Testing Governance and Data Management
The lie of the land: results of a survey conducted in May 2008
Jon Collins, Freeform Dynamics Ltd
+44 1285 771 433
[email_address]
www.freeformdynamics.com
Agenda
- Live data use in application development and testing
- Security and the development and test cycle
- Where can we look for improvements?
Thinking of your IT systems, how much does your organisation make use of the following? There’s plenty of custom application development going on
If you are using live data (e.g. from application databases), is this for any of the following reasons? Live data is a necessary part of the equation for a number of good reasons. The question is, though, how well is it controlled?
Is live data used during development or testing? (Those who knew) Those who know tell us that live data is used in development and/or testing in almost three out of four organisations.
Knowledge of whether test data is used during the development or test cycle (“Those that know”): many of those in the business responsible for risk and compliance are unaware of how live data is used in IT.
Sanitisation of data for use in development/testing (Those who knew) About a third of organisations use data straight out of live systems, though many sanitise or anonymise data before use.
Who has primary responsibility for security policy in relation to application development and testing? The IT function is largely left to figure out and implement its own security policies in relation to application development and testing. The last bastion of the technical?
How are your IT systems teams resourced? To begin with, we must understand who is involved, and it is clear that in the majority of cases, we need to consider external as well as internal staff.
Where does the majority of systems development and testing take place? The physical location and distribution of development and testing activity adds another interesting dimension to the consideration of lifecycle security.
Considering implementing new systems or significant upgrades to existing systems, how usual is it for you to set up development, test and live environments in the following ways? Then there is the question of how much development, test and live environments are separated during the lifecycle.
Some of the risks we know about...
- Abuse of intellectual property
- Knowledge of system/process vulnerabilities falling into the wrong hands
- Engineering of vulnerabilities into applications for later exploitation
- Sabotage for personal or political reasons, and/or financial gain
- Unauthorised access to live systems or data
- Legal and compliance aspects of live data use
What priority do you give to improving the following aspects of your testing? The top two areas of improvement are both directly relevant to the use of live data. Policy is unclear from a business perspective, and poor test data management indicates a big potential risk.
What priority do you give to improving test data management? Ironically, those with more to lose (i.e. those using live data) are the ones who highlight the need for most improvement. This is no doubt in part due to a heightened awareness of the issues.
Where can we look for improvements?
- Use of sanitised data is preferable, but will not always be a requirement (or indeed, an option)
- Policy and regulation – carrot and stick
- Process, process, process
- Better linkage with the business
- Prioritisation of tools and technologies
Do policies exist to deal with the way in which information is used and accessed? A mix of policy is the best bet for organisations using sanitised data.
Is your organisation subject to a lot of regulation with regard to record keeping? Note how “specific regulation” leads to higher use of sanitised data than more general regulation.
Is your organisation subject to a lot of regulation with regard to record keeping? (Priority given to improving test data management) Plus, more regulated organisations recognise the need to improve how they manage their test data.
How much do you agree or disagree with the following: ‘We have a single set of testing processes that we apply stringently to all of our testing’? Stringent application of testing process is more applicable in environments where data is sanitised.
Turning specifically to software development and testing, which of the following statements fits your organisation? (Priority given to improving test data management) We can also see how important it is for business involvement to lead to test data management improvements.
What specific technical capabilities do you feel would make the most difference? Gaps in tooling that are consistent with the need for improvements in test data management and sanitisation of live data are clear.
What specific technical capabilities do you feel would make the most difference? Two thirds of those who use live data during test and development highlight the need for better tools to sanitise extracts.
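To make concrete what "sanitising an extract" (the practice noted under sanitisation of data for development/testing, and the tooling gap highlighted here) involves, the following Python is an added illustration; it is not part of the survey report and not a Freeform Dynamics tool. It takes a constructed customer table and a constructed transactions table, replaces direct identifiers with keyed pseudonyms so that joins between tables still work, masks card numbers to the last four digits, generalises dates of birth to the year, leaves non-identifying columns untouched, and then checks that no original identifying value survived verbatim. Column names, sample rows and the key are all constructed for the example.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample extract standing in for a "live" customer table (not real data).
LIVE_EXTRACT = """customer_id,full_name,email,card_number,date_of_birth,balance
1001,Alice Example,alice@example.com,4111111111111111,1980-04-12,250.00
1002,Bob Sample,bob@sample.org,5500000000000004,1975-11-30,-40.50
1001,Alice Example,alice@example.com,4111111111111111,1980-04-12,75.25
"""

# Constructed transactions table referencing the same customer_id column,
# used to show that joins survive pseudonymisation.
LIVE_TRANSACTIONS = """txn_id,customer_id,amount
T1,1001,12.00
T2,1002,99.99
"""

# Constructed key for the keyed pseudonyms. In a real pipeline it stays on the
# production side and is never shipped with the sanitised extract.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonym(value, field, length=12):
    """Deterministic keyed pseudonym: the same input always yields the same token,
    so references between tables still line up, but without the key the token
    cannot be reversed or rebuilt from a guessed value."""
    mac = hmac.new(PSEUDONYM_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_card(pan):
    """Keep only the last four digits so length-dependent code still exercises."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def generalise_dob(dob):
    """Reduce an ISO date of birth to its year (1 January of that year)."""
    return dob[:4] + "-01-01"


# Per-column rules; any column not listed passes through unchanged.
FIELD_RULES = {
    "customer_id": lambda v: "C" + pseudonym(v, "customer_id", 10),
    "full_name": lambda v: "User " + pseudonym(v, "full_name", 8),
    "email": lambda v: pseudonym(v, "email", 10) + "@test.invalid",
    "card_number": mask_card,
    "date_of_birth": generalise_dob,
}


def sanitise_csv(text):
    """Apply FIELD_RULES to every row of a CSV document and return the result."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow({k: FIELD_RULES.get(k, lambda v: v)(v) for k, v in row.items()})
    return out.getvalue()


def parse_rows(text):
    """Parse CSV text into a list of dicts (convenience for inspection and tests)."""
    return list(csv.DictReader(io.StringIO(text)))


def leaked_values(live_text, sanitised_text, fields):
    """Return original values from the named columns that still appear verbatim in
    the sanitised output. An empty set is the pass condition before the extract
    is handed to a development or test environment."""
    leaks = set()
    for row in parse_rows(live_text):
        for field in fields:
            if row[field] and row[field] in sanitised_text:
                leaks.add(row[field])
    return leaks


if __name__ == "__main__":
    sanitised = sanitise_csv(LIVE_EXTRACT)
    print(sanitised)
    print(sanitise_csv(LIVE_TRANSACTIONS))
    print("leaks:", leaked_values(LIVE_EXTRACT, sanitised,
                                  ["full_name", "email", "card_number", "date_of_birth"]))
```

The leak check is the part most often missing from home-grown scripts: a sanitisation step is only evidence of control if something verifies its output, and the verification belongs in the process, not in a developer's judgement after the fact.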
Conclusions
- App dev is still left to its own devices w.r.t. security and data risk – and the business lacks knowledge of what IT is up to
- After business linkage, test data management is the biggest area that organisations are looking to improve
- Considering test data sanitisation, there are a number of areas in which organisations can learn from the leaders