10.3. The Trouble with Security Testing

It's pretty obvious that security testing is difficult. The amount of knowledge of the techniques and tools needed to test the security of web applications is overwhelming. As with many of the other testing disciplines we have discussed, you are urged to test for security from day one of the application life cycle and to think of security as a feature. The most difficult part of treating security as a feature of your web application is finding the potential security problems.

10.3.1. Knowledge Transfer

Developers are a stubborn group of people. Many developers that I know will not ask for help when they encounter issues. They would rather research the problem for hours and figure it out themselves. The fact that many developers seclude themselves, and are unwilling to ask for help, is detrimental to the development community — especially in the security world. I feel that knowledge is best shared in a group of people, where multiple people can voice their opinions.

There is also the mindset of experts not willing to share information for fear of losing their job or not being the only one who can accomplish a particular task. This is common in the security-testing world, with many security experts not willing to share the "Tricks of the Trade."

There are many movements such as ALT.NET, agile software practices, software craftsmanship, and the .NET users groups in the Microsoft Heartland district to help combat this issue by fostering safe environments where knowledge transfer is encouraged.

10.3.2. Experience Level

The results of a security test are directly related to the relevant security experience of the staff performing the security test. I have touched upon the type of mindset required for security testing. The creative, malicious, meticulous mindset required to be a good security tester is extremely difficult to learn by reading books and articles. This mindset is best learned by working with someone who has already mastered the skills.

10.3.3. Outside Consulting

Many companies do not staff security experts who are able to perform adequate security testing, and many of those companies are unwilling to seek outside help for security testing. Many managers don't want to pay for secure applications; they would rather add a few more "bells and whistles" to their application. Seeking outside help for security testing is highly encouraged. Not only is it an unbiased look at the application, it's a team that may take a different testing approach, use a different testing methodology, and have different experience than the internal developers.

This is not to say that internal security testing should not be done along with the outside testing. It's best when both of these teams work together and learn how to test/resolve the security issues encountered together.

10.3.4. A Unique Problem

Security testing is a unique problem. Most application vulnerabilities arise from an attacker's unexpected but intentional misuse of the application. Is it possible to plan for an unexpected misuse of an application? No matter how much time you put into security testing, you will never be done with it. It's not a matter of if your application can be compromised, it's a matter of how long it will take. This is not what managers or customers want to hear, but it's reality. Learning the security basics and how to test for them will combat the majority of the attacks.
