What? Why? Who? How? Of Application Security Testing
A penetration testing expert is better at pen-testing than me, but should I simply delegate application security to specialists and network firewalls? Actually no, I shouldn’t and neither should anyone else involved in the systems development lifecycle.
For years I treated security testing as something akin to black magic beyond my comprehension and penetration testers as technical wizards who could cast out evil hacking spells. Obviously that was daft, but it took some effort to see what was really happening behind the smoke and mirrors of application security, and to de-mystify it for my colleagues.
Follow the journey that led Declan O’Riordan to believe that every well-formed tester can and must have a basic understanding of what application security is, why it is important, who should be doing it, and how.
After this presentation you can stop describing security as ‘Out of Scope’ from your test plans.