Different Types of Security Testers

For many software products, the person responsible for testing a specific feature is also responsible for testing all aspects of that feature, including accessibility, globalization, performance, and security. Although testing all these areas involves a great amount of work and is a great responsibility, it is a sensible way to conduct testing because the feature tester knows the specific functionality extremely well and is able to focus on exactly how the feature works.

Another common approach to security testing is to assign it to security experts. Sometimes security experts (also known as penetration testers, or pen-testers for short) work on the same test team as functionality testers; other times, pen-testers work as security consultants and are hired by the software development company to perform security tests (also known as pen-tests). If functionality testers or pen-testers aren't testing software security, don't worry! The product's security will still be tested: by criminals, spies, third-party pen-testers, and security hobbyists.

Important  

Do not confuse the testing of security features with security testing. Testing the functionality of security features is important: if a security feature, such as password protection, fails, the product might be unusable or insecure. On the other hand, penetration-style security testing includes the deliberate testing of all the product's features to be sure they can withstand attack. Testing security functionality is not the equivalent of security testing.
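The distinction above is easiest to see in code. The following is an added example, not code from the book: a constructed toy login whose password check silently truncates the password before hashing (a flaw of the same kind as the 8-character limit of the old DES `crypt()`). The names `login`, `functional_test`, `security_test`, `USERS` and `MAX_PASSWORD_LEN` are invented for illustration, and the stored user is constructed. The functional test of the password feature passes; only the security test, which feeds the feature attacker-style inputs the specification never mentions, exposes the flaw.

```python
# Added example, not from the book: a constructed toy login that silently
# truncates the password before hashing. Testing the security feature
# (functional_test) passes; security testing (security_test) finds the flaw.
# All names and the user store are invented for illustration only.
import hashlib
import hmac
from typing import List

MAX_PASSWORD_LEN = 8  # constructed flaw: everything past this is ignored


def _digest(password: str) -> bytes:
    """Hash the password the way this toy stores it (carrying the truncation flaw)."""
    return hashlib.sha256(password[:MAX_PASSWORD_LEN].encode("utf-8")).digest()


# Constructed user store: username -> stored digest.
USERS = {"alice": _digest("correct horse battery staple")}


def login(username: str, password: str) -> bool:
    """The security feature under test: password protection for an account."""
    stored = USERS.get(username)
    if stored is None:
        return False
    # Constant-time comparison; the flaw is upstream, in _digest().
    return hmac.compare_digest(stored, _digest(password))


def functional_test() -> bool:
    """Testing the *feature*: does password protection behave as specified?

    Right password gets in, wrong password stays out, unknown user stays out.
    This is what a feature tester checks, and it passes against the flawed code.
    """
    return (
        login("alice", "correct horse battery staple")
        and not login("alice", "wrong password")
        and not login("alice", "")
        and not login("bob", "correct horse battery staple")
    )


def security_test() -> List[str]:
    """*Security* testing: deliberately attack the feature and record findings.

    Each probe asks whether an input outside the specification lets an
    attacker in. Returns the list of findings (empty means none found).
    """
    findings: List[str] = []
    real = "correct horse battery staple"

    # Probe 1: a guess that matches only the first few characters.
    if login("alice", real[:MAX_PASSWORD_LEN] + "XXXXXXXXXXXX"):
        findings.append("password accepted after matching only a prefix")

    # Probe 2: the real password with garbage appended; should be rejected.
    if login("alice", real + "garbage"):
        findings.append("trailing characters ignored in comparison")

    # Probe 3: case-flipped password; should be rejected (and is, here).
    if login("alice", real.upper()):
        findings.append("comparison is case-insensitive")

    return findings


if __name__ == "__main__":
    print("functional test passed:", functional_test())
    print("security findings:", security_test())
```

Running the block reports that the functional test passed while the security test returns two findings. The point is the shape of the two tests, not the particular flaw: the functional test only checks the inputs the feature's specification talks about, while the security test chooses inputs an attacker would try.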

Criminals might test a product's security so that they can find a way to perpetrate a crime. For example, a criminal might test the security of a banking Web site to find a software vulnerability that will enable access to the bank customers' money. Spies look for software security vulnerabilities for other reasons. Perhaps an underhanded company will try to obtain confidential information about its competitors by exploiting software vulnerabilities. Spying isn't limited to the corporate world; government agencies also spy. Some criminals and spies are prepared to use vast resources to attempt to find security vulnerabilities in target software if compromising the user or data is rewarding enough. Even a seemingly unimportant home computer might be of interest to an attacker if it can be used as a tool to launch additional attacks and promote anonymity.

Many legitimate reasons exist for external pen-testers to test software whether or not they have been hired directly by the creator of the software. Some security consulting companies are hired to test a company's security by attempting to break into the company's premises or networks. If the target company uses particular software, that software could be targeted for penetration. Pen-testers typically notify the software developer and sometimes the general public when a vulnerability is discovered. See Chapter 20, "Reporting Security Bugs," for more information on that notification process.

Security hobbyists test software for fun and challenge. Security testing is often like a complicated puzzle. The hobbyist attempts to figure out how all the pieces of the software work and how they can be used together to cause some insecure behavior. Because software is very complex, often developers are unclear on exactly how all test cases will be handled by their code. Security hobbyists are in a unique position because they can decide which software is interesting to them and they can test it as long as they like. They can spend extreme amounts of time examining a small piece of a program. If they find an issue, security hobbyists usually notify the software creator and perhaps the general public the same way a third-party pen-tester does. Security hobbyists should not be thought of as novices; many are extremely knowledgeable, clever, and experienced.

Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156