Security Testing

Cybersecurity has been a hot topic for many businesses and government organizations. However, if asked to prove that their existing security defenses are actually effective, most organizations could not, because those defenses have never been tested. While security testing is a specialty area that involves special skills, tools and environments, it is also a shared responsibility across the organization and the project lifecycle.

Testers can and should be actively involved in testing functional security controls as part of their normal testing effort. However, care must be taken not to violate company policies or laws in doing such testing.

In this session, we will explore the need for security testing and what functional testers can do to at least verify and validate that basic functional security controls are working as designed. In addition, we will discuss how to raise awareness of security threats among audiences such as senior management and non-technical teams. We will also examine case studies of how security testing could have prevented some of the most damaging attacks of the past few years.

Topics covered

  • Introduction to security testing
  • Why security testing is often neglected
  • How to think like an attacker
  • How to stay out of trouble
  • Case studies of famous cyberattacks – and how they could have been avoided
  • How to design and perform tests of typical functional security controls
  • How to assess the value of digital and physical assets and use that information to prioritize security defenses and security testing

Learning objectives

  • Understand the importance of security testing
  • Learn the most common vulnerabilities
  • Know what must be in place before any security test is attempted
  • Able to design security tests that are achievable for a functional tester
  • Understand the motivations and thought processes of an attacker
  • Understand how to raise the visibility and awareness of cybersecurity in the organization
  • Learn how to make security testing a lifecycle activity
  • Learn how to assess the value of digital and physical assets


This tutorial is half presentation and half exercises. You will be presented with the information needed for security testing, then work through exercises applying that information.

Who should attend

This course is intended for all testers and other stakeholders, e.g., IT auditors, who want to expand their expertise in security testing. The course is also appropriate for test leaders and test managers who need to understand security testing for their organization. The course addresses security testing both in traditional sequential life cycles and from an Agile iterative life cycle perspective.

Tutor: Randall Rice

Randall (Randy) Rice is a leading author, speaker, consultant and practitioner in the field of software testing and software quality. He has over 40 years' experience in building and testing software projects in a variety of environments and has authored over 70 training courses in software testing, security testing and software engineering. Randy was the chair of the ISTQB Advanced Security Tester Working Party, which created the 2016 Advanced Security Tester Syllabus. Randy is co-author, with William E. Perry, of the books Surviving the Top Ten Challenges of Software Testing and Testing Dirty Systems.