When should you consider investing in security testing? How can you benefit from security testing...
Prevention is ideal, but detection is a must
"Prevention is ideal, but detection is a must" is a well-known phrase by Dr. Eric Cole, originally related to network security. Not all harmful events can be prevented, so the most important thing is to detect when they occur and respond accordingly. This mindset is familiar from fire safety: rather than attempting to prevent all fires from starting, the focus is on detecting them quickly and stopping them from spreading.
In cybersecurity work, whether it involves risk management or threat modeling, the goal is often to prevent or eliminate threats. However, this is unrealistic: for example, we cannot prevent cybercriminals from sending phishing emails, but we can aim to recognize them and act in a planned manner once they are identified.
From Fire Safety to Application Security
Security vulnerabilities can be compared to smoldering fires that can flare up into full-blown blazes under the right conditions. Programming errors are inevitable, but the key is to detect them early and fix them efficiently. Testing is a critical tool for identifying such errors. However, fixing security flaws should be more than just patching individual mistakes—it is essential to analyze how and why the error occurred and ensure that similar issues do not appear elsewhere. This approach fosters learning and improves prevention efforts.
Fixing Is Not Free
From a product manager’s perspective in software development, developers' time should primarily be used for creating business-critical features. Balancing between writing new code and fixing errors is an ongoing challenge. Therefore, at the process level, investing in prevention is worthwhile to avoid repeatedly fixing the same mistakes.
From Security to Quality Assurance
Cybersecurity and quality assurance processes both revolve around continuous learning and improvement. There are differences, however. For example, the end result is not assessed in the same way in fire safety as in software development: a fire either happens or it doesn't, whereas software quality is judged against certain tolerances. In software security, prevention means dynamic filtering mechanisms or a quality-control process that continuously evaluates and improves itself over time.
A fire alarm can indirectly indicate how well fire prevention efforts have succeeded; similarly, detection mechanisms in software development can report on their own effectiveness.
Security Is a Process of Continuous Improvement—And Quality Assurance Is at Its Core
Developing secure software is challenging, which is why security must be considered early and often. As the saying in computer games goes: "Save early, save often"—the same applies to software testing: "Test early, test often."
Cybersecurity is not just a technical problem. To paraphrase Einstein: "We cannot solve problems with the same thinking that created them." When error correction itself runs into problems, the solution often requires viewing the process from a new perspective.
Security, therefore, is not merely about risk management but fundamentally about quality assurance. Conversely, requiring quality assurance is an essential part of risk management. This link between security and quality assurance highlights something even bigger—the model of continuous improvement.