Monday, April 18, 2011

I overcame my fears of Security Testing

Today I am very happy. What is so special about today?
I came 4th in the recently concluded security testing competition held at 99tests.

So, what? How does this make special? You are not even in top 3!
This competition is special for many reasons.

First Time - Security Testing
I have been testing software officially close to five years now. I have found few bugs in every application based on different quality criteria - Functionality, Usability, Performance, Testability, Install-ability but never based on SECURITY.
There were many excuses for that:
  • I don't know Security Testing.
  • I am not skilled in Security Testing and I will never be skilled at Security Testing.
  • I need to have strong programming skills. So, no security testing for me.
  • No one asks me to perform Security Testing for this application. Why should I test for this criteria if the customer has not asked for it?
  • The programmers will not fix the security bugs.
  • The books & resources on Security Testing are many & very costly.
Looking back, I feel I wasted a lot of time! 
As I believe in not taking guilt trips but learning from mistakes and moving forward, let us move on.

Date: 13th April 2011 Time: 05:44 AM IST
There was a security competition on 99tests website. 
Myself and Krishnaveni registered for the security competition.

Competition ends on 16th April - 3 days and 6hrs left

I registered to this competition as I wanted to learn about Security Testing.
How can I miss this wonderful opportunity where testers compete and log some cool bugs. Then a thought struck: What is the fun in watching others log bugs? Why be a silent spectator?
I am aware that I can't run as fast as the security experts but I can crawl if not walk!
So, I decided that I will compete as an active competitor instead of being a silent spectator!
A plan was drafted right there!

  • Convert the .chm to pdf [Converted on April 13th - 07:00 AM IST]
  • Print the book [Printed on April 13th - 01:00 PM IST]
  • Read the book [April 13th - 11:00 PM IST for half an hour]
  • Apply leave for Friday [April 14th 05:30 PM IST]
  • Sleep well [ 4 hours]
  • Read the book [April 15th 11AM IST onwards]
  • Update the computer software [April 15th 03:15 PM IST]
  • Test & log bugs [April 16th 01:30 AM IST - 08:00 AM IST
With the goal in sight, passion inside, silence outside, I started security testing.

The BIG day - Friday April 15th!
I had not slept on 14th night as the build was released to us and I was on leave the next day. When I woke up at 11 AM IST, the body was happy after a well deserved rest of 4 continuous hours.
The book Web Security Testing Cookbook was easy to understand, to the point and very informative.

There were so many topics, each topic teaching me something very interesting. As I had applied leave to office, I had the time and the resources. No disturbances. It was easy to make my family understand about the leave [They are used to my strange ways of working by now].

Lunch Time: 12:20 PM IST
After many days, I had the chance to feast on home food. I love my mother's cooking and it had its own sweet effect. I was feeling sleepy and I had two choices:
                     Sleep now when there is no disturbance or sleep when there is noise/power cut
I did not want to waste time, motivated myself to concentrate, focussed my energy on the goal!

I did not sleep. Slowly but steadily, I was getting confident about my chances in this competition. Time was ticking by, I finished a major part of the book.

Break time: 06:00 PM IST
I took a break. I went for a bath and imagined finding bugs in the application and winning the competition.
Mind was fresh after the bath. I continued reading the book along with comparing notes from OWASP guide.
This continued till 11:00 PM IST. The only breaks were for lunch or drinking water or for toilet.

Trust in Alarm: 11:00 PM IST
I was tired. I wanted to sleep but again the 'What if' question came to my mind. What if I overslept and by the time I woke up, the competition ended? As I had not logged even a single bug by now, I was nervous to sleep. Should I stay awake or sleep for two hours?
I trusted the alarm and the alarm info popped up: 2 hrs 20 mins remaining.
Alarm was set to 01:30 AM IST

Final Push! 01:30 AM IST to 08:00 AM IST
I logged seven bugs - read about the topic, tested, investigated, read, logged.
I was not sure if I had done enough. Should I log three more? Should I log 30 more? No answer as my body was searching for the nearest bed!

To be frank, I was very tired and could not concentrate. I had to sleep. The battery of 2.5 hrs could last only 6.5 hrs. Though I would have loved to log more bugs, i was happy that I gave my best!

Results
I woke up at 12:30 PM IST and first task I did was to browse to the competition page to check out the results. This was the screen displayed:

I was so happy. I am still happy. This competition and the entire 4 days effort would motivate me to achieve my goals. And I want to dedicate this victory to one person who kept on encouraging me right from the moment I registered for this competition. Thanks Krishnaveni.

I have taken the first step - I have conquered my fears of Security Testing. What about you?

13 comments:

jah said...

yes, i do have the same experience, by seeing Security testing, i felt that i'm not going to perform anything as because i dont know anything related to Security testing.....But thought of observing the bugs and learning, what is security testing...didnt take much efforts as like you...but Thanks for your book suggestion...will atleast read and understand the security testing concepts....Thanks

jah said...

but still and always i have fear on security testing...may be once i gone through the book...I can overcome the fear of security testing..lets c....

aadityas said...

Shabbaas

Allmas Mullah said...

Excellent! Doing something new can be unnerving, but conquering your fears takes you to the next level.
This post is inspirational, thanks!

Ajay Balamurugadas said...

Thanks @jah, Aditya & Allmas. :)

Darren McMillan said...

Congratulations Ajay, very well deserved.

Have you had a look at Gruyere from google? It's very worthwhile to run through the tutorial, I found it very helpful to learn basic exploits.

http://google-gruyere.appspot.com/

vipulgupta1 said...

A nice way to get out of fear Ajay :) I got out of it when I was pushed to do Security Testing while being onsite. But that was fun :)

Darren, thanks for sharing that Google link.

Regards
Vips

Anoop.S said...

Congrats Ajay, and thanks for bringing my attention to Web Security Testing Cookbook and OWASP guide.

Thanks Darren got the google-gruyere link.

You may find this useful :
http://isecom.securenetltd.com/osstmm.en.2.2.pdf

Ajay Balamurugadas said...

Thanks Darren. I did look into the Gruyere in one of the weekend testing sessions by Australia/New Zealand. Maybe its time to go back to it again.

Thanks Vipul. The quicker we overcome our fears, the better for everyone :)

Thank you Anoop. I will go through the link too. It is so heartening to receive so many links from like minded testers. :)

pardhasrinivas said...

i too felt same until i read this post is it possible to get good skills on security I am still on trials because My office PC blocked with firewall on security related terms i have to try when in home but you create a hope

Priya said...

Hi Ajay,

Can you please let me know how to get that security testing book?

Lisa Davidson said...

Great ! This is indeed a nice post. Learning never stops and if you have zeal and eagerness to achieve your target you will always grow. Security Testing Services is something that I am keen to know about. Is there a way to know how to go about Security Testing on BFSI domain, what are the key elements and best practice that one must remember. Any Suggestion?

rajnish said...

yes, i do have the same experience, by seeing Security testing, i felt that i'm not going to perform anything as because i dont know anything related to Security testing.....But thought of observing the bugs and learning, what is security testing.Thanks for your book suggestion...will atleast read and understand the security testing concepts....Thanks from logontrip.com