Who Makes the Best Web Security Testers?

There’s been some debate in my circles recently on the topic of what type of person and background makes the best web security tester.

The issue is that web testing involves and requires a number of skills. It includes performing a staggering number of monotonous actions according to a methodology, as well as being able to use deduction and creativity to pivot off of discovered issues to find additional and more serious vulnerabilities.

Most people are good at one of these and not the other, i.e., most who can follow a methodology without getting side-tracked aren’t so great at the deep knowledge and creativity, while many who have the talent to find issues by deduction have trouble following a methodology.

So the question is simple: if you could only have one, which would you want? Do you want the non-security-guru who finishes a methodology, or a far less disciplined and focused stud with the ability to go much deeper into any given vuln?

I’ve heard both arguments over my years in webappsec. Back before I got into it full-time, I heard a couple of tech veterans lambasting webappsec testing completely, saying it was, “Something for QA types — not security people.”

Being a security type, I was somewhat miffed that they would think QA testers could handle such a complex and nuanced subject as security. This coming from a 10-year veteran of infosec, you understand. Naturally I was a bit defensive.

But now I’m starting to wonder how right they might have been. I’m starting to lean more in the direction of methodology completion vs. talent, which is precisely what game testers and QA types excel at. And this seems to be precisely the point that those guys were making.

I wonder where you all come down on this topic. What’s more important: completeness or depth? Discipline or talent? QA types vs. security types for web testing?

I look forward to your thoughts.


