What Testers Need to Know about Security
It’s easy to overlook certain aspects of testing when you’re working on a multilayered application. You want to make sure each piece of intended functionality is fast, responsive, and maybe most importantly, does exactly what it’s supposed to do.
But if you fail to create a secure application, users aren’t going to trust your product—no matter how speedy or useful it is.
Every tester should keep an eye on the security vulnerabilities that might be lurking in the application under test. But speaking in an interview at STARWEST 2016, Jeff Payne, the CEO and founder of Coveros, explained why you need to put a focus on security very early in the process.
“If you can find it earlier and fix it, it's going to save you a lot of downstream trouble. You don't really want to wait till the end,” Payne said. “Pushing it earlier and getting your developers to understand how to build things to be secure—how to get your testers to learn how to do some security testing—is going to significantly decrease your risk. You're not relying on the people that show up at the end to pull it out.”
If you let a problem linger for long stretches of time, it becomes more and more difficult to remedy. What started as a simple mistake at the beginning of development can become so interwoven with the rest of your application that it takes weeks to weed it out of your systems.
For security testing, just like many other aspects of testing, you need to shift left. Test for security earlier than you have in the past so that quality is assured by the time development wraps up. This will also ease the minds of your users, since they will be trusting their information to a team that devoted time and resources to protecting it.
“It's hard to pull it out at the end. It’s no different than if you wait till the end to do your system testing. If you wait till the end, it's a needle in a haystack to find problems,” Payne continued. “It's the same in security. You're not going to find all those vulnerabilities if you're coming at it at the end of the lifecycle, and you have a fixed amount of time and you're doing some red team or penetration testing.”
All testers should have security on the mind. Make sure your testing techniques are solid, and be sure to check the security of your applications early and often.