Monday, June 13, 2011

How is a security expert like a QA tester?

Testing and security are two sides of the same coin: that's the message of a WIRED editorial by security expert Bruce Schneier and a follow-up by fellow security expert Colin Percival. They think they're talking about security, but they're also talking about testing. Both fields of expertise have to look at similar problems, and the mindset that makes for a good security professional can also make for a good tester.

"Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail," says Schneier.

"Very few security problems in the wild are the result of bugs which are tripped over all the time -- such bugs don't survive long enough to cause problems for security. Rather, security issues arise when an unanticipated rare occurrence -- say, an exceptionally large input, a file which is corrupted, or a network connection which is closed at exactly the wrong time -- takes place," adds Percival. But the thoughts Schneier describes are a tester's thoughts, and the occurrences Percival describes are exactly the ones a tester should bring about on purpose. Testing is not just about making sure that software operates correctly in response to everyday occurrences; it's about making sure that software operates as close to correctly as possible in response to rare, perverse, and malicious occurrences.
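To make Percival's three "rare occurrences" concrete, here is an added example (my own, not code from the original post or from Schneier or Percival) of what "bringing them about" looks like in a test. The format is a hypothetical length-prefixed record (4-byte length, payload, 4-byte CRC32), the reader is a hypothetical one written for this illustration, and the inputs are constructed: one everyday record, one that declares a 4 GiB length, one with a flipped payload byte, and two where the stream "closes" in the middle of a record.

```python
"""Added example: a length-prefixed record reader and the rare-case
inputs a tester should deliberately feed it. Format and reader are
hypothetical, written for this illustration."""
import io
import struct
import zlib

# Hypothetical sanity bound: a reader that trusts the declared length
# blindly will try to allocate whatever the peer claims.
MAX_RECORD = 1 << 16


class CorruptRecord(ValueError):
    """Length or checksum does not describe the bytes actually present."""


class TruncatedStream(EOFError):
    """The stream ended (or the connection closed) inside a record."""


def read_record(stream):
    """Read one record: 4-byte big-endian length, payload, 4-byte CRC32.
    Returns the payload, or None at a clean end of stream."""
    header = stream.read(4)
    if header == b"":
        return None
    if len(header) < 4:
        raise TruncatedStream("stream closed inside length header")
    (length,) = struct.unpack(">I", header)
    if length > MAX_RECORD:  # the "exceptionally large input" case
        raise CorruptRecord(f"declared length {length} exceeds {MAX_RECORD}")
    payload = stream.read(length)
    if len(payload) < length:
        raise TruncatedStream("stream closed inside payload")
    crc_bytes = stream.read(4)
    if len(crc_bytes) < 4:
        raise TruncatedStream("stream closed inside checksum")
    (crc,) = struct.unpack(">I", crc_bytes)
    if zlib.crc32(payload) != crc:  # the "corrupted file" case
        raise CorruptRecord("checksum mismatch")
    return payload


def encode_record(payload):
    """Build a well-formed record for the tests."""
    return struct.pack(">I", len(payload)) + payload + struct.pack(">I", zlib.crc32(payload))


class FlakyStream(io.BytesIO):
    """A stream that 'closes' (returns b'') after cut_after bytes, to
    simulate a connection dropped at exactly the wrong time."""

    def __init__(self, data, cut_after):
        super().__init__(data)
        self.cut_after = cut_after

    def read(self, n=-1):
        remaining = self.cut_after - self.tell()
        if remaining <= 0:
            return b""
        if n < 0 or n > remaining:
            n = remaining
        return super().read(n)


def decode(data):
    """Convenience wrapper: read one record from an in-memory byte string."""
    return read_record(io.BytesIO(data))


def probe(stream):
    """Label how the reader behaved on one input."""
    try:
        record = read_record(stream)
        return "ok" if record is not None else "eof"
    except CorruptRecord:
        return "corrupt"
    except TruncatedStream:
        return "truncated"


def _flip_byte(data, index):
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Constructed inputs: one everyday case and Percival's three rare ones.
GOOD = encode_record(b"hello")                       # 4 + 5 + 4 = 13 bytes
HUGE = struct.pack(">I", 0xFFFFFFFF) + b"x"          # claims 4 GiB, delivers 1 byte
CORRUPTED = _flip_byte(GOOD, 5)                      # one payload bit flipped


def run_rare_cases():
    """Exercise every case and return what the reader did for each."""
    return {
        "everyday": probe(io.BytesIO(GOOD)),
        "huge_length": probe(io.BytesIO(HUGE)),
        "corrupted": probe(io.BytesIO(CORRUPTED)),
        "closed_mid_payload": probe(FlakyStream(GOOD, cut_after=6)),
        "closed_mid_crc": probe(FlakyStream(GOOD, cut_after=11)),
        "empty": probe(io.BytesIO(b"")),
    }


if __name__ == "__main__":
    for case, outcome in run_rare_cases().items():
        print(f"{case:20s} -> {outcome}")
```

The everyday case is the one most test suites already cover. The other rows are the ones that matter for security: remove the `MAX_RECORD` check and the "huge_length" input becomes a request to allocate 4 GiB on behalf of whoever sent the header; remove the short-read checks and a dropped connection silently yields a partial payload that passes downstream as if it were complete.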

Testers explore the universe of possible situations that software can be subjected to. Security concerns are part of that universe. Although QA testers aren't and shouldn't be security experts, they need to have a working grasp of security. QA testers need to be very broad generalists to test well because, like security experts, they need to keep an eye on the big picture, and they need to be, as Percival suggests, rigorous. This is part of why good testers don't need to come from a computer science background: any background that teaches lateral thinking, rigorous analysis, and thoroughness can produce a good tester. Those skills are what we in the QA industry should demand from ourselves.


