So I wrote this and got it published a month ago.
I was hoping for some responses from testers wanting to become security test warriors. I know there are a few and it is a specialization, but no comments?? Disappointing.
Are we as testers being left behind by the hacker bad guys? It seems like companies care (some more than others) and care more when they get hacked (see Target and how much money they are spending on chip card readers). So, the IT/PC/Web community is being active (to some degree).
Mobile and embedded seem to be less concerned. Maybe M&S are just trying to get a product out, and we’ll care as we get hacked more (something about closing the barn door after the horses are gone?). I have written and presented on M&S security before, but where are my warriors (I’m too old to be a warrior)?
I wrote on this when it came out and this article link is dated, but it had a different “slant” on things than my first posting:
I note in this article there were comments about standards and not following them, as well as references to the earlier NASA report claiming there was not a software issue.
Now I believe standards have a place, but they still need thinking. Some people use them so they don’t have to think about something like testing. Not good. Also, as far as “reports” and investigations go, they need to be subjected to thinking and the “scientific method”, in which we question any report to see if the information is incomplete. This is a fact of life for testers (just because your first 100 tests pass does not mean that a bug is not there).
So I write a lot these days about skills in testing (building them), using many different approaches to testing, and watching for things like bias. Do Toyota or other companies have bias and need to improve their testing skills?
Probably, as bias is a fact of being human and every tester I know can improve their skills.
What can we as testers do about it?
Test more and practice our skills?
Okay, I am behind on posting about embedded/mobile software security concerns, in part because the number of interesting reports has become almost a flood of “issues”. For example this week, you should read about SCADA systems (something I talk about in my attack testing book) at:
The mobile and embedded industry and their testers seem to be in the mode of “let the bad guys find the holes”. This is the classic closing the barn door after the horses are out. It is concerning to many of us. I really don’t want my SCADA-controlled power system to be hacked and crash.
I promise I will post more of these “pointers” for embedded/mobile software security testers to have in the “horror” story play book. I just need more time to keep up with the flood.