No matter where you are in your career, when testing for software vulnerabilities, there's always room for improvement. Be it soft skills, tools, or all the little things in between, you can take your traditional black box scanning and turn it into a set of skills and deliverables that can make all the difference in the world.
Perhaps You Need Better Security Tools
The only proven way to find the most web vulnerabilities and security issues in web applications in the shortest period of time is to use a proven tool. For example, by using an automated web vulnerability scanner, you can leverage the knowledge and resources of the vendor to find the maximum number of flaws unique to your specific web applications.
Web vulnerability scanners use hundreds, often thousands, of iterations of web requests that test for both unknown and known web application vulnerabilities such as SQL Injection and Cross-site Scripting. The reporting available in web vulnerability scanners is also an extremely valuable asset, as you can share your high-level findings with management and the technical details with developers.
You Might Need to Tweak Your Security Testing Methodology
If you see that you're still not finding anything of significance, you may not be approaching your web security testing process the right way. There's a proven "ethical hacking" methodology that encompasses:
- Enumerating your web applications and web servers
- Finding web application vulnerabilities and security issues
- Demonstrating how those vulnerabilities can impact the web environment and business
This is how the bad guys work and it's a great way to approach your web security assessments. That said, it's not just about ethical hacking. If you're going to find the significant security flaws, you need to ensure you're testing your applications "with authentication" – as a trusted user – using multiple (perhaps all) user roles. You also need to test your applications from different angles: from inside your network, from outside your network, and both with and without network and host-based security controls such as firewalls, WAFs and IPS.
It's virtually guaranteed you'll find different vulnerabilities from these different perspectives. Plus, you'll be several steps ahead of others (i.e. security admins, IT auditors, and even criminal hackers) because they often don't test applications to this level of detail.
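The "test with authentication, using every user role" advice above is easy to state and easy to skip. One concrete way to make it a repeatable QA deliverable is a role matrix: send the same request as every role (including no session at all), record the status each role gets, and compare the result against the authorization policy the product owner signed off on. The script below is an added example, not code from the original article or from any scanner vendor; `sample_app`, the `POLICY` table, the endpoints and the roles are all constructed stand-ins for the application under test (in a real run, `send` would wrap an HTTP client that logs in as each role, and you would run it once per perspective, e.g. with and without the WAF in front, and diff the matrices).

```python
"""Role-matrix authorization check: exercise each endpoint as each role and
flag any deviation from the agreed access policy.

Everything here is constructed for illustration; replace `sample_app` with a
callable that issues real requests as the given role.
"""

# Constructed policy: the roles allowed to reach each (method, path).
# The policy is the oracle; the matrix is what the application actually does.
POLICY = {
    ("GET", "/dashboard"): {"user", "editor", "admin"},
    ("POST", "/articles"): {"editor", "admin"},
    ("GET", "/admin/users"): {"admin"},
    ("POST", "/admin/export"): {"admin"},
}

# None stands for an unauthenticated request; the rest are application roles.
ROLES = [None, "user", "editor", "admin"]


def sample_app(method, path, role):
    """Constructed stand-in for the application under test.

    Returns the HTTP status the application would send for `role`.
    It contains one deliberate, constructed defect: the export endpoint is
    missing its role check, so any authenticated user can reach it.
    """
    if role is None:
        return 401  # no session at all
    if path.startswith("/admin/") and role != "admin":
        if path == "/admin/export":
            return 200  # constructed defect: forgotten admin check
        return 403
    if (method, path) == ("POST", "/articles") and role == "user":
        return 403
    if (method, path) not in POLICY:
        return 404
    return 200


def build_matrix(send, policy, roles):
    """Send every policy endpoint as every role; return {(method, path, role): status}."""
    matrix = {}
    for (method, path) in policy:
        for role in roles:
            matrix[(method, path, role)] = send(method, path, role)
    return matrix


def find_violations(matrix, policy):
    """Compare observed statuses with the policy.

    'excess'  : the role got 2xx but the policy does not allow it (the finding
                a tester cares most about).
    'missing' : the role is allowed by policy but was denied (a functional bug
                that usually means someone will loosen the check in a hurry).
    """
    violations = []
    for (method, path, role), status in sorted(
        matrix.items(), key=lambda kv: (kv[0][0], kv[0][1], str(kv[0][2]))
    ):
        allowed = role in policy[(method, path)]
        granted = 200 <= status < 300
        if granted and not allowed:
            violations.append((method, path, role, status, "excess"))
        elif allowed and not granted:
            violations.append((method, path, role, status, "missing"))
    return violations


def report(violations):
    """Render findings in the form you would hand to developers."""
    lines = []
    for method, path, role, status, kind in violations:
        who = role or "unauthenticated"
        lines.append(f"[{kind.upper()}] {method} {path} as {who}: got HTTP {status}")
    return "\n".join(lines) if lines else "no authorization deviations found"


if __name__ == "__main__":
    observed = build_matrix(sample_app, POLICY, ROLES)
    print(report(find_violations(observed, POLICY)))
```

Run it once per perspective you test from (inside the network, outside, behind the WAF, without it) and keep each matrix; a role that is blocked only because the WAF happens to match a URL pattern shows up as a difference between the two runs, which is exactly the kind of finding the paragraph above says you will only see by testing from more than one angle.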
Or Maybe You Just Need More Experience
You can never get too much experience – especially as it relates to web application security, because everything is continually changing. The threats to web applications (criminal hackers, malware, malicious employees) are fairly static but the vulnerabilities are evolving constantly. That's where having a good web vulnerability scanner comes into play, but it also depends on you having a keen eye for what to look out for.
The best way to find more and better web application vulnerabilities and security flaws is to continue doing what you're doing: testing, testing, testing. Keep in mind, however, it's not just about getting "experience" – it's critical that you're getting good experience that you're learning from and is continually helping to guide you in your approaches. As with software development and traditional QA, don't be afraid to get hands-on training or even some knowledge transfer from someone who has been doing web security testing for a while. Attending information and web security-focused shows put on by RSA, Black Hat, and OWASP can be instrumental in advancing your web security testing skills.
As a QA professional, you're in a perfect position to add even more value to the web security testing process. With a quality-focused mindset combined with the right tools and techniques that have been shown to uncover the important web security flaws, you can not only take your own QA testing to the next level but your peers, your business, and your customers will all benefit.