My wife recently made the comment about how it seems as though bad things come in threes. I thought it was an odd thought to see random events as coming in sets, but then again she also thinks that there are a finite number of good weather days in New England. But then I realized that there have been three occurrences that have set a course for part of my intellectual pursuits here at Cigital. These three events are completely un-related, but all evolve around the issue of security testing and how it seems like security testing should be the next technical pursuit for software test engineers.

The first event was at SD West. I went to hear Herbert (Hugh) Thompson talk about fuzzing. Hugh is a great speaker by the way and you should definitely hear his presentation about his escapades as a young teen fuzzing his high school’s soda (”pop” for all us midwesterners) machine. But, I digress… In any case, the question that came up at Hugh’s talk was whether security testing was the domain of developers or testers.

I’ve been doing some work with one of our clients about moving security testing into their testing organization. That’s the second of the three coincidences. Our client has realized that in order to implement the Software Security Touchpoints throughout their SDLC, that they need to train and empower their testing organization and not assume that the developers to write secure code. Good assumption.

The third is that Joe Jarzombek, Bob Martin and I were asked to give a talk on Software Security at the Boston Software Process Improvement Network (SPIN) and Software Quality Group for New England (SQGNE) meeting. The talk is on May 9th for anyone in the Boston area. My talk is titled “Software Security Testing - The Next Frontier”.

Does this mean security testing is a bad thing because it “comes in threes”?

I was starting to worry that it was after my wife told me about the “bad things come in threes” thing. Then, the other day one of my co-workers, Paco Hope, and I were talking. Turns out that he’d already started blogging about security testing and some of the challenges. He’s started with a couple of book reviews which provide some insight into the challenges. He and I started talking about and the relationship of Cigital’s Risk-based Security Testing methodology and other negative testing methodologies like equivalence classes. Paco’s definitely got some great ideas about how Software Security and Software testing relate.

So, there aren’t three incidents - there are actually four. Phew - because I really do believe that testing organizations are going to need to provide the security training, tools and resources to empower their test engineers. It also creates a natural, technical growth path for those engineers. Engineers progress from manual testing of features to being able to write test automation. Security testing requires even deeper technical knowledge than automation, so it’s a natural evolution to start getting underneath the constrained environment of traditional automation tools and start working on testing the security related aspects of the software.

So, Security Testing is definitely not a bad thing, since it doesn’t come in threes. Now, if I gotta start working on the weather in New England.

Technorati Tags: security testing, fuzzing

This entry was posted by Scott Matsumoto on Friday, April 27th, 2007 and is filed under Software Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.