How does security testing differ from testing?

You guessed it from the title, but security testing is really just another type of testing. Secure development is not rocket science, but a mindset inside of the scope of any development.

Security is essentially to know your product, both how it’s designed to work (happy path) and how it can be broken (exception paths). If you build a skyscraper, you do not only build it for sunny weather but also for hurricanes. If you’re building software that you sell, the customer expects the software to enable their business, not to block it.

Security is to find bugs and be able to perform good triage on them.

Security is also to have a prestigeless, nonblaming working environment where found bugs actually can be fixed.

Continue reading “How does security testing differ from testing?”

Authentication and Authorization – what is it?

Doing talks in Germany this weekend was really fun! I had a blast and learned a lot. My talks can be found here and here.

The most inspiring talk was about Fairytale Protocols (in German) – describing different authentication schemes with help from Arabian Nights and the Grimm brothers. Security pedagogics is a field that still has a lot of room for improvement, and I think this was a great way of bettering the mental picture of different authentication schemes.

Continue reading “Authentication and Authorization – what is it?”