
Advice for getting started with security testing: Start with OWASP top ten

Software test expert John Overbaugh gives advice on the skills needed to become a strong security tester. He recommends starting with learning how to test for the OWASP top ten exploits. Overbaugh also suggests a solid understanding of TCP/IP, HTTP, HTML, Web servers, operating systems, Ajax and JavaScript.

What skills do I need to be a security tester?
Security testing is the buzzword these days, in almost all aspects of software testing. And that's for a good reason, too! Too many applications are being written with poor security, and too much personal information is being exposed across the Internet. I'm often asked what a tester needs in order to move into security testing. My initial answer is "good for you for even asking!" Not many testers give this much consideration to their career. Let's take a second and probe what skills one needs to be a good security tester.

The first aspects of a successful security tester are shared amongst all good testers: curiosity and a drive for perfection. If you find yourself wondering how something is made, asking how you might break it, and naming what's wrong with it, you are a member of a very elite group of professional testers! If you keep following these instincts, you have a distinguished career ahead of you. However, you still don't have everything it takes to succeed in security testing.

A great first step is to master the art of testing for the OWASP top ten exploits. These exploits exist in most Web applications at the completion of the development cycle. They're "low-hanging fruit," and they're the vulnerabilities hackers are looking for when they're scanning for targets of opportunity (rather than targets of choice). Implementing Top Ten testing will result in a relatively secure application, much like locking doors and windows secures the home against the average intruder. Numerous companies are requiring their applications to be tested for Top Ten exploits, so developing an expertise in these areas will benefit you dramatically.

But memorizing the OWASP top ten will not be enough for you to become a security tester. Security testing, along with performance and automated testing, is one of the most technical aspects of software testing. You can learn the OWASP top ten and still not really understand security testing. The technical skills required to understand security testing include a solid understanding of TCP/IP, HTTP, HTML, Web servers, operating systems, Ajax and JavaScript. Unlike manual interface testing, security testing requires you to really dig deep behind the UI and figure out what's happening in the application. Understanding the principles of software engineering will help, as well. Dive into these technical aspects. Work with your development team to understand them. Read up on them on Wikipedia and other websites. Practice at home on your own computer. Developing skills and expertise in the technical aspects of computing will give you the ability to dive deeper into the target site and pull out those vulnerabilities that no one has discovered yet.
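To make the two preceding points concrete (repeatable Top Ten-style testing, and looking behind the UI at the raw HTTP rather than at the rendered page), here is an added example. It is not code from the original column or from John Overbaugh; the sample HTTP response, the probe string and the list of expected defensive headers are all constructed for illustration. The script parses a raw HTTP/1.1 response, classifies whether a marked-up probe was echoed back with or without output encoding, and lists response headers a defender would expect on an HTML page but which the sample server does not send.

```python
"""
Added example (not from the original column): a small, repeatable
Top Ten-style check that inspects the raw HTTP response rather than
the rendered UI. The response below is constructed for this example;
it was not captured from any real server.
"""
import html

# Constructed sample: what a tester sees when a search form echoes its input.
SAMPLE_PROBE = "<b>probe</b>"
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: ExampleServer/1.0\r\n"
    "\r\n"
    "<html><body>You searched for: <b>probe</b></body></html>"
)

# Headers a defender expects on an HTML response (assumed baseline for this
# example); their absence is a configuration finding worth reporting.
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    header names are.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body


def classify_reflection(body, probe):
    """Classify how the server echoed the probe.

    'unencoded' : the markup came back verbatim, so output encoding is missing
    'encoded'   : the markup came back HTML-escaped (e.g. &lt;b&gt;)
    'absent'    : the probe was not reflected in this response at all
    """
    if probe in body:
        return "unencoded"
    if html.escape(probe) in body:
        return "encoded"
    return "absent"


def missing_security_headers(headers):
    """Return the expected defensive headers the response does not carry."""
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def review_response(raw, probe):
    """Run both checks and return a findings dict a tester could log."""
    status_line, headers, body = parse_response(raw)
    return {
        "status": status_line,
        "server": headers.get("server", "(not disclosed)"),
        "reflection": classify_reflection(body, probe),
        "missing_headers": missing_security_headers(headers),
    }


if __name__ == "__main__":
    for key, value in review_response(SAMPLE_RESPONSE, SAMPLE_PROBE).items():
        print(f"{key}: {value}")
```

The point of the exercise is the habit, not the script: a tester who can read the status line, the headers and the body for themselves can tell the difference between a page that looks fine in the browser and a response that actually applied output encoding and sent the headers the application's configuration promised.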

If you thought software testing in general was fun, just wait till you try security testing!
