The President's Security Order Unpacked: What Executive Order 14028 means for your testing strategy

By Ryan Thornton & Monique Swanepoel, Product Marketing

2021-07-19

Those of you familiar with the Virtuoso blog will know about our passion for leveraging test automation to produce high-quality software at scale - and now the leader of the free world is in absolute agreement with us! President Biden has just signed Executive Order 14028 into law and this represents a big thumbs up for the role of test automation in software delivery. 

At a high level, the order is about bolstering national security by adopting standards for any software produced by or for the government of the United States as well as "critical software" (don’t worry, we’ll come to that in a moment). But this is not an ordinary executive order: it runs to 15 pages and contains 74 (yes, 74!) actionable directives. It is safe to say there’s a fair bit to unpack and lots of detail to understand. But there is no need to fear, because Virtuoso is here to help guide you through the implications of the order. As an added bonus, by following the directives you can get ahead of the curve, produce better products, increase customer satisfaction, and increase your ROI. Not a bad day at the Oval Office, eh?

The exec order: the facts 

Day by day we are finding out more details of the order, and the companies affected by it are going to have to act fast and find solutions with minimum ramp-up. Given the government’s buying power, this will certainly affect how software is produced well beyond the marble halls of Washington. This is what we know so far:

What is its purpose? 

The overarching goal of the Executive Order is to standardize cybersecurity protection protocols across the entire Federal Government. Up until Executive Order 14028, cybersecurity protocols were set at an agency-to-agency level, meaning that different policies and practices applied to different government and agency interactions. The new Order will create cybersecurity measures for the entire Federal Government, standardizing protocols and ensuring secure practices at all levels. As described in the order, this will help with “enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain.” The White Paper on the Definition of Critical Software Under Executive Order 14028 (phew, take a breath here!) makes it clear that the Federal Government wishes to “improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber actions and actors.”

Who’s affected? 

At the moment the implementation of the Order is still a work in progress. Several definitions and components for "Critical Software" have been identified, but we don't want to bore you with the details. You can read all about that in the White Paper. What you do need to know is that upcoming phases of the order will include testing standards for software that is cloud-based and since that's our niche, you can be sure Virtuoso knows how to help.

We already know there is a focus on Quality Assurance from the recently released minimum vendor requirements, and combined with the information in the White Paper, it’s quite likely that big changes are coming and that they’ll stretch beyond the boundaries of the USA government.

Test automation 

As the National Institute of Standards and Technology (NIST) put it when listing the minimum standards for software verification as part of Executive Order 14028: 

“Automated testing can run tests consistently, check results accurately, and minimize the need for human effort and expertise. Automated testing can be integrated into the existing workflow or issue tracking system.”

They correctly note that automated testing has advantages over manual testing that are perfectly in line with ensuring the security that Executive Order 14028 demands. However, that does not mean that moving to test automation is completely risk free (we like telling you the whole truth, and nothing but the truth). So what are the risks of this approach?

  • Traditional test automation tooling requires a lot of engineering skill 
  • Traditional tooling is difficult to maintain 
  • Traditional tooling is difficult to scale 
  • Testing becomes a bottleneck 
  • Ramp-up time can be heavy when installation is required

Now time for the shameless plug of how Virtuoso offers the perfect solution (still telling the whole truth, and nothing but the truth here)! By adopting Virtuoso you can: 

  • Author fit-for-purpose tests without engineering skill
  • Automate the most dynamic and difficult to test apps
  • Obliterate your test maintenance overhead
  • Leverage the latest technology to test more and earlier
  • Completely remove testing as a bottleneck in your SDLC
  • Achieve zero ramp-up time with no installs
  • Have a lot of fun doing it

The face of cybersecurity is changing and it might seem daunting to catch up, but with Virtuoso you can help secure your country’s cybersecurity interests and make your President proud.

Black-box testing

The minimum requirements from the NIST go on to talk about black-box testing: 

“‘Black box’ tests can address functional specifications or requirements, negative tests (invalid inputs and testing what the software should not do), denial of service and overload attempts, input boundary analysis, and input combinations.”

This is another area where Virtuoso is able to help you level up to the standards mentioned in the Executive Order. Black-box testing is a great way to look at how an application functions without prior knowledge of its internal structures or code paths. It is a less intrusive testing method, since testers do not have access to the source code and no third-party installations are required on the software under test. Black-box testing therefore offers a secure way to test applications without exposing the sensitive data, information, or code contained within them. We’ve perfected black-box testing as part of our offering and made it easier than ever to implement - again, just telling the truth here. You can book a demo to see how we approach black-box testing.

Fix critical bugs 

The final point in the recommended minimum standards is about finding and fixing bugs earlier. Well, if that doesn’t represent what we do in a nutshell! The good news here is that this approach can produce both a robust cybersecurity policy for a nation and a healthy bank balance for an organization. And this is backed up by some rather clever people. The Systems Sciences Institute at IBM found that finding, or preventing, potential bugs before the implementation and testing phases produced savings of 650% and 1500% respectively, or $650 and $1500*. And if those bugs had found their way into the end product, catching them early would mean savings of a whopping $10,000 - not even to mention the invaluable advantage of avoiding critical software bugs that could negatively impact your company’s reputation.

If you want a codeless solution for your functional tests that works across every browser, OS, and device in the cloud then look no further. Basically, we love providing you with the tools to fix critical bugs before they even become critical. We take test automation just as seriously as Executive Order 14028. 

Conclusion 

Let’s be honest, rules and regulations passed down from governments are not always met with industry-wide rejoicing. Despite the many times that we’ve mentioned the new order in this post, we’re not planning an Executive Order launch party just yet. However, given Executive Order 14028’s directives on software testing, the proper implementation of test automation is a no-brainer, whether you have contracts with the USA government or not. It’s about time that test automation gets taken seriously. Of course, getting the right tooling and testing frameworks in place is critical, which is why Virtuoso is here to help - get in touch today.


© 2021 SpotQA, Creators of Virtuoso