Many employers are interested in developing security testing skills in their testing organizations, but they’re not sure where to start. Books, courses or just letting the tester self-train… which is the right approach? In this article, we’ll examine some strategies managers can employ to move their organizations into the growing world of Web application security testing.
The first strategy I recommend to anyone seeking to develop their career is to find a mentor—managers should definitely encourage mentoring. A mentor is someone who can provide advice, leadership and critical insight. A career mentor should be experienced in the area you are trying to develop skills in—for security testers, finding a mentor involved in software security is a must. Not every security professional will make a good mentor – the mentor needs to take an interest in helping others develop. He or she will need to be willing to provide feedback as well as encouragement. Above all, a security testing mentor needs to be experienced in the realm of software security testing (as opposed to the numerous other realms of IT security). Encourage employees to take their time in looking and selecting a mentor, to be sure they find the person most likely to help them succeed.
A mentor is important to help employees on their course, but the majority of career development is the individual’s responsibility. Managers need to encourage employees to take all the skills they use in their day-to-day job (inquisitiveness, creativity, passion for quality, technical ability and analytical approach) and apply them in an entirely new direction. If employees have gaps in their testing skills—technical or otherwise—they will be exposed even more as the employees move further into security testing. So be sure team members have the basics down.
Your team members can find mentors pretty much anywhere – I recommend starting within the company, then looking to security-related groups in the area. Another great place to look is on social media sites like Google+ or Facebook. Finally, look for meet-ups and other face-to-face group activities related to software security in your area. Not only can employees find mentors there—they’ll also gain valuable experience and networking by attending meetings.
Develop technical skills
Let’s move to some very specific advice now. Security testing is a highly technical career, requiring technical skills. In order to design and carry out security-related tests, your testers will need to be very familiar with the operating system, server software, runtime environment and programming language used in the application they are testing (I refer to this combination of technologies as the application “platform”). Because most companies vary the platforms they use, they’ll need to go beyond proficiency on more than one platform.
Testers will want to develop an administrative expertise in the operating system itself, understanding the ins and outs of memory management, account management and configuration as well as the operating system’s security architecture. Many Web application attacks today still exploit weaknesses in the server operating system; in order to find those weaknesses, they will need to understand the OS.
This administrative proficiency applies to the Web server technology, as well. Your employees need to become familiar with IIS, Apache or other Web application servers, at an administrative level in order to ferret out defects and vulnerabilities exposed in this layer of the platform.
Finally, understanding the execution environment cannot be overstated. Whether Java, .NET or even unmanaged code (C, C++), testers will have to be familiar with how this environment works in order to succeed in attacking it. The best way to develop these skills is to administer servers, although reading books on hacking Windows, Unix, IIS or Apache can be very enlightening.
Beyond the server environment, a software tester must have an excellent command of the communications infrastructure in use. In most cases, this infrastructure is the HTTP protocol running over TCP/IP. Many attacks take advantage of weaknesses in the networking and transport layers, so developing a keen understanding of HTTP, Ajax/JSON and other Web 2.0 technologies is critical because your team members will recognize and understand where those weaknesses lie and how they might be exploited.
Understand the code
As testers grow to understand the operating environment and the communication mechanism, they’re actually ready to roll up their sleeves and dig into the application itself. This is where a tester can really shine if they understand the application from a code level. While your testers may not be interested in coding day-in, day-out, knowing how to code allows them to think like a developer—and improves their chances of thinking like a hacker looking for defects in the Web application. They’ll need a command of Java or ASP programming, and of object-oriented programming in general. To develop these technical skills, play to your teams’ strengths: encourage them to take a course, purchase a book or just allow them time to build their own applications to build familiarity with the language.
A highly valuable resource for learning how to perform security testing is the Open Web Application Project (OWASP) testing guide. This guide explains how to test for each of the OWASP top ten vulnerabilities; as your team members practice testing for these vulnerabilities, they will begin to develop the ‘muscle memory’ they need to leverage similar concepts in other Web applications.
Practice, practice, practice
The final step to learning is to seek opportunities to practice Web application testing skills. There is an ethical factor involved – practicing new testing skills on, say, Google’s site will have a negative impact (computers deemed by Google as executing malicious attacks are automatically blacklisted). Luckily there are test applications available for free download, like “Hackme Bank” or OWASP’s “Broken Web Application Project” and such. These applications are built with intentional security vulnerabilities, allowing the Web application tester to search for them while developing skills through hands-on application.
Becoming a software security tester requires a solid network, a strong mentor and serious technical skills. This career change requires significant growth in numerous areas. Making a career change is ultimately a difficult thing, no matter the targeted career. It requires dedication, effort and a lot of hard work. But speaking as someone who has undergone several strategic career changes, I know the value of change. As a manager, supporting your employees in career growth will benefit you with more loyal team members, a deeper bench to go to, as well as goodwill and trust throughout the company. Above all, your customers will benefit from more secure software.
Have any of these approaches been especially helpful in your organization? Send comments to firstname.lastname@example.org