why testers need to be involved from the beginning

On a recent project, the vendor’s software was going to be embedded in our website through an iframe. After a quick tutorial from my husband (a software architect who had done a lot of research on the security of iframes not too long before that), I thought it would be interesting to poke around and see what I could find in their system and see if I could break into it, though I’m not a security tester. I found some of what I expected to find — they were using security headers that are a little dated but the best that work on Safari (there’s more secure stuff for the other browsers — I don’t know why Apple is behind the times on that). But there was also a header that was misspelled when it should have been automatically generated by the system. This gave me pause. There was a possibility that something got a little funky with the server, but it was also possible that they were hard-coding things on a homegrown server rather than using a commercial server that is regularly patched.
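As an added illustration (not code from the post or from the vendor it describes), here is the kind of response-header hygiene check a tester can run against constructed sample headers: it reports which anti-framing control is present and flags header names that nearly match a known security header, the "typed by hand" signal the post describes. It assumes the dated-but-Safari-compatible header is X-Frame-Options and the newer control is a CSP frame-ancestors directive; the post itself does not name them.

```python
import difflib

# Assumption (the post names no headers): the security headers a reviewer
# expects on a response that will be embedded in an iframe. Lower-case so
# comparisons are case-insensitive, as HTTP header names are.
KNOWN_SECURITY_HEADERS = [
    "x-frame-options",
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
]


def framing_policy(headers):
    """Report which anti-framing controls a response carries.

    headers: dict of header name -> value.  X-Frame-Options is the older
    control; a CSP frame-ancestors directive is the newer one.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    return {
        "x_frame_options": lower.get("x-frame-options"),
        "frame_ancestors": "frame-ancestors" in csp.lower(),
    }


def suspicious_headers(headers, cutoff=0.8):
    """Flag header names that are close to, but not exactly, a known
    security header.  A framework-generated header is never misspelled,
    so a near miss suggests the header was hand-written somewhere."""
    findings = []
    for name in headers:
        low = name.lower()
        if low in KNOWN_SECURITY_HEADERS:
            continue
        close = difflib.get_close_matches(low, KNOWN_SECURITY_HEADERS,
                                          n=1, cutoff=cutoff)
        if close:
            findings.append((name, close[0]))
    return findings


# Constructed sample response headers, not captured from any real vendor.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Securty": "max-age=31536000",  # deliberate typo
}

if __name__ == "__main__":
    print(framing_policy(SAMPLE_HEADERS))
    print(suspicious_headers(SAMPLE_HEADERS))
```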

I filed a bug. And pushed it. A lot. I got the Information Security team involved. The response finally came back (after more than a month of asking) that they were not using Apache, but they couldn’t tell us more about it, that they were keeping up with security issues and regularly testing their server. This was another issue. The software we were given was so poorly written and tested that I wasn’t sure if we could trust their word that they were adequately testing their own servers, much less keeping up with OWASP vulnerabilities or doing anything security-related.

InfoSec was aware of this. But when I asked about the results from their penetration testing, the project manager told me that they weren’t doing any testing. It was in our contract with this vendor that we wouldn’t do any testing of their server.

Seriously? My response to that in a meeting was, “Someone is touching their servers, and I’m concerned that it’s not us.”

I lost the battle. I looked through the contract to see if there was any way we could say they breached the contract (hooray, law background!), but the vendor had written it so wishy-washy that it was basically a “best effort” contract without anything binding. So frustrating.

In addition to the gaping potential security issues, it was a big problem to me that testers weren’t involved in the decision-making process. I’m not sure if anyone technical was involved, though I really hope so. But a tester could have raised the issue about not testing their servers instead of lawyers and business people just agreeing to it without considering the implications. It should have been a major red flag that they didn’t want us to try to break into their server.

Testers are not just a checkmark. We have experience and specific knowledge that can assist with product decisions and can end up protecting the business’s interests.