SECURITY TESTING
Security Testing for QA Engineers.
Practical checks for authentication, authorization, sessions, APIs, files and sensitive data — without turning QA into offensive security. A QA-focused, non-offensive guide to catching access, session, API and data-exposure risks before release. Built for manual QA, automation testers, SDETs and QA leads.
// What security testing means for QA
Security testing checks whether users, systems, files, APIs, sessions and data are protected from misuse, accidental exposure or unauthorised access. For QA, this is not about attacking the application — it is about verifying that the controls the team designed actually work, capturing clear evidence, and escalating anything risky.
The QA mindset
Focus on four questions: What should I verify? What evidence should I collect? When should I escalate? How do I report it clearly? Use controlled test accounts and approved test environments only.
// What QA engineers should focus on
- Authentication: Can users log in safely?
- Authorization: Can users only access what they should?
- Sessions: Do sessions expire and invalidate correctly?
- APIs: Are tokens, permissions and validation enforced?
- Input validation: Are unsafe or malformed inputs handled safely?
- File uploads: Are dangerous or incorrect files rejected?
- Sensitive data: Is private data hidden, masked or protected?
- Error handling: Do errors avoid leaking internal details?
// What QA should — and should not — do
What QA should do
- Verify the controls the team designed actually work.
- Run the same request as different roles; check each 200 / 401 / 403 / 404.
- Use controlled test accounts and approved environments.
- Capture safe, masked evidence and raise clear bugs.
- Escalate anything risky or beyond the agreed scope.
What QA should not do
- Run aggressive scans without approval.
- Attempt destructive testing on live environments.
- Test production systems unless explicitly authorised.
- Share tokens, passwords or customer data in bug reports.
- Go beyond the agreed test scope.
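As an added example (not part of this guide), the "same request as different roles" check expressed as an expected-status matrix that an automation tester can run in an approved environment. The endpoints, roles, placeholder tokens and the in-memory stub standing in for the application are all constructed; the stub contains one deliberate object-level gap so the check has something to report, and evidence is masked before it goes into a bug.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Expected access matrix for one feature (constructed example; the real
# values come from the feature's authorization design).
# Key: (method, path) -> {role: expected HTTP status}
EXPECTED_MATRIX: Dict[Tuple[str, str], Dict[str, int]] = {
    ("GET", "/api/orders/1001"): {"owner": 200, "other_user": 404,
                                  "admin": 200, "anonymous": 401},
    ("DELETE", "/api/users/7"): {"owner": 403, "other_user": 403,
                                 "admin": 204, "anonymous": 401},
}

# Per-role test credentials: constructed placeholders, never real tokens.
# "anonymous" deliberately has no entry, so it is sent unauthenticated.
ROLE_TOKENS: Dict[str, str] = {
    "owner": "Bearer tok_owner_PLACEHOLDER",
    "other_user": "Bearer tok_other_PLACEHOLDER",
    "admin": "Bearer tok_admin_PLACEHOLDER",
}

_BEARER = re.compile(r"(Bearer\s+)(\S{4})\S*")


def mask_token(header_value: str) -> str:
    """Keep only the first four characters of a bearer token for evidence."""
    return _BEARER.sub(r"\1\2...", header_value)


def check_access_matrix(send: Callable[[str, str, Optional[str]], int],
                        matrix: Dict[Tuple[str, str], Dict[str, int]]) -> List[dict]:
    """Run every (method, path) as every role; return each status mismatch."""
    findings = []
    for (method, path), roles in matrix.items():
        for role, want in roles.items():
            auth = ROLE_TOKENS.get(role)          # None for anonymous
            got = send(method, path, auth)
            if got != want:
                findings.append({
                    "role": role, "request": f"{method} {path}",
                    "expected": want, "actual": got,
                    "evidence": "Authorization: " + (mask_token(auth) if auth else "<none>"),
                })
    return findings


def stub_send(method: str, path: str, auth: Optional[str]) -> int:
    """Constructed stand-in for the app under test (hypothetical, not a real client)."""
    if auth is None:
        return 401
    role = next(r for r, t in ROLE_TOKENS.items() if t == auth)
    if (method, path) == ("GET", "/api/orders/1001"):
        return 200  # deliberate gap: any authenticated user can read this order
    if (method, path) == ("DELETE", "/api/users/7"):
        return 204 if role == "admin" else 403
    return 404
```

In a real run, replace `stub_send` with a thin wrapper around the HTTP client that returns the status code; the findings list is what goes into the bug report, tokens already masked.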
// Security testing workflow for QA
1. Understand the feature.
2. Identify sensitive data and user roles.
3. Check authentication and authorization.
4. Test invalid and boundary inputs.
5. Review API behaviour.
6. Capture safe evidence.
7. Raise a clear security bug.
8. Escalate high-risk findings.
// Learn the practical checks
The OWASP Top 10 translated into practical QA checks — what each risk means, what to verify, safe test ideas, evidence to collect, and when to escalate.
What QA security testing is — and what it is not. A clear comparison of QA security checks versus specialist penetration testing, with guidance on where the QA boundary sits.
JSON Web Tokens explained in plain QA language — what a JWT is, what you can safely inspect, what to check, and what never to do with real tokens.
How QA engineers can test unsafe or malformed input safely — required fields, types, length, format, special characters, HTML-like input, and API payloads.
Practical security checks for file upload features — allowed and blocked types, MIME checks, size limits, filenames, and who can access uploaded files.
// Checklists, templates & practice
Login, password reset, MFA, sessions and logout invalidation.
Role-based access, object-level access, IDOR and UI-vs-API checks.
Tokens, role checks, input validation, rate limiting and error handling.
A copyable template to capture impact, evidence and escalation safely.
Practice the QA security questions interviewers ask — OWASP, access control, sessions and more.