Welcome to the exciting field of software security. The first order of business is to understand the different types of software security testing so you'll know which area you'd like to focus on.
For the software world, I'd recommend focusing on vulnerability assessments and penetration testing. Vulnerability assessments take an inventory of a system's security readiness and seek to find ways to mitigate risks. Penetration testing is the active process of simulating a cyberthreat in order to find and remediate weaknesses. Remember that your job is to recommend fixes for the greatest number of software flaws, not just to "penetrate" a system and be done with it.
If I've learned anything in my 15 years of security testing, it's to have an open mind. This means considering alternatives to mainstream theories on what it takes to truly fix security flaws. It also means committing to learning new things -- staying on top of the latest exploits, tools and testing techniques. If you ignore these important areas, you'll struggle to build the credibility and the buy-in you need to be successful in the field long term.
You'll find that as you build your career in software security testing, there's always something new and exciting. In fact, it's this very thing that makes software resiliency both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of security flaws can create immense levels of risk on the part of the business and stress on the part of those responsible for developing applications and testing software security.
It's also important to remember the basics of security. Protecting the business against all the newest malware threats won't mean much if decade-old techniques can still find a foothold. Remember to use proper firewalls and antivirus in addition to application security measures. You also want to have processes in place to train users and developers about the importance of security. Keeping all your patches up-to-date is a challenge, but the rewards are well worth it.