Security Testing: A Constructive Mindset with a Destructive Approach
Certain jobs inherently have a negative perception attached to them. Although software quality has the noble goal of delivering an exceptional product to end-users, the journey of getting there involves a lot of destructive work: breaking systems while finding and fixing issues.
Focusing on building a positive mindset and perception of the role a tester plays is an important challenge to address in today’s world of dynamic and global quality. A tester who is conscious of keeping a constructive mindset while having a destructive approach can greatly transform the product development landscape. However, this is easier said than done, especially in the security testing world.
A typical tester works on mimicking end-users who are intentionally constructive in using an application’s functionality. But the role of a security tester is different. Their focus is mainly on mimicking hackers, who are intentionally destructive.
The security tester’s goal is to identify and mitigate vulnerabilities through ethical hacking practices, so they have to not only look for known vulnerabilities, but also be aware of the latest threats in order to simulate new and less-known issues. This requires tight discipline with a mindset that is both constructive and destructive.
Traditionally, OWASP has served as a great set of guidelines for a security testing effort. However, teams are now recognizing that these materials and resources are just a start. A lot of other activities need to be taken up to ensure a comprehensive security testing effort.
There are two significant parts to security: vulnerability assessments and penetration testing.
Vulnerability assessments, which are largely what OWASP advocates, are a defensive approach to security: the tester follows guidelines and standards to determine what vulnerabilities an application is prone to. This can be compared to a regular set of test cases in a functional effort being used to ensure the tests pass and determine failures.
Penetration testing is an offensive approach that requires a destructive mindset to break the system, like a hacker would. This can also be mapped to a rigorous exploratory testing effort, where the tester tests all nooks and corners of the system without bounds to determine the outliers.
For example, security testing teams have recently been exploring unknown territories, such as hacking into limited Wi-Fi ranges and leveraging the internet of things and drones to extend their bounds beyond the traditional application-level test effort. Such ethical destructive approaches are opening new possibilities to test and further secure applications and networks from malicious attacks.
A solid test strategy is one that balances both constructive and destructive efforts, regardless of the attribute under test. While this strategy can be defined at a team level, at an individual level, each tester needs to buy into the idea that for an overall successful career, a constructive mindset with a destructive approach is essential. This will enable the tester both to thrive and to deliver quality products with a confident assessment of their security.