Why Application Security Testers Should Have Developed Apps Before

Why You Want App Security Testers That Are Former Developers

Successful security testing of an application during the Software Development Life Cycle (SDLC) is best accomplished if the tester has intimate knowledge of how software is designed and of the intricacies of software engineering, its methodologies, and its processes. This knowledge allows a security engineer to better understand how an application functions and how weaknesses in code may occur. They understand the full life cycle of development and the workflows, phases, and time constraints associated with app development. Someone who has built an application from scratch will find more security issues based on their development experience. It is disadvantageous to utilize a security tester who doesn’t have this knowledge of software development. Such testers often do not recognize the subtle indicators that a security tester who has developed applications will know, and may miss potentially critical vulnerabilities. Understanding how applications are developed and why certain coding practices work is important in providing a more comprehensive security test of the application.

Former Developers Understand the Full Development Life Cycle

Developers have a firm understanding of the software development life cycle. A developer will understand the constraints of the SDLC, including how budgets and unclear requirements can lead to vulnerabilities. They understand how test code can introduce vulnerabilities and where these issues may lie. Developers have typically gone through all of the phases of the SDLC and understand the security vulnerabilities that can arise in each phase. This understanding is a crucial factor that allows seasoned developers to test an application more thoroughly than a non-developer would. The knowledge acquired from having been a developer allows the security engineer to write more detailed security recommendations explaining how the application can mitigate security vulnerabilities.

Building an App Provides Experience on The Business Needs Surrounding Production

The workflows of the SDLC, and the model of software development used (e.g. Waterfall vs Agile/Scrum) are intimately connected with the business needs and the production of corporate products. With waterfall methodologies, subsystems are typically developed relatively independently and integrated late in the life cycle, leading to potential integration and security issues where the subsystems interact.  Within agile methodologies, core functionality is developed first and some necessary security functionality may be delayed or not developed.  Security engineers who are former developers understand this and can look for clues for where security issues may arise.  Former developers also know the pressure development teams are under and know where shortcuts may be taken.  When these shortcuts are taken, technical debt often results that may lead to security vulnerabilities.

Developing an App Previously Provides Better Insight Into the SDLC

Organizations have shown a great level of interest in the DevOps movement recently. The DevOps approach offers integration across traditional corporate silos and is seen to allow for more supportable products and services, and it is frequently much more responsive to proposed change as well. Security testers who have previously been developers work very well with this development approach, as they have already worked through all phases of the SDLC.

For dynamic security assessments, security engineers who are former developers are acquainted with the frequent misunderstandings of the application’s requirements that may result in security vulnerabilities (e.g. fail open). This often happens due to miscommunication during the requirements phase of the SDLC. A former developer is better equipped to test applications and to detail remediation that software engineers will better understand and identify with.

Former developers will also understand the shortcomings of the traditional SDLC, and know at a deep level where security must be inserted to create a Secure SDLC (SSDLC). When security requirements are not present, new development takes place without performing threat modeling. If there is no clear security architecture, security engineers who have previously developed applications are best positioned to identify the failures and communicate with the development team to address the matter.  


There is an increasing trend in today’s IT sectors for software to meet security standards. Security testing is a must, and should be done as early and as often in the SDLC as possible. This task is best delegated to a security engineer who is also a former software engineer. Such an engineer is more familiar with the common pitfalls of software development, and is also knowledgeable about corporate workflows that might result in vulnerabilities. As a result, he or she is better equipped to assess and report on applications in a way that will make remediation quick, efficient, and effective.

About The Author

Steve Kosten
