Vitaliy Shchur is an expert QA engineer with more than 10 years of experience testing web applications and mobile platforms. His experience includes work with big names like Check Point Software and Perimeter 81, where he was responsible for testing in multi-platform environments and ensuring data security for remote workers.
Vitaliy shared his thoughts on security testing, test environment management, and protecting confidential data.
1. How do you ensure security during testing in multi-platform environments (Windows, macOS, iOS, Android) in a remote work setting?
For this task, a thorough approach is needed that encompasses the entire range of both hardware and software security measures. Our adherence to the Zero Trust philosophies allows us to maintain security protocols while granting the bare minimum required access to test environments.
Compromising the security of tested components is obviously not an option, so we virtualize our test labs. We use Parallels, VirtualBox, and UTM to get the job done. For environments where component isolation is a must, we use Docker and Kubernetes. To maintain the security of our automated and manual testing exploits, we deploy our test environments on Amazon EC2 instances. AMIs allow us to quickly reclaim lost test environments to ensure our testing pipeline is never interrupted. More importantly, though, using EC2 instances allows us to maintain clear control over who can access the test environments.
We test mobile platforms in both secure real-device and secure-emulator environments. All mobile platform communication is conducted exclusively over encrypted channels (VPN or ZTNA technologies) that are immune to data exfiltration.
2. What methods do you use to test the security of mobile and web applications in a remote work environment?
We apply several layers of protection in this case. First, we conduct static (SAST) and dynamic (DAST) code analysis, which helps identify vulnerabilities during the development and testing stages. We also perform API security testing using automated tools such as OWASP ZAP and Postman. In addition, we execute manual testing for common vulnerabilities like SQL injections (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).
For our mobile apps, we use MobSF and Burp Suite Mobile Assistant, which help us analyze code and network interactions. Additionally, we conduct reverse engineering tests to identify ways our security mechanisms could be bypassed.
We also regularly engage third-party auditing companies to conduct independent security assessments of our code and final builds.
3. In your experience working with Salesforce applications, what specific security measures have you implemented during testing in a remote environment?
Salesforce requires increased attention to access control and data protection. One of the key aspects of testing was ensuring that there was strict role-based access control (RBAC) to prevent unauthorized data usage. We verified API interface security and tested it for vulnerabilities, such as unauthorized data retrieval through access token manipulation (this isn’t a vulnerability in SfDC; it’s just an example of what you have to test for in any secure environment).
For user interface protection, we checked for XSS vulnerabilities (this is a standard test for any web application) in Visualforce and LWC components. We made sure that sessions were being handled correctly and that the right data was being stored in the browser. Lastly, we made active use of monitoring tools like Splunk and Salesforce Shield to detect unusual activity in the system and respond to potential threats.
4. How do you address security issues when testing functionality in multi-platform environments like macOS and iOS?
Evaluating software on the macOS and iOS platforms requires stringent access controls and protections for the evaluation environments. We limit access to the macOS and iOS test builds via Mobile Device Management (MDM) so we can centrally manage the test devices and their settings. To ensure code security, we use app signing mechanisms and secure containers inside the test devices to make sure the test apps can’t be subbed out or modified in any way.
We also use Frida and the iOS Security Suite to find potential code vulnerabilities. Even if one is found, though, it’s not a big deal because we test on dedicated lab devices that have zero physical connection to the corporate network. Even if a test device is compromised, there’s no way the corporate network can be accessed.
5. How do you manage security testing when working with confidential data in a remote team?
Test data are kept in encrypted containers (Vault, AWS KMS), making any kind of data leakage or unauthorized access virtually impossible. To ensure we don’t send real data anywhere, we use data masking and generation of synthetic data. All of our employees who have access to this sensitive kind of information are bound by non-disclosure agreements (NDAs), and any kind of moving around in our systems that they do is logged and analyzed with standardized SIEM tools.
6. How do you use automated testing to ensure security in applications during remote work?
Security testing is done automatically and is deeply embedded in our CI/CD process. We have put in place SAST, DAST and IAST routines that check code for vulnerabilities using specialised tools.
Selenium tests run with proxy tools let us analyze the traffic being sent and received for possible data leaks. Security tests are also integrated into GitHub Actions and GitLab CI/CD pipelines. This integration gives us a way to automatically check for security issues in the code at various stages of the development process.
7. How do you ensure data security during testing using Selenium or other automation tools?
When we use Selenium for testing, we ensure that data protection is tight. All test labs are isolated from the main system and run in their own environments, so no sensitive data can leak through. The user accounts and tokens we use to run tests are safely stored in Secret Manager, from which they are dynamically loaded into the test environment just before we start executing our test scenarios. We also make sure none of the API requests made from the tests into the main system are real; if the tests need to talk to the main system, we make them use mock requests, and keep confidential information out of the system logs.
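As an added example (not the interviewee's or his employers' code), here is a small Python checker in the spirit of the proxy-based traffic analysis in questions 6 and 7: it scans constructed proxy-style request captures for plaintext transport, unexpected hosts, secrets in query strings or bodies and e-mail addresses, and redacts known secrets and bearer tokens before a line reaches the test log. The secret values, the host allowlist and the record shape are all assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed record shaped like one request from a proxy capture
# (a stand-in for what a proxy plugin hands to the test runner).
@dataclass
class Capture:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

# Constructed test secrets; in a real pipeline these come from the secret store.
KNOWN_SECRETS = {"sk_test_ABC123", "hunter2"}
# Hosts the test suite is allowed to talk to (mock backends only).
ALLOWED_HOSTS = {"mock-api.test", "localhost"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def find_leaks(cap: Capture) -> list[str]:
    """Return findings for one captured request; an empty list means clean."""
    findings = []
    parts = urlsplit(cap.url)
    if parts.scheme != "https" and parts.hostname != "localhost":
        findings.append("plaintext-http")
    if parts.hostname not in ALLOWED_HOSTS:
        findings.append(f"unexpected-host:{parts.hostname}")
    # Secrets in a query string end up in proxy, server and browser logs.
    for key, values in parse_qs(parts.query).items():
        if any(v in KNOWN_SECRETS for v in values):
            findings.append(f"secret-in-query:{key}")
    if any(s in cap.body for s in KNOWN_SECRETS):
        findings.append("secret-in-body")
    if EMAIL_RE.search(cap.body):
        findings.append("email-in-body")
    return findings


def redact(text: str) -> str:
    """Mask known secrets and any bearer token before text is written to a log."""
    for secret in KNOWN_SECRETS:
        text = text.replace(secret, "[REDACTED]")
    return re.sub(r"(?i)(bearer\s+)[A-Za-z0-9._-]+", r"\1[REDACTED]", text)
```

Run the checker over every capture of a test session and fail the build on any non-empty result; route all test-runner logging through redact() so a failing test cannot print a live token.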
8. As a QA team leader for macOS and iOS, what security measures do you take to protect information in a remote work environment?
When I manage the team, I enforce rigorous security protocols. These involve the use of mobile device management (MDM) for controlling corporate devices, virtual private network (VPN) connections that must be used to access any company resource, and endpoint security solutions like SentinelOne.
9. What experience do you have with analyzing and testing security when working with reports and documentation in a distributed team?
All our documentation is stored in systems where access rights are managed (Confluence, Jira). To prevent leaks, we use DLP systems that control data transfer. Sensitive information is encrypted and only accessible to employees with the right kind of access. This gives us a remote work security level that satisfies all our compliance requirements.