MANAGEMENT DOESN’T UNDERSTAND THE VALUE MOST OF THE TIME
We have known this for a long time, and it is hard to figure out the reasons behind it: why management doesn’t agree to this, or why management doesn’t understand this. In the end it may be a business reason; however, that should not come at the cost of leaking customers’ sensitive data. It takes a technical person who knows what hacking is and what its after-effects are, and only such a person can make a decision in an appropriate way.
ETHICAL HACKING COURSE IS NOTHING
One of my students enrolled in an Ethical Hacking course, and once he scored great marks in it, I asked him to hack into a neighbor’s WiFi network by giving him a laptop. His response was, “I cannot do it; I only know the name of the tool that can do that, and that is Aircrack-ng”. Now, an ethical hacking course looks more like tool-smithing, where you remember the tool name and just run it without having the mindset or skill set that plays a great role in this profession. So, if you are hiring people who have done an ethical hacking course, you may want to rethink: “What else does that person need to have as skills?”
CONVINCING MOST DEVELOPERS TO FIX THE VULNERABILITIES
In my experience, I have seen product owners going live with vulnerabilities open, and I advocated that it is a bad idea. The reason they provided was that developers do not believe it will happen anytime. Another reason was that these are the only requirements and the code works according to the specifications. That sounded weird to me. I would have been happy if you had said that you do not have the skills to do it, or that you just did not want to fix it for whatever reason. Last, but not least, it is not only the developers but also the testers or the test manager in the team who would deny that it needs a fix. Like Gerald M. Weinberg says, it is always a people problem!
VERY FEW PASSIONATE WHITE HAT HACKERS IN THE INDUSTRY
We collectively lack the number of white hat hackers needed to fight the black hat guys. However, I see the change happening, and I am a man of patience. Things that take time will take time. And the people who claim they are passionate white hat hackers end up knowing some tools or utilities very well, or some techniques, and the learning stops there. That doesn’t make white hat hackers cool; what makes them cool is deep diving into learning more and more and not settling for less. Let us hope for the best in the future.
BUG ADVOCACY IS CHALLENGING
Most testers want the easy way out. I interact with many testers in India in different cities; most of them do not want to use Notepad++ when I tell them about it, and they say, “I am able to do it in Notepad”. My point is not about not using Notepad if it works for you; it is about knowing what Notepad++ has, so that maybe you can do it more effectively and get more ideas while working with it. Likewise, most testers lack bug advocacy, not only in security testing but in many other quality criteria as well. Well, no good thing comes easily. “Difficult” is one word and “challenging” is a different word. Bug advocacy is challenging; it is not about easy or difficult.
PROVIDING A CODE FIX FOR THE VULNERABILITY MAKES IT EASY TO FEEL LIKE AN EXPERT & STOP LEARNING
In some organizations, testers are asked for the code fix, as developers may find it a tricky bug or it could be challenging to fix. Now, testers may provide an algorithm or logic to help, and sometimes provide the code as well. And yes, it is easy to feel like an expert and stop your learning. Well, the best example could be “Santhosh Tuppad”, who thought he was great at security testing (well, the fact is he didn’t think so; the world thought so and still thinks so). Here is what I would love to say: while the world wants to become famous for whatever reason, I would love to go back to my learning mode and learn as much as I can in anything that I like before my death.
Following my heart in both my personal life and professional life has been giving me great happiness and happiness matters to me a lot.
While the title reads, “Why Security Testing Sucks?”, I am game for making great things happen in security testing, and I am not going to settle for less. People just shy away from anything that sucks; it is their will, and I have no comments on that. Well, I want to go ahead and do great things in the security testing craft, along with other quality criteria in software testing.