
Software security testing: Where to start

For those of us new to software security testing, it can be an intimidating field of study. Where do the veterans suggest we begin?

Welcome to the exciting field of software security. The first order of business is to understand the different types of software security testing so you'll know which area you'd like to focus on.

For the software world, I'd recommend starting with vulnerability assessments and penetration testing. A vulnerability assessment takes an inventory of a system's security readiness: it enumerates the weaknesses present and ranks how to mitigate the risk each one carries. Penetration testing is the active process of simulating a real threat, exploiting those weaknesses to show what an attacker could actually reach, so that they can be remediated with a clear picture of the impact. Remember that your job is to get the greatest number of software flaws fixed, not just to "penetrate" a system and be done with it.

If I've learned anything in my 15 years of security testing, it's to keep an open mind. This means considering alternatives to mainstream theories about what it takes to truly fix security flaws. It also means committing to learning new things: staying on top of the latest exploits, tools and testing techniques. If you neglect these areas, you'll struggle to build the credibility and the buy-in you need to be successful in the field long term.

You'll find that as you build your career in software security testing, there's always something new and exciting. That constant change is what makes software security both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of a flaw also creates immense risk for the business and stress for the people responsible for developing the application and testing its security.

It's also important to remember the basics of security. Protecting the business against the newest malware threats won't mean much if decade-old techniques can still find a foothold. Keep proper firewalls and antivirus in place in addition to application security measures, and have processes for training both users and developers on why security matters. Keeping all your patches up to date is a challenge, but the rewards are well worth it.

For more information, you could visit OWASP, or check out more of my security articles here or on the Principle Logic website.

What sparked your interest in software security testing?
The answer for me would be one little harmless-seeming injection vulnerability that was found. That led to curiosity, which led to probing for more meaning, which led to now constantly learning more and more about security testing.
I like the fact that security is a process and not a product. A system's architecture always has security flaws; they only need to be discovered.
Great points guys. Gotta love code injection and the fact that everything's always changing! Good job security for us, for sure.
I have found two things interesting in my recent forays into security testing. I find it interesting that we tend to use one word to describe at least two major kinds of activities. One is application-specific (e.g. SQL injection into a text field), while the other covers all the various layers, like the various layers of the network (e.g. port scanning).
The second piece is the lack of API/unit-test-level security testing tools. For example, ZAP has no way of running tests via an API; it only lets you use the UI, a proxy or a service running on top of the UI. The way the UI creates new files each time you save shows that it was not designed with version control in mind. What I am interested in is a way of doing better security testing closer to the point when the software is being developed, but I haven't been able to find many systems designed with that in mind.
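The comment above asks for security testing that sits at the unit-test level, next to the code under development. As an added example, not from the article or from any commenter, the following shows what that looks like for the SQL injection case mentioned in the thread: a hypothetical user lookup written two ways, and a check that belongs in an ordinary test suite. The `users` table, the sample rows, the two `find_user_*` functions and the payload are all constructed for illustration; the only dependency is the standard-library `sqlite3` module, so it runs offline.

```python
"""Unit-test-level security check for SQL injection against an in-memory SQLite DB.

Added example, not from the article or any commenter. The schema, the two lookup
functions and the sample rows are constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string concatenation: the classic injectable pattern."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter; the driver never parses user input as SQL."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed injection payload: closes the string literal and appends a tautology,
# so the concatenated query becomes ... WHERE name = 'nobody' OR '1'='1'
INJECTION = "nobody' OR '1'='1"


def count_rows_returned(lookup, name: str) -> int:
    """Run one lookup function against a fresh database and report how many rows it returns."""
    conn = make_db()
    try:
        return len(lookup(conn, name))
    finally:
        conn.close()


def injection_check(lookup) -> bool:
    """True if the lookup returns no rows for the payload, i.e. it treated it as data.

    This is the kind of assertion that belongs in a project's normal unit-test suite,
    so the regression is caught at build time rather than by a later pen test.
    """
    return count_rows_returned(lookup, INJECTION) == 0


if __name__ == "__main__":
    for fn in (find_user_vulnerable, find_user_safe):
        print(
            f"{fn.__name__}: rows for payload = {count_rows_returned(fn, INJECTION)}, "
            f"passes injection check = {injection_check(fn)}"
        )
```

Run as a script it reports that the concatenating version returns all three rows for the payload while the parameterized version returns none; wired into pytest or unittest, `injection_check` fails the build the moment someone reintroduces string-built SQL, which is exactly the "closer to development" feedback the comment is looking for. The same pattern extends to other injection classes (shell arguments, LDAP filters, template input) by swapping the payload and the function under test.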
I am an MD working in the emergency department looking for a second career and I found it. Health care software security testing. PHI cybersecurity and forensics in the mobile health sphere. Looking for interested corporate or consulting opportunities...
Uwe G. Goehlert, MD
Security testing definitely seems like a niche role, but it sounds fascinating. I don't think that the software development industry in my local area would support a demand for testers wanting to specialize specifically in security testing, but it would definitely come in handy to have a bit of knowledge in that area. I'd like to know how others have got started.