Testing Ask Me Anything – Security Testing with Saskia Coplans

Later today @testerfromleic hosts an Ask Me Anything with the excellent @saskia on Security Testing.

They’ll be a brilliant set of questions and typically we won’t get time for them to be answered. However, we’ll add any questions we didn’t get to on this thread for Saskia to answer. Plus I’ll share links to all the things shared. :ninja_red: :ninja_blue: :ninja_purple:

And feel free to continue the conversation, this thread is a good place to do that. Share resources and follow up with success stories from your learnings! :trophy:

A recording of the Ask Me Anything will be made available. Look out for it on the Ask Me Anything Page in the coming days. :movie_camera:


Questions that were answered

  • How do I get started with Security Testing as in (a) learning resources, (b) easy things to start testing for, and (c) understanding the bigger picture of security?
  • Would you mind sharing how the OWASP Top Ten helps you when planning your security testing efforts?
  • How do you convince leadership/management to take security risks seriously when they are prioritising other risks?
  • For someone with no specific knowledge of security testing, what would be the top 3 things to test in the early stages?
  • Are the open source tools as good as the commercial tools and how often should the scan be run? Probably build it into the CI/CD pipeline?
  • Security has a lot of different things to test/verify. In your opinion, is it better for the whole team to know how to check a few things, or to have a few people dedicated to thorough security testing?
  • Whilst there are things that only a dedicated security tester can do, like pen testing, what low hanging fruit could us non-security testers do to help?
  • What’s the biggest security testing horror story you are comfortable sharing?
  • This may naturally come up, but how did you get into security testing? Did you do other testing and migrate over? Do other security and move to more testing? Something else?

Useful links shared









What is Thread Modelling? Shostack + Associates > Threat Modeling Resources from Shostack + Associates
Elevation of Privilege (EoP) Threat Modeling Cards – Agile Stationery.

Simon Bennetts https://twitter.com/psiinon

Context Driven Security - Bill Matthews https://www.ministryoftesting.com/dojo/lessons/context-driven-security-bill-matthews?s_id=12259644


The Wheels on the Bus Go Fail, Fail, Fail - Yong Yuen He and Daniel Smart


Digital Interruption https://www.digitalinterruption.com/

Giggle; laughable security Giggle; laughable security | Digital Interruption Research


Jay Harris on Twitter https://twitter.com/JayHarris_Sec

Questions to be answered that weren’t answered during the AMA

  • Do automation testers need security testing skills?
1 Like

A nice addon is also the OWASP TOP 10 API SECURITY, since we do a lot of API testing, it could be useful!

1 Like