
Are you an Application Security Tester? (Questionnaire)

12 September, 2007
application security tester ≠ application tester

Application testing usually means testing functionality – things that should happen.

Security is about things that shouldn't happen.

So, testing security is not like testing functionality.

If your application needs to be secure, hire a specialist application security tester.

You might be an application tester, and they might have asked you on occasion to "test security". But, are you really an application security tester?

The following three questions will help you to answer that question. For each question, the preferred answer is "yes".

1 Have you read the application's source code? You can do normal testing of an application without really knowing how the application is constructed or how it works, although if it is written badly enough, certain bugs may only be discoverable by someone who has read the source code. But with security testing, you are looking for things that are not meant to happen, and it is difficult to guess, a priori, what those things might be without a bit of help. Which is why you need to read the source code.

2 Are you able to recompile or otherwise alter the client? I say "or otherwise alter", because if the application is a web application, and the client is made from HTML, CSS and JavaScript, then there is nothing to recompile (since it all runs directly from the source code), and "alteration" can be done easily enough with suitable browser extensions, like Greasemonkey and Web Developer. But if the client is Java, or Flash, or (heaven help you) C++, then you will need to get that compiler running.

3 Do your test scripts have gaps in them? Normal testing is for positive functionality, i.e. things that are meant to happen. Security testing is for negative functionality, i.e. things that are not meant to happen. Here is an example of a normal test script (abbreviated somewhat):

  1. Log in as CEO with CEO user name and password.
  2. Choose "Compose Email" from the menu.
  3. Type in details.
  4. Press send button.
  5. Send email as CEO to chosen recipient.

Here's an example of a security test script:

  1. Log in as accounts assistant with an accounts assistant's user name and password.
  2. ?
  3. Send email as CEO to chosen recipient.

The most important step in this script is the second one, and it's your job as security tester to find out what it should be. You will have to read the source code to get some ideas, and you may have to recompile (or otherwise alter) the client application to make it happen.
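As an added illustration (not part of the original post) of why the normal script has a gap, here is a toy "send email" feature in two versions, together with both scripts written as tests. The accounts, the `from` form field and the handler names are constructed assumptions; the point is that the functional script passes against both versions, while the security script, with step 2 filled in as "alter the request the client sends", only passes against the version that takes the sender's identity from the server-side session.

```python
from dataclasses import dataclass

# Constructed accounts for the toy application (not a real system).
USERS = {"ceo": "ceo-pw", "assistant": "assistant-pw"}


@dataclass
class Session:
    user: str  # identity established at login, held server-side


def login(username, password):
    """Step 1 of both scripts: authenticate and return a server-side session."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    return Session(user=username)


def send_email_vulnerable(session, form):
    """Trusts the 'from' field exactly as the client submitted it.
    An altered client (see question 2) can put any name there."""
    return {"from": form["from"], "to": form["to"], "body": form["body"]}


def send_email_fixed(session, form):
    """Sender identity comes from the session, never from the form.
    A client-supplied 'from' that disagrees is rejected outright."""
    if "from" in form and form["from"] != session.user:
        raise PermissionError("sender does not match logged-in user")
    return {"from": session.user, "to": form["to"], "body": form["body"]}


def functional_script(send_email):
    """The normal script: CEO logs in and sends as CEO. True if it works."""
    session = login("ceo", "ceo-pw")
    form = {"from": "ceo", "to": "board@example.com", "body": "constructed"}
    return send_email(session, form)["from"] == "ceo"


def security_script(send_email):
    """The security script: assistant logs in, step 2 alters the request so
    it claims to be from the CEO. True if the thing that shouldn't happen
    did not happen (rejected, or sent with the assistant as sender)."""
    session = login("assistant", "assistant-pw")
    forged = {"from": "ceo", "to": "board@example.com", "body": "constructed"}
    try:
        sent = send_email(session, forged)
    except PermissionError:
        return True
    return sent["from"] != "ceo"
```

Run both scripts against both handlers: the functional script cannot tell them apart, which is the gap the post is talking about.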

Who can be an Application Security Tester?

It seems that if you want to be an application security tester, then you have to know as much as the developers do, if not more, about how the application has been developed. You have to be able to read source code. You have to understand how the client parts of the application communicate with the server parts of the application.

And given that developers generally get paid more than testers, it follows that application security testers will also get paid more.

If you are in charge of the application development budget, it may seem like madness to pay developers' rates for a testing role. But if you don't, then you won't really be testing application security. You'll just be pretending to test application security. (For some applications, "pretend security" might be enough. But if that's really the case for your application, have you documented that?)
