Software developers will find it increasingly difficult to maintain software quality in cloud-based projects, due to the complexity inherent in their environments.
According to the latest results of a project by the Austrian Science Fund FWF, unexpected weaknesses can suddenly emerge even in mature, successful cloud projects.
Ruth Breu, head of the Institute of Computer Science at the University of Innsbruck, is leading the three-year project. She said: "The nature of current IT systems is that they use interconnected services where the system has lots of interfaces."
She warned that, in such environments, the systems the application connects to may change quickly. "You do not have full control of the changes and the dependencies. When something changes, it can impact security," said Breu.
Breu's team has worked for the last year on improving security in applications that use cloud services.
She said: "It is a matter of quality management. In the future you will need more automated processes, because too many things are handled in a manual way."
Breu said that, by starting with a baseline level of quality, it should be possible to measure the impact of changes. From a security perspective, testing needs to be split from the knowledge of the vulnerabilities, Breu explained. "The testing can be fully automated, while the expert knowledge can be formalised."
Breu's research team is investigating how to develop a tool that could use machine learning techniques, with vulnerability databases, to focus on automated testing for SQL injection and cross-site scripting vulnerabilities.
"Our work initially tended to be guided by theory. But we also wanted to demonstrate the practical relevance of our deliberations," she said.
"So we performed real-life tests which checked reactions to common problem situations such as SQL injection attacks."
The researchers initially relied on software they had written themselves to do this. The team has also been using publicly available test systems, where it claims it can reliably identify 90% of all weak points.
The researchers hope the tool will be able to learn to use the knowledge to improve detection of security bugs.