[alephnerd]

This may look "boring" or "uninspired" but this is what real cybersecurity and "hacking" looks like.

In most cases, security and QA are essentially two sides of the same coin - and this is why I get pissed when devs treat testing and QA as bulls**t, becuase even a relatively simple XSS attack or cred misconfig can have a massive impact.

[hvb2]

This has nothing to do with testing. This is a lack of training.

I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.

I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...

[alephnerd]

As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs as well as has formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig because development and code review are orthogonal to proactive security checks.

Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).

[sumedh]

> This has nothing to do with testing.

A good QA can catch/test such security issues although most of such work is given to a dedicated pen tester to find weakness in the platform.