
Gentleman's kit of a security tester: are development skills necessary?

10 July 2014
Cybersecurity testing
The article by a1qa

What skills do you need to possess? Operating systems are everywhere today. Every day we send thousands of requests via laptops, smartphones and tablets, but do we remember the security and confidentiality of our data? The article by Anna Andreeva.

What should you know to test security?

In fact, the growing use of web and mobile applications causes the leakage of users’ private information. Thus, security testing becomes an essential part of application development in general and of web app testing in particular. But what does an engineer need to know to perform security testing?

First of all, you should understand that security testing is not only about the application itself, but also about testing the environment and checking how information is transferred and stored. The QA engineer should know a lot besides programming languages.

Of course, when a tester knows the application technology, s/he understands where to search for bugs and how to fix them. For example, applications developed with ASP.NET use built-in data validation mechanisms by default, while the PHP programming language presupposes additional handling of user input.


When performing testing procedures, keep in mind that an application always runs in some operating system: on a server, a laptop or a smartphone. Therefore security testing requires knowledge of system administration and the skills of an experienced user. For example, if access to the server is provided with “low” rights, the engineer should know how to escalate rights to the admin user. To do this you'll need to understand how the registry operates and how to launch services, processes and event logging systems.

The next item on this list is knowledge of network technologies. Often hackers do not need to attack the application to get the information, because it is possible to “steal” it during the transfer process. To prevent this, you need to know the OSI model, packet structure and the network routing process.

Firewall security testing also requires special knowledge. What you should understand here is performing of checks from process incomplete, bypassing the firewall through trusted processes, and the ability of the tested product to block execution of unauthorized code in kernel mode.

SQL injection is one of the most critical OS's vulnerabilities. It provides access to the information stored in the application database. Thus, knowledge of the SQL query language and its dialects is necessary for full-scale security testing. Remember that a successful attack doesn't end with simple select requests.

In cross-site scripting, hackers integrate harmful HTML/CSS/JavaScript code into the DOM markup or into a request, which allows them to redirect the user to the necessary resource and block application processes or “steal” the session variables. To check the protection against it, you need knowledge of HTML, CSS and JavaScript.

Poor data encryption algorithms can also become the reason for information leakage. To detect this vulnerability, an engineer should know the basics of cryptography: which encryption methods protect information and which algorithms are really poor for information security. For example, the SSL v2 protocol is used to transfer data between a client and a server, and it is considered to be quite vulnerable. Specialists advise replacing it with the SSL v3/TLS v1 protocols.

On the whole, security testing demands specialized knowledge. It is not obligatory to have extensive programming skills, but you need a basic understanding of different technologies and their pros and cons. If you need to bypass data validation, you have to understand how programming languages “process” user input. To integrate an SQL request, an engineer should understand how the connection string is formed, how information gets to the database and what is returned to users.
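An added example (not from the original article) for the SQL injection paragraphs above: it shows how user input reaches the database when the query is built by concatenation and when it is passed as a bound parameter, and what is returned to the user in each case. The table, sample rows and function names are constructed for illustration, and Python's built-in sqlite3 module stands in for the application database.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"),
                    ("bob", "bob@example.test")])
    return db

def lookup_concat(db, name):
    """Weak form: user input is pasted into the query text, so a quote
    in `name` changes the structure of the statement itself."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return query, [row[0] for row in db.execute(query)]

def lookup_bound(db, name):
    """Hardened form: the query text is fixed; the input travels
    separately as a bound parameter and is only compared as data."""
    query = "SELECT email FROM users WHERE name = ?"
    return query, [row[0] for row in db.execute(query, (name,))]

def input_alters_query(lookup, db, probe):
    """Tester's check: a lookup is suspect when a probe that matches no
    stored name still returns rows, or breaks the statement."""
    try:
        _, rows = lookup(db, probe)
    except sqlite3.Error:
        return True  # the input reached the SQL parser as syntax
    return len(rows) > 0

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # textbook probe; matches no stored name
    for fn in (lookup_concat, lookup_bound):
        query, rows = fn(db, probe)
        print(fn.__name__, "|", query, "|", rows,
              "| suspect:", input_alters_query(fn, db, probe))
```

The same check can be pointed at any lookup function with this signature, which lets a test suite flag the concatenated form before release.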

For security testing, a programming language is a tool for information processing. To detect a defect it is unnecessary to write encryption algorithms or to obfuscate the code while the program is running, but you need to know what a variable, an array, a class and a structure are, and understand how these entities cooperate.

In the end, I want to say that programming languages are not the key to successful security checks. But an understanding of the application's basic operating principles and their influence upon the technologies used, the operating system and the configuration is a must.
