
Outside of a cybersecurity expert/ethical hacker, how do you see the QA tester role adopting cybersecurity testing? Can they sufficiently learn the skills to become an all-round tester?
QA testers are brilliant at security. They are our cousins. We are both naturally inquisitive and both poke at things until they break. Non-technical QA testers can advocate for good security and utilise things like threat modelling to work with developers and designers to integrate security. More technical QA testers can run test cases themselves using integrations in tooling they are already using. There is a wealth of information available on security as well as bespoke training. We have trained hundreds of developers and QA testers on all aspects of security over the last three years, which has helped embed security directly into the pipeline, rather than as a separate department. In fact, QA testers can often be better at finding some vulnerabilities, as they have a better understanding of and relationship with their software than we do Also, as our tests are contained to a number of days, QA testers will have more time to test and re-test software as it is developed.
Should QA testers be proficient in using tools like ZAProxy or Burp Suite or should they have a deeper knowledge of the OWASP Top 10 and further?
In my opinion, anyone who creates software should have at least some understanding of security and the OWASP Top 10, but Zap and Burp are hacker tools. They have been created for hackers, not developers and QA testers, and this makes them challenging and time-consuming to use. We think security tools designed specifically for developers and QA testers are far more useful, which is why we created REX and would like to see more security integrations into existing tools such as Selenium.
How do you see the rise of DevOps affecting security in the development process? What challenges do you see in security being integrated into the DevOps framework?
We have been advocated of DevSecOps for years and have spoken at both DevOps Days Chicago and DevSecOps Days London. DevOps is the enabler for DevSecOps as DevSecOps embeds security in every part of the development process. This means automating core security tasks by embedding security controls and processes early in the DevOps workflow.
The rise of DevOps should mean greater integration with security, but there are two main challenges we tend to see; the first is lack of security tooling. It’s difficult to integrate current security tools into a DevOps pipeline because they are designed for hackers and pen testers. We are starting to see a slight change, such as an API available in both Burp Suite and ZAP, but they are still not quite suitable. The second issue is culture; the security community can be a difficult one to work with sometimes, and since DevSecOps is about removing the silos, we need to see the security industry communicating better with all teams.
What do you predict to be important trends in cybersecurity in the next 2 to 5 years? AI? Machine Learning? Zero-trust?
Some parts of security will never change, which is especially obvious given we’re still finding SQL Injection vulnerable after 21 years of it first being written about.
What I do see happening though is a change of methodologies such as a push towards DevSecOps and better security integration into organisations. As more people become involved with security, we’ll start to see an interesting increase into the types of skills available to us, including Machine Learning. On the one hand, this is a good thing as we’ll be better able to perform security testing, but on the other it can be dangerous. We’re already starting to see an increase in Deep Fakes (AI used to create fake videos). I think we may also see a move away from passwords as these are very error-prone and a bad password is one of the easiest ways for us to penetrate a company. Instead, we may start seeing more token-based authentication where we use a hardware device or mobile apps to authenticate with services.
Thank you, Saskia, for your thoughts cybersecurity, GPDR, how the coronavirus is affecting this sphere.
If you enjoyed what you just read be sure to check out the rest of the Testing Titans series blow as well the rest of our blog.
Welcome to the second instalment in the Testing Titans series! The goal behind these interviews is to lift the veil on the software testing world
Welcome to Testing Titans! Consider this the first in a series of many in-depth interviews with movers and shakers in the software testing and quality