I continue to worry (paranoid?) about mobile and embedded security, hacking, and the lack of quality testing efforts. Check these links out:
inflight wifi hacks
thieves hack key fobs
So am I paranoid, or are they really out to get us (development projects)? What is the cost to us, and does that cost justify any added security testing? Will standards, e.g. ISO29119, and government regulations drive testing, or will the market?
My guess is that some places and projects will take mobile/embedded security testing seriously and some won’t, and the users will be left to vote with their feet. As individual testers, I think we provide information to our development teams so that the context of the project can help decide what is needed. James Whittaker’s books and my book on software test attacks (available on Amazon) provide a starting point for security testing, but as much as I know, there is far more that I don’t know about security testing.
On other sites, I’ve written about tester certifications and skill lists. I have supported certifications and skill definition efforts because I believe that, while there are abuses with certification, gaining knowledge in a field is part of being a profession, and we need bodies of knowledge (BOK) as starting points. However, I do agree that the software test industry is still maturing, so information gained from a certification or standard should be treated with some level of care (does it work, when does it not work or fail, when should we change what we know, etc.). I bring these points up because, as the risks of software increase due to things such as failures and security issues, the pressure to have “certified” engineers will increase (see http://www.computerworld.com/s/article/9250174/Cybersecurity_should_be_professionalized?source=CTWNLE_nlt_security_2014-08-06 for example). Groups like IEEE and ISTQB promote certs. State governments already regulate the word “engineer”. The current certification bodies of knowledge may be incomplete and/or wrong, but just because a BOK is not perfect does not mean we should ignore or discount it; rather, we should work to make it better. Sooner or later, the BOK will become “law” and the expectation of employers. Not every project, domain, or area of software will need certs, but areas that I work in, such as embedded and mobile, where life or large money losses may be at risk, will likely get focus for certs sooner.
I hope more people will become involved in certifications, both in the production and use of them, and in their critique.
Various researchers have reported security bugs, but they remain open for years; see:
I have written and reported on mobile security issues and testing. However, it feels like until somebody actually exploits a fault and the exploitation makes the news, many vendors and app providers do nothing.
I do not put any information on my phone that I don’t want public. I am even unsure about using many mobile web apps with registered logins. If the mobile app world wants to become trusted, I feel they must do a better job, but just like the web world during the “.com” bubble of years back, I suspect it will take time until companies come to understand the importance of quality and security in the mobile world.
It is sad.