My Testing Journey – Discovering security Testing

This year has been a very steep learning curve for me, but all in a good way!

Career wise I was initially perhaps a little bit lazy. Graduating from university in 2008 I only knew I wanted to stay in the city I was living in, but had no idea what to do. Being a native German speaker it felt natural to seek out jobs that looked for fluent German as a must have skill and this is how I ended up at a 3rd party games localisation company that has since moved to Canada, due to tax breaks.

I never thought this was a proper job, maybe because I liked it and was good at it, and from the people around me you never got the feeling that a job is an activity you may enjoy.
This attitude made me look for other things and I found the ultimate “I hate it” job…Credit Card sales.
Two years of that and I fell back into localisation testing of an online MMO for very young kids ~6 to 11 year olds.

I must admit I didn’t quite feel fulfilled finding spelling/grammar mistake and stating for the nth time that the text box will not fit the German translation ( I will just say Donaudampfschiffahrtselektrizitätenhauptbetriebswerkbauunterbeamtengesellschaft).

This did have a positive though, because I met a very close friend of mine who taught me so much about the bigger software testing world out there! Hence I moved into functional testing. 
Initially I became a front end web application tester, but this year has seen me dabble with APIs, research and perform(to an extent) load testing, dabble with databases, learn a bit of programming and last but certainly not least security testing.

I am so fascinated with security testing! Maybe because it makes me think of hacking and I find it such an amazing skill to be able to understand someone else’s architecture in terms of a web app or website.

This brought me to finding the Evil Tester’s talk and slides about “Confessions of an Accidental Security Tester”.

His talk and slides really made me feel like I can do this! I just need to practice and live and breathe the “what if” question and apply it to all levels of a system! With it you can identify data injection points and accidentally find security problems.
He states that he has bad habits. Maybe I can develop these too!? I have started to have the developer tools of all browsers I use open and try to understand and inspect the web forms.

My next aim is to start learning tools such as Fiddler and Zap!

I loved that he mentions that bad websites made him develop these bad habits because they blocked him from performing an action so he bypassed the issue and managed to perform the desired action!

“Just a cruddy Guy/Gal”

Requests that are sent are of 4 types:
  • create
  • read
  • update
  • delete

Applying and understanding these may be a good starting point. Having been part of a team using a Restful APIs I have been learning more about these Http requests and their responses and good standard to follow as well as bad standard to follow. All of these experiences can contribute to security testing! Not sure what I did not think so but if I can apply these learnings anyone can!

The talk goes on to mention other things to be aware of and to consider when attempting to understand the technology behind what you are testing:
  • url
  • cookies
  • paylods
  • form fields
  • dom
  • http methods and headers
  • etc

I had not ever really thought about it but by using a proxy you can add break points and amend the request and maybe get a new response.

A tip, the more javascript the more client heavy the application will be. All of these facts contribute to the tester being able to model the application under test.

Start to think about the model from a risk perspective. He goes on to so find a way to ask the system questions to help it stop its bad behaviour.

By doing so we as testers can change the risk profile of the application and understand it better.

What I also loved was that he says we do not need special tools, we can apply our normal tools to security testing as they improves our ability to observe and model the system. Once we model the system ask “what does this imply?” And last but not least do not trust the client – shouldn’t be able to amend the dom and send a different request.

I found this talk very accessible. It took aware my “fear” of security testing and gave me confidence that I can do it too! I am not claiming as well as the real specialists out there but at least well enough that we may not need to hire security specialists more than once a year … hopefully.

Is there a skill you would love to learn and be a specialist at? Are you a specialist already?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s