I don't have a security specialist on staff. Does it make sense to rely on security testing from a software testing service like uTest? What should I look for in a security testing service or what are my alternatives?
It’s good to see that you’re thinking about security even though it’s not in your area of expertise. Some businesses that don’t have a security specialist on staff end up outsourcing the security function altogether with minimal internal oversight. That’s not a good approach.
Some businesses ... end up outsourcing the security function altogether. ... That’s not a good approach.
I don’t have any particular experience with outsourced software testing services such as uTest Inc. I’m sure uTest or one of its competitors could potentially help. The thing you have to be cognizant of is general software testing doesn’t equal security testing. Sure, security issues may be uncovered, but when comparing both types of testing, side by side, they’re often completely different types of tests performed by completely different people using completely different tools and techniques.
You need to look at the bigger picture and determine exactly what it is that you need to accomplish. Do you need basic QA testing? Perhaps vulnerability scans to satisfy a compliance or contractual checkbox? Neither are enough if you’re looking to uncover the security issues that really matter.
Security-specific testing services by companies such as Veracode and Checkmarx that look at your source code might be a good fit. In my experience, looking at the source code is only part of the equation.
There are also independent information security consultants (sometimes called pen testers) such as myself who focus their efforts, toolsets and mindsets on hacking Web applications and mobile apps as well as analyzing their source code using both automated tools and manual analysis. Ideally, you’ll want to look at the source code and the actual application in its final state using a malicious mindset to determine what security flaws exist and can be exploited in your unique environment.
Do you have questions about software testing services like uTest, or any other software testing topics? Let us know and we'll publish the answers here on SearchSoftwareQuality.com.
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading