Writing exploits – Learn programming to build a strong report – by @Santhoshst
Security Testing Tips: Learn programming to build a strong report
If you think that one must learn programming to do security testing, I wouldn’t agree with it. However, programming knowledge surely adds value in writing exploits for the vulnerabilities that you have found. One skill is finding the vulnerability, but the other one is making others believe that it is really a lethal vulnerability, which will help them decide its priority for fixing. Now, most security testers do not know how to code, or they don’t want to learn. That’s fair enough, as it depends on their interest, and their passion could be finding vulnerabilities and not writing exploits. But the good news is that the gap can be filled by hiring (experienced) developers who can understand the vulnerability and write an exploit to develop a strong report, one that convinces stakeholders of its severity so that they take it up for fixing.
Let us say there is a cross-site scripting vulnerability. As a security tester you may just go to the bug tracker and report it. However, what if the developer or stakeholder wants to understand its effects? What if the developer asks, “Why do you think we should fix this?” Maybe you will end up saying, “Oh, it’s categorized under the OWASP Top 10 attacks,” which would not make sense to the developer or stakeholder in the given context. It is like using OWASP Top 10 as jargon, and that is useless sometimes, or most of the time.
I leave the decision to you. If you are interested, you can practice programming in order to write cool exploits that help your stakeholders or developers understand the severity of the vulnerability. Or, if you are a hiring manager, how about hiring a dedicated team member in security testing who could write exploits for the vulnerabilities found by the security test team?
Before I finish, I would love to say something: every profession and every activity is a mind-set and a skill-set. So are programming and testing. Choose your cup of tea / coffee / anything.
https://www.testingcircus.com/writing-exploits-learn-programming-to-build-a-strong-report/
Author: Santhosh Tuppad, Cofounder & Software Tester of Moolya Software Testing Private Limited (www.moolya.com); blog at http://tuppad.com/blog.
Published December 25, 2014 by Santhosh Tuppad (@Santhoshst).