
I like it because it describes how specifically the vulnerabilities were found and what specifically they were. If you’re doing security review or building a secure tool there are 5 items for your checklist.



They are bad mistakes that should never have passed QA. Think a bit. Pentesting only makes sense if you don't have a functional QA.

It's like hiring a guy with a sledgehammer to test the stability of your bridge. You should hire a structural engineer instead, before building it. If the guy with the sledgehammer is successful, you should never have built the bridge in the first place.


Think a bit more. Why have QA? If there are bugs, the SWEs should have caught them with their test suite. Think even more. Why bother with a test suite? The code should be written correctly the first time. (this is sarcasm)

People make mistakes. Systems fail. Pen tests exist to find out if your people are making mistakes, and if your system is failing.


It works like this in every other engineering discipline. Except for software, where we somehow pretend that this level of bugs is something normal.

Even the avionics and carmakers get software right, why can't we?


Other engineering fields don't do independent third party testing?

Do they deploy multiple times daily? Deal with vague sometimes contradictory client requirements? Do their tools and platforms change daily?


What? Avionics and carmakers definitely don't get software right...


Funny you mention carmakers. Wouldn’t a crash test be the carmaker equivalent to a penetration test?


Crash tests verify what the designers already predicted. You don't blindly construct a car and then crash-test it to safety in a trial & error manner.


True, IF software were actually built like bridges, as in actually engineered, effects calculated, simulated, and tested ahead of time, according to required standards, only by people who are trained, licensed, and insured to do such work, and with the expectation that it will be built once (not updated with patches on an ad-hoc basis). Oh yes, and all subject to strong liability.

Instead we have projects that care only about shipping their latest favorite features yesterday to meet the over-promised new capabilities to the new client/market, and figure any problems will get caught with the update cycle, and the coders scrambling to ship the first thing that'll compile and pass the test screens, with QA being a minimally funded function as yet another cost center to be minimized... Oh, and all liability for failure is disclaimed or fobbed off on the consumer for their failure to maintain proper opsec. Oh, and in many cases, the blame is put squarely on anyone who finds such a fault instead of on the builder (e.g., when the governor recently tried to jail a journalist who found an egregious flaw in a state website).

So, yeah, it SHOULD never be the case if there were proper development and proper QA. But it hasn't happened in a half century of large commercial software. So, we do really need pentesters. They're just delayed QA after all.


You're assuming some companies have ways of testing their QA effectiveness. Especially in the case where your structural engineer is incompetent.


If you think that you just need QA and then you don't need pentesting anymore, you have no idea what pentesting is.

QA doesn't find XSS, SQL injection, CSRF, IDOR.


If it's not QA, who else is auditing and reviewing your code?
