Compliance, once heralded by compliance officers, lawyers and auditors as the answer to information privacy and security challenges, has trickled down to virtually all aspects of business. Do what the government -- or industry -- regulators say or else. I'm not convinced that those in charge of managing software testing need to get caught up in all the details of the various regulations. It's nice to know the high points, and those are easily summed up here:
- Know what's at risk
- Document security policies and plans that will help minimize your risks
- Enforce your policies and facilitate your plans with technology (i.e., security controls in your software)
- Continually analyze your risks and work to make things better
If you manage or perform software testing, it'd be great to review the requirements of each regulation your organization is responsible for, such as PCI DSS and HIPAA. Once you understand the spirit of the law, you'd be best served by focusing on what you do best: finding and fixing the flaws in your software and tweaking your development, QA and security testing processes to minimize the security issues going forward. If you understand the security fundamentals (those laid out in the regulations or in standards such as ISO 27002) and end up with secure software, you'll have "compliant" software as well.
Security and compliance standards are continually evolving. HIPAA recently underwent some significant changes. The same is true for PCI DSS, which is currently in version 3.0. The various NIST Special Publications are continually updated as well. However, these changes and updates are more for clarity than for changing the spirit of the information security basics they're outlining. I recommend staying in touch with what's going on in the world of compliance, but don't obsess over it. You're just as well off reading James Martin's book Security, Accuracy, and Privacy in Computer Systems. It was published in 1973.