
While the programmer should produce clean, good and optimised code, finding bugs and errors is more of a job for a pentester. Experienced programmers can easily detect these, but that is not their main job.

A programmer should be able to solve problems and apply the selected language to solving these problems as efficiently as possible.



You think a penetration tester should find bugs in code? They're looking for security weaknesses only, and almost never by looking at the code. Your method may be the most expensive possible.


Every bug is a weakness at some level. The most efficient way in bug bounties currently to make money is by reviewing open-source code. Manual testing takes a huge amount of time. You can also automate code review for low-hanging fruit with tools like semgrep or GitHub's code scanning.

Of course programmers should test their code themselves and minimise the bugs, but their work is not to look for them.


> Of course programmers should test their code themselves and minimise the bugs, but their work is not to look for them.

I have to respectfully WAT. Code review should be a part of everybody's workflow. And all programmers involved should be looking out for bugs. The best bugs are those which were never merged in the first place.


> I have to respectfully WAT. Code review should be a part of everybody's workflow.

Exactly, it is one workflow. Not their whole job. Their overall job is to solve problems with code.


what a nightmare.

Ops tech 1 - "hey... my database just dropped an entire table, I lost a week of work"

Ops tech 2 - "that's a serious bug, you should escalate"

Ops tech 1 - "hey, you wrote this thing, it dropped my db table, I lost a week of work..."

Great and Mighty Programmer - "not my job, I am a programmer you see, and looking for bugs is beneath me, some peasant task. Now begone, I must solve more problems!"

Ops tech 1 - "so what do we do? this doesn't work, like, at all. completely broken, not even the most rudimentary testing was done by whoever created it"

Ops tech 2 - "stop using the database, we will build an excel spreadsheet on a shared network drive"


It's a subset of the job, yes. Not to be left to a pen tester.


I would argue their job is to solve problems with working code, which requires finding/avoiding bugs.


Why a pentester and not a QA team more broadly? QA won’t necessarily review the code (haven’t met a team that did), but they will typically hammer a system with test cases and scenarios that expose unusual behavior and uncover bugs.

I’ve had pentesters review code looking for things like insecure hashing or encryption, or low-hanging fruit like creds in the code, but I wouldn’t be inclined to leave what is essentially a QA process to a pentester.



