
No security testing? Then be ready for nightmare

Most of the applications released to the world are never tested against security quality criteria. Yet most of them confidently state, “Our privacy policy safeguards you against hackers and attackers,” which is a fake promise rather than a privacy policy. I have seen web applications used by a large number of people that still contain common security vulnerabilities. Product owners may be happy with how many registrations they are getting, but they should always sleep with the skeptical question, “When will my product be hacked?” Personally, I would put it this way: as long as hackers stay away from your product you are safe; when they get onto your product and hack it, it is a NIGHTMARE for your customers and for you as a business owner.

Non technical product owners do not understand security
As a white-hat hacker I have reported security vulnerabilities to product owners by e-mail. Some responded once and then neither cared to understand the vulnerability nor fixed it. Some did not respond at all, even after many gentle reminders; it looks like I had to send a rude reminder, LOL. In the end I do a responsible disclosure through platforms like CERT, Keeda Null and others. They try to get in touch with the vendor and see whether they can get it fixed, but even that is not certain; however, I can go to full disclosure after the stipulated time if the vendor does not fix it despite being notified.

Most of the companies do not educate customers about security
A customer provides requirements that should help him or her in his or her business. Not all customers are technically sound. In such cases, the technical people at the company should educate them about security; sadly, most companies are not serious about this and just want to deliver what the customer asked for and get a huge amount of money transferred to their bank account. In the end the customer goes for a toss while hackers sit on the product and rule it. Where is the problem? As I see it, either the company does not have technical people who understand security, or the company does not want to educate customers even when it could at least try.

We do not have security testing team
This is something I hear from organizations: “We do not have a team of testers who can test for security.” In my opinion, testers can learn to test for security. This comes from personal learning, and passion is a must. After learning, if testers can spend at least 1 hour on the mission of testing for security, I think that will help them and help the organization in return. Testers, are you game to learn security testing? The answer should not be “We do not have a security testing team.” Rather, it has to be “We will build one.”

Suppose the testers at your organization do not have the skills to test for security and, for whatever reason, are not willing or able to learn them. What you can do then is hire security consultants or ethical hackers who can do an awesome job and help you uncover the security bugs. Search on Google for security testing aspirants or ethical hackers and I am sure you will find a bunch of them. Well, you can even hire me :D

Tester: How do I start security testing? / Whom do we hire for security testing?
The answer is pretty simple: start practicing, read hacking books, confer with IT security professionals, and think like a hacker. Here are some resources that can help you start off with:
a. http://securitytube.net/ – Security testing / penetration testing videos and tools.
b. http://hackthissite.org/ – You can test your skills here. The exercises are good enough to help you assess your skill level.
c. http://owasp.com/ – I just love this.
d. Hacking for Dummies by Kevin Beaver – You can also get the e-book version for free if you search for “Hacking for Dummies” at http://issuu.com/

The things above are enough to start off with. It will take many days to finish these activities. Well, it is not about finishing; it is about exploring more and more of what you read and what you analyze. Do not just read it and say, “I finished it.” After reading, you have to question yourself: “What progress have I made? How am I able to test for security?”

More information
If you would like to learn more and need some information from me, you can reach me on Skype at “santhosh.s.tuppad” or tweet @santhoshst. I hope you had a good read (at least a few of you).

SanthoshTuppad

Software Tester, Product Innovator, Security Enthusiast at #StealthModeStartup#
I have been a software tester for over 5 years. I am a hands-on tester and I have been winning bug battles and testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad and Chennai; invite me to come to your location) and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health and fitness, and many others. I mentor budding entrepreneurs, testers and teams in any profession.

3 Comments

  1. My curiosity has been aggravated tenfold to attend your session @BugdeBug.

    Eagerly looking forward to it.

    Regards,
    Sunil

    Friday, March 9, 2012 at 3:32 am | Permalink
  2. Sunil, Thanks for your comments. I am glad that you want to attend my workshop on security testing at bugdebug. I am sure it will be valuable for you. The eagerness to see you in my workshop is on this side too.

    – Santhosh Tuppad

    Friday, March 9, 2012 at 3:32 am | Permalink
  3. Very nicely articulated post, very informative indeed. I agree with you that “No security testing? Then be ready for nightmare” is very well said. Security testing is one of the most crucial aspects that can’t be left out. Thank you for sharing this post.

    Thursday, May 3, 2012 at 10:54 pm | Permalink
