Testing impact on security

... or the impact when testing is lacking?

Security breaches, hacks, exploits, major ransomware attacks - their frequency
seems to be increasing lately. They can result in financial, reputational and data
loss, and increasingly in the endangerment of human lives.

I don't want to suggest that testing will always prevent these situations.
There were probably testers present (and, I'm sure, often security testers too) when
such systems were created. I think there was simply a general lack of
risk awareness on these projects.

There are many tools and techniques, from a purely technical point of view, for hardening software in a security context. Some of them are automated scanners that crawl through your web application and may discover the low-hanging fruit among security weaknesses (ZAP, Burp Suite, ...) without requiring much technical knowledge from the person operating them.
The more important aspect, however, is the mindset with which you approach the product. The tester is often the first person to discover these risks, simply because of that difference in mindset.

We don't think 'how can this work?', but 'where might it fail?'

Let's look at a security approach. There is a methodology in security called 'Threat model' (or 'Threat modeling'), which shapes the security strategy before the technical details of the system are even examined. It describes risk analysis from a security point of view: it maps the set of possible adversaries who might attack our system and the vulnerabilities and attack vectors they could exploit. It helps to pinpoint the places where the system is weakest against a probable attack, so that security improvements can be focused where they matter most.

This methodology is in many respects similar to the exploratory testing mindset. Both try to learn about the system; exploratory testing is more general, while threat modelling has a narrower scope. I admit that I have not yet done threat modelling professionally. However, from testing numerous systems it is clear that something similar to threat modeling appears in the mind of a tester. When testing a system, after creating and continually refining a model of it in my head, I often ask myself where the places that might be exploited are (the "attack vectors"). There are often security defects which can be found without any penetration testing experience - buggy password prompts (revealing information or allowing unauthorized entry), data leaks, unencrypted storage of sensitive data, etc.
Usually these are not identified thanks to any specification or predefined test case (unless the focus is specifically on security aspects); you just need to look for these loose ends as you navigate through the system.
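Added example (not code from the original post) of the first defect type just listed: a toy login handler whose error text reveals whether an account exists, beside a fixed one, plus the kind of check a tester would run to tell them apart. The user store, salt and credentials are constructed sample data.

```python
"""Tester's check for an information-revealing login prompt (added example).

login_leaky answers differently for an unknown user and a wrong password,
so anyone can enumerate valid account names; login_fixed gives one uniform
answer. reveals_user_existence is the 'where might it fail?' probe.
"""
import hashlib
import hmac

# Constructed user store: username -> salted SHA-256 hex digest (toy data).
_SALT = b"example-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _verify(username, password):
    stored = _USERS.get(username)
    # Hash even for unknown users so the work done does not differ much either.
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return stored is not None and hmac.compare_digest(stored, candidate)


def login_leaky(username, password):
    """Buggy prompt: the error text reveals whether the account exists."""
    if username not in _USERS:
        return {"ok": False, "error": "unknown user"}
    if not _verify(username, password):
        return {"ok": False, "error": "wrong password"}
    return {"ok": True, "error": None}


def login_fixed(username, password):
    """Hardened prompt: one generic message for every failure."""
    if _verify(username, password):
        return {"ok": True, "error": None}
    return {"ok": False, "error": "invalid username or password"}


def reveals_user_existence(login):
    """Tester's check: do 'unknown user' and 'wrong password' look the same?

    Returns True when the two responses differ, i.e. the prompt leaks
    whether an account name is valid.
    """
    unknown = login("nobody", "x")
    wrong = login("alice", "x")
    return unknown != wrong


if __name__ == "__main__":
    print("leaky prompt leaks:", reveals_user_existence(login_leaky))  # True
    print("fixed prompt leaks:", reveals_user_existence(login_fixed))  # False
```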

TL;DR
Any person with the right mindset can make a difference in software security. In the absence of a security specialist, this person is often your software tester; I hope you have one ;)
