Taiab's Blog

From QA to Security: Why Testers Make Good Hackers

Md. Taiab

2025-02-19 · 2 mins read


People are surprised that I do both QA and security. To me they've always felt like the same instinct pointed at different targets. The skills transfer almost directly.

Both Are About Breaking Assumptions

A developer builds for the happy path. A QA engineer asks "what if the input is empty / huge / wrong type?" A security tester asks "what if the input is malicious?" Same muscle — refusing to assume the user behaves — just a different threat model.

The Negative-Testing Mindset

QA taught me to test what shouldn't happen:

  • What if I submit this form twice?
  • What if I skip a required step?
  • What if I send a value the UI never offers?

That last question is one keystroke from security testing. "The UI only offers options A and B" becomes "what if I send option C the server didn't expect?"
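The three questions above, written as server-side checks with the negative tests that exercise them. This is an added example, not code from the original post; `CheckoutService`, its methods, the plan values and the idempotency keys are hypothetical.

```python
ALLOWED_PLANS = {"A", "B"}  # hypothetical: the only options the UI offers


class Rejected(Exception):
    """Raised when a request violates a server-side rule."""


class CheckoutService:
    """Hypothetical handler that never trusts what the UI enforces."""

    def __init__(self):
        self.seen_keys = set()  # idempotency keys already processed
        self.verified = set()   # users who completed the required step
        self.orders = []

    def verify_email(self, user):
        self.verified.add(user)

    def submit(self, user, plan, idempotency_key):
        # "What if I send a value the UI never offers?" (wrong type included)
        if not isinstance(plan, str) or plan not in ALLOWED_PLANS:
            raise Rejected("unknown plan")
        # "What if I skip a required step?"
        if user not in self.verified:
            raise Rejected("email not verified")
        # "What if I submit this form twice?"
        if idempotency_key in self.seen_keys:
            raise Rejected("duplicate submission")
        self.seen_keys.add(idempotency_key)
        self.orders.append((user, plan))
        return len(self.orders)


def attempt(svc, *args):
    """Return 'accepted' or the rejection reason for one request."""
    try:
        svc.submit(*args)
        return "accepted"
    except Rejected as exc:
        return str(exc)


def run_negative_tests():
    svc = CheckoutService()
    results = {"skipped_step": attempt(svc, "alice", "A", "k1")}
    svc.verify_email("alice")
    results["unoffered_value"] = attempt(svc, "alice", "C", "k2")
    results["first_submit"] = attempt(svc, "alice", "B", "k3")
    results["double_submit"] = attempt(svc, "alice", "B", "k3")
    results["orders"] = len(svc.orders)
    return results
```

Each negative case asserts the rejection reason, and the final order count confirms the replayed request left no second record behind.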

What QA Already Gives You

| QA skill | Security application |
|----------|---------------------|
| Boundary testing | Buffer/overflow edge cases |
| Input validation testing | Injection (SQL, XSS) |
| Auth/role testing | Broken access control, IDOR |
| Reading network traffic | Intercepting and modifying requests |
| Reproducible bug reports | Writing clear vulnerability reports |

The New Muscle to Build

The genuinely new part is thinking like an attacker — chaining small issues into real impact, and understanding why a flaw is exploitable, not just that it's wrong. QA stops at "this behaves incorrectly." Security continues to "and here's how someone abuses it."

You Don't Have to Choose

The best testers I know carry both. A QA engineer who understands security writes better test cases. A security tester who thinks like QA writes clearer reports and finds the boring-but-critical bugs scanners miss. The overlap is the advantage — lean into it rather than picking a side.

Written by Md. Taiab

Md. Taiab is a Software QA Engineer and security enthusiast based in Dhaka, Bangladesh. He interned as a QA Engineer at Battery Low Interactive Ltd. and competes in CTFs and programming contests — ranked Top 3% globally on TryHackMe and Champion of GUB Junior IDPC 2023.