I consider QA's role more security scanning and not truly security testing. Most QA personnel have no formal study or training in serious computer security and threat assessment. Nor should they have to worry about security, as there are tons to do already.
I see running scans like Zap, Skipfish, etc. and doing some rudimentary checks for security as part of the job. However, I do not consider it security testing. I usually like to make it clear in my test plans that X, Y, Z scans are what I'm performing, and that they can only find security flaws in regards to known vulnerability signatures, and that if they are serious about security, they should perform a formal threat assessment and code review by a formal security expert (such as an outside consulting firm).
We have a big Security Team/Group here in the company already.
So if assigned, what else could QA be doing that the Security Team is not doing for security testing purposes?
To save the site from unauthorised access.
As basic information is put away in web applications and the quantity of exchanges on the web increments, legitimate security testing of web applications is turning out to be essential. Security testing is the procedure that establishes that classified information stays secret and clients can perform just those undertakings that they are approved to perform.
Originally Posted by Titti
Security testing is done to check whether the application is secured or not; it checks to see if the application is harmed by any attacks.
Since this thread has been revived from a long slumber, I guess it's a good time to provide some new insight.
What you'll want to remember in a job interview or a certification test are the 4 A's of Security.
1) Availability - The service has to be available. Can the service be easily taken out?
2) Accessibility/Authorization - Is the access given to the right people?
3) Authenticity - Can data be faked or spoofed?
4) Auditability - Are there checks and balances in the business logic and data? Can actions be traced back to their origin and verified as authentic?
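As an added illustration (not code from this thread or any poster) of what QA-side checks organised along those four A's can look like beyond signature scans, here is a small Python example. The in-memory service, its two accounts, its token format and the check names are constructed stand-ins for the application under test.

```python
import hashlib
import hmac

# Constructed signing key for the stand-in service; a real app keeps this out of source.
SECRET = b"constructed-signing-key"


class ConstructedService:
    """Hypothetical stand-in for the application under test: roles, signed tokens, audit log."""

    def __init__(self):
        self.users = {"alice": "admin", "bob": "user"}  # constructed accounts
        self.audit = []  # one (actor, action, target, status) tuple per request

    def token(self, user):
        # Bearer token = user + HMAC-SHA256 tag; the tag is what makes it non-forgeable.
        tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        return f"{user}.{tag}"

    def request(self, token, action, target=None):
        user, _, tag = token.partition(".")
        expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
        if user not in self.users or not hmac.compare_digest(tag, expected):
            status = 401  # authentication failed; still recorded below
        elif action == "admin_panel" and self.users[user] != "admin":
            status = 403  # role check
        elif action == "read_record" and target != user and self.users[user] != "admin":
            status = 403  # object-level check: users may only read their own record
        else:
            status = 200
        self.audit.append((user, action, target, status))
        return status


def run_four_a_checks(svc):
    """Run one QA check per 'A' and return {check_name: passed}."""
    bob = svc.token("bob")
    results = {}
    # Availability: a well-formed, permitted request is actually served.
    results["availability"] = svc.request(bob, "read_record", "bob") == 200
    # Authorization: a plain user is refused the admin panel and another user's record.
    results["authz_admin_panel"] = svc.request(bob, "admin_panel") == 403
    results["authz_other_record"] = svc.request(bob, "read_record", "alice") == 403
    # Authenticity: editing the user field of a valid token must not be accepted.
    forged = "alice." + bob.split(".", 1)[1]
    results["authenticity"] = svc.request(forged, "admin_panel") == 401
    # Auditability: all four attempts, including the refused ones, left a trace.
    statuses = [entry[3] for entry in svc.audit]
    results["auditability"] = len(svc.audit) == 4 and statuses.count(403) == 2 and 401 in statuses
    return results
```

Calling `run_four_a_checks(ConstructedService())` returns every check as True; pointing the same checks at a real application (replacing the stand-in with HTTP calls) is where the authorization and auditability cases tend to find what a signature scanner cannot.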