
Thoughts on the Future of Testing
As IoT and connected everything become a larger part of our everyday lives, keeping digitally secure becomes increasingly important. This means that Pen Testing will eventually become more integrated with Quality Assurance.
With the rise of Connected Devices, something seemingly trivial has the potential to become malicious and has more ways to break. High-Level security tests will need to be conducted on an app. A favourite way of mine to find some bugs is to consult the OWASP Top 10 and test a few examples from that — add some XSS JavaScript to a field or some iframe tags, or try to upload a Billion Laughs XML. I know that there are tools that can help with really in-depth pen tests too, but I’m not really talking about testing the infrastructure of a project.
So far my explorations into Penetration Testing have had an emphasis on automated tools, but I know that Pen Testing also contains a large part of intelligent and focused manual testing. Currently, there are many courses which attempt to teach a wide range of computer security. There’s a lot of information that already exists online so I won’t go over them here. My forays into Pen Testing by playing with Backtrack and Kali, reading Kevin Mitnick books, following CTF events and testing against vulnerable VMs are barely a scratch on the surface of the universe of Internet Security, but they do show a different way for an SQA to find bugs; a way that many QAs may not even be aware of.
There are also bug bounties, which have similarities to exploratory testing: exploring an application and finding errors. Finding a bug for a Bug Bounty program does require a lot of time, effort and knowledge — but it is still really just exploring and focused testing.
A few more ideas that I have: URL fuzzing could take place during the SIT process, to check how the app behaves with unexpected URLs. It could include a lot more testing of invalid URLs, as these cases should probably be handled by the app or “sad path” flows through apps. Tasks such as attempting to break character limits of fields would also be a good use of automated testing during app development. There are Python scripts that can easily be written which basically just start up Metasploit using a Python library, set up an exploit and perform a simple remote file inclusion. Nothing special and not particularly useful for testing a web app, especially in 2017; but it’s more to show that tests like these can, and probably should, be done. Maybe they can be included in CI/CD builds, where basic security tests are run on the code at the time of a deployment or a code check-in.
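The sad-path URL check suggested above, written as a CI step. This is an added example, not code from the original post: `DemoApp`, its `/items/<id>` route, `MAX_PATH` and the function names are constructed stand-ins, and in a real pipeline `check_urls` would be pointed at the SIT environment instead of the local demo server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_PATH = 256  # constructed URL length limit for the stand-in app

class DemoApp(BaseHTTPRequestHandler):
    """Constructed stand-in for the app under test: serves /items/<int>."""
    def do_GET(self):
        parts = self.path.split("?")[0].strip("/").split("/")
        status = 200
        if len(self.path) > MAX_PATH:
            status = 414  # overlong URL
        elif len(parts) != 2 or parts[0] != "items":
            status = 404  # unknown route
        elif not parts[1].isdigit():
            status = 400  # id is not a number
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

def sad_path_urls():
    """Unknown route, wrong type, missing id, extra segment, bad escape, overlong."""
    return ["/nope", "/items/abc", "/items/", "/items/1/extra",
            "/items/%zz", "/items/-1", "/items/" + "9" * (MAX_PATH + 1)]

def check_urls(host, port, urls):
    """Return {url: status} for every URL not answered with a 4xx."""
    failures = {}
    for url in urls:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", url)
        status = conn.getresponse().status
        conn.close()
        if not 400 <= status < 500:  # a 2xx or 5xx here is a handling bug
            failures[url] = status
    return failures

def run_check():
    server = ThreadingHTTPServer(("127.0.0.1", 0), DemoApp)  # free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_urls("127.0.0.1", server.server_port, sad_path_urls())
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    raise SystemExit(run_check() or 0)  # non-empty failures fail the CI job
```

An empty result means every unexpected URL was rejected cleanly; any entry in the returned dictionary names a URL the app accepted or crashed on.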
This article is really just my thoughts on what direction software testing could take and basically just to document and share these thoughts. I feel that it’s important for a Software Tester to be aware of how rapidly technology is changing.
The title image above is a map of ARPANET in 1973 — the very early days of the internet. Compare this with an attempt at mapping the internet in 2015 and it is mind-blowing how much it has grown.
