FAQs by Developers for Security Vulnerabilities Reported – by @Santhoshst
Security Testing Tips: FAQs by Developers for Security Vulnerabilities Reported
In some teams it is often a challenge to make developers, testers or managers understand why we need to fix security vulnerabilities of every severity level. To me personally, these severity levels do not make much sense. Trivial, Minor, Major and Critical may be the levels we assign, but they are based only on what we know at the time; any security vulnerability may be chained with another, and the one you rated minor could be the entry point an attacker uses to cause severe damage. At that point, the minor vulnerability has become critical.
Developer: You yourself say this is a minor vulnerability, so why are you pushing so hard to fix it?
Well, as security testers or ethical hackers we have limited time to perform attacks, whereas an attacker has plenty of time to think and attack. That is why we fix each and every security vulnerability: to close any loophole that an attacker could exploit using knowledge of hacking that may well exceed our own.
Developer: Okay, everything sounds fine about the XSS alert you saw on the profile web page. But tell me, how can someone actually exploit this?
This is why it is important for testers to learn bug advocacy and to write exploits well enough to convince people to fix the issue as soon as possible, in proportion to its threat level. People are always more convinced by a demonstration than by plain words. If the developers already think the same way, you need not convince them; but if they question you, it is always good to build a strong case around the vulnerability.
Developer: This fix will take time, or is not possible right now, for reasons such as our use of third-party systems!
This is a reason that may be correct or incorrect depending on the context, and the context may be that the developer simply wants to brush it off or find an excuse to skip the work. However, if you are knowledgeable and you know the fix, whether in terms of code or algorithm, then you can propose a counter-measure for the security vulnerability you reported. Since you have already contributed to the fix, the developer is more likely to find the time to fix it as soon as possible. So you see: learning is crucial, and it should never stop if you want to be a credible tester and add value to a testing project.
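To show what "building a strong case" and "providing the counter-measure" look like in practice for the profile-page XSS discussed above, here is an added example that is not part of the original post. It places the vulnerable rendering of a profile name beside the fixed version, so a report can demonstrate that the problem is real and hand the developer the fix at the same time. The function names, the template string and the sample display name are assumptions constructed for this illustration, not code from any real application.

```python
"""Added example (not from the original post): a profile-page renderer in its
vulnerable form beside its hardened form, so a vulnerability report can show
both the problem and the counter-measure. The function names, the template
and the sample input below are assumptions constructed for this illustration."""
import html

# Constructed sample: a display name that a user could save to their own profile.
UNTRUSTED_DISPLAY_NAME = "<script>alert('xss')</script>"

# Constructed template for the profile page heading.
PROFILE_TEMPLATE = "<h1>Profile of {name}</h1>"


def render_profile_vulnerable(display_name: str) -> str:
    """Vulnerable form: user-controlled text is inserted straight into the HTML,
    so any markup contained in the name is interpreted by the browser."""
    return PROFILE_TEMPLATE.format(name=display_name)


def render_profile_fixed(display_name: str) -> str:
    """Fixed form: HTML-encode the value for the HTML body context before
    inserting it. html.escape() turns < > & " ' into character entities,
    so the browser shows the text instead of executing it."""
    return PROFILE_TEMPLATE.format(name=html.escape(display_name, quote=True))


def contains_live_script_tag(rendered_html: str) -> bool:
    """Simple check a tester can attach to the report: does a raw <script>
    tag survive rendering? (A thorough review would parse the HTML.)"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_profile_vulnerable),
                            ("fixed", render_profile_fixed)):
        out = renderer(UNTRUSTED_DISPLAY_NAME)
        print(f"{label}: {out}")
        print(f"  script tag reaches the browser: {contains_live_script_tag(out)}")
```

Running the block prints both renderings side by side: in the vulnerable output the script tag is intact, in the fixed output it appears as `&lt;script&gt;...`, which is the evidence and the fix a developer needs in one place. The encoding shown is correct for the HTML body context only; a value placed inside an attribute, a URL or a JavaScript block needs the encoding appropriate to that context.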
Developer: Why do we need to test for security after functional testing?
In my opinion, this is the sequence of testing that needs to be carried out: Functional -> Security -> Performance. If there are functional changes in the code, they may open up new security vulnerabilities. So as security testers we need to make sure that after security testing there are no further functional fixes or changes; otherwise we need to re-do the security tests as part of regression.