Recession fears may cause us to lower our defenses
Friday, January 13, 2023
Richard Harris
Adam Sandman from Inflectra shares his 2023 predictions for software quality and security trends, including how recession fears may cause us to lower our defenses, why quality and security go hand in hand, why you should secure your DevOps pipeline in 2023, and tons more.
Adam Sandman, CEO and Founder of Inflectra, discusses the trends in software quality engineering and cybersecurity for 2023. Mr. Sandman explains why quality engineering, DevOps, and security will no longer be seen as separate disciplines but as part of a larger whole. Finally, he covers how risk management is critical in addressing this new integrated set of challenges head-on.
Software has become an essential good
In many ways, 2022 can be thought of as a watershed; as the global pandemic eased, for the first time we could see which changes were temporary and which have become structural. Likewise, the changes to the global supply chain (and globalization itself) and the way information technology has become embedded in our daily lives are here to stay. Yet, at the same time, the risks from failures in critical systems, whether cyber attacks or "old-fashioned" software bugs, have only increased.
Examples of the latter include various airline IT meltdowns in the past 18 months that have upended travel around the world, banks that performed data migrations in such a slapdash fashion that customers' accounts were variously inaccessible or accessible to non-account holders, and infrastructure outages that have taken down large cloud platforms or global project management systems.
Recession fears may cause us to lower our defenses
The invasion of Ukraine in February of this year was only the latest salvo in what has become a clear transition from a globalized world economy to a multipolar one where trade and intellectual property are the new battlegrounds. However, despite early predictions, there have not been widespread, large-scale cyber attacks on national infrastructure. The risk is that companies and organizations will learn the wrong lesson from this and, as a global recession looms, cut costs on both cyber security and software quality at precisely the wrong moment.
In fact, the exact opposite is true. The pandemic showed us how IT systems have allowed cities and societies to function remotely and resiliently. Likewise, the war in Ukraine has shown us how telecommunications, modern embedded systems such as drones and smart munitions, and 'low-cost' but high-tech solutions can change the fortunes of a conflict. The lesson is that IT, and the security and safety of these systems (civilian or military), are more critical than ever.
Security and quality go hand in hand
This leads me to the next major trend in 2023: the rise of quality as an overarching discipline. Previously, in most organizations, the teams responsible for quality assurance (QA) were separate from the groups doing development and from those responsible for Information Security (InfoSec). The hack on SolarWinds showed the vulnerability of the software supply chain, and the various smaller failures in critical components over the previous years (e.g., Heartbleed in OpenSSL) have demonstrated that the quality of software systems needs to be a holistic process and cannot be separated from security. As industry regulators step up enforcement over data breaches and significant IT failures (backed up by hefty fines), the era of "move fast and break things" will be replaced by one of "move carefully and check everything."
At Inflectra, many of our customers work in highly-regulated industries such as life sciences, aerospace, manufacturing, finance, and automotive. In these industries, you cannot simply create user stories, write software, push it into production, get user feedback, and pivot until something works. Instead, you must plan and think about quality from the outset. A key trend in 2023 will be for companies to optimize and streamline their quality processes and mindset to make these compliance tasks as agile as the development work itself. Agile compliance has been a missing key ingredient, and those companies that can master it will outshine their peers in 2023.
Securing your DevOps pipeline
Another reason for ensuring quality in your agile software development process and DevOps toolchains is that DevOps pipelines have become an increasingly popular attack surface for cyber-attacks. As companies have spent time locking down and securing their production systems and networks, the same cannot be said in many cases for their development environments and networks.
For example, Australian telecommunications giant Optus revealed that about 10 million customers, about 40% of the population, had their personal data stolen when an internal test API used in development was connected to production data with no authentication mechanism. Another example was when LastPass suffered a security breach targeting its development environment that resulted in the theft of some of its source code and technical information.
With the threat to development and test environments increasing, it is paramount that organizations adopt many of the same security and quality measures already in use for their production environments. Defense in depth, encryption, secure centralized management of passwords and API keys, and ideally a move to a completely "passwordless" cloud infrastructure will become critical topics for 2023.
In line with classic risk management approaches, it is essential to plan ways to reduce the impact and/or probability of a credential being compromised. A key recommendation for 2023 is to deploy a Single Sign-On (SSO) identity provider that uses a technology such as OAuth 2.0/OpenID Connect and allows biometric login as its primary factor. Then use this provider to access all other services instead of having separate passwords or API keys for each service.
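The Optus pattern above (a non-production API wired to live data and exposed without authentication) is exactly the kind of misconfiguration a pipeline can refuse to deploy. The following is an added example, not code from the article or from Inflectra: a small policy check over a constructed service configuration that blocks production data sources outside production, blocks unauthenticated endpoints anywhere, and flags per-service API keys in favour of SSO-issued tokens. All host names and config fields are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical inventory of database hosts that hold live customer data.
PRODUCTION_DATA_HOSTS = {"db.prod.example.internal"}


@dataclass
class Endpoint:
    path: str
    auth: str         # "oidc" (SSO-issued token), "api_key", or "none"


@dataclass
class ServiceConfig:
    name: str
    environment: str  # "dev", "test" or "prod"
    data_source: str  # host name of the backing database
    endpoints: list


def audit(cfg: ServiceConfig) -> list:
    """Return (severity, message) findings; an empty list means the config passes."""
    findings = []
    # Rule 1: anything other than production must never read live data.
    if cfg.environment != "prod" and cfg.data_source in PRODUCTION_DATA_HOSTS:
        findings.append(("error", f"{cfg.name}: {cfg.environment} environment is wired "
                                  f"to production data source {cfg.data_source}"))
    for ep in cfg.endpoints:
        # Rule 2: no endpoint may be reachable without authentication, in any environment.
        if ep.auth == "none":
            findings.append(("error", f"{cfg.name}: endpoint {ep.path} requires no authentication"))
        # Rule 3: per-service secrets are tolerated but flagged; the target state is SSO tokens.
        elif ep.auth != "oidc":
            findings.append(("warn", f"{cfg.name}: endpoint {ep.path} uses a per-service "
                                     f"credential ({ep.auth}) instead of SSO"))
    return findings


def passes(cfg: ServiceConfig) -> bool:
    """A deploy is blocked only by error-level findings; warnings are reported."""
    return not any(sev == "error" for sev, _ in audit(cfg))


# Constructed configs modelled on the incident pattern described in the article.
UNSAFE = ServiceConfig("customer-lookup", "test", "db.prod.example.internal",
                       [Endpoint("/customers/{id}", "none")])
HARDENED = ServiceConfig("customer-lookup", "test", "db.test-masked.example.internal",
                         [Endpoint("/customers/{id}", "oidc")])

if __name__ == "__main__":
    for cfg in (UNSAFE, HARDENED):
        for sev, msg in audit(cfg):
            print(f"[{sev}] {msg}")
        print(f"{cfg.name} ({cfg.environment}): {'pass' if passes(cfg) else 'BLOCK deploy'}")
```

Run as a pre-deploy step, the check turns the article's two recommendations into a gate rather than a guideline; the masked test database is a placeholder for whatever de-identified copy the team actually uses.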
Risk Management is no longer optional
Expanding on the criticality of risk management as an overarching discipline, one of the top trends of 2023 will be the mainstreaming of risk management and risk-based techniques such as risk-based testing. Previously an obscure branch of project management, risk management is now front and center of the dashboard of most CIOs and CISOs.
The next few years will see a shift in the higher-order project management skills required, covering quality, risk, and communication. Specifically, there will be considerable growth in risk management beyond software product management. As mentioned at the start of this article, software and firmware are becoming commonplace. Whether it is apps on our phones or wearable devices, software product development is no longer limited to risks from the software itself.
Analyzing the environment in which the software operates is becoming so common that regulations are constantly being revised. For example, Failure Mode & Effects Analysis (FMEA) is expanding into ISO 14971, Good Automated Manufacturing Practices (GAMP) are increasingly a part of clinical and post-clinical product development in life sciences, Hazard Analysis and Critical Control Points (HACCP) covers restaurant and food products, and so on. As a result, every industry is starting to expect product owners and IT managers to become experts in risk management for their industry. Failure to plan for this future will put your entire organization at unacceptable risk.
Adam Sandman
Adam Sandman, who founded Inflectra in 2006, has been a programmer since the age of 10. Today, Adam serves as the company's CEO. He is responsible for product strategy, technology innovation, and business development. He lives in Washington, D.C., with his family.
Before founding Inflectra, Sandman worked as a director for Sapient Government Services, where he was in charge of development with the U.S. Marine Corps and other government agencies and was responsible for leading many capture teams and writing whitepapers and position statements to build Sapient’s reputation as a leader in the defense space. He studied physics at Oxford University.
Inflectra offers a suite of intuitive, turnkey enterprise solutions to manage the entire software lifecycle. Its industry-leading products for application test management, test automation, and lifecycle management help customers streamline their operations, allowing developers, testers, and managers to allocate their time and resources to business-critical assignments. Among our most popular products are SpiraPlan, which allows you to synchronize what matters with agile program development, and Rapise, providing fast and easy test automation for everything, web, mobile, desktop, and APIs.