- July 7, 2014 at 7:59 am #2459
Recently an experienced security tester told me they would not share their knowledge on security testing with the wider testing community. This person felt that because bug hunting was a lucrative occupation, sharing techniques would spawn competition for the lucrative bug bounties they were chasing.
This got me thinking – do testers subscribe to the hacker’s code of ethics – that all knowledge should be shared with people who can benefit from it?
Do you feel an obligation to help other testers improve in their profession or do you believe it’s every tester for himself (or herself!)?
- July 7, 2014 at 8:51 am #2473
Interesting conversation you must have had with the security expert! I’ve worked with people like that before who just won’t share any knowledge purely because they like to be the go-to person, or the only person who knows how to do something, so it makes them feel indispensable I guess…
I feel like I am the opposite though. I really like sharing. It feels good to share knowledge and I get a buzz knowing that I’ve helped someone learn something.
I think it stems from learning from others though, which I’m still constantly doing. I appreciate everything that I’m taught, or every story that I hear as each story will teach me something – be it of a different perspective, or of a bug that I’ve never experienced but am now aware of, or a new tool, etc.
I think the security expert that you were speaking to has a worrying view too. Especially because it’s security testing. I’d say most testers out there don’t know much about security testing, and the amount of software that doesn’t undergo any security testing is extremely worrying. The only way people can learn is by others sharing their knowledge…
- July 7, 2014 at 12:20 pm #2491
It was an interesting conversation all right, Dan. The area of bug bounties is probably another discussion, but if discovering a bug is worth a five-figure sum, you can understand the reluctance to share information. So how can testers learn security testing?
- July 7, 2014 at 12:37 pm #2494
I don’t believe that testers are any different to other humans when it comes to sharing knowledge.
Some people will hoard information to try and ensure they are the expert, the only one who knows how to do something, and others will share their knowledge willingly and openly. This can also depend on the role they are doing at the time, as when you are managing or leading a team you have more of a responsibility to grow those around you.
A resource who is employed as, in effect, an ethical hacker by an organisation is likely to live and die by his specialist talents, and I can perhaps understand why he would hoard his special techniques, his personal IP, the same way McLaren or Ferrari etc. do from each other in Formula One motorsport, but I would perhaps expect him to be more open about more general security test knowledge.
As for me, I have been lucky to have mentors and colleagues who have passed on their knowledge to me, and I in return delight in sharing with anyone who is interested in testing.
In fact, thinking of a couple of managers/developers from my past, I even insisted that quite a few people who aren’t interested learn a few things whether they want to or not…
- July 7, 2014 at 2:33 pm #2496
I completely agree with Donna’s third paragraph. I too have had the luck to work with some incredible testers who shared their knowledge and were also open to having their opinions challenged. I’ve also had the very good fortune to have worked in positions where I could pass on what I’ve learned and experienced to other testers, programmers and anyone prepared to listen.
The satisfaction of seeing colleagues develop is tremendous for me, especially when they’re able to challenge my ideas and approaches to testing. And if they turn out to be at least as good as me I’m delighted.
Rarely have I known testers who adhere to the “Knowledge is Power” concept, and those I have met quite frankly wouldn’t have been worth learning from.
And lastly, I never feel obliged to help other testers improve, which is to say that it’s never felt like an obligation.
- July 7, 2014 at 3:49 pm #2498
While understanding why a security tester might take a selfish attitude, I would not agree with that approach for two reasons:
Firstly the size of the problem is so gigantic that it’s hard to imagine the supply of skilled security testers will ever catch up with the rapidly expanding attack surface area, especially when the Internet of Things is added to the mix.
Secondly it is impossible to monopolise information on how to perform security tests. There are many sources of useful advice such as the Open Web Application Security Project, YouTube videos, and many affordable books. The main obstacle being the lack of interest and incentives to undertaking the learning.
At the EuroSTAR conference in Dublin this November I’ll be helping testers get started with the basic knowledge they need to bridge the gap between the experts trying to secure the network perimeter (configuring the firewalls and intrusion detection and prevention systems) based on pattern matching for known hacks, and the penetration testers who usually find the low-hanging fruit at the end of the project. The security gap in between those expert activities is almost everything that happens in projects to develop and maintain systems. Testers don’t need to be experts in penetration testing tools and techniques to ask useful questions to the project team such as “Is there even a single security misuse case defined as a project requirement?”, “Have the developers all followed a set of secure coding standards?”, “Has there been a security threat assessment undertaken?”, “Is untrusted data being validated?”, “Can users submit arbitrary data to the server side application?”, and so on.
Until project teams accept it is their own responsibility to learn how to build self-defending applications there will be an ever increasing number of unsecured systems added to the landscape to make bug-bounty hunters and hackers alike earn a good/bad living. I believe every tester with a good moral compass should be helping as many colleagues as possible learn how to include secure application design, coding, and testing into their everyday work.
We can do this!
- July 7, 2014 at 6:52 pm #2499
Hello everyone. First of all, excuse my English; maybe I will use some dummy combination of words.
I see the problem like this:
1. If you are a lazy person, you will not share with the others, because this means that you need to go and discover other things, which will make you the expert (again). This is a process, a daily improvement; if you learned something 10 years ago and you are doing the same thing over and over again, every day (testers blocked on some project based on ancient technology), you are process/company dependent, which is not a good thing.
2. Sharing information will destroy the mystery around you, which maybe defended you, but you will get the appreciation of the others.
3. Before sharing information with a specific person, be sure he/she is not a lazy person either. I mean, has he/she tried something already, or does he/she just wait for you to give the solution? Teach them how to fish, do not give them the fish.
These are my principles! (at least some of them)
- July 7, 2014 at 7:26 pm #2500
I think Donna’s insights reflect my initial thoughts. So to think of a new insight: I can imagine if someone’s job description involves telling the IT project that they created bugs, made mistakes and generally didn’t do their job to standard, then I can imagine a vital component of the skill set must include “soft skills”, such as diplomacy, politics and general ways of “bringing the community together”. Hiding information, I think, is contradictory to these skills, and someone who comes across as a “know it all” who works in isolation probably finds themselves moving around frequently between companies. Maybe.
- July 8, 2014 at 8:58 am #2501
I totally agree with Declan. I don’t believe that the number of security testers will ever (or at least not in the near future) catch up with the demand for that type of testing. That tester Paul mentioned in the first post might be the type of person who believes he belongs to a ‘secret society’ and not everyone can become a member.
The other reason for not sharing with the others is the case when someone experienced doesn’t want to learn any more and is afraid that others will catch up and go around him.
As an experienced tester I feel it is more beneficial to help others to improve, because it is the only way you may have more time to develop yourself. And the circle closes.
- July 9, 2014 at 8:48 am #2514
Whilst I do not feel obliged to help other testers out, if I can then I will. I have a number of years of testing experience behind me, mostly built up by observing the great and the not so great and being helped along the way by more experienced testers. I am secure enough in myself to happily share any knowledge I can if it helps someone out. After all this time I still don’t know it all, so I take the view that there is probably something I can still learn, even if I am helping out others.
- July 14, 2014 at 2:08 pm #2622
I do not think testers feel “obliged” to share knowledge. I do however think that many testers come from backgrounds where sharing information is the way to do things. As I understand it, there haven’t been any schools or universities teaching testing, at least not here in Sweden. That is a relatively new thing. Many testers seem to have learned the testing trade from other testers in a way resembling the old-fashioned master/apprentice way. Even now, as there are educational programmes you can attend to learn testing, those often have experienced testers with many years in the trade as well. This might have created a natural culture within testing where you share your knowledge to teach new colleagues (and thus not have to do all the work yourself). However, in some cases, as with the above-mentioned security tester, there might be good reasons to not disclose and share.
- October 26, 2014 at 8:24 pm #5147
I think I have a problem with the way the question was asked.
Everything in the statements around it implies that the question is “should or should not one tester help another”.
No one is obliged to do anything until that is either part of what you are getting paid to do or it’s a necessity to do a good job in order to deliver a good product.
Also, “help” would not be handing everything over on a silver plate. In my understanding it would be guiding and challenging the person to learn and aspire for more.
Demanding that someone share their tips and tricks should not be the way to go.
As for me personally, I’d try to be careful with teaching people to do things my way. If it’s about giving tips when a person has reached out, or when it’s clear that without these tips it will be harder to reach the goal of delivering a good product, I will speak up: I will show where to find logs, which tools could be helpful, how to more easily trace down the problems in the s/w we are testing and how to tailor bug reports so it’s easier for our developers to get what the real issue is that the tester tried to report.
I could imagine that I would have a hard time reaching out to a person who is not willing to collaborate. Thus I might not really share the knowledge I have gained up to this point.
Yet one thing is clear to me:
At the end of the day it’s not our egos we should care about. It’s the results we bring as individuals, as a team and as a company.
- October 26, 2014 at 9:01 pm #5148
(: and I left the most important thing here: do testers feel obliged to help.
I don’t think that this is a question that could be answered. As there are many different testers, there are different belief systems they follow.
If it’s a feeling to put your thoughts in the blog, go for it. I believe a blog is something you write to help yourself. If it can help others, it’s there for anyone to check out of their own free will.
It would be great if we all were a big happy family that helps each other out.
Here we also need to take into account:
* the way we like to think and deal with what needs to be dealt with.
I think everyone here can imagine at least one person from whom you would not want to get the tip of how to live your life and how to do your work. Most likely that is also the person who could believe that you are wasting your life, you know nothing and you must be saved (implying the person feels obliged to help you).
How well will you be able to take those tips from this person?
A. If you respect the skills he/she has, you will listen and give those tips a chance.
B. If you are having a hard time coping with that personality type as well as respecting the person professionally, I will take a wild guess and assume that the tip will not be appreciated and might not get applied any time soon.
There can be good cases, when you get a tip from a person who’s been in your shoes and thus can relate to you and help out without triggering any alarm.
There could be cases where the help attempt affects you negatively (e.g. makes you feel worse, puts you in a rough spot). Such a helping hand could make it harder for a person to deal with the current situation/problem.
Everyone willing/feeling obliged to help needs to really consider:
* Why I’m doing this
* What are the benefits and plausible downfalls before going in.
If it is done, I feel hopeful that we bring added value and it was worth a try to help out.