Knowing how to test for security flaws is vital, but it’s a complicated and changing field.
Welcome to the exciting field of software security. There are so many opportunities in testing Web applications, mobile apps and even traditional client-server software, and not enough people to fill the positions — a core reason we still struggle with the basics of software security testing. The more we hear about how important it is to integrate security into the software development lifecycle, the more security incidents and breaches we hear about.
The first order of business is to understand the different types of software security testing so you’ll know which area you’d like to focus on. I’m partial to vulnerability assessments and penetration testing, since that’s what I focus on in my work. Vulnerability assessments look at the application environment and identify the weaknesses that can be exploited by criminal hackers and trusted users alike. Penetration testing takes security testing a step further — it’s the active process of simulating a threat exploiting the vulnerability to demonstrate what can happen in a real-world situation.
I think we get too caught up in the verbiage around the different types of security testing. I like to refer to this exercise as a “security assessment,” whereby all aspects of the application are tested. It’s not just vulnerability scans, and it’s not just a capture-the-flag-type scenario with penetration testing. In most cases, the ultimate business goal of such an assessment is to find — and fix — security weaknesses. You can do this type of work in an IT or security role. You can also do it from a development or QA perspective. Whether you work for someone else or for yourself doesn’t matter. What’s important is to get as much hands-on experience as you can.
If I’ve learned anything, it’s to keep an open mind. This means considering alternatives to mainstream theories on what it takes to truly fix security flaws. It also means committing to learning new things — staying on top of the latest software exploits, tools and testing techniques (both manual and automated). If you ignore these important areas, you’ll struggle to build the credibility and the buy-in you need to be successful in the field long term. If you focus on what’s important, keeping the business goals in mind, it’s easy to stand out from the noise in this field.
You’ll find that as you build your career in software security testing, there’s always something new and exciting. For instance, I have been doing a lot of testing of mobile apps and Internet of Things (IoT) devices lately. IoT systems are unique in that they tend to be very specialized, and design and development teams often cut corners in order to minimize the system’s footprint. As with Web applications, IoT devices are most interesting because each system tends to present its own unique challenges, especially when it comes to balancing security, usability and convenience. It’s this very thing that makes software resiliency both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of security flaws can create immense risk for the business and stress for those responsible for developing applications and testing software security. In the end, it’s in the best interest of the business, and that’s what counts.
It’s also important to remember the basics of security. Protecting the business against all the newest threats won’t mean much if decades-old gotchas involving weak passwords, improper encryption, insecure data storage and the like can still find a foothold. If you are going to contribute to a solid information security program, you have to walk before you can run. That said, we would be remiss not to recommend compensating controls such as TLS, identity management and advanced malware protection to improve the security of any given application environment. As you develop your career in software security, you’ll want to share your knowledge with others, so make sure you have processes in place to train users and developers on the importance of security.
For now, create your own lab environment using Kali Linux and related tools to get your hands dirty. The OWASP website has a ton of resources for those wanting to learn more about the basics of software security testing. The most important thing is to never stop learning. The core security principles we work with really haven’t changed all that much; however, the technologies we use have changed, and that’s what makes for some great opportunities in and around this field.