Generally speaking, security testing is treated as an add-on to our testing coverage. But think about it: if you want to function very well and you want your customers to love you for what you have given them, it becomes very important to care for their software needs. And people hate it when their data is compromised. Yet the prevailing attitude remains, "No matter what your users want, you still continue only with functional testing and UX testing", as if users who do not have a secure experience would still be satisfied with your User eXperience ingredients. That is a sloppy assumption and a lie, even though many people take it as fact.
Possible reasons why security testing is not given importance
#1 Product owners/stakeholders are not aware of how security testing can help to safeguard their business in the long-run.
#2 Companies are doing great business and are least bothered to spend on security testing activity.
#3 Testers in testing companies do not have time to learn something else. Really?
#4 To do security testing, passion is required and most of us lack that.
#5 Most or some testers want straightforward training with security/penetration testing tools; they do not want to practice the mindset behind them. Mindset is always boring, we humans are impatient and we want to have a takeaway very soon.
#6 Most or some testers do not like to spend on credible security testing workshops. They always love to receive but do not like to give (and here, paying for the workshop would benefit themselves).
So what’s the solution?
Security testing is not an option, it's a choice for those who want to build a cleaner and safer web. Those who perform security testing for their web apps, mobile apps or client-server stand-alone apps contribute to a safer web for everyone. Others will continue to make money without caring for the data of their users; that's inevitable. You can do your bit if you like to. Having said that, some or most people may face large losses due to breaches, and class-action lawsuits due to sloppy security practices in their organization. For instance, you don't want to be fined for not being compliant with GDPR (General Data Protection Regulation).
What can we do as testers to create awareness?
No worries if your area of interest is functional testing; you can still learn something about security testing and help your customer understand the importance of it. It's tricky, as your customer may go to someone else who can do both functional testing and security testing. But I personally would make the customer understand even though I cannot test for security. Just as a layperson can be made to understand security hazards, you can do the same for a customer.
Why is it a choice and not an option?
It is simple! You are dealing with the sensitive data of your users. How can you consider it an option? It's surely a choice that you want to safeguard your users. Don't you?
Santhosh Tuppad has played different roles in his life, which include being an entrepreneur, liar, lover, boyfriend, husband, thief, passionate software tester, blogger, reader, trainer, coach, black-hat hacker, white-hat hacker, grey-hat hacker and what not. In this amazing journey of life, he has experienced his salvation. Not to forget that "Salvation comes at a price", and of course he has paid that price. Earlier he was known for being merciless, ruthless, unkind, evil etc. Today he is known for kindness and humbleness, and some people call him "Privacy Fighter".