Software security testing: Where to start

Software security testing can be an intimidating field of study for those of us who are new to it. Where do the veterans suggest we begin?

Welcome to the exciting field of software security. The first order of business is to understand the different types of software security testing so you'll know which area you'd like to focus on.

For the software world, I'd recommend vulnerability assessments and penetration testing. Vulnerability assessments take an inventory of a system's security readiness and seek to find ways to mitigate risks. Penetration testing is the active process of simulating a cyber-threat in order to find and remediate weaknesses. Remember that your job is to recommend fixes for the greatest number of software flaws, not just "penetrate" a system and be done with it.

If I've learned anything in my 15 years of security testing, it's to have an open mind. This means considering alternatives to mainstream theories on what it takes to truly fix security flaws. It also means committing to learning new things -- staying on top of the latest exploits, tools and testing techniques. If you ignore these important areas, you'll struggle to build the credibility and the buy-in you need to be successful in the field long term.

You'll find that as you build your career in software security testing, there's always something new and exciting. In fact, it's this very thing that makes software resiliency both a blessing and a curse. The more software security flaws we find and make public, the better our software can become. However, public knowledge of security flaws can create immense levels of risk on the part of the business and stress on the part of those responsible for developing applications and testing software security.

It's also important to remember the basics of security. Protecting the business against all the newest malware threats won't mean much if decade-old techniques can still find a foothold. Remember to use proper firewalls and antivirus in addition to application security measures. You also want to have processes in place to train users and developers about the importance of security. Keeping all your patches up to date is a challenge, but the rewards are well worth it.

For more information, you could visit OWASP, or check out more of my security articles here or on the Principle Logic website.
