Non-technical product owners do not understand security
As a white-hat hacker I have reported security vulnerabilities to product owners; I have written e-mails. Some responded once and later did not care about understanding the security vulnerability, nor fixed it. Some people did not respond at all, even after many gentle reminders; looks like I had to send a rude reminder LOL. Then I finally do a responsible disclosure using platforms like CERT, Keeda Null and others. They try to get in touch with vendors and see if they can get it fixed, but it is still not certain; however, I can go full disclosure after the stipulated time when the vendor doesn’t fix it even on notification.
Most of the companies do not educate customers about security
A customer provides requirements which should help him / her in his / her business. Not all customers are technically sound. In such cases, the technical people at the company should educate them about security; however, it is sad that most companies are not serious about it. They just want to deliver what the customer asked for and get a huge amount of money transferred to their bank. In the end, the customer goes for a toss while hackers sit on the product and rule it. Where is the problem? The problem I personally see here is that either the company does not have technical people who understand security, or the company does not want to educate customers even when it could at least try.
We do not have a security testing team
</gre_replace>
<gr_replace lines="6" cat="clarify" orig="This is something">
This is something that I hear from organizations: “We do not have a team of testers who can test for security.” In my opinion, testers can learn to test for security. This comes from personal learning, and passion is a must. After learning, if testers can spend at least 1 hour with a mission of testing for security, then I think that must help, and it helps the organization in return. Testers, are you game to learn security testing? The answer should not be, “We do not have a security testing team”. Rather it has to be, “We will build one”.
This is something that I hear from organizations saying, we do not have team of testers who can test for security. In my opinion, testers can learn to test for security. This comes from a personal learning and passion is a must. After learning if testers can spend at least 1 hour with a mission of testing for security, then I think that must help and also helps organization in return. Testers, are you game to learn security testing? The answer should not be, “We do not have security testing team”. Rather it has to be, “We will build one”.
Let us say the testers at your organization do not have the skills to test for security, and they are not willing or able to learn for whatever reason; then what you can do is hire security consultants or ethical hackers who can do an awesome job and help you uncover the security bugs. Search on Google for security testing aspirants or ethical hackers and I am sure you will find a bunch of them. Well, you can even hire me :D
Tester: How do I start security testing? / Whom do we hire for security testing?
The answer is pretty simple: start practicing, read hacking books, confer with IT security professionals, and think like a hacker. Here are some of the resources that can help you start off with:
a. http://securitytube.net/ – Security Testing / Penetration Testing videos and tools.
b. http://hackthissite.org/ – You can test your skills here. Good enough exercises to help you in assessing your skill levels.
c. http://owasp.com/ – I just love this.
d. Hacking for Dummies by Kevin Beaver – You can also get the e-book version for free if you search for “Hacking for Dummies” at http://issuu.com/
The above is just enough for you to start off with. It will take many days for you to finish the above activities. Well, it is not about finishing; it is about exploring more and more of what you read and what you analyze. Do not just read it and say, “I finished it”. After reading it, you have to question yourself: “What progress have I made? How am I able to test for security?”
If you are looking to learn more and need some information from me, then you can Skype me at “santhosh.s.tuppad” and tweet @santhoshst. I hope you had a good read (at least a few of you).
My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, and teams in any profession.