Security Testing - How involved are you in this?

Hey!

I was wondering how involved you are in security testing? A lot of companies I’ve worked for have separate security teams. Is this the same for you?

4 Likes

In my last company, which was a startup, there were obviously budget constraints, so we testers were completely involved in security testing of our API, especially identifying the OWASP Top 10 API vulnerabilities. We used tools like Postman for exploratory testing to identify issues w.r.t. BOLA, BFLA and BOPLA, Burp Suite for intercepting the network requests, and some performance testing tools like Locust to test rate limiting issues. There are a ton of free resources to get started with: APIsec University – Become an API Security Expert

5 Likes

Most of my work these days is around all kinds of security :blush:, though not specifically only application security. We no longer have a formal test team, but there is a security team. That’s where I sit, and hence the focus. :wink:

Tools in the team are mostly pen test tools and things for corp dashboards.

I can recommend the books by SheHacksPurple on Application Security and Secure Development.

2 Likes

Almost all of our testers have secondary specialisations: performance, accessibility, automation, etc.

It’s only a small team, but one of the guys I’d probably put at security expert level, so he is often used as a “call a friend” option to help out on a project for a couple of weeks, deep diving into the risk.

The others have basic security risk level ability, but they would rarely do the deep dive stuff with the pro tools in hand.

3 Likes

We were initially involved a few years ago, and in fact we wrapped some out-of-the-box ZAP testing into our frameworks. However, none of us were skilled security testers, so we didn’t build extra tests, as we didn’t have the space to upskill. Since becoming Cyber Essentials Plus certified, it’s been 100% managed by our Platform Engineering team.

2 Likes

As it should be… pentesting & security is a completely different tier. I’ve done pentesting myself, and I sometimes still do it for my teams, but it’s not official; it’s not allowed either to test your own projects.

What I see testers do is test the basics & be a security champion for the team/teams you’re in.

  • You can do the basic OWASP checks; there are many top 10 lists from OWASP about web apps, APIs, etc.
  • A lot of basic tests are “easy” for testers. As @komalgc mentioned, all the Broken Access Controls are easy to test; I even teach a course for beginners & advanced about API hacking for testers. There are so many more things to test for. Mass assignment, for example, is super easy to test as a tester, since everything is almost whitebox. Same for IDORs, enumeration, CSRF, SSRF, XXE, … (BUT it REQUIRES understanding of the vulnerability.)
  • The tester could be involved in SAST.
  • Threat modeling is for the whole team, including the tester!
  • You can do a vulnerability assessment with ZAP, as @ghawkes mentioned, but often I see that testers don’t understand the vulnerabilities, or just literally download the report and don’t know what it means, so without the knowledge I would not advise doing that.

1 Like
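As an added illustration of the BOLA and mass-assignment checks the post above calls “easy” for testers (example code, not from any poster or tool mentioned here): a tiny constructed in-memory stand-in for a `/users/{id}` endpoint, with a `strict` switch that turns the fixes on, and a tester-style check function that reports which OWASP API Top 10 controls fail.

```python
from dataclasses import dataclass, field


@dataclass
class Api:
    """Hypothetical in-memory /users/{id} endpoint. strict=True applies the fixes."""
    strict: bool = True
    # Constructed sample data, not real accounts.
    users: dict = field(default_factory=lambda: {
        1: {"id": 1, "email": "alice@example.test", "role": "user"},
        2: {"id": 2, "email": "bob@example.test", "role": "user"},
    })

    def get_user(self, caller_id, target_id):
        # BOLA control: the object's owner must be the authenticated caller.
        # With strict=False the check is skipped, which is the classic BOLA bug.
        if self.strict and caller_id != target_id:
            return 403, {"error": "forbidden"}
        user = self.users.get(target_id)
        return (200, dict(user)) if user else (404, {"error": "not found"})

    def patch_user(self, caller_id, target_id, body):
        # Mass-assignment control: only allow-listed fields may be written.
        # With strict=False every key in the body is bound, so "role" is writable.
        status, _ = self.get_user(caller_id, target_id)
        if status != 200:
            return status, {"error": "rejected"}
        allowed = {"email"} if self.strict else set(body)
        for key in body:
            if key in allowed:
                self.users[target_id][key] = body[key]
        return 200, dict(self.users[target_id])


def run_checks(api):
    """Return the list of failed checks; an empty list means both controls hold."""
    failures = []
    # BOLA: user 1 requests user 2's record and must be refused.
    status, _ = api.get_user(caller_id=1, target_id=2)
    if status != 403:
        failures.append("BOLA: caller 1 read object 2 (status %d)" % status)
    # Mass assignment: a normal user tries to escalate via an extra field.
    _, body = api.patch_user(1, 1, {"email": "a@example.test", "role": "admin"})
    if body.get("role") == "admin":
        failures.append("Mass assignment: 'role' was writable via PATCH")
    return failures


if __name__ == "__main__":
    print("vulnerable:", run_checks(Api(strict=False)))
    print("fixed:     ", run_checks(Api(strict=True)))
```

Run against a real API, the two requests in `run_checks` become an authenticated GET and PATCH sent with user 1’s token, and the assertions stay the same.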

100% true story :joy:, absolutely nailed :hammer: :round_pushpin:

1 Like

The timing of this topic couldn’t be better; thank you, @melissafisher, for initiating it!

We have a dedicated security testing team, but their focus is primarily on infrastructure security rather than API security. So, I’ve started exploring tools that can run automated scans on our endpoints, starting with coverage for the OWASP Top 10.

So far, I’ve looked into the following tools:

  • ZAP
  • Pynt
  • Burp Suite (Community Edition)
  • StackHawk

If you’ve used any of these tools or have experience with other automated API security scanners, I’d appreciate your feedback or suggestions!