I recently had the opportunity to speak at a conference organized by the STeP-IN forum (http://www.stepinforum.org/) on Application Security Testing. I spoke about two attributes used in psychometrics, “attitudes” and “personality traits”, with regard to software developers and security testers. The presentation is available at http://www.aujas.com/presentations.html.
During the conference, various speakers spoke about the need to look at security earlier in the SDLC; we also talked about security standards and similar measures that would reduce the cost of security testing. It’s well accepted that the cost of fixing software bugs (including security bugs) rises exponentially as the development lifecycle progresses. One of the attendees asked an interesting question: “This is a conference for testers, and what you are saying will reduce the work for us and might impact our jobs.”
This question reminded me of the book “Hidden in Plain Sight” by Erich Joachimsthaler, which gave examples of companies that failed to look at or accept the future and the change it brought. One such example was SONY, which pioneered the concept of music on the move, or portable music, with the Sony Walkman. For years it was the undisputed leader in that market segment. SONY was also big in the music industry, with interests across that segment. The advent of the Apple iPod and digital music simply destroyed SONY’s market leadership in this space. While SONY also created products in the digital music space, it was not prepared for the paradigm shift that digital music, iTunes and the iPod brought to consumer behavior. Incidentally, Apple was not from the music industry!
As the story goes, in 2005, senior Sony executives were shocked to see Sir Howard Stringer, then chief of Sony's US operations, listening to an Apple iPod while riding an elevator in the company's US headquarters. The New York Times summarized Sir Howard's cheekiness as a "visible if unstated rebuke to the technologies [at Sony] for falling behind the curve in downloadable music by concentrating on various proprietary formats for storing and playing music."
Likewise, it is not going to help any of us to turn a blind eye to the changes happening around us and fail to adapt to them. Security testers cannot hold on to their jobs of “testing” by hoping that developers will continue to write buggy software. They need to evolve and see their role not as “testers” but as “enablers” of releasing secure software.
Some day, somehow, the industry will find ways to develop secure software, so testers should try to influence and add value to that change, since it is the most obvious thing to do. As the very apt title of Erich Joachimsthaler’s book puts it, it is “Hidden in Plain Sight”.