Software Security Is Software Quality

Creating software is no different than creating a woodworking project. The end product will be creative. The flow of the wood, the colors, the stability, the functionality. After enough change in temperature, the expansion and compression of the wood will expose the skill level of the craftsman. The beauty of a natural wood dining room table fades when the table gives way due to lack of stability.

Software is no different. Software can be thrown together like a project set for a workshop. It can have a unique purpose with little utility or need for use beyond a small set of requirements. There is nothing wrong with that.

Software built to be used and consumed is different. Experience and wisdom must be used to ensure it lasts in a changing world. The changing world where the stressors range from the number of users, to an additional requirement which changes the legal consequences for poor practices, to customer requirements demanding more and more.

Like seeing consistent grain flow on drawer faces across a wooden dresser, how software protects user data determines the quality of the final product. A woodworker who understands how to make cuts to match the wood grain across the dresser, that they will understand the joints and type of wood needed to make a quality piece. The woodworker who understands to use food-grade stain on a cutting board will be much more appreciated than the one who does not. They are paying attention to the details that matter.

If you are asking “why?” the answer is in the level of testing and rigor the software product goes under. The only way to truly gauge the quality is to test it. That testing must happen in many parts of the software development lifecycle and it must cover a lot of different avenues.

Many woodworkers build highly dependable workbenches in a day or two. They are basic and can withstand the cutting, hammering, and glue-ups that occur on them. They don’t necessarily have the storage or they don’t have the ability to prevent all that wood dust from collecting in the drawers. These are quality for what they are intended to do and what they are built to do. They don’t need the rigor because they aren’t being sold. The person who may buy the plans has the same goal. These components aren’t intended for mass consumption. These are comparable to the scripts to perform very specific tasks with no intent of being trusted by someone else.

Our educational software product must meet the standards of the highest quality. Teachers, parents, and students must all find it intuitive. The system must protect the confidentiality of the students. There are many facets of the grades that must be protected – the answers, the accuracy of the answers, the flexibility in the answers, and the grades recorded.

Functional testing would suggest that testing evaluates whether the questions display correctly, the user is able to enter answers as appropriate, and that the answers are checked. User experience testing would evaluate whether the interface behaves appropriately and expectedly. Security testing goes further. Security testing asks the question: How does the system handle wacky behavior?

Let’s walk through a possible scenario of an essay homework assignment. The question asks the student to write about “How Can Someone Create New Habits?”. The answers can range, but there will be certain aspects that the system will be looking for. Then it will leverage tools to evaluate the quality of the writing, then it will look for certain phrases and words. After all the phrases are found and the writing is checked, some formula will generate a percentage correct for that essay. Functional tests would be written to check the scoring – some with horrible writing, some with perfect writing, some with all keywords and phrases, some with none, and some with them in mixed-up order. User experience testing will look at whether students are able to type answers in the window, all characters that can be allowed are, and so on and so forth.

What will security testing do? It will dig deeper. It will test the size boundary. It will test against how the system grades. Is it using an artificial intelligence program and can the student write an answer that manipulates the artificial intelligence? It might even try to extract the answer the question is looking for. And so much more. In short, security testing looks to make sure the joint isn’t end-grain to end-grain and that the flow of the grain on the drawers is seamless.

Posted in Security and tagged .