Development Through Secure Operations and Balanced Practices

This lesson reflects on critical security and operations concerns. So far, we have created an application that is well-engineered and has very few defects. Our user experience feedback has been positive: it is easy to use.

But all that potential can be lost in an instant if we cannot keep the application running. If hackers target our site and harm users, the situation becomes even worse.

Securing applications

An application that is not running does not exist. The discipline of operations—often called DevOps these days—aims to keep applications running in good health and alert us if that health starts to fail.

Security testing, also called penetration testing (pentesting), is a special case of manual exploratory testing. By its nature, we are looking for new exploits and unknown vulnerabilities in our application. Automation is not well suited to such work: it repeats what is already known, whereas discovering the unknown requires human ingenuity.

Penetration testing

Penetration testing is the discipline that takes a piece of software and attempts to circumvent its security. Security breaches can be expensive, embarrassing, or business-ending for a company. The exploits used to create the breach are often very simple.

Note: Security risks can be summarized roughly as follows:

  • Things we shouldn’t see.

  • Things we shouldn’t change.

  • Things we shouldn’t use as often.

  • Things we should not be able to lie about.

This is an oversimplification, of course. But the fact remains that our application may be vulnerable to these damaging activities—and we need to know whether that is the case or not. This requires testing. This kind of testing must be adaptive, creative, devious, and continually updated. An automated approach is none of those things, meaning security testing must take its place as a manual step in our development process.
