Learning buddies in Security?

We started a conversation at the TestBash Brighton UnExpo about wanting to teach, learn and share experiences year round rather than just at the conference.

So here we are! And if you are interested in learning, teaching or sharing experiences about Security, why not connect here with @danielbilling, Parul, @steven.knopf and others who are also looking to connect!

2 Likes

Yep - hit me up here if you want to talk. Or on the Ministry slack of course.

Hi Daniel, I did study security testing and have tested the apps in my company for the OWASP Top 10. But unfortunately, I could not continue with it because, sadly, most companies don’t want to go for it. They think that security testing is unnecessary and should be the last checkpoint (if at all). Those who want security testers need people with a very decent number of years of experience, so that they can establish the security guidelines for that company. Just wanted to know your views on it? I am based in NZ so I am telling you about the market here.

Hi Prachi,

I’m sorry that you have had that experience. I thought the NZ market was quite well informed on security, having spent some time there last year, attending WeTest, talking to folks and learning. I ran some workshops at Xero.

The security industry is quite specialised, but I do not think there is any harm in broadening your personal skill set to aim for the direction you want to set for yourself, not what the market dictates.

Look at the chatter on the web about T-Shaped, Broken comb or Paint drip models for skill and knowledge development.

https://news.ycombinator.com/item?id=12226242

1 Like

Thanks Daniel, maybe not every company concentrates on security and my exposure is still limited. WeTest is a great place to collaborate. And yeah, no harm in keeping in touch with this domain, some day it might be useful! Thanks for the links…

Hi,

I’d like to learn security testing. How should I proceed?

I would like to learn security in the context of blockchain and API testing areas.

If you are not familiar with basic security testing, you can start with the basics, then you can shift to your context.

For a start:

Knock me if you need any help:
https://twitter.com/Abir11Khan

1 Like

So, OWASP Top 10 is one aspect of it. As we get into DevOps, the threats seem to be changing, and the checks need to be updated.

For example, if there’s a threat detection in production, the dev and test personnel need to be immediately alerted, so that they can take care of it.

Any thoughts?

And by the way, the link does not work anymore…

Sorry, this link should work: https://owasp.org/www-pdf-archive/OWASP_Top_10-2017_(en).pdf.pdf

1 Like

Thanks! That’s the OWASP Top 10 as of 2017. Have they released anything newer, around 2020?

1 Like

Ransomware prevention seems to be gaining more and more exposure and importance recently. Is anyone working on any test strategies/architecture around it?

No, 2017 seems to be the current version.

1 Like

Just a random search: https://owasp.org/www-project-anti-ransomware-guide/migrated_content

1 Like

They actually made a Top 10 API Security list in 2019 – which is different but still worth checking out for API testing => OWASP API Security Project | OWASP Foundation

1 Like