Welcome to the exciting field of software security. The first order of business is to understand the different types of software security testing so you'll know which area you'd like to focus on.
For the software world, I'd recommend vulnerability assessments and penetration testing. A vulnerability assessment inventories a system's weaknesses, typically through automated scanning backed by manual validation of the results, and ranks them by risk so they can be mitigated; it generally stops short of exploiting what it finds. A penetration test is the active process of simulating a real attacker, exploiting and chaining weaknesses to show what an adversary could actually achieve, so that the gaps can be remediated. Remember that your job is to get the greatest number of software flaws fixed, not just to "penetrate" a system and be done with it.
If I've learned anything in my 15 years of security testing, it's to keep an open mind. That means considering alternatives to the mainstream theories on what it takes to truly fix security flaws. It also means committing to continual learning: staying on top of the latest exploits, tools and testing techniques. If you neglect these areas, you'll struggle to build the credibility and the buy-in you need to succeed in the field over the long term.
You'll find that as you build your career in software security testing, there's always something new and exciting. In fact, that constant discovery is what makes public vulnerability research both a blessing and a curse. The more software security flaws we find and disclose, the better our software can become. However, once a flaw is public, attackers can act on it too, which creates real risk for the business and real pressure on the people responsible for developing applications and testing their security.
It's also important to remember the basics of security. Protecting the business against the newest malware won't mean much if decade-old techniques can still find a foothold. Keep properly configured firewalls and endpoint protection in place alongside your application security measures, and have processes to train both users and developers on why security matters. Keeping every system patched is a challenge, but it closes off the majority of the easy attack paths, and the rewards are well worth the effort.