This time in the “People in Testing” series, I had the chance to interview Dan Billing, also known as “TheTestDoctor” on Twitter. Dan has been a tester for 15 years, working within a diverse range of development organisations, mostly in the south west of England. He currently works as a test engineer at New Voice Media, where most of his time is spent working on the security testing needs of the business. This includes mentoring, supporting and training members of the team to use these skills also.
Daniel: What is currently your biggest challenge at work?
Dan Billing: Learning and developing skills and strategies in application security are my main challenges in testing. Without talking about technical or business specifics, the issues include ensuring that test design, strategies and processes are created that are appropriate to the organisation and our compliance obligations.
Part of my role is also to enable members of the team to do security testing. I will consult with the other feature teams. I’ll enable mentoring and learning where needed. I often set up internal workshops, one to one sessions, test collaboration, documentation and blog posts on security testing matters. It helps develop skills around the team, so that one person isn’t a blocker to getting things done, and can get started in their personal learning.
Skills development is a huge problem for organisations that are trying to build up their test strategies to include security, usually where it wasn’t considered in the past. Quite often security testing is considered an afterthought in development organisations, or it is outsourced to specialist third party consultancies.
Penetration testing and security experts are generally extremely expensive to recruit into teams, either because of rates of pay, or because the people you want to hire just aren’t easy to find and recruit.
Also recently we have seen a number of high profile hacks that have brought the most basic security vulnerabilities into sharp focus. Both the Talk Talk and the VTech hacks were done using SQL Injection, which is common, easy to identify and exploit. If it is easy for the hackers to find these vulnerabilities, why not testers too?
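As an added illustration of the point about SQL injection being easy for a tester to identify (this is example code written for this article, not anything from the interview or from New Voice Media), the block below puts a query built by string concatenation next to a parameterised one, over a constructed in-memory SQLite table with made-up users. The `probe` helper is the kind of check a tester can run: feed in a value containing a single quote and see whether the application raises a database error or returns different rows than it should. The table, user names and function names are assumptions for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory SQLite table with two made-up users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable pattern: untrusted input is spliced into the SQL text,
    # so a quote in the input changes the structure of the statement.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query).fetchall()]

def lookup_safe(conn, username):
    # Hardened pattern: the input is passed as a bound parameter, so the
    # database treats it as data and never as part of the statement.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,)).fetchall()]

def probe(lookup, conn, probe_input):
    """Tester's check: does a quote in the input raise a database error
    or change which rows come back?  Returns ("ok", rows) or ("error", message).
    A database error surfacing from a quote is the classic first signal."""
    try:
        return ("ok", lookup(conn, probe_input))
    except sqlite3.DatabaseError as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe is enough to tell the two apart:
    # the concatenated query breaks, the parameterised one simply finds no match.
    print("vulnerable:", probe(lookup_vulnerable, db, "O'Brien"))
    print("safe:      ", probe(lookup_safe, db, "O'Brien"))
```

The design point for a tester is that the probe input does not need to be a crafted attack string: an ordinary value with an apostrophe already distinguishes the two implementations, and a raised database error (or a log line carrying one) is the finding to report, with parameterised queries as the fix.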