Security testing should be on every DevOps team’s Black Friday checklist

The holidays are a time for shoppers to reap the benefit of online deals—and for hackers to leverage software vulnerabilities in retail systems and applications. In order to prepare for this year, IT monitoring experts suggested developers and operations teams incorporate adequate security testing as part of their holiday preparedness checklist.

The biggest mistake organizations make when preparing for holiday sales is decreasing the required amount of security testing of their web and mobile applications in favor of tight release deadlines, said global director of application security strategy at Checkmarx, Matt Rose.

“Proper security testing is a must and should not be overshadowed by the need for enhanced features or functionality that may not even be utilized if an application is hacked or down to a DDoS attack,” he said.

(Related: How DevOps security is lacking)

Organizations might look to cut testing processes because of their shorter release deadlines. Sometimes, security testing is cut because “cool” application features are seen as generating revenue, whereas security testing is not, said Rose. It’s a narrow-minded view, because if the application has security issues, the new revenue-generating feature may never be available to the user, he said.

Different organizations can assign different levels of responsibilities to developers during the holiday season, but all companies should review how developers would support operations during critical times like Black Friday and Cyber Monday, according to Michael Butt, senior product marketing manager at BigPanda. And, just like those in operations, developers need to understand how much stress peak shopping times will have on systems during the holiday season, he said.

Developers can also prepare for the holiday season by properly testing their applications for stability and security, because the “potential for unanticipated load or exposure to hackers is a real threat,” said Rose.

If developers fail to do this, retailers can expect worst-case scenarios like being blacklisted by users, he said, especially if they fear that a platform is unstable and their personal information is at risk.

“The holiday selling season is a very short time period, and any downtime or instability of their web or mobile applications could potentially have very damaging implications to a retailer’s bottom line,” said Rose. “If an application fails to meet the consumer’s expectations, they will simply take their business somewhere else.”

Mobile applications have changed the world of digital business and e-commerce, and now that organizations are going to a mobile-first world, all of that mobile traffic adds to the holiday load, said Butt.

Just the nature of these mobile applications and how they have developed opens a new category for risk, said Rose. Many organizations outsource mobile application development to third parties, and if these third parties do not know if proper security testing was done to applications, it increases the chances of hackers attacking, according to him.

“The third parties are paid to develop these mobile apps based on a set of functionality criteria,” said Rose. “If security requirements are not properly defined by the outsourced development teams, they will probably not be included in the application, which is a huge risk to organization contracting the third party.”