QA or Hacker? - More unites us than divides us

What do we have in common?

We're both concerned with human behaviour

Adversarial approach

We both find the risks

Technical knowledge

Architecture

Code

Environment / infrastructure

Thankless

Users will never do that?

If they can, they likely will

People think issues happen because of poor QA

We want to break stuff / prove it's broken

What are our differences?

We need to think like different types of users

Can be difficult to security test in production

Automation

Tools can support us

We can build our own tools?

Depth of knowledge

Pentesters miss stuff too!

Hackers / red team want to find a way in

What can we learn from each other?

Security isn't such a dark art

Can we shift security left better?

How we can use automation

What's the goal?

Attempt to bridge gaps between communities

Testers tend to find security intimidating

Try to show that bugs aren't just because of poor QA

How can we shift security left?

People keep saying tools will replace us

Exploration / investigation

We use information discovered to guide our testing

Some testers are shallow - on the surface only

Hackers / pentesters speaking at QA confs and vice versa

QA aren't responsible for all the bugs