It is a common belief that testers should think like end users by going beyond the defined requirements, seeing if the application under test addresses end-user expectations, and evaluating how it fares against competition.
While this holds true for a lot of the functional and nonfunctional test areas, including accessibility, among the few exceptions is security testing. With security testing, testers have to think not only like the end-users, but more importantly like the intruding users—the hackers—and what they might do to break into the system. Just like for a home security system, you would test how usable it is and how foolproof it is. Ensuring the application is foolproof involves testing from an intruder’s standpoint to ensure all vulnerabilities are known and tested for.
Such vulnerabilities need not just be the top ten commonly leveraged Open Web Application Security Project (OWASP) vulnerabilities. For example, a post that talks about how to bypass restricted sites may be useful information in the hands of a genuine user, it can be dangerous in the hands of a hacker defeating the purpose for which the site was restricted in the first place. All of this makes security engineering a chicken and egg problem—the more solutions there are to bypass, the more test scenarios there are to try to see how they could be maliciously leveraged by hackers.
Thinking like a hacker is a mindset change that needs to start at the top, even with the chief information security officer, and move down to the engineering team, specifically the security team. Globally, application security spending is on the rise and expected to reach $101 billion this year. However, despite such a rise in spending, the mindset change in the organization to think and attack like a hacker (in an ethical manner) tops the list when it comes to cyber security.
This approach should be used not only at the web application security layer but at all levels in the security chain, including the services and network layers. When thinking like a hacker, it's not just about the scenarios you could try but also about emulating the hacker’s characteristics and attributes to have a realistic simulation—such as being patient and persistent, among others.
In everything you do during security testing, thinking and acting like a hacker with a mindset change to ethical hacking will promote cyber security at all levels, beginning with the product ideation stage.
