Director & Senior Tester, Moolya Software
Santhosh Tuppad is the Cofounder & Senior Tester of Moolya Software Testing.
Why should one be worried about security?
Would you be happy to see all your chat messages with your fiancée made public?
Would you be happy to see your private pictures accessed by a hacker and made public?
Would you be happy to see your personal information revealed to any third person?
Would you be happy to have your business uptime affected by a DDoS attack from a hacker?
You could ask yourself many questions like the ones above. As an end-user, you would not like any of these things to happen to you, so why is there no seriousness about them for your customers when you are the tester? Absolutely, there has to be a seriousness factor about the security aspect of the software you are testing. I do see some organizations focusing on security now, but they lack good security testers who have the mind-set and skill-set; instead they look only for tool-smiths who have neither, who just click a button, enter a URL and generate the report. Come on, those are not security testers. Please!
Okay, all this history and the current situation are fine. Now, tell me, what the hell should I do?
I do not want to give technical gyaan to start off with. I would like you to ask yourself the questions below, and if the answer to most of them is "Yes", then go ahead and keep reading.
Questionnaire for security testing aspirants:
Can I develop an interest in security testing?
Can I invest money in credible workshops on security testing?
Can I choose not to chase certifications that focus only on theory?
Can I invest time in meeting security researchers?
Can I invest in credible conferences, meet-ups, etc.?
Can I invest time, energy and money in reading hacking books?
You can even expand the questionnaire by self-questioning.
How does it feel? It's not a cakewalk. If you are game for the challenges, then write your learning plan and follow it in a stringent manner. There is a plethora of things to be explored in the security testing area for web applications, desktop applications, client-server applications, mobile applications and more. For a starting guide, you could refer to my blog post - How do I start security testing? Follow the guidelines in it and you will see a tremendous change.
I am not here to give answers to boring questions like:
How much can I get paid for security testing projects on crowd-sourcing platform?
How much pay hike will I get if I do security testing?
What certifications do I need to do in order to get more pay?
And many other questions which I do not like to answer.
Do it if you are interested, or else continue doing what you are doing. If I see interest in an individual, then I can provide my continued help or guidance free of cost. That's all I can offer you, and it is a great opportunity for you folks.
You might be concerned about how this will save costs if you are wearing a manager or management hat. Below is my understanding of how the costs could be cut down.
"If some of the testers who are not doing anything beyond functional testing start a group for learning security testing, start by talking about hacking with your peers. Then put your learning into practice on the projects. By doing this, your organization need not go to third-party vendors who are dedicated to doing security testing for your software. You would save lots of $$$ for your organization while you also gain knowledge about something you did not know before. That sounds really cool."
So how about starting to test for security and giving a "Secure Experience" to your end-users?
Well, how about some challenges to start off with? There are two exercises which I have created: the first is about cracking the password, while the second is about cracking the username. The URL(s) go below; if you crack them, I would like to know how you did it and how much time you took doing it. What was your strategy? Did you keep typing the string(s) one by one? Or did you do something else that would be a smarter way to do it? This could be a challenge even for those who call themselves test automation folks. Just knowing how to automate is not enough; what your test data is matters, and if you do not know that, then it might turn out to be "A fool with a tool is still a fool" (Credits: Marshall McLuhan).
Okay, time for the challenges.
Before ending, I want to say this:
"One life, rock it" - Santhosh Tuppad