Security Testing for Functional QA: Finding Vulnerabilities Without Being a Pentester
40 min
Every QA professional has heard of security testing, but most consider it the job of specialised professionals — penetration testers. But what if a regular tester can and should contribute to product security?
In this talk, I'll demonstrate how a functional tester without deep security expertise can identify real vulnerabilities using basic principles and common mistakes.
Using examples from a real project, I'll examine key vulnerability classes from the OWASP Top 10 — from Broken Access Control to SSRF — and show how they can be identified through simple but systematic checks.
You'll learn how to introduce “security hygiene” into the daily work of a QA team, and why even minimal efforts can prevent serious incidents.
This talk is based on practical experience: over the course of several months, a team of testers identified more than 15 vulnerabilities without specialised tools or access to the internal codebase.