Top 8 Cybersecurity Questions You Should Ask Your QA Testing Company

QASource | September 24, 2020


Fresh news stories about high-profile hacks or customer data breaches appear every week. And while no organization wants to be the subject of the next reputation-ruining headline, many business leaders still skip over cyber security best practices when interviewing, hiring and onboarding a new outsourced QA partner. How much will it cost? How fast can you make it happen? These questions take center stage over concerns about security.

Before searching for the right QA testing company, you must first define which requirements are non-negotiable. Data protection standards and strong cybersecurity protocols should be high on your list.

Getting the answers you need starts with asking the right kinds of cyber security questions. We recommend asking the following eight questions as you explore potential QA providers for your organization.

1. How Do You Secure the Perimeter?

Start with the basic security-related QA testing questions. What onsite protocols are strictly enforced to protect all IT and QA equipment? In what ways does a data protection standard safeguard all hardware and software from cyber threats? These top cyber security questions can provide a clear perspective on a QA provider’s various security mechanisms for protecting the product at all levels.

Remember that every vulnerability in your software is an opportunity for a cyber attacker. It is your job to ensure that all proper cyber security training best practices are in place, so it’s important to partner with a QA provider that follows this guide to penetration testing and enforces security mechanisms. These should include, but are not limited to, web application firewalls and intrusion detection and prevention systems.

2. Have You Achieved a Data Protection Standard?

QA providers that follow cyber security best practices wear security certifications like badges of honor. The certifications are objective, measurable proof that the provider’s data protection standard is up to par with industry levels, as recognized by accredited institutions.

Some of the most common certifications include ISO 27001, SSAE16, Safe Harbor and SOC 2. Before asking your cyber security questions about certifications, make sure you know which of these certifications apply to your industry and be ready to explore the QA provider’s process in obtaining these certifications.

How do certifications follow cyber security training best practices? Many industries are protected by high cybersecurity standards and strict regulations, such as HIPAA and HITECH for medical organizations, GLBA for financial companies and FERPA for eLearning and educational institutions. Certifications confirm that a QA provider consistently enforces testing procedures and security measures that keep software products aligned with the expectations of these industry standards.

3. How Do You Keep Customer Data Safe?

Partnering with a dedicated QA team can solve many cybersecurity pain points. And when a QA provider knows how to keep customer data safe, it shows in the answers they give to these QA testing questions:

Ask the QA provider to explain how they segment and store customer data. If they follow cyber security best practices, this data should live somewhere separate from the vendor’s web server, ideally on a separate database server located behind a firewall. Though this makes for a more complicated setup process, the security benefits are well worth the effort.

4. How Do You Monitor Internal and Outside Traffic To and From Our Network?

Even the best attempts at attack deflection can fail when faced with a determined hacker. It’s up to you to ask the right QA questions to ensure that a QA provider can withstand even the sneakiest cyberattacks on your software application.

Your top cyber security questions regarding network traffic monitoring should focus on their toolset. Does the potential QA provider have the following systems in place?

  • Intrusion Detection System (IDS)
  • Intrusion Prevention System (IPS)
  • Data Loss Prevention (DLP)
  • Security Information and Event Management (SIEM)
  • Network Behavior Anomaly Detection (NBAD)

A strong QA testing company that follows cyber security best practices has a robust system in place for detecting malicious traffic on the network. If you ask the right QA testing questions, the QA provider should explain how they are able to:

  • identify suspect activity
  • effectively connect the alerts to actual human activity
  • take swift action against those events

5. What Is Your Incident Response Mechanism?

Suffering a data breach hurts. And it’s especially painful when you have no plan of action afterward. By asking the tough QA questions now, you’ll know if the QA provider understands how to recover from a cyberattack.

When a QA provider follows cyber security training best practices, they have already established a comprehensive response plan that outlines key actions (and who is responsible for executing each action) after an attack. A well-written plan can shorten the time it takes from initial breach to first response, setting in motion a coordinated response effort by the team.

6. Have You Established an Organization-Wide Awareness Campaign To Educate All Employees on Cybersecurity?

Just like your physical and logical security safeguards, employees at a QA testing company can be hacked. Cybercriminals know what to say to trick, deceive, or manipulate almost anyone into taking an action that grants them access to the network. These “client-side” attacks can include spear phishing, browser-based attacks and other forms of social engineering.

That’s why it is a cyber security best practice to treat human decision-making as an effective line of defense. Ask QA testing questions on how a potential QA provider trains their engineers in identifying, taking action against, documenting, and reporting client-side attacks.

7. How Do You Assess Employees’ Security Understanding?

These kinds of QA questions get to the core of how serious your potential QA provider is about cybersecurity. A strong QA testing company can give a detailed answer that involves a best-in-class security awareness program and regular review or testing. For example, the QA provider should explain why API testing in cybersecurity enhances the understanding of security across their QA team.

Remember that human error accounts for nearly all major security breaches. And because human QA engineers are essential within every testing cycle, it’s up to the QA provider to keep their testers up to speed on cyber security best practices.

8. What Best Practices Do You Follow For Cybersecurity?

Your QA provider should take a layered approach to security. Your top cyber security questions should address these cyber security best practices:

  • Formal information security governance
  • Data backup policy
  • Insider threat detection and management
  • Vendor, contractor, and employee monitoring to prevent data loss
  • Security education and training
  • Regularly updated software and systems
  • Thorough incident response playbook
  • Maintained compliance certification

Where should you start asking your cyber security questions? Consider contacting a QA provider like QASource. Our team of testing experts is highly skilled in security testing and enforces the strictest cybersecurity protocols to combat today’s most challenging cyber threats. Get in touch with a QASource expert today.
