Security Testing is not about running the tools alone

If things were so easy that tools would do the brainy work, humans should have done something else. Now, tools are what a human makes and they are designed to do however they have been programmed. Well, I am not saying running tools for security testing for your web apps or mobile apps is not good; but I am emphasizing on the fact that "Only running tools will not help if there is no brain behind it". You can relate to following something blindly without knowing the minute pieces of it.

Now, you got the context I hope. I have seen many testers who want to learn security testing and have failed miserably in learning it. Why? Its hard to provide a reason which may convince the audience. Like hackers just can hack for whatsoever reason, testers couldn't learn security testing for whatsoever reasons.

Testers who have been doing functional testing for a while always ask me about, "What tools can I use to do this?" Argh! This is the question that used to piss me off. However, I am much calmer now and understand testers while I try to answer them in better way. I insist them to build the mind-set and skill-set in parallel. Yes, in parallel and not really mind-set first or skill-set last (vice-versa).

I have been into hacking since 16 when I was in my school. Now, no one spoke to me about hacking or taught me hacking, I was curious and I started to dig more deeper about it. I may give credit to my financial problem when I was 16, I mean I did not have money to pay for internet dial-up packages. So, I learned about dial-up hacking where I need not pay for the package and use someone else bandwidth. And here it was not about TOOL but my BRAIN which designed this idea. And later was the search for a tool which can aid this activity.

So, you see it is crucial to generate the tests first and these tests need to be designed by your brain and not just the tool.

Both mind-set and skill-set are important. Even if you leave one, it is incomplete. Period.