Why Testers Need to Explore Security

The festive season is over with the start of the new year and everyone has most likely gotten back to speed. While I was looking for another voice to share their experience during the past few months, one of my friends casually asked me, “Where is your voice?”

That aha moment prompted me to write this January newsletter, featuring myself, to share an aspect of software testing that I’m curious about.

Tell us about your career journey?

I pursued Computer Engineering back in my (then) hometown and took up the first available job in the aerospace industry as a developer. Back then, it was the good old C language. After a brief period, I went on to pursue my do-it-before-30 dream of teaching high school students O-level Math and Computing for a few years which really strengthened my administrative and human skills. During that time, I also mentored students to prepare for their Robotics competitions locally and internationally.

Following those rewarding years, I returned to the IT world and pursued an area different from development, software testing, which was a breath of fresh air given my innate need for variety at work. For most of my early years I worked in various domains, ranging from telecom and advertising to education and big data, which gave me a broad perspective on many aspects of testing while deepening my expertise in automation. The last seven years have been predominantly in the financial industry, which has given me insights into why testing and testers need to evolve and make themselves heard.

What do you like about testing?

Software testing has an open scope.

Let me explain.

While the functionality to be tested has scoped requirements and specifications, testing has a bigger scope for the amount of testing that can be potentially done.

While we only work on a subset of what is relevant for testing the functionality, it gives us the opportunity to deploy various skills, tools and techniques to ensure we’ve tested well.

Also, the testing industry continues to evolve, with various domains popping up, satiating our curiosity to learn and apply techniques.

For example, 10 years ago, security testing was only important to industries like finance, but now, with the growing risks of cyberattacks, it has become a necessity. 10 years ago, we didn’t have as many online businesses but now, the tables have turned and we have fewer businesses operating from a physical location. This has made performance testing crucial for the majority of the companies with digital products.

Testing has therefore felt like a sports arena with a lot of tools, techniques and strategies. What works for one match may not work for another. What tools work for one company, or even one team, may not work for another. You have to experiment, determine what works best for the organization, and continue to evolve the strategy with technology, processes and people.

What made you curious about security testing?

Here is a quick story. Several years ago, I joined a bank, and during one of the quarterly releases the code changes had to go through ‘pen testing’ (a term I had no clue about back then) by an external vendor. The security testing report revealed a couple of issues with access control. Reading in the report how the issue could be reproduced, I tried out the steps and realized that I could have picked this up earlier if I had been aware of Access Control Levels (ACL). I felt responsible for not finding those issues. Fixing the issues, redeploying and retesting them cost time and added pressure because we were close to the release schedule.

Since then, I have been personally invested in security testing and have taken up any opportunity I could find to learn about it. While I am not an expert, I have learnt from expert developers some key ways to test for security earlier in the development phase, and have made efforts to incorporate security into testing and automation.

Why should testers care about security?

With relentless data breaches, cyber security attacks and high-speed transactions, security testing is no longer an afterthought. Customer loss due to security issues is expensive and irrecoverable.

If your house was broken into through a lock you had personally bought for its good quality, how would that make you feel?

As testers, we have embarked on a mission to ensure high quality. It is our responsibility to care and be proactive about every quality aspect of the software, including security, and to raise it with the teams. Other departments may be officially responsible for security, but that shouldn't stop us from speaking up when we identify a potential security issue.

How can security testing be embraced?

While some parts of security (mainly the terminology) can feel intimidating to software testers, the strategy is to navigate the security landscape starting from what you are familiar with.

Start from the functionality you are testing. Naturally, you test against the requirements, but you also probe where the functionality is unreliable or prone to errors, and that includes security.

Consider these points:

Input fields - Have we ruled out risky characters? Fuzz testing can help by generating inputs from pre-set lists. One of my go-to sources is the "Big List of Naughty Strings", which can easily be hooked up to tools or code. There are also browser extensions that can help you come up with malicious inputs.

Access control - This is where the majority of security issues lurk. Is the functionality restricted to certain roles? Which page is it available on? Is that page permissioned correctly?

Test for permission breaches by logging in with lesser permissions and attempting the higher-privilege functionality. If you are testing a website, do not stop at the front end; go one layer further and check the web APIs.
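One way to make the role-versus-endpoint check systematic is a permission matrix test that calls every endpoint as every role and compares the outcome with the expected contract. This is an added example, not code from the article: the endpoints, roles and ALLOWED contract are assumed, and fake_api is a constructed stand-in for a real HTTP client that deliberately omits the server-side check on one admin endpoint so the test has something to catch.

```python
"""Permission-matrix check: call every endpoint as every role and compare with the contract.

Added example. ALLOWED and the roles are assumed; fake_api is a constructed stand-in for
a real HTTP client and deliberately skips the server-side check on the export endpoint.
"""
from typing import Callable, Dict, List, Set, Tuple

# Assumed access-control contract: which roles may call each (method, path).
ALLOWED: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/api/accounts"): {"customer", "teller", "admin"},
    ("POST", "/api/accounts/close"): {"teller", "admin"},
    ("GET", "/api/admin/users"): {"admin"},
    ("POST", "/api/admin/users/export"): {"admin"},
}

Client = Callable[[str, str, str], int]  # (role, method, path) -> HTTP status


def fake_api(role: str, method: str, path: str) -> int:
    """Constructed system under test: the export route relies on the front end hiding the button."""
    if path == "/api/admin/users/export":
        return 200  # no server-side role check: the breach the matrix test should catch
    return 200 if role in ALLOWED[(method, path)] else 403


def find_violations(client: Client, roles: List[str]) -> List[Tuple[str, str, str, int]]:
    """Report (role, method, path, status) wherever access differs from ALLOWED.

    A violation is a denied role receiving 2xx, or a permitted role not receiving 2xx.
    Swap `client` for a function that makes the real request with that role's session.
    """
    violations = []
    for (method, path), permitted in ALLOWED.items():
        for role in roles:
            status = client(role, method, path)
            granted = 200 <= status < 300
            if granted != (role in permitted):
                violations.append((role, method, path, status))
    return violations


if __name__ == "__main__":
    for breach in find_violations(fake_api, ["customer", "teller", "admin"]):
        print("permission breach:", breach)
```

Because the matrix is data, adding a new endpoint or role is one line, and the same check runs against the API layer regardless of what the front end hides.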

API Request and Response - Do not focus only on the response status code in your testing. Response bodies and response headers often give away more than was requested and reveal information about the tech stack in use.

For a JSON response body, each field can be permuted and fuzzed. For request URLs, the paths can be manipulated. Understand the common API vulnerabilities and raise your awareness so you can design better tests with smart scripting.
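A small response checker makes the "more than what is requested" point concrete: it flags headers that advertise the server stack and body fields that are not in the documented contract, including nested ones. This is an added example, not the article's code; the header watch-list, the sample response and the contract are constructed for illustration.

```python
"""Flag responses that reveal the tech stack or return fields beyond the API contract.

Added example: the headers, body and contract below are constructed for illustration.
"""
import json
from typing import Dict, Iterator, List, Set

# Headers that commonly advertise server software (assumed watch-list, extend as needed).
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def _key_paths(obj, prefix: str = "") -> Iterator[str]:
    """Yield dotted key paths of a parsed JSON value; list items share their parent's path."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = prefix + key
            yield path
            yield from _key_paths(value, path + ".")
    elif isinstance(obj, list):
        for item in obj:
            yield from _key_paths(item, prefix)


def find_exposures(headers: Dict[str, str], body: str, contract: Set[str]) -> List[str]:
    """Return one finding per fingerprinting header and per undocumented body field."""
    findings = []
    for name, value in headers.items():
        if name.lower() in FINGERPRINT_HEADERS and value.strip():
            findings.append(f"header {name} reveals stack: {value}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return findings + ["response body is not valid JSON"]
    for path in sorted(set(_key_paths(data)) - contract):
        findings.append(f"undocumented field in body: {path}")
    return findings


# Constructed sample: a balance lookup whose contract only promises id, name and balance.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3"}
SAMPLE_BODY = '{"id": 42, "name": "Test User", "balance": 100.5, "internal": {"db_host": "db-01"}}'
CONTRACT = {"id", "name", "balance"}

if __name__ == "__main__":
    for finding in find_exposures(SAMPLE_HEADERS, SAMPLE_BODY, CONTRACT):
        print(finding)
```

Run the same check over each API's recorded responses in your automation suite, with the contract taken from the API documentation, so a new undocumented field or a reintroduced Server header fails the build.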

Logs - Logs could be a whole topic by themselves. For potential security risks, look at the test data you work with and identify which types are Personally Identifiable Information (PII). First, ensure the test data is not the actual data of real people; sanitizing test data is the first step. Then explore the application logs, see whether any of this PII shows up unmasked, and check with your team on whether it is a security concern. For example, you do not want to log an entire bank account number or credit card number; the best practice is to mask parts of them.

(And of course, please don’t print passwords as debug logs in your pipeline builds. I have been there, done that, and faced the consequences...)
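Checking logs for unmasked PII can be automated in the same pipeline that produces them. Here is an added example, not code from the article, that scans constructed log lines for full card numbers (confirmed with the Luhn checksum so that order ids and similar digit runs are ignored) and for account numbers following the word 'account', and reports each hit already masked so the report itself does not leak the value; the number formats are assumptions to adjust to your own data.

```python
"""Scan log lines for unmasked card and account numbers (added, constructed example).

A 13-19 digit run passing the Luhn check counts as a card number; 9-12 digits after
the word 'account' count as an account number. Adjust patterns to your own formats.
"""
import re
from typing import List, Tuple

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
ACCOUNT_RE = re.compile(r"account\D{0,20}(\d{9,12})(?!\d)", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out non-card digit runs such as order ids."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits, the masking the article recommends."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, kind, masked value) for every unmasked hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((number, "card", mask(digits)))
        for match in ACCOUNT_RE.finditer(line):
            hits.append((number, "account", mask(match.group(1))))
    return hits


SAMPLE_LOGS = [  # constructed lines: one card, one account, one already masked, one order id
    "INFO payment ok card=4111 1111 1111 1111 amount=20.00",
    "DEBUG lookup account 123456789012 status=active",
    "INFO payment ok card=************1111 amount=5.00",
    "INFO order id 1234567890123 created",
]
```

Calling scan_logs(SAMPLE_LOGS) reports the card on line 1 and the account on line 2 only; the masked card on line 3 and the order id on line 4 pass. Point it at a build's log output and fail the job when the list is non-empty.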

How to grow in the security testing space?

Put your hand up:

Let your team or manager know that you are keen to help make the software's security better. When security testing is conducted in the company, internally or externally, ask for the security report to be shared and read through it. Talk to your friendly developers to understand the report further. You'd be surprised how much they are willing to help!

Secure your test frameworks and tooling:

Apply security best practices when you work on your tests. Hold your test tooling to the same quality standard as the developed software that gets deployed. Run regular security audits and fix vulnerability findings.

Periodically scan your applications:

There are out-of-the-box security scanning tools available on the market. Start with tools that are easy to set up and use (e.g. Fiddler, Burp Suite, ZAP), work with a developer to set up a periodic scan, and understand the scope of the scan. What matters most is learning to review and interpret the results. Most tools give you plenty of information about what a finding means, with standardized codes and a good description. Refer to the CVE-ID shown on the scan to understand the issue.

Know your OWASP Top 10 vulnerabilities:

Learn what the top 10 issues across organizations are from the OWASP website and use them to ask security-focused questions during kick-off sessions, so that you raise awareness of possible risks early on. Understand these issues and integrate them when you plan and design your testing activities with your team.

Explore and secure:

Security testing is going to be an ever more important and ever growing space. Smart tooling frees up your time to explore different risk-based security scenarios. Experience and imagination are your best friends.

Can you relate? Share your voice.

The testing landscape is changing at a faster pace than ever. Embracing those changes by being open to the various dimensions of quality is imperative in the software testing industry.

How have you explored security testing in your organization? Or, did you find a security issue by accident?

Please share your thoughts in the comments.

If you would like to contribute to the newsletter with your view on testing (in any aspect), please send me a message. We really need to hear from more voices!

Thanks for reading.

Please subscribe if you would like to be notified of new publications.

Erma Mihaljevic

Capability Lead, Testing at ANZ Client Integration

2 years

Very insightful and inspirational as always Suchitra V.

Fadrian Sudaman

Technology Leader | Entrepreneur | IT Strategy

2 years

Excellent write up Suchitra V. So much that I can relate to :)
