Security Testing Is A MUST; What Are You Up-To?

Santhosh Tuppad
Director & Senior Tester, Moolya Software
Santhosh Tuppad is the Cofounder & Senior Tester of Moolya Software Testing.
When the internet and the first few websites were born, there were very few hackers. As time passed, more and more skilled hackers emerged who wanted to exploit security vulnerabilities in web applications as well as in licensed stand-alone desktop applications (they are good at cracking licenses). This makes it challenging for software testing service providers and product companies to expand their focus beyond other quality criteria such as functionality and performance; however, in my experience, most companies do not go beyond the functional aspect of the software.

Why should one be worried about security?

Would you be happy to see all your chat messages with your fiancée made public?
Would you be happy to see your private pictures accessed by a hacker and made public?
Would you be happy to see your personal information revealed to a third person?
Would you be happy to have your business uptime affected by a DDoS attack launched by a hacker?

You could ask yourself many questions like the ones above. As an end-user you would not like any of these things to happen to you, so why is there no seriousness about them for your customers when you are the tester? There absolutely has to be seriousness about the security aspect of the software you are testing. I do see some organizations focusing on security now, but they lack good security testers who have the mind-set and skill-set; instead they look only for tool-smiths who lack that mindset and skill-set and just click a button, enter a URL and generate a report. Come on, those are not security testers. Please!

Okay, all this history and the current situation is fine. Now, tell me: what the hell should I do?
I do not want to start off with technical gyaan. I would like you to ask yourself the questions below, and if the answer to most of them is "Yes", then go ahead and read on.

Questionnaire for security testing aspirants:

Can I develop an interest in security testing?
Can I invest money in credible workshops on security testing?
Can I choose not to chase certifications that focus only on theory?
Can I invest time in meeting security researchers?
Can I invest in credible conferences, meet-ups, etc.?
Can I invest time, energy and money in reading hacking books?

You can even expand the questionnaire by self-questioning.

How does it feel? It's not a cakewalk. If you are game for the challenges, then write your learning plan and follow it in a stringent manner. There is a plethora of things to be explored in the security testing area for web applications, desktop applications, client-server applications, mobile applications and more. For a starting guide, you could refer to my blog post "How do I start security testing?". Follow the guidelines in it and you will see a tremendous change.

I am not here to answer boring questions like:

How much can I get paid for security testing projects on a crowd-sourcing platform?
How much of a pay hike will I get if I do security testing?
What certifications do I need in order to get more pay?
And many other questions that I do not like to answer.

Do it if you are interested, or else continue doing what you are doing. If I see interest in an individual, I can provide continued help or guidance free of cost. That's all I can offer you, and it is a great opportunity for you folks.

If you are wearing a manager's hat or a management hat, you might be concerned about how this will save costs. Below is my understanding of how the costs could be cut down.

"If some of the testers who are not doing anything beyond functional testing start a group for learning security testing, they can begin by talking about hacking with their peers and then put their learning into practice on the projects. By doing this, your organization need not go to third-party vendors dedicated to security testing your software. You would save lots of $$$ for your organization while you also gain knowledge about something you did not know before. That sounds really cool."

So how about starting to test for security and giving a "Secure Experience" to your end-users?

Well, how about some challenges to start off with? I have created two exercises: the first is about cracking the password and the second is about cracking the username. The URL(s) go below; if you crack them I would like to know how you did it and how much time it took you. What was your strategy? Did you keep typing the strings one by one, or did you do something smarter? This could be a challenge even for those who call themselves test automation folks. Just knowing how to automate is not enough; your test data matters, and if you do not know that, it might turn out that "A fool with a tool is still a fool" (credits: Marshall McLuhan).

Okay, time for the challenges.

Challenge 1:
Username: testing
Password: You_got_to_crack_this

Challenge 2:
Username: You_got_to_crack_this
Password: testing

Before ending, I want to say this:

"One life, rock it" - Santhosh Tuppad

Happy testing!
