Software Testing’s Undervalued Role in IT Security

Matt Heusser’s report on this summer’s Conference for the Association for Software Testing (CAST) is worth a careful read. Don’t think that you as a security professional have much to do with software testing? Think again. As he says in a blog post on SmartBear’s website, “so many companies downplay the importance of software testing. Quality assurance gets little time, energy and attention until something goes wrong.”

Too often security professionals just see themselves as dealing with the security issues of running an enterprise infrastructure. Well, they would have a heckuva easier job if they could screen the apps and networks beforehand to ensure that the loopholes and vulnerabilities were removed before the apps were put into production.

For example, Michael Larsen, a tester at, suggests the best test method is blending a variety of approaches together, including using automated procedures, manual explorations and writing your own test scripts while you are coding. Unfortunately, most programming shops use only a single approach to testing. This mirrors what the bad guys are doing with blended threats to try to penetrate your networks. Remember that.

Interestingly, we’re seeing the last generation of programming-unaware software testers. One recurring comment Heusser heard at the conference said just that: “This is the last generation of non-programming testers.” Indeed, jobs on you see posted today require some programming skills, something to note if you have these skills but may not have considered a testing job in the past.

Heusser concludes saying, “we need a multi-discipline dialogue about what testing is and how it contributes to the value delivery process.” Amen!
