By Elvira Khusainova, Senior Test Automation Engineer at Deutsche Telekom ITTC Hungary
"Security isn't a department anymore. It's a mindset — and testing is where it begins." -- Elvira Khusainova
In 2025, it’s no longer a surprise when your mobile app gets breached. What’s surprising is how early in the process those breaches could’ve been stopped—if the right people had been asking the right (destructive) questions.
Those people? Increasingly, they’re QA engineers. And more of us are embracing a new identity: part tester, part ethical hacker.
Testers Who Think Like Attackers
Traditional QA was all about confirming expected behaviors. But that’s only half the story. What if the user isn’t just a user—but an adversary?
"A test that only proves something works is incomplete. A real test must also try to prove it can be broken," Elvira says.
In her current role at Deutsche Telekom, Elvira blends Selenium-based UI automation with OWASP ZAP, Burp Suite, Postman, and even tools like Metasploit. Her test scripts don’t just validate buttons — they simulate brute-force attacks, check for misconfigured JWTs, and fuzz APIs for XSS and CSRF risks.
QA Tools Are Turning into Security Tools
We’re seeing an accelerating trend: testing frameworks and QA platforms are being infused with features once exclusive to penetration testers. According to Elvira, many tools used by QA engineers now double as security assets.
Here’s how that shift looks in practice:
- Selenium WebDriver is still the go-to for UI testing — but now it's often used alongside OWASP ZAP or Playwright for deeper analysis.
- Postman, a staple of API testing, is increasingly paired with Hoppscotch or Burp Suite to simulate unauthorized access or injection attempts.
- Jenkins and GitLab CI aren’t just for test automation anymore — they now run embedded security checks like OWASP Dependency Check as part of the build process.
- Even test specs are evolving. Elvira’s teams supplement BDD with threat modeling, converting user stories into potential attack trees before the first line of code is even written.
AI Is Accelerating the Shift
In her team’s latest initiative, Elvira led the use of LLMs to generate attack simulations and identify potential business logic vulnerabilities. This wasn’t just about test coverage — it was about threat discovery.
“We trained a local GPT agent on past exploit data. It began surfacing edge-case scenarios our regression suite missed for years.”
Here’s how AI is redefining her QA strategy:
- Automatic generation of malicious user flows
- Auto-conversion of requirements into attack trees
- Simulated user behavior under duress (load + intrusion)
The QA–Security Culture Gap
Despite the benefits, there’s still a gap. Many organizations silo security into isolated audit teams. Elvira argues this is outdated:
"By the time a security review happens, it’s already too late. QA should own security from day one."
She advocates for cross-training, giving junior testers exposure to tools like Kali Linux or OWASP Juice Shop, and embedding basic threat modeling into agile sprint planning.
What Comes Next?
Elvira sees a future where:
- Every QA hire knows how to run a vulnerability scan
- CI pipelines fail not just on broken features, but on open ports or weak auth
- Security becomes a shared language, not a handoff
Her next project? Embedding accessibility testing, performance under exploit, and secure-by-default test frameworksinto enterprise release cycles.
Final Thought
Testers have always been defenders of user experience. In 2025, they’re also defenders of trust, data, and uptime.
It’s not just about "does it work?" anymore. It’s about "can it break us?"
And that’s a question QA should be asking first.