Blog

Gentleman`s kit of a security tester: are the development skills necessary?

What skills do you need to possess? Operating systems are everywhere today. Every day we send thousands of requests via laptops, smartphones and tablets, but do we remember our data security and confidentiality?
10 July 2014
Cybersecurity testing
The article by a1qa
a1qa

What skills do you need to possess? Operating systems are everywhere today. Every day we send thousands of requests via laptops, smartphones and tablets, but do we remember our data security and confidentiality? The article by Anna Andreeva.

What should you know to test security?

In fact, the growth of web and mobile applications usage causes the leakage of users’ private information. Thus, security testing becomes an essential part of application development in general and web app testing in particular. But what an engineer needs to know to perform security testing?

First of all, you are to understand that security testing is not only about the application itself, but also about environment testing and check of information transfer and storage methods. The QA engineer should know lots of things apart the programming languages.

Of course, when a tester knows the application technology s/he understands where to search for bugs and how to fix them. For example, applications developed applying the ASP.Net by default use the built-in mechanisms of validation data, while the PHP programming language presupposes additional integrations of user entries.

Gentleman`s Kit of a Security Tester: Are the Development Skills Necessary?

When performing testing procedures keep in mind that application always runs in some operating system: a server, a laptop or a smartphone. Therefore security testing requires knowledge of system administration, and the skills of an experienced user. For example, if access to the server is provided with «low» rights, the engineer should know the way of escalation rights to the admin user. To do this you`ll need to understand how the register operates and how to launch services, processes and events logging systems.

Next thing in this list is knowledge of network technologies. Often hackers do need to attack the application to get the information because it is possible to “steal” it during the transfer process. To prevent it you are to know OSI model, package structure and the network routing process.

For firewall security testing also requires for special knowledge. What you should understand here is performing of checks from process incomplete, bypassing the “fire wall” through trusted processes and the ability tested products to block execution of unauthorized code in kernel mode.

SQL injection is one of the most critical OS`s vulnerabilities. It provides access to the information stored in the application data base. Thus the knowledge of SQL request language and its dialects is necessary for a full scale security testing. Remember a successful attack doesn`t end on simple select requests.

To check the protection against the cross-site scripting, hackers integrate harmful HTML/CSS/Javascript code in DOM-markup or in a request, which allows them to redirect user to the necessary resource and block application processes or “steal” the session variables. To run this check you need the knowledge HTML, CSS and Javascript.

Poor algorithms of data encryption can also become the reason of information leakage. To detect this vulnerability an engineer should know cryptography basics and what methods of data encryption protect information and algorithms are really poor for information security. For example, protocol SSL v2 is used to transfer data between a client and server and it is considered to be quite vulnerable. Specialists advise to exchange it for SSL v3/TLS v1 protocols.

On the whole, security testing demands for specialized knowledge. It is not obligatory to have extended programming skills, but you are to have basic understanding of different technologies, their pros & cons. If you need to bypass data validation, then you are to understand how programming languages “process” user entries. To integrate SQL-request, an engineer should understand how connecting line is formed and how information gets to database, what returns to users.

For security testing programming language is a tool for information processing. To detect a defect it is unnecessary to write encrypting algorithms or to obfuscate the code while the program running, but you are to know what is variable, array, class, structure and understand how the entities cooperate.

In the end, I want to say that programming languages are not the key of successful security checks. But the understanding of application basic operating principals, their influence upon the used technologies, operating system and configuration is a-must.

More Posts

black-friday
22 November 2023,
by a1qa
4 min read
Get ready for Black-Friday-to-Cyber-Monday shopping: 5 testing types to include in your QA strategy
What’s your nightmare during Black Friday and Cyber Monday shopping? If it’s a loss of sales, read about the ways to prevent this in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Usability testing
6 top reasons why business should invest in software quality
9 November 2023,
by a1qa
4 min read
6 top reasons why business should invest in software quality
We congratulate you on the World Quality Day with the article by Alina Karachun, Account director at a1qa, having 10+ years of QA expertise. Delve into it to explore the reasons why businesses should prioritize software quality.
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
Quality assurance
streaming services
30 October 2023,
by a1qa
3 min read
Enable crash-proof streaming platforms for Holidays season
Ho ho ho! It’s time to prepare your streaming products for the influx of viewers. Read about how to put peak-load anxiety behind by applying rigorous testing of your IT solution.
Cybersecurity testing
Functional testing
Performance testing
Usability testing
On the way to Web 3.0: key software testing aspects for seamless digital experiences. Part 2
12 October 2023,
by a1qa
4 min read
On the way to Web 3.0: key software testing aspects for seamless digital experiences. Part 2
Let’s analyze essential software testing checks to improve the quality of the business-critical Web 3.0 functionality.
Cybersecurity testing
Functional testing
Performance testing
Quality assurance
Test automation
Usability testing
gaming-qa
24 August 2023,
by a1qa
4 min read
Ready, steady, test: How QA drives seamless gaming experiences
Why is QA pivotal for delivering unmatched player experiences? How to level up video game quality? Find the answers in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Quality assurance
Test automation
Usability testing
12jun202311
22 June 2023,
by a1qa
4 min read
The ins and outs of ensuring OSS/BSS software quality: a hands-on guide
The need for OSS/BSS’ flawless operation is undisputable, but how can we reach that goal? Inter alia, a1qa suggests focusing on delivering high software quality to the end users.
Cybersecurity testing
Functional testing
General
Performance testing
6-march-2023-1
21 March 2023,
by a1qa
4 min read
The ultimate QA guide for smoothly migrating to Web 3.0
Find out how businesses can seamlessly migrate to Web 3.0 by relying on quality assurance.
Cybersecurity testing
General
Performance testing
Usability testing
27 February 2023,
by a1qa
5 min read
Reaching HIPAA compliance for eHealth solutions through QA
We reveal HIPAA’s data safety benchmarks and shed light on how software testing may help in its conformity.
Cybersecurity testing
Software lifecycle QA
Mobile app testing
15 February 2023,
by a1qa
4 min read
Mobile app testing guide: win the race with five-star software
Which aspects of mobile apps to test first to produce a really high-quality product? Find the answer to this and other questions related to mobile app testing in the article.
Cybersecurity testing
Functional testing
Mobile app testing
Performance testing
Test automation
Usability testing

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.