During the last year, we went to many conferences and fairs and talked to a lot of people. In describing what we do and what our product is intended for, we have experienced some confusion. While the meaning of software testing is clear, the difference between security and functional testing is not always evident. Therefore, we decided to take a look at the topic.
The first question asked should probably be: What is the job of a software tester? Software testers are involved in the quality assurance stages of software development and deployment. They conduct automated and manual tests to ensure the software created by developers performs as expected and any bugs or issues are removed within a product before it gets deployed to everyday users (source1, source2). The software tester is important since the perspective he takes during execution is the difference between both methods.
Functional tests are conducted out of the view of users. The questions they ask are “Can the user do this?” (capability test), “Does the features work?” (feature test) and “Does the software meet the user expectations?” (UA/UI test) (source). By testing the functionality the product is tested as it is meant to be used. It is assured that specific functions and activities of the code are working but the security and reliability of the software application are neither tested nor warranted. The functional testing approach does not protect the software from unwanted third-party access. There are only enough functional checks so the customer can not cause misbehaviors and massive failures. Not all those who use the product do so for the original purpose and not all users have good intentions. Issues regarding security vulnerabilities may not be detected while taking in the perspective of common users.
That is where non-functional testing comes in. Non-functional testing concerns issues of software that are not necessarily associated with a particular function or user action, such as scalability or any other performance behavior under certain constraints, and most importantly, security. Security testing is getting more and more important.
In fact, security testing is essential for software that processes confidential data to prevent system intrusion by hackers (source1, source 2). But not just confidential data has to be protected. IoT and embedded devices are currently among the largest boom markets. Their omnipresent integration in daily life, as well as in critical infrastructures and industrial facilities, makes security issues unpreventable. However, practice shows that the code quality of software projects is often insufficient and companies lack test experts to deal with it. Nevertheless, those tests are mandatory and should be part of every software development process.
Of course, the two testing approaches cannot be clearly distinguished. When performing both security and functional tests, bugs from the other discipline can be found. However, this does not mean that one procedure is dispensable. The two testing methods should be conducted and evaluated independently from each other to ensure that all vulnerabilities are found and a high-quality product is offered to users and customers in the end.
If you are wondering why not always both test methods are used or why many potential threats are still not found in existing systems - we have some answers and a solution for you. One of the main problems is the shortage of manpower. The lack of skilled professionals makes it difficult for companies to find highly qualified developers and testers. Both test approaches together require a lot of time: This time slows down release circles and causes additional costs, which many companies want to keep as low as possible. This is why testing is neglected in many development projects despite its high relevance.
You are dealing with problems in software testing as a project manager, developer or tester? Have a look at the advantages of FAST and why to get in contact with Code Intelligence!
Get in-depth guidance that will lead you into the world of application security!