Security Testing: What Testers Can Do
Thousands of times each day, network perimeter defenses fail to recognize new and obfuscated attacks. Rather than attempting to bolt on security with firewalls, Declan O’Riordan asserts that project teams must design, code, and test security into applications—and that requires skills that are in short supply. As testers, we need to recognize which security tests we can perform ourselves and which we must delegate to experts. Let’s stop passively accepting designs that are weak on security and instead analyze the security features before we plan the system testing. As a tester, examine how the developers are coding and verify that they follow secure coding guidelines. Work through a security testing example and identify its authentication, access control, and session management functionality. Acquire the skill to distinguish the tests you can handle—e.g., incomplete validation of credentials and unprotected functionality—from the tests you need to delegate to experts—e.g., brute-force login and predictable session tokens.