
Security Testing – Help keep your customers from being victimized

Hunger for data

Hackers are always hungry for data: a treasure they can sell to your competitors or use for their own purposes. They are constantly on the prowl, and big organizations are their targets, because a breach there makes big news and yields the data of millions of customers. Take retail giants like Amazon, Wal-Mart and Tesco: millions of records sit in their databases, and security is crucial for them. There is no such word as “compromise” in this context; compromising on security is equivalent to negligence, or to compromising your customers' privacy. So, if hackers are hungry for data, skimping on security is like presenting yourself as bait.

Safeguarding from the hackers

Identify vendors who have skilled hackers who can hunt for security bugs, or find security testers in a consultant role and get them on board; if you have skilled in-house testers, that will do as well. Do not go to a vendor who just blindly runs a tool and says “these are the vulnerabilities”. Agreed, the tool ran some checks and reported some vulnerabilities, but that is only what the tool is programmed for, and I personally would not call it security testing. A tool gives you some information, whereas you need skilled exploratory testers to show you a whole colony of security bugs. Security testers use different techniques and explore in many different ways depending on the application; they think about which features could make a social engineering attack the entry point for exploiting a vulnerability, and much more. You have to find a good, geeky, skilled security tester, consultant or researcher who has been in hacking for many years; not just years, but years of extensive hands-on experience. This is one way you can safeguard yourself from black hat hackers.

Attitude of (Most or Some) Dev Folks

I have personally experienced this: I reported security vulnerabilities and the development team did not fix them; however, when the report came from a third-party vendor and it contained the same security vulnerabilities that I had reported, they fixed them. Now, this speaks of an attitude of taking things lightly. They fixed them because they had paid the vendor some cool money. So, this speaks about the attitude towards the product. You are working to give a good enough quality product to your customers, rather than slipping away from fixing these security bugs. Personal discipline is very much required, and it should be learned if it is lacking. I do not deny that I have seen developers with a good attitude and good thinking skills with respect to security bugs, but sadly they are very few, just like good testers are very few.

Crime / Robbery / Impersonation due to security bugs

You could laugh at this, but your laugh will end when you realize it is true. Just look at past incidents that happened because of security loopholes in a product, where someone got hold of a girl's confidential data and then started abusing, torturing, blackmailing and sexually harassing her, and other such evil things. Put yourself, or a family member, in the shoes of the person in a situation like the example above. What would you do? Would you sue the company? Yes, indeed. I hope I need not explain the impact any further. You must have understood it by now.

I stop here and I scream, “Are you the next victim?”

SanthoshTuppad

I have been a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad & Chennai; invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

4 Comments

  1. Deepak Malladad wrote:

    Hi Santosh,

    I have a doubt.

    Recently I was testing the application. I changed my system date and time to, say, 10 years ahead. Suddenly the secured application (HTTPS) started showing as “Untrusted connection”.

    On what should this depend? On the system date and time?

    Thanks in advance.

    Tuesday, November 27, 2012 at 1:07 pm | Permalink
  2. No, this needs to depend on the server time. If the code was deployed on your local machine while testing and your machine acted as the server, then it’s not a problem, because your local machine's time is treated as the server time.

    Tuesday, November 27, 2012 at 3:12 pm | Permalink
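Added example (not from the post or the comments), in Python, showing the date check a browser or TLS library performs on the server's certificate: the certificate's notBefore/notAfter window is compared against the client's own clock, so moving the client's date 10 years ahead makes an otherwise valid certificate look expired and the connection “untrusted”. The certificate fields, hostname and timestamps below are constructed for the demonstration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: the validity window a client reads from the server's
# certificate, in the string format Python's ssl.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),  # hypothetical host
    "notBefore": "Oct 15 00:00:00 2012 GMT",
    "notAfter": "Oct 15 23:59:59 2013 GMT",
}

# Constructed "real" client clock: the day the comment above was posted.
REAL_NOW = datetime(2012, 11, 27, 13, 7, tzinfo=timezone.utc)


def check_validity_window(cert, now):
    """Date part of certificate validation, as a TLS client performs it.

    The client compares notBefore/notAfter from the certificate against
    its own clock ('now'); the server's clock is not consulted at all.
    Returns (ok, reason).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < not_before:
        return False, "certificate not yet valid"
    if ts > not_after:
        return False, "certificate expired"
    return True, "validity window ok"


def simulate_clock_change(cert, real_now, years_delta):
    """Re-run the date check with the client clock moved by years_delta years."""
    moved = real_now.replace(year=real_now.year + years_delta)
    return check_validity_window(cert, moved)


if __name__ == "__main__":
    for delta in (0, 10, -10):
        ok, reason = simulate_clock_change(SAMPLE_CERT, REAL_NOW, delta)
        state = "trusted" if ok else "UNTRUSTED"
        print(f"client clock {delta:+d} years: {state} ({reason})")
```

Moving the clock backwards by the same amount fails the other bound (“not yet valid”), which is why a wrong client date in either direction produces the same kind of browser warning.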
  3. Deepak Malladad wrote:

    Thanks santosh.

    Tuesday, November 27, 2012 at 8:20 pm | Permalink
  4. Hi Santhosh, nice article. Lack of poor quality product directly translates into loss of business for most customers. That is even more true in terms of security, wherein the impact is way, way higher.

    And I also agree about the attitude of some devs; I think this is not only true for security-related bugs, but also for other bugs. But as I already mentioned, the impact of security bugs is much higher.

    – Rajaraman R
    http://programmersmotivation.com

    Monday, October 28, 2013 at 7:58 pm | Permalink
