Security and data breaches are probably one of the biggest risks any product faces. One public incident can take a company down or at least have a huge impact on its bottom line. Not to mention what something like that does to company morale. It would follow then that security testing is very important.
However, I don’t know if you’ve looked into security testing. It is a complex and intimidating world to get into. You need a lot of specialist knowledge and a high degree of technical competence to be an effective security or penetration tester. Not all of us have the time or inclination to learn what it takes to get into this field, but that doesn’t mean we can’t contribute to security.
Good testing leads to a more secure product. There are many security concerns like cross site scripting or packet sniffing or SQL injection that you probably won’t find without at least some specialist knowledge, but there are many other things that contribute to security.
If you have code that you can understand, it will be much easier to see possible security flaws through things like code review. Cleaner code could also make it easier for security analysis tools to find flaws and vulnerabilities.
Testing can of course contribute to understandable code. Even if you don’t know much coding you can contribute. Look at code reviews, and even if you don’t know how to write code you should be able to sort of follow along with it. If the variables, methods and classes are well named and the code is well organized, you should at least feel like you have a basic grasp of what is going on. I’m not talking about finding issues in the code review, I’m just talking about being able to kind of get the gist of it. If you can’t even do that, it might be a sign that the code is unnecessarily complex or that things are not well named and structured in the code. You don’t need to be a programmer to be able to contribute to the team having understandable code.
Sometimes all you need to do is ask a question. Why do we do it this way here? What is happening here? You would be surprised at how simple questions like that can sometimes expose unclear code, and even if they don’t, you’ve now learned a little more about the system you are testing and that certainly isn’t a bad thing!
Many security breaches boil down to less technical things than something some black hat hacker does. For example, read this article about mining public passwords using Google. Doing this required a very minimal amount of technical expertise in using Google, and did not involve any of the highly technical things we often think of when we think of security hacking.
Finding ways that we could accidentally expose private information is a creative and exploratory exercise. These are skills every good tester has in abundance, and we can use these skills to help prevent security breaches. Think about creative ways people might accidentally misuse your project, or about ways that people might try to get around the limitations you have in place.
Good exploratory testing can expose many security flaws. Just knowing that code will be looked at with this multifaceted approach can help everyone in the development process think more carefully about those less than ideal ‘users’ that our products might have.
There are of course many other ways that an emphasis on quality can help reduce security threats, but at the end of the day it is going to be very, very hard, if not impossible, to ensure that there are no security holes anywhere. This is where monitoring comes into play. We need to think about how we would detect and quickly shut down any issues that might arise. Thinking about how things might go wrong and what kind of things we could check to know if it has happened is also very much a testing activity, and so here again having good testing in place on your product helps improve security.
So, don’t leave out the importance of targeted security testing on applications, but at the same time don’t forget that a big part of having a secure product is just having a good quality product and code base. Those things don’t guarantee security, but they can help improve it!