Monday, 4 July 2011

Developers Vs QA Vs Security testers

When developing software there are now 3 groups of techies involved:
  • Developers
  • Functional testers (QA)
  • Security testers
For a while I've been trying to convince developers that they really need to have a basic understanding of security testing - you just can't develop a secure application unless you know how it's going to be attacked.
However when I was preparing for my OWASP talk for AppSec EU in Dublin, I started thinking about this a bit more.

And now I think that can be expanded:

Developers, QA and security testers all need to have a pretty good understanding of what the other 2 groups do.

So I'm saying you can't really be a good developer unless you know about QA (functional testing) AND about security testing.
You don't have to be an 'expert' in both areas, but you need to have a good grounding in each.
The former is actually quite common - most developers (at least in my experience) work pretty closely with QA and so should have picked up a fairly good idea of what they do and how they do it. The latter, well, some do and some don't.

But the converse is also true - I don't think you can be a good security tester without knowing about both development and QA,
and you can't be a good functional tester without knowing about both development and security testing.

Anyone feel like arguing against that? :)

Which group are you in, and how good is your understanding of the other 2 disciplines?
