In a pandemic world, testing is crucial to understand risk and take proactive mitigation steps, and the same is true in IT. In this blog, I will look at what testing means and why your applications need to be secure and up to date, together with how you can achieve great outcomes by leveraging the cloud and automation.
Application testing usually means different things, and it comes down to why you might be testing. It could be for quality assurance when creating and releasing your Line of Business (LoB) applications, or it could be for regression testing to see how they interact with existing systems. Finally, your applications or operating system could have an important update whose performance and impact you want to evaluate before you release it to users.
Let’s focus on testing applications, whether it be an operating system or application update, the application itself, or an environmental change, like a policy or a setting, and why it is essential for cybersecurity.
DO YOU PATCH ON TIME?
For many reasons, it is quite common for organisations to delay patches. It could be due to compatibility – you cannot quantify the impact of deploying the update. Or perhaps your CTO does not want to be the first to launch, putting your business operations at risk, and instead chooses to wait to see if other users report issues. Whilst these are valid reasons, you are actually exposing your environment to risk when you delay. We know that once a patch is released and the exploit or the vulnerability is made public, cybercriminals and other nefarious groups will attempt to exploit unpatched environments. The University of Maryland estimates that a cyberattack occurs every 39 seconds on average against vulnerable computers – is this a risk you can continue to take?
CRIME WAITS FOR NO MAN
You really cannot afford to wait. IBM has estimated the average cost of a cybersecurity breach is around USD 3.8 million, and it takes up to 280 days to identify and contain a breach. CompariTech measured the impact on a company’s share price once an exploit has been publicly notified. They found an average loss of -7.21% in the first one hundred days, with shares underperforming against the market average by -4.18% over the coming year.
The Australian Cybersecurity Centre or ACSC, formally known as the Australian Signals Directorate (ASD), published guidance on mitigating cybersecurity incidents known as the Essential 8. The Essential Eight provides a clear and concise guide with practical steps to continuously mitigate ever-increasing cybersecurity attacks on IT infrastructure. One of the top mitigation recommendations is to implement patching on your systems and applications. ACSC recommends systems with a known exploit are patched within 48 hours. This is quite a fast turnaround time for release, test and deployment. However, it is crucial to do so to ensure you are not at risk once a patch is released.
Typically, if there is an application or operating system update, this update would get packaged and pushed out to a small subset of users or test machines. The test itself generally consists of:
- did it break anything?
- did the users notice anything?
While this empirical data is valid, it is only qualitative, observational, and open to interpretation rather than based on hard data. There is typically no systematic approach to testing to ensure it is measured the same way each time.
If nothing is reported, patches are released into the environment, and most companies will manage by exception if there is something wrong. So, if it did impact a critical business function, for example, then IT staff would drop everything to respond and remediate after the fact, leaving the downtime or impact to be borne by the users. The impact could be huge; what if your critical ERP or CRM system stopped working? What if users could not access their files or email? Operations would quickly grind to a halt. Gartner estimates downtime costs on average $5,600 a minute.
Instead, if you assessed these updates and patches properly, IT could make an informed decision and decrease the risk of downtime. However, it takes a lot of time to test the app and to manage and maintain the environments teams use for testing. For some testing, you may need to take people out of the business so they can run through and assess the application to confirm functionality. Most businesses do not do this because it is lengthy, time-consuming and disruptive to take people away from their day job.
SCALE FOR SUCCESS
So, what if we could automate testing of our apps and our environments to get baseline tests of performance and application interaction and compare these to a known good baseline? What if we could ensure our apps will still install, run and uninstall? There is a way to do this efficiently and automatically.
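The baseline comparison described above, as an added example (not code from this blog and not how Rimo3 works): each application's install, launch and uninstall results after a patch are measured the same way as a known good baseline, and the patch is only cleared for release if nothing failed, slowed down beyond a tolerance, or went untested. The application names, the 25% tolerance and all sample measurements are constructed assumptions.

```python
from statistics import median

PHASES = ("install", "launch", "uninstall")
MAX_SLOWDOWN = 1.25  # assumed tolerance: flag if median launch time grows by more than 25%

def rec(install, launch, uninstall, launch_ms):
    """One test run for one app: phase pass/fail flags plus launch-time samples (ms)."""
    return {"phases": dict(zip(PHASES, (install, launch, uninstall))),
            "launch_ms": launch_ms}

def assess(baseline, candidate, max_slowdown=MAX_SLOWDOWN):
    """Compare a post-patch run to the baseline; return {app: (verdict, reasons)}."""
    report = {}
    for app, base in baseline.items():
        run = candidate.get(app)
        if run is None:  # an app nobody tested is a gap, not a pass
            report[app] = ("UNTESTED", ["no post-patch result"])
            continue
        # A phase counts as broken only if it worked in the baseline.
        reasons = [f"{p} failed" for p in PHASES
                   if base["phases"][p] and not run["phases"][p]]
        if run["launch_ms"] and base["launch_ms"]:  # empty when launch never succeeded
            ratio = median(run["launch_ms"]) / median(base["launch_ms"])
            if ratio > max_slowdown:
                reasons.append(f"launch {ratio:.2f}x slower than baseline")
        report[app] = ("REGRESSION" if reasons else "PASS", reasons)
    return report

def release_ok(report):
    """Release only when every baselined app was tested and passed."""
    return all(verdict == "PASS" for verdict, _ in report.values())

# Constructed sample data: known good image vs. the same image with the patch applied.
BASELINE = {
    "erp-client": rec(True, True, True, [1200, 1180, 1250]),
    "crm-addin":  rec(True, True, True, [800, 820, 790]),
    "pdf-viewer": rec(True, True, True, [400, 410, 395]),
    "vpn-agent":  rec(True, True, True, [300, 310, 305]),
}
AFTER_PATCH = {
    "erp-client": rec(True, True, True, [1210, 1190, 1260]),
    "crm-addin":  rec(True, True, True, [1400, 1350, 1500]),
    "pdf-viewer": rec(True, False, True, []),
    # vpn-agent was never run against the patched image
}

if __name__ == "__main__":
    report = assess(BASELINE, AFTER_PATCH)
    for app, (verdict, reasons) in report.items():
        print(f"{app:12} {verdict:10} {'; '.join(reasons)}")
    print("release:", "GO" if release_ok(report) else "HOLD")
```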
At Insentra we have partnered with Rimo3, application specialists who have developed a cloud-based system leveraging the power of automation, AI, and machine learning. Rimo3 discovers your applications and intelligently tests against your image or production environment, giving you the insights you need to understand the impacts of patches and operating system updates before releasing them into your environment.
Being an automated system, Rimo3 can process hundreds of applications 24 hours a day, rapidly shortening the time to assess your application estate and helping you make an informed decision to release the patches with confidence.
The benefit of testing applications is clear. IT security, change management and user experience all benefit from automation, so why not reach out and find out more about Rimo3? Want to learn more about Rimo3? I explain more in this blog.