Privacy Testing: A Growing Field for Software Security Specialists
Security has always been a core focus area for software makers. Traditionally, the product team has taken on studies such as threat model analysis to determine what the product’s vulnerabilities are and then work to mitigate them.
The threat model has served as a great resource for testers to determine what tests they need to execute to provide the required confidence in the product’s security. One of the popular strategies to handle threat model analysis has been based on STRIDE principles. Resources such as OWASP and its updated list of top ten security vulnerabilities have also been very useful.
These practices continue to be used, but security is not just about preventing a hacker from gaining unauthorized access to the systems and data. There is a much more important aspect to consider: user privacy and how organizations handle collected user data.
Security is a very interesting area because the software maker is constantly striking a balance between its business angle of collecting, mining, and distributing more user data and the user angle of safeguarding their information and using it only in appropriate places. This is a very tough call to make, as user data is a core piece that organizations use to build on their partnerships with advertisers and other online entities to grow their reach and competitive edge.
Given the scope of the reach that is possible with such user data, even companies as large as Google get caught in privacy issues periodically, including the latest instance, where it will pay $17 million to plaintiffs in a Safari browser-related privacy issue.
While the end users are increasingly paying heed to this matter of privacy, they are still often in a helpless situation, including rare cases where they are forced to compromise their privacy for the sake of getting a job. Several nonprofit groups and forums are actively discussing the issue of privacy, suggesting simple measures that end users can take to protect themselves, especially with the amount of social networking and online activity most of us undertake today.
From a testing team’s standpoint, the first validation to take on is to understand and reason out what kind of user data is being collected. This is the first step toward ensuring user privacy and making it a point not to collect data that is really not needed.
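One way a tester might automate that first validation, as an added example that is not from the original article: compare every field in a captured client payload against a declared data inventory and flag anything undeclared or containing values that look like personal data. The inventory, field names, patterns, and sample payload are all hypothetical and constructed for illustration.

```python
import re

# Hypothetical data inventory: field path -> documented purpose.
DECLARED = {
    "event": "analytics event name",
    "session_id": "session correlation",
    "device.os": "compatibility reporting",
}

# Simple value patterns for data that usually identifies a person.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d"),
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for every leaf in a nested payload."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for v in obj:
            yield from flatten(v, prefix)
    else:
        yield prefix.rstrip("."), obj

def audit(payload):
    """Return sorted findings: undeclared fields and PII-looking values."""
    findings = set()
    for path, value in flatten(payload):
        if path not in DECLARED:
            findings.add((path, "undeclared"))
        for name, pat in PII_PATTERNS.items():
            if isinstance(value, str) and pat.search(value):
                findings.add((path, f"looks like {name}"))
    return sorted(findings)

# Constructed sample of a captured client payload.
SAMPLE = {
    "event": "signup",
    "session_id": "a1b2c3",
    "device": {"os": "android", "contacts": ["+1 555 010 0199"]},
    "referrer": "https://example.test/?u=alice@example.test",
}

if __name__ == "__main__":
    for path, issue in audit(SAMPLE):
        print(f"{path}: {issue}")
```

Each finding is a prompt for the question the paragraph raises: is this data really needed, and if so, is it documented with a purpose?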
Privacy testing is still a niche field. While security testing is a better understood and more widely practiced area today, privacy testing is still nascent. A tester often builds his skills here by experience, as every organization has its own privacy practices.
Nevertheless, the awareness of user privacy, active use in organizations, and discussions in public forums—including news items on cases where privacy is compromised—are definitely taking this practice in the right direction and helping it mature.