Security Testing — The big unknown
Lately, I hear on all channels that full-stack engineers are more and more wanted, but everyone has a different opinion about what full-stack means. Some want a guy who can develop both frontend and backend, others want that guy to know some ops too, so backend + frontend + DevOps, others want him to write some e2e tests as well, but from what I hear, nobody thinks about security, or they don't really understand or care about the security aspects of an app.
Who should actually take care of this aspect?
I remember an old joke about the tester who walks into a bar and orders 99999999999 beers, then -1 beer, 0 beers, 1 beer, a lizard and so on (the entire joke can be found here). The security specialist is the guy who tries to convince the bartender that he is a relative of the bar's owner and should get his drink for free.
While a tester is trying to find corner cases and see if the system is working as expected, the security guy is trying to break/attack the system to see if he is able to get sensitive information, stop the system or do any other kind of damage.
Wait a minute, another job?! WE ARE AGILE! In agile teams, the dev team is a dev team! We don’t have different roles. Everyone is able to do everything and anyone can replace any of his teammates.
Disclaimer: I like agile frameworks that are chosen by the teams and used for specific projects, not "Use SCRUM because everyone is doing it / it's the company culture / it's the company framework". I will never agree with the statement above. You can't do a good job writing code for the UI, the backend and ops, take care of environments, hosting, infrastructure and so on, produce a good design, write automated tests (unit, integration, e2e, security, load tests), write test cases, do some manual testing too, and also help the business with their needs, all in an 8-hour workday. Sorry, I don't think anyone can do all those things and bring good quality to each of them. In my mind, if you find a guy with decent skills on the DevOps side, decent on the UI or backend and good on the other one, you should be really happy, and you should pay him well! If an endpoint crashes or the UI doesn't work as expected, both will make some "noise", but if you have a data breach, you might end up in the papers. Get a specialised guy who knows how to do his job for the security part. (Advice) Play agile with any other role, but don't destroy your company.
Back in history
10–15 years ago, most companies had backend teams, frontend teams, testing teams and infrastructure teams, and they usually paid other companies specialised in penetration testing for audits. Those guys produced big audit reports and sent them to the managers who had hired them; the managers forwarded the documents to the leads or to the POs (if the company had them), stories/tasks were created, and the security issues were fixed.
Over the years, this "security stuff" evolved: more attacks appeared, the big companies raised awareness, and engineers started getting simple security questions even at the interview stage (OWASP became something engineers had heard about, even if they didn't know much about it).
In those times, testers became QAs and started taking on more responsibilities; later they even became "engineers in test" / automation engineers. The whole idea of separate teams disappeared, and the need for faster feedback appeared. Devs started writing unit and integration tests that could easily cover corner cases, and QAs started writing e2e tests to cover the "integration" between all the parts of the system. Why did this happen? It's simple: before, with separate teams, when a feature was finished the testing team started testing the app. When they finished, they sent a big document with all the bugs they had found to the dev team. The dev team fixed the bugs and sent another release candidate to the testing team. They tested again (the entire app) and sent back another document with bugs, since some had been introduced in the latest RC and others were corner cases that couldn't be tested because of the bugs in the previous RC. This "dance" took A LOT of time. And because it took so much time, other specialisations like performance testers appeared (yes, another role).
Present-day
Most companies have at least a manual and an automation tester in the dev team. Performance testers are rare, so companies try to "use" the automation tester (the guy hunting for the app's corner cases with e2e tests) to write/learn some performance testing, promising him a raise, a chocolate Bugs Bunny or whatever, so that he'll write some performance tests (even if they'll be poorly implemented and bring almost no value to the project). And they started having a Blue/Red Team for security. That team basically produces audits for every project in the entire company. Do you see the pattern? We are back in 2010, when we had separate teams. Hopefully companies will soon understand that this is not enough. There are a lot more cyber attacks than 10–15 years ago. Companies need to train their engineers more in this and get a security tester into every product. Of course, there are now different products that help these guys with their tests, like XRAY, SAST from SonarQube, Nessus, the OWASP ZAP scanner, SonarCloud and so on, but even with those tools someone needs to install them, monitor them and push the teams to follow a specific standard. To be honest, even though we have so many tools, they might be useless. I worked in a company where we couldn't use any pipeline task like the ZAP scanner, even though it was free, because the pipeline was standardised for the entire company; the answer we got was that everyone who used Azure DevOps for CI/CD had to use the same set of tasks, and nothing should be added that isn't needed by all products. The "this is the company policy" card was played.
Companies need to become more agile from the top down, not expect everything to come from the bottom up! Teams need to be allowed to use whatever tools help them produce more valuable software faster.
Coming back to our main focus: get specialised people into your teams! Developers tend to test mainly the happy paths; performance testers stress-test the system; QAs look for corner cases that don't work; and security testers try to break the system, make it stop working or, worse, get hold of sensitive information. I once heard a saying: "Test it, or someone else will." This is so true right now. Test your corner cases, because FOR SURE the users won't behave as you expect (never trust user input! A whole bunch of security acronyms exist because input wasn't validated or output wasn't encoded, from XSS to the different kinds of injection). Test what happens under high load or spikes, because someone will surely target you with a DDoS attack once you become a "player on the market", or you'll have a "Black Friday" or something. And test for security vulnerabilities, because if you don't, others will cause you problems, just... "for fun".
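To make the "never trust user input" point concrete, here is an added example (my code, not part of the original post) showing the difference between what a developer's happy-path test sees and what a security tester sends. It uses an in-memory SQLite table with constructed sample users: the query built by string formatting passes the happy path and is still injectable, while the parameterised version treats the same input as plain data; the second pair shows the same idea for XSS, where the fix is encoding the output rather than trusting the input. All function and table names are mine.

```python
import html
import sqlite3

# Constructed sample data for the example; not real accounts.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def build_db():
    """Create an in-memory SQLite table and load the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Happy path works ('alice' -> one row), but the input is pasted
    straight into the SQL text, so a crafted name rewrites the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Same query, parameterised: the driver sends the input as a bound
    value, so quotes and OR clauses in it never become SQL syntax."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(comment):
    """Reflects a user comment into HTML unchanged (stored/reflected XSS)."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Encodes the comment for an HTML text context before rendering."""
    return f"<p>{html.escape(comment)}</p>"


def demo():
    """Run the happy path and the security tester's inputs through both
    variants and return the results so they can be compared."""
    conn = build_db()
    results = {}
    # What a developer typically checks: a normal user name.
    results["happy_vuln"] = lookup_vulnerable(conn, "alice")
    results["happy_safe"] = lookup_safe(conn, "alice")
    # What a security tester sends: a classic tautology injection.
    attacker = "x' OR '1'='1"
    results["attack_vuln"] = lookup_vulnerable(conn, attacker)  # dumps every row
    results["attack_safe"] = lookup_safe(conn, attacker)  # no such user -> []
    # Same idea for a comment field rendered into a page.
    payload = "<script>alert(1)</script>"
    results["xss_vuln"] = render_vulnerable(payload)
    results["xss_safe"] = render_safe(payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The happy-path results are identical for both variants, which is exactly why a test suite that only covers expected input never notices the problem; only the "weird" inputs the QA and the security tester bring separate the two.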
Security will become your problem soon
If you are a PO/PM/manager in general, stop thinking this security thing is not your problem, because... it is. And don't get me wrong: some developers or QAs would love to do security testing too, they would love to work on a perfect project, but they simply don't have the knowledge to help you in that direction. If you find one who has the knowledge, most likely you don't have the money to pay him, because, let's be honest, at that point he would be doing the work of 2–3 people. No one can deliver the quality of 2–3 people and sustain it for a long period of time.
If you are a QA, you should assure the quality of the project! If you don't know how to do basic security testing, you should at least raise awareness in the team about how important it is, why devs should pay more attention to it while developing, and why the managers should bring in a specialised guy to help and to teach!
If you are a developer, clean code that is easy to change and maintain, the latest tech and all the other goodies aren't all you need to learn and apply where needed. You should always think about the security side as well. We live in an era when you can get malware and ransomware even from a short link in an SMS.
The reality of our "modern internet" is that cyber warfare isn't something you see only in movies and games. It is our day-to-day reality. We all have a responsibility to continuously learn how to keep ourselves safe from attacks and from being hacked, both in our personal and professional lives.
If you are in the engineering department (dev, tester, DevOps, etc.), subscribe to newsletters on the subject (last month's solution isn't as safe today as it was last month, believe me) and use tools that help you spot the most common issues and even suggest potential fixes. If you are a manager, encourage your engineers to proactively keep up with the latest threats and to constantly look for security issues in the product they are working on; you can even run an internal bounty contest (for fun), in which some of them find issues and others fix them (hand out prizes based on a scoring system; this can even count as team building, since it's a team activity).
As you can see, whatever your job is, you can do something. Now it only depends on whether you care or not (and whether you want to be a professional or not).