ExpoQA 2022 was a conference that took place in Madrid between the 31st May and 2nd June 2022. This week I will be posting some sketchnotes for the talks that I attended.
Security testing is something I’m not experienced in. I have developed a mindset where I am scared of security testing. I am especially scared of missing critical security defects which could have severe consequences for the organisation I work for. This was addressed in Dan Billings’ talk on exploratory security testing, and it has inspired me to overcome that fear and start learning more about the topic.

Key points:
- Some testers have developed a mindset where they fear looking at security because they believe they lack the skills.
- Exploring security involves:
  - Combining security testing and exploratory testing
  - Building security awareness and skills across the whole team, finding and encouraging others to become security testing advocates
- Security is a part of quality, but security bugs should be treated differently to quality bugs.
- Key areas of security are:
  - Confidentiality
  - Availability
  - Integrity
- It can be helpful to understand what both a legitimate and malicious user might do.
- There are 5 steps in the security testing process:
  - Model Application
  - Identify Threats
  - Evaluate Risks
  - Locate Vulnerabilities
  - Develop Mitigations