Page 245 of The Future of Software Quality Assurance
Security: It’s Everyone’s Business!
Keith Yorkston
Abstract Security isn’t only a bit of software that can be bought, installed and
forgotten with the occasional upgrade thrown in. Security isn’t only that set of
password rules we are supposed to follow. Security isn’t only that locked filing
cabinet, or a guard and a scan card reader at the front door. It includes all those
things, and many, many more. We all need to think about security differently. Every
organisation has thousands of vulnerabilities—weaknesses that could be exploited
by a malicious attacker. And, as a malicious attacker, I only need to find one
vulnerability to exploit. It could be a helpful staff member holding the door open for
a “fellow smoker”, or a person in Finance who believed that last phone call asking
them to process “that important invoice”. It might be an open comms port on the
production web server, or the unpatched server in the test environment. Or it could
be the report listing last week’s customer contacts that is mailed to the sales staff
each Monday (including the sales staff who have left the organisation). I mention
these because my colleagues and I have used all these techniques (and many more)
to test organisations. We are security testers.
Keywords Software security · Software quality · Security testing · Security
tester
1 Introduction
Your organisation has been hacked. Think for a minute—who might have instigated
this attack? What type of person springs into your mind?
Did you have an image of a darkened room, with a faint green glow showing
empty energy drink cans and a young, angry guy furiously pounding a keyboard?
Did you imagine a vast room full of people in the strange uniforms of a totalitarian
K. Yorkston
Expleo Group, London, UK
© The Author(s) 2020
S. Goericke (ed.), The Future of Software Quality Assurance,
https://doi.org/10.1007/978-3-030-29509-7_19
The Future of Software Quality Assurance
- Title
- The Future of Software Quality Assurance
- Author
- Stephan Goericke
- Publisher
- Springer Nature Switzerland AG
- Place
- Cham
- Date
- 2020
- Language
- English
- License
- CC BY 4.0
- ISBN
- 978-3-030-29509-7
- Dimensions
- 15.5 x 24.1 cm
- Pages
- 276
- Category
- Computer Science