We are concerned about the incident that occurred to CBE last Friday, March 15, 2024. There were rumors about the incident through social media, suggesting it may have been a cyber attack by hackers. However, after the weekend silence, yesterday the CBE president released a statement ensuring that the incident was not related to cyber attacks, as discussed on social media. Rather, the incident occurred in the effort to provide quality services to customers and in the development of CBE transformation. If indeed this explanation is the correct root cause, it is a relief that it is not related to a cyber attack.
However, it raises other questions:
How did such a significant mistake occur?
Is it because of the change management process in place?
Or are the key factors of the quality assurance and testing phases in the application development process working as intended?
We also want to point out how the newly released application was critically evaluated via the security testing phase in the application development process.
If indeed the root cause is not a cyber attack but unspecified mistakes in the development of the application, we question how such a comprehensive major incident could occur. We view this circumstance as a chronic issue that requires validation through deep IS (Information Systems) audits. Several key areas need assessment to ensure that changes to the developed application and IT environment are controlled effectively and securely.
Having said that, as the need for IS audit is as important as ever and is even being discussed on LinkedIn, we need to clearly point out the key factors of the quality assurance and testing phases in the application development process and the criticality of the security testing phase within it.
We would like to raise the following issues.
As a professional association, we feel responsible for addressing these issues and would like to provide our expertise to Ethiopian society. Additionally, we aim to create a learning dialogue so that other companies can learn from this event and understand what they need to do before such an event occurs in their development programs.
Quality assurance and testing ensure that software works well and is safe before people use it. Any company must check every part of the code to ensure it's good enough to be released to production. In developing software, quality assurance and testing serve as meticulous weavers, carefully building each thread to ensure the final product is resilient, efficient, and user-friendly.
Key factors of the quality assurance and testing phases
The key factors of the quality assurance and testing phases in the application development process include several steps and areas. We outline below some important aspects that an organization needs to assess in its own software development, using these points as a checklist.
Test Planning: Creating a comprehensive test plan outlining objectives, scope, resources, and schedules.
Test Design: Developing test cases and scenarios based on requirements, user stories, and use cases.
Test Execution: Running tests to identify defects and verify the functionality of the application.
Defect Management: Tracking and managing defects through their lifecycle, from discovery to resolution.
Regression Testing: Rerunning tests to ensure that new changes haven't introduced unintended side effects.
Automation: Implementing automated testing where possible to increase efficiency and coverage.
Performance Testing: Evaluating the application's performance under different conditions to ensure scalability.
Security Testing: Assessing the application's security posture and identifying potential vulnerabilities.
User Acceptance Testing (UAT): Involving end-users to validate that the application meets their requirements and expectations.
Continuous Improvement: Iteratively refining testing processes based on feedback and lessons learned from previous cycles.
Security testing is a crucial phase in the application development process aimed at identifying vulnerabilities and weaknesses in the system that could be exploited by malicious actors.
We focus particularly on the security testing phase here with more detail:
Threat Modeling: Understanding the application's architecture, components, and potential threats it may face. This involves identifying potential attackers, attack vectors, and assets to be protected.
Vulnerability Assessment: Conducting automated and manual scans to identify common vulnerabilities such as injection flaws, cross-site scripting (XSS), broken authentication, sensitive data exposure, etc.
Penetration Testing (Pen Testing): Simulating real-world attacks by ethical hackers to identify vulnerabilities that automated tools may miss. This involves attempting to exploit vulnerabilities to gain unauthorized access or extract sensitive information.
Security Code Review: Analyzing the application's source code for security flaws such as hardcoded credentials, insecure cryptographic algorithms, or other vulnerabilities that may not be apparent through other testing methods.
Authentication and Authorization Testing: Verifying that authentication mechanisms are robust and that users can only access resources they are authorized to access. This includes testing password policies, session management, role-based access control, etc.
Data Security Testing: Ensuring that sensitive data is handled securely throughout its lifecycle, including data in transit, data at rest, and data in use. This involves encryption, secure transmission protocols, secure storage practices, etc.
Security Configuration Management: Verifying that the application and its supporting infrastructure are configured securely, including web servers, databases, firewalls, and other components. This involves checking for default configurations, unnecessary services, and insecure settings.
API Security Testing: Assessing the security of APIs used by the application, including authentication mechanisms, input validation, access controls, and potential vulnerabilities such as injection attacks or insecure direct object references.
Security Awareness Training: Educating developers, testers, and other stakeholders about common security risks and best practices to mitigate them. This helps build a security-conscious culture within the development team.
Compliance Testing: Ensuring that the application complies with relevant security standards, regulations, and industry best practices such as GDPR, HIPAA, PCI DSS, etc.
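To make the "Authentication and Authorization Testing" item concrete, and to show how the "Regression Testing" and "Automation" items from the quality assurance list apply to it, the following is an added example and not code from CBE, EISAA or any product. It assumes a small role-based access policy (the User, Account and PERMISSIONS names and the sample accounts are constructed for illustration) and keeps the authorization test cases as data, so that a change which silently widens access fails the automated suite instead of reaching customers.

```python
# Added example: deny-by-default authorization check plus an automated
# security regression suite over it. All names and sample data are
# constructed for illustration; they are not CBE's or EISAA's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # assumed roles: "customer", "teller", "auditor"


@dataclass(frozen=True)
class Account:
    account_id: str
    owner_id: str
    balance: int


# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    "ACC-1": Account("ACC-1", "alice", 500),
    "ACC-2": Account("ACC-2", "bob", 1200),
}

# Role permission matrix. "<action>_own" grants the action only on accounts
# the user owns; "<action>_any" grants it on every account. Anything absent
# from the matrix is denied.
PERMISSIONS = {
    "customer": {"view_own", "transfer_own"},
    "teller": {"view_any", "transfer_any"},
    "auditor": {"view_any"},
}


def authorize(user: User, action: str, account: Account) -> bool:
    """Deny-by-default access check: True only if the user's role explicitly
    grants `action` on `account`. Unknown roles and actions are denied."""
    granted = PERMISSIONS.get(user.role, set())
    if action not in ("view", "transfer"):
        return False
    if f"{action}_any" in granted:
        return True
    return f"{action}_own" in granted and account.owner_id == user.user_id


def transfer(user: User, account_id: str, amount: int) -> int:
    """Debit `amount` from the account after the authorization check.
    Returns the new balance; raises PermissionError if the check fails."""
    account = ACCOUNTS[account_id]
    if not authorize(user, "transfer", account):
        raise PermissionError(f"{user.user_id} may not transfer from {account_id}")
    if amount <= 0 or amount > account.balance:
        raise ValueError("invalid amount")
    ACCOUNTS[account_id] = Account(account.account_id, account.owner_id,
                                   account.balance - amount)
    return ACCOUNTS[account_id].balance


def run_security_regression() -> dict:
    """Authorization test cases kept as data so the suite is re-run on every
    change. Each case records the expected decision, so both a wrongly
    granted access and a wrongly denied one show up as a failure.
    Returns {case_name: passed} for every case."""
    alice = User("alice", "customer")
    bob = User("bob", "customer")
    teller = User("t01", "teller")
    auditor = User("a01", "auditor")
    intruder = User("x", "guest")  # role that appears in no permission set
    cases = [
        # name, user, action, account, expected decision
        ("owner_can_view_own", alice, "view", "ACC-1", True),
        ("horizontal_view_denied", alice, "view", "ACC-2", False),
        ("horizontal_transfer_denied", bob, "transfer", "ACC-1", False),
        ("teller_can_transfer_any", teller, "transfer", "ACC-2", True),
        ("auditor_is_read_only", auditor, "transfer", "ACC-1", False),
        ("auditor_can_view_any", auditor, "view", "ACC-2", True),
        ("unknown_role_denied", intruder, "view", "ACC-1", False),
        ("unknown_action_denied", teller, "delete", "ACC-1", False),
    ]
    results = {}
    for name, user, action, account_id, expected in cases:
        results[name] = authorize(user, action, ACCOUNTS[account_id]) == expected
    return results


if __name__ == "__main__":
    for name, passed in run_security_regression().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The point of the suite is the negative cases: a customer reading or debiting another customer's account, an auditor attempting a transfer, and a role or action the policy never mentions must all be refused, and those refusals are re-checked on every release rather than only during the initial security review.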
Continuous evaluation of these steps and key factors is essential
As professionals and experts in this domain, we perceive the key factors of quality assurance, testing, and security testing outlined above not only as relevant to the CBE incident but also as vital components for any company involved in application development, whether the company is in the fintech, healthcare, insurance, construction, education, government, or non-government sector. Continuous evaluation of these steps and key factors is essential. We emphasize that this is an ongoing learning process, and all processes should be further developed to enhance their effectiveness.
In summary, quality assurance and testing play vital roles in ensuring the reliability and functionality of software. These phases involve meticulous planning, design, and execution of tests to verify that the application meets specified requirements and performs as expected. By adhering to these key factors, organizations can minimize the likelihood of defects reaching end-users, thereby enhancing user satisfaction and reducing costly rework.
As we all know, security testing is a critical component of the application development process, focusing specifically on identifying and addressing vulnerabilities that could compromise the security of the software. Through techniques such as threat modeling, vulnerability assessment, penetration testing, and security code review, organizations can proactively identify weaknesses in their applications and address them before deployment. By conducting thorough security testing early in the development lifecycle, organizations can mitigate the risk of security breaches, protect sensitive data and assets, and build trust with their users. This proactive approach to security helps ensure that applications are robust and resilient against potential threats.
Contributed by EISAA Chairman.