Software QA personnel, known often as testers, are tasked responsible for guaranteeing a level of quality for the end client, and to help the software development team to identify problems early in the process. They are usually in a unique position with any development organization, responsible for ensuring that the software development process doesn't sacrifice quality in the name of completed objectives.
From a security standpoint, QA professionals have an even more unique role, in that they have the opportunity to apply an SDLC strategy to their craft, and can serve as the point-person for identifying and analyzing where vulnerabilities and bugs exist.
It isn’t always understood outside of Security and Risk departments, but adding this level of security strategy while in parallel converting software performance requirements into a set of testing cases and scripts, will help streamline verification and the overall testing process tremendously. In other words, integrating security into the development lifecycle helps produce better software, and improves Security.
Like anyone, QA professionals and testers should receive training and guidance to help them succeed, and to keep their skills updated and relevant as technologies continue to evolve. Whether the driver is professional development, an increased awareness and focus on security, or to even save time and money, every QA person should be looking at how they can improve which will ultimately help improve the software application long-term.
Security Innovation provides specialized curricula bundles designed to map to exactly to QA responsibilities, including knowing the core fundamentals of security testing, knowing common software defects and how to exploit vulnerable code, to ultimately understand how to remediate identified bugs and vulnerabilities. You can find out more information about our TeamProfessor bundles here.
QA professionals will also find the supporting guidance and how-to’s helpful through our TeamMentor standards knowledgebase. It’s here that testers will be able to find guidance across technologies, about specific vulnerabilities and categories, all relevant to the testing phase of the secure development lifecycle.
Testers/QA personnel should look to best practices models like the OWASP Top 10 Web Vulnerabilities and Common Weakness Enumeration (CWE) list to understand what the most critical and most common issues are, and how to effectively map the identification, fix and remediation processes to these models. Security Innovation offers perhaps one of the most popular and comprehensive courses, How to Test for the OWASP Top 10, which you can preview here for yourself.
Understanding the categories of vulnerabilities first is key to efficiently identifying vulnerabilities that could potentially be exploited, with techniques like buffer overflows. It’s also important for QA professionals to understand the automated and manual techniques that can be employed to gain a more holistic view of the vulnerability profile within a specific application.
With the right training, techniques and tools, testers and QA pros should be able to identify common security issues and defects, fix bugs and remediate vulnerabilities, improving security and software dramatically.