- This topic has 34 replies, 25 voices, and was last updated 8 years ago by
.
-
Posts
-
A thing you should never say to a tester (I am not sure about this one 🙂 ) ::
‘I wouldn’t go into details. Because you wouldn’t understand’@jarilaakso Yes I did notice. That does not change my opinion however.
With the tools available programmers and testers can check for security issues without a lot of extra training.@jarilaakso Yes I did notice. That does not change my opinion however.
With the tools available programmers and testers can check for security issues without a lot of extra training.
@kasper, OK, I thought “I strongly disagree” means you strongly disagree with either of my quoted claims. Some points to consider:
1) There would be no need for bug bounty programs if current tools could replace all the needs for specialists.
2) VeriSign Trust Seal requires 3rd party testing, as does for example Trusted Shops.
3) Something being useful doesn’t mean another thing can’t be done. For example, it might be useful to buy testing from an external party even if there are already internal testers.
4) Many companies want IT systems, but don’t have any/enough IT professionals in their org to handle it.
5) Not having enough skills/resources to do what one wants quite often results to purchasing part of the work from outside of the company/department.
6) Having a test department can work very well for a company.
7) For example, Homakov from Sakurity has written a lot about OAuth(2) problems. If specialists are never useful, and orgs have all the skills and tools they need, why problems have been reported about OAuth?As for
Also it is very complicated and (therefore) costly to fix security issues afterwards.
, I agree with the sentiment. I would write “can” instead of “is”, but as I’ve seen how costly security issues can become (especially when fixed only after many end users have been affected), I’m fairly sure we agree on this. “Test early” is a good heuristic.
I agree with Thomas @ponnet and Gerald @jerryweinberg with a small note.
…I don’t mind hearing any of those comments. At all. It’s just a reminder that there’s some work to do…
(Jerry wrote about being angry.) These are emotional (system 1) thoughts, where as the “reminder to think” and the thinking part itself is logical/conscious (system 2) thinking. However, as they both might imply, we can train ourselves to receive feedback with a more positive automatic response. But I digress.
Here is an interesting read. You don’t want to mess with the testers!!
- You must be logged in to reply to this topic.