Last time, I had the opportunity to talk to Toronto’s own Jennifer Fernick. Somehow, she juggles graduate computer science studies with taking care of a bank’s cybersecurity. I couldn’t do that!
This time, I had the honour of speaking with software tester Claire Reckless. Testing an application’s security and functionality is a vital cybersecurity role that people often don’t think about. I learned a lot.
Kim Crawley: Hi Claire! Please tell me about what you do.
Claire Reckless: Hi Kim. I’m a software tester, which is something I’ve done for about eleven years. I work as part of a development team, all the way through the development cycle, testing from the idea stage to production. This can encompass different kinds of testing like functional testing, performance, usability or security testing, as well as things like test automation. My last couple of roles have been Test Lead roles, meaning I’m responsible for test strategy and co-ordinating the testing carried out on a product, as well as some line management.
KC: So the secure development cycle is a focus of yours?
CR: Yes, obviously it’s important to think about security in any kind of software development. But in my previous role working for a security software company, it was something we placed particular focus on given that was what the business did. We wanted to make sure we were thinking about security all the way through development from when we were discussing and refining user stories to testing the final product.
KC: What did you study first, development or cybersecurity?
CR: I’ve never studied either in terms of formal qualifications; I don’t have a degree at all. I came into software testing from a technical support background and took some of the ISTQB exams. Then anything else I’ve learned since has been self-taught. I’ve spent quite a bit of time over the last few years developing my knowledge of how to do software testing well, as well as learning to use code to support that. Most of my knowledge of security was gained in the over three years I spent in my previous role.
KC: Learning on the job is the best! As a cybersecurity blogger, that’s what I’ve always done, too. What are some of the biggest challenges in making sure that software is adequately secure?
CR: I think many software testers can be quite intimidated by security, and knowing where to even start can be a big challenge. But there are lots of great resources out there they can learn from as well as awesome people in the community.
Often in agile development, teams are trying to get something out quickly which gives value to their users, and security can be something which isn’t seen as a priority when thinking about the ‘minimum viable product.’ It’s obviously value, just less visible value until the consequences of it not being considered are seen.
A lot of the time, security is also seen as ‘someone else’s job.’ Perhaps the company has a separate team for it or will get a pentest done, so testers can think any issues will be picked up there and they don’t need to worry about it. However, quality is everyone’s responsibility and security is an aspect of quality, so everyone should take responsibility for it.
KC: Is your testing often on certain patches before they’re deployed?
CR: Yes, absolutely. For any project I’ve worked on, if we’ve needed to deploy or ship a patch for a product, then we will test it. Generally, this is to ensure the patch functions properly, but also to test whether any existing functionality has broken. The kind of testing we do depends on what the patch is for; we might do some exploratory testing as well as run automated tests.
Our testing can also be done by pairing or mobbing with developers, so we might be testing as the code is written, which helps to reduce the feedback loop.
KC: How did you get interested in development in the first place? Did you dabble in programming as a kid?
CR: I kind of fell into it, which seems to be a fairly common thing among software testers. I had a computer when I was a kid and would spend hours playing games on it, but I never really ventured into programming. When I was working in tech support, I discovered testing was a thing. Before that, I didn’t realize it was a job, but seeing what the testers did really interested me. I thought I might be good at it and applied for a role when it came up. I loved the critical thinking aspect, coming up with those ‘what if’ cases that ‘no user would ever do.’ (Even though we all know if a user can, they probably will.) I really liked being able to help shape a product, and not just clicking around the UI and checking it works. I think that can be a bit of a misconception of what software testers do.
KC: My first IT roles were in tech support, too. And my late father was a professional writer… so there you go. What are some other misconceptions about software testers?
CR: That we don’t have technical knowledge. Testers often like to understand the architecture, how something is built, so we can try and identify as many risks as possible. A lot of testing also takes place beneath the UI. That could be unit testing or API testing perhaps. We can also be involved in writing automated tests, again at different levels of the application, so a great many testers write code and build automation frameworks.
‘All testing can be automated.’ Testing can take many forms. We test ideas, requirements, designs, code, documentation and all sorts. Testing is critical thinking, asking questions, exploring and investigating, not just checking a product. Automation can do an awful lot to support what testers do, but it isn’t everything. It makes me wince a bit when I see things like ‘100% automation’ and companies firing all their testers because they think automation can do the same thing. Maybe one day! But not just yet.
‘Testing is just creating test cases and executing them.’ When I first started testing, I was doing some of this, and it never felt right. Like I said above, good testing is exploring, investigating, challenging and a skilled job.
KC: Do you have any advice for people who want to get into software security testing?
CR: There are a whole bunch of resources which people can use to get started, the OWASP website being the main one. I know testers who have made the move into security by following the guides on there. I’d also advise software testers who are interested in security to look at attending security events, meetups, conferences, etc. I’ve been to a few BSides conferences and OWASP meetups and loved them. I learned so much; it’s great to get out of the testing bubble.
I’d also encourage security testers to look at software testing conferences if they want to speak at or attend events outside of the security community.
KC: Excellent! Do you have anything else to add before we go?
CR: I don’t think so! It’s been great to chat to you!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.