September 30, 2014

Say "No" to More Security Testing Tools: 5 Reasons Less Is (Often) More


Security testing tools can be godsends for software developers and the quality assurance teams that support them. Automation is a big thing in this world of incremental releases and instant gratification, after all, and digital security for mobile and Web apps is just as large a concern as it's ever been. Tools allow us to achieve the former and pay much closer attention to the latter, often without devoting significant resources to the drudgery implicit in manual testing.

The problem? A multitude of tools doesn't guarantee a secure product. In fact, the more tools you utilize in the process of building an application, the more problems you can potentially encounter. Here are several reasons you might want to think twice before adding extra testing tools to your existing processes.

1. They Can Be Tricky to Install (and Use Effectively)
It shouldn't surprise anyone that testing tools are unwieldy. Anything designed to take over human behavior in the development world is pretty much guaranteed to be difficult to install and use properly. The issues arise when that unwieldiness has an impact on productivity. Learning and installing a new security testing platform can result in some seriously diminishing returns: The more time and resources you spend, the less valuable the tool is — especially if you're in the middle of developing a product while you implement it. Our suggestion: Keep it simple, or keep it out of your repertoire.

2. They Can Cause Compatibility Issues — and Headaches
If you've used your existing suite of security testing tools, you're likely certain that they work with your chosen development environment, code management tools, and so on. With a new addition, there are no such guarantees — there are tons of variables in the different tools/environments software developers use to create apps, and no single security testing tool can account for them all. Because of this, each tool you introduce to your process has the potential to create a compatibility issue that's just waiting to bite you in the proverbial butt.

3. They're Only as Strong as the Employee Using Them
Security testing tools don't fix problems — they catch them. It seems like a small distinction on paper, perhaps, but it's huge in practice: If a tester's tool catches an issue but the tester himself isn't able to exploit it, there's a very good chance the problem will be marked a false positive. That can result in a host of problems even nastier than the one the tester missed. As with compatibility issues, every new tool you bring on is another chance for someone to slip up, and slipups are much more frustrating when they involve problems that should have been caught right away. This point in particular highlights the importance of bringing in security experts for your products, either in a full-time capacity or as part of a security testing platform.

4. They Take Time
There's no shortage of "baked-in" downtime in software development, and security testing tools can certainly require some in order to work properly. Every tool has different goals and takes a different amount of time, but the basic facts apply no matter what: Whether you're taking half an hour to run a quick scan or half a day to test the newest addition to the trunk from every angle, each tool you run can potentially cost people valuable time. Adding security testing tools to your stable, then, only increases the amount of time spent — wait for it — doing security tests.

5. They (Often) Only Cover Certain Parts of the Software Development Life Cycle
Security awareness and testing should be full-time focuses for your company, not afterthoughts to be considered once everything else is done. Many security testing tools can only be used during certain parts of your app's life cycle, making it much harder to focus on the safety and security of your product as you develop it. While penetration testing and the like certainly have their advantages, catching and repairing potential security exploits as they arise makes a heck of a lot more sense than waiting for the very end of the process to find and fix them.

Before You Add Tools, Add Expertise
Don't get us wrong. There's a time and place for testing tools, and we'd be lying if we said they weren't useful. Our point? They're not a panacea. Human experience is necessary in this new digital world, and so is a dedicated focus on security from the start.

In other words, they're called tools for a reason. Make sure the people using them know enough about security to find them useful, not necessary. As always, security is everyone's responsibility — one that should be delegated from the start.


Evan Wade is a professional freelance writer, author, and editor from Indianapolis. His time as a sales consultant with AT&T, combined with his current work as a tech reporter, gives him unique insight into the world of mobile/Web security and the steps needed to properly secure software products.
