New Adventures in Security Testing

Dan Billing

Learning new skills and gaining new experiences is key to developing any career, but in the rapidly changing world of software testing it is particularly necessary. Recently my work has required me to develop my security testing skills, but more than that it has opened doors into a whole new world of skills and techniques, and I am still learning more and more.

This track explores how I have approached the problems I have encountered, formulated my learning, and how I have developed an understanding of the key features of security testing in an accessible way.

I see testing as a holistic process, incorporating functionality, usability, performance and security. Having an understanding of these elements enhances our ability to drill down into the issues surrounding our applications. Security testing is seen as something of a dark art, which is the preserve of specialists and consultants. The aim of this track is to break down some of these barriers to understanding and learning through discussion and shared experiences.

We will discuss the key threats and how to recognise them by diving into the OWASP Top 10 and discovering how important it is to testers. The Top 10 describes the leading attacks that web applications can be vulnerable to. It is the foundation for all the security testing activity that I undertake, so it will be one of the cornerstones of my discussion.

As well as this, I'll share my learning around some of the tools I have used, such as Fiddler, OWASP Zed Attack Proxy and Burp Suite. There are tons of useful tools out there for the budding security tester, but they need to be used with caution. I'll discuss the pros and cons of using some of these tools, and how they can be implemented quickly.

Alongside this, testers need to know how to replicate some of these issues manually. It's the best way to learn them. A demonstration of some of the vulnerabilities testers will encounter will highlight these aspects of this challenging problem.

I'll share my experiences on the resources available to learn these skills and techniques. Security testing in your applications can be risky and dangerous, so having a safe environment to learn is key to learning effectively.

To conclude, security testing is a minefield of pitfalls and false positives, so sharing my thoughts, ideas and learnings in an engaging and humorous way will help testers interested in this topic get a grasp on the key areas for learning, and take these forward in their own professional development.

Hi, my name is Dan Billing. I'm a software test engineer with 13 years' experience in the public and private sector. I've spent time working in all sorts of testing environments, using different approaches, but now I feel that my natural home is in the context-driven school of testing. I consider myself a technical tester who still has a lot to learn about how applications work.

I love sharing my learning and knowledge with others, whether it is buddying with other testers, talking to groups or leading workshops. I think it is the best way to get ideas across, and learn more yourself. Recently I have been learning about Security Testing and it's an exciting new avenue for me.

After 4 years in the contract market, I was given an opportunity to work in a great team at New Voice Media, in Basingstoke, UK. We work hard to create cloud-based contact services for our customers, where we deliver to production rapidly, which is a huge testing challenge.

I look forward to connecting with the testing community much more in the future, and learning from you too.

I tweet as @TheTestDoctor and blog at http://thetestdoctor.wordpress.com/