The Role of the Security Tester

I wasn't being flippant when I said that testers keep everyone honest. With the possible exception of the people who support your product, testers have the final say as to whether your application ships. While we're on that subject, if you do have dedicated support personnel and if they determine the product is so insecure that they cannot or will not support it, you have a problem that needs fixing. Listen to their issues and come to a realistic compromise about what's best for the customer. Do not simply override the tester or support personnel and ship the product anyway; doing so is arrogance and folly.

The designers and the specifications might outline a secure design, the developers might be diligent and write secure code, but it's the testing process that determines whether the product is secure in the real world. Because testing is time-consuming, laborious, and expensive, however, testing can find only so much. It's therefore mandatory that you understand you cannot test security into a product; testing is one part of the overall security process.

Testers should also be involved in the design process and review specifications for security problems. A set of devious tester eyes can often uncover potential problems before they become reality.

When the product's testers determine how best to test the product, their test plans absolutely must include security testing, our next subject.

Important

If your test plans don't include the words "buffer overrun" or "security testing," you need to rectify the problem quickly.



Writing Secure Code
Writing Secure Code, Second Edition
ISBN: 0735617228
EAN: 2147483647
Year: 2005
Pages: 153
