Monday, November 17, 2008

Planned Ad hoc Testing

Test execution can be categorized into two broad categories:
  1. Scripted test execution
  2. Non scripted test execution

Scripted test execution means running pre-written test cases and test scripts, while non-scripted test execution includes exploratory and ad hoc testing.

Importance of Non Scripted testing

  • Generally the bulk of test planning effort goes into writing test cases or test scripts, but the bugs found do not follow the same split: most bugs are found through non-scripted rather than scripted test execution.

  • Do we expect end users to just execute the test scripts written by the test engineer?

  • Test script execution suffers from expected-result blindness: the tester looks only for the expected result and may ignore other apparent bugs.

  • Not all projects have enough documentation to begin test case writing.

Non-scripted testing, then, is the technique that requires no test documentation, follows the end-user flow, and tries to cover both apparent and non-apparent bugs. Hence most bugs are found by non-scripted test execution.

If most bugs are found via non-scripted test execution, then an effective testing process needs a planned ad hoc test approach. The following pointers can lead to one:

  • Getting users' feedback on the previous release: Feedback gathered by the customer care unit or from various groups and blogs helps focus ad hoc testing effort in the right direction. Often the areas we leave out of test case creation are exactly the ones that are part of the end-user flow. Sometimes this information is readily available with Customer Care; otherwise we can find users in groups, blogs and community sites and discuss the problem areas with them.

  • Feature swap: If we plan a feature swap for exploratory testing, we get better results by swapping features so that each tester tests a feature for which he was not executing the test script. This brings a fresh eye to the feature and removes the chance of the tester being influenced by the test cases he has already seen and executed.

  • Bug hunt: A bug hunt is another approach to performing ad hoc testing. Done at the correct stage and with proper planning, a bug hunt can turn up bugs that we normally do not see in regular test case execution.

  • Bug density: If we find a bug in any area of the product, the chance of another undiscovered bug in the same area increases.

Friday, October 3, 2008

Security Testing: Insight Part1

Security Testing: User Right Not Privilege

Why security testing? If everyone were ethical we might not need to bother so much about security testing, but on the World Wide Web (or World Wild Web) not everyone is ethical, and if you are not testing the security of your product, chances are very high that someone else, somewhere, will be.

Security testing is no longer seen as an overhead cost, because security plays a very important role in an organization's bottom-line growth.

In this post we will try to see:

  1. Where security fits into the product development life cycle
  2. What the main security threats associated with an application are
  3. How we can mitigate these security threats

Before we deal with security testing in detail, let's understand how security testing differs from functional testing.

Functional testing checks that the application or product does what it is supposed to do. It is performed on behalf of a legitimate user of the product who is attempting to use it in the way it was intended to be used and for its intended purpose.

Security testing confirms that the application is not doing what it is not supposed to do. The goal of security testing is to find vulnerabilities in our application. A vulnerability usually allows an attacker to trick the application into injecting data into its back end, execute commands on the system hosting the application, or use a flaw that allows unintended access to memory to execute code with the privileges of the program.

Secure software should have following characteristics:

Confidentiality: Ensuring there is no deliberate or accidental improper disclosure of sensitive information

Integrity: Protection against deliberate or accidental corruption of information

Security Testing in software development life cycle:

Rather than being a wrapper around existing features, security should be part of the software development life cycle from the beginning.

The following figure shows some activities that add structure to the software development process.

Security Threat Categorization:

Security threats can be categorized into six main categories:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

*STRIDE is the acronym given by Loren Kohnfelder while categorizing

Spoofing user identity.

Spoofing is an attack that involves three hosts: an attacker, a victim and an innocent third party. Man-in-the-middle attacks are a good example of web spoofing, where the attacker spoofs "X" into believing he is "Y" and spoofs "Y" into believing he is "X", thus gaining access to all communication between "X" and "Y".

Testing Idea:

  • Attempt to force the application to use no authentication
  • Can cookies be replayed to bypass the authentication stage?
  • Try forcing an authentication protocol to use a less secure legacy version

Mitigation technique

  • Use strong authentication.
  • Do not store secrets (for example, passwords) in plaintext.
  • Do not pass credentials in plaintext over the wire.
  • Protect authentication cookies with Secure Sockets Layer (SSL).

Tampering with data.

An attacker attempts to break the integrity of data packets as they traverse to their destination, or an unauthorized user modifies a DLL.

Testing Idea

  • Attempt to bypass authentication
  • Create an invalid hash and digital signature to verify they are checked properly
  • Try to tamper with the data and then rehash it

Mitigation technique

  • Use data hashing and signing. Use digital signatures.
  • Use strong authorization.
  • Use tamper-resistant protocols across communication links.
  • Secure communication links with protocols that provide message integrity.
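The "tamper the data and then rehash" test above, worked through as an added example (not code from the original post): the same tampered message is checked against a plain SHA-256 tag and against an HMAC-SHA256 tag under a constructed shared key, which shows why the mitigation list says to sign rather than merely hash.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real service loads it from a key store.
SECRET_KEY = b"example-shared-secret-not-for-production"


def unkeyed_tag(payload: bytes) -> str:
    """Integrity tag from a plain hash: anyone who can read the data can recompute it."""
    return hashlib.sha256(payload).hexdigest()


def keyed_tag(payload: bytes) -> str:
    """Integrity tag from HMAC-SHA256 under the shared key: needs the key to recompute."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def verify_unkeyed(payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(unkeyed_tag(payload), tag)


def verify_keyed(payload: bytes, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(payload), tag)


def tamper_and_rehash_test() -> dict:
    """The post's 'tamper the data and then rehash' test, run against both tags."""
    original = json.dumps({"order": 1001, "amount": 10}).encode()
    sent = {"body": original,
            "sha256": unkeyed_tag(original),
            "hmac": keyed_tag(original)}

    # Someone on the path rewrites the amount and recomputes the public hash.
    tampered = json.dumps({"order": 1001, "amount": 9999}).encode()
    forged = {"body": tampered,
              "sha256": unkeyed_tag(tampered),  # recomputable without any secret
              "hmac": sent["hmac"]}             # the keyed tag cannot be recomputed

    return {
        "hash_check_accepts_forgery": verify_unkeyed(forged["body"], forged["sha256"]),
        "hmac_check_accepts_forgery": verify_keyed(forged["body"], forged["hmac"]),
        "hmac_check_accepts_original": verify_keyed(sent["body"], sent["hmac"]),
    }
```

The receiver's check must also compare tags in constant time (`hmac.compare_digest`), otherwise a timing difference leaks how much of a guessed tag is correct.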

Repudiation.

Repudiation refers to performing an illegal operation in a system, with malicious intent, without the knowledge of the system administrator or the security agent.

An example of a repudiation attack is someone accessing your email server and sending fake information to others.

Testing Idea:

  • Does logging of user actions exist?
  • Do conditions exist that prevent logging or auditing?
  • Can incorrect data be created in the event log?

Mitigation technique

  • Create secure audit trails.
  • Use time stamps.
  • Use digital signatures.
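A secure, time-stamped audit trail of the kind the mitigation list asks for, added here as an example that is not part of the original post: each entry's tag is an HMAC chained to the previous entry, so the "can incorrect data be created in the event log" test (editing or deleting the entry that records the mail being sent) is caught by verification. The key and the log entries are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed logging key for the example; keep a real key outside the
# application that writes the log (for instance with the log collector).
LOG_KEY = b"example-audit-log-key"


def _entry_tag(prev_tag: str, record: dict) -> str:
    """HMAC over the previous entry's tag plus this record: chains the entries."""
    material = (prev_tag + json.dumps(record, sort_keys=True)).encode()
    return hmac.new(LOG_KEY, material, hashlib.sha256).hexdigest()


def append_entry(trail: list, user: str, action: str, when=None) -> dict:
    """Append a time-stamped, chained entry to the trail and return it."""
    when = when or datetime.now(timezone.utc)
    record = {"ts": when.isoformat(), "user": user, "action": action}
    prev = trail[-1]["tag"] if trail else "genesis"
    entry = dict(record, tag=_entry_tag(prev, record))
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> int:
    """Index of the first entry whose chained tag fails, or -1 if the trail is intact."""
    prev = "genesis"
    for i, entry in enumerate(trail):
        record = {k: v for k, v in entry.items() if k != "tag"}
        if not hmac.compare_digest(_entry_tag(prev, record), entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def repudiation_test() -> dict:
    """Constructed scenario: a user sends mail, then the log is altered to hide it."""
    trail = []
    for action in ("login", "send_mail to=bob", "logout"):
        append_entry(trail, "alice", action)

    edited = [dict(e) for e in trail]
    edited[1]["action"] = "read_mail"        # rewrite the incriminating entry
    deleted = trail[:1] + trail[2:]          # or drop it altogether
    return {"intact": verify_trail(trail),
            "edited": verify_trail(edited),
            "deleted": verify_trail(deleted)}
```

Deleting the last entry is not caught by the chain alone; that needs the tail tag to be periodically recorded somewhere the application cannot write.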

Information Disclosure.

Information disclosure refers to data being exposed to unauthorized users. For example, a non-privileged user is able to view data containing confidential information such as a credit card number.

Testing Ideas:

  • Attempt to access data that should only be accessible to more privileged users, using tools like network sniffers
  • Make the application fail or crash in such a way that an attacker could get some useful information

Mitigation technique

  • Use strong authorization.

  • Use strong encryption.
  • Secure communication links with protocols that provide message confidentiality.
  • Do not store secrets (for example, passwords) in plaintext.

Denial of Service.

A denial-of-service attack is an attack on a computer system that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.

Testing Ideas:

  • Flood a process with so much data that it stops responding to valid requests, using a fuzzing tool
  • Does the application handle malformed data gracefully?
  • Can external influences (disk space, memory and system resources) force the application to fail?

Mitigation Technique

  • Use resource and bandwidth throttling techniques.
  • Validate and filter input.

Elevation of privilege.

Allowing a remote internet user to run commands, or going from a limited user to admin, are examples of an elevation-of-privilege attack. In this type of threat, an attacker gains access to higher privileges than the system administrator has granted him, and so gets the opportunity to reach every area of data to which he has no access privileges.

Testing Idea:

  • Check if we can execute data as code
  • Can an elevated process be forced to load a command shell?

Mitigation technique

  • Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.

Wednesday, March 26, 2008

Handy Special Characters

Often we need to test the application's behavior with special characters. Here is a list of special characters:

French: áàâéèçêùÉÇÈÊÂô
German: äëïöüÄËÏÖÜß
Danish: øæåéØ
Norwegian: øæåéØ
Finnish: ÄäÖö
Swedish: åÄÖö
German: ÖÄÜöäüß
French: éèêàâÉç
Italian: èùà
Spanish: áóíóúñÁÉÍÓÚ
Dutch: ëéöú
Portuguese: çãàáãêéóõíú Ã

Other CE languages:

Polish: śąńężóćŹ
Czech: áéěřčůžýíďůžŠ
Slovakian: áéěřčůžýíďůžŠ
Russian: no special characters, separate alphabet - Cyrillic alphabet
example: Компании, которые приобретают, уже используют или переходят на

Greek: αβγδεζηθικλμνζοπρσςτυφχψω
ΑΒΓΔΕΖΗΘΙΚΛΜΝΞΟΠΡΣΤΥΦΧΨΩ
Hungarian: Áá Éé Íí Óó Öö Őő Úú Üü Űű
[Treated as single letters] CS cs DZ dz DZS dzs GY gy LY ly NY ny SZ sz TY ty ZS zs
Turkish: Çç Iı Öö Şş Üü ğ

año.tif

Copyright symbol = ©©©©©©©©©©©©©©

šrčrřtřt
ěšč