Monday, 4 July 2011

Developers Vs QA Vs Security testers

When developing software there are now 3 groups of teckies involved:
  • Developers
  • Functional testers (QA)
  • Security testers
For a while I've been trying to convince developers that they really need to have a basic understanding of security testing - you just cant develop a secure application unless you know how its going to be attacked.
However when I was preparing for my OWASP talk for AppSec EU in Dublin, I started thinking about this a bit more.

And now I think that can be expanded:

Developers, QA and security testers all need to have a pretty good understanding of what the other 2 groups do.

So I'm saying you cant really be a good developer unless you know about QA (functional testing) AND about security testing.
You dont have to be an 'expert' in both areas, but you need to have a good grounding in each.
The former is actually quite common - most developers (at least in my experience) work pretty closely with QA and so should have picked up a fairly good idea of what they and how they do it. The latter, well, some do and some dont.

But the converse is also true - I dont think you can be a good security tester without knowing about both development and QA,
And you can be a good functional tester without knowing about both development and security testing.

Anyone feel like arguing against that? :)

Which group are you in, and how good is your understanding of the other 2 disciplines?