I was involved in an application with a program integration point made up of several projects being developed in parallel streams.

In one of our project automation strategy sessions with our Lead Developer, I asked, "How are we going to build security into our code?" Though the question came from me, it also made me think, "How am I going to test the security of these features at the project level?"

To help me with this type of testing, I sought the advice of the most experienced QA on the team. He pointed me to the top site dedicated to software security, the one that would give me the most reliable and up-to-date information.

The site is the Open Web Application Security Project (OWASP).

I would advise any QA to go over this site, but if you are in a hurry, be sure to check the Top Ten link first.

Download the file titled OWASP Top 10 – 2010: The Ten Most Critical Web Application Security Risks (or click here).

In most companies, security testing needs direction from management, since the cost involved can be quite high. But this should not prevent us at the project level from thinking of ways to make our code more secure. Security is considered a non-functional feature, but it has become so crucial to any application that I seriously think it should be part of the non-functional acceptance criteria of every story. This forces everyone on the team to always think about securing the code.

On the QA side, even a simple manual test can uncover vulnerabilities in our features. This is where a QA's human intuition is put to its best use.

This is how I intend to get myself up to speed on security testing.

  • I will begin planning my security testing by creating a simple checklist of questions.
  • I will Google "security testing checklist".
  • I will gather as many checklists as other QAs have created and shared (why reinvent the wheel?).
  • Once I have a good number of items to test, I will use them as a guide during my initial manual testing.
  • I would like to believe that my exploratory testing techniques will serve me very well in finding security issues.
  • I will add my own items to the checklists based on my own testing.
  • Then I will share my security checklist with the rest of the QA world to get feedback and give back ;-)

One of the best tips I heard from a security officer is this: "To catch a hacker, think like a hacker..." Easier said than done, but any skill can be developed over time. I say, if security testing inspires you, then I am sure this will be a very rewarding career move for you!

I found a very good YouTube presentation given by Google regarding the OWASP Top 10.