In the eyes of Mike Weider, the correct way of doing software security testing requires getting into the mind of the hacker.
The director of security products for IBM Rational said it takes a special breed of software professional to step into the driver’s seat of a hacker’s mentality and take the wheel. While quality assurance professionals can do security testing and smoke out some vulnerabilities, they usually have the customers’ thoughts in mind rather than those of the hacker.
“There is a need for this specialized security testing professional to anticipate how hackers think and use this slightly different way to test applications,” Weider said.
From a technology standpoint, there are two main approaches to testing software for security, and both are well known to developers and testers. One is what many call the outside-in approach: exercising the running application to see how it responds to a simulated attack. The second is more of an inside-out approach, which examines the code itself for coding patterns that indicate vulnerabilities.