Professional Documents
Culture Documents
Security Testing
June, 2009
© iStockphoto/alexandru_lamba
© iStockphoto/Manu1174
online training
English & German
www.testingexperience.learntesting.com
r
s te
Te vel
d
i fie d Le on
e rt nce so
C va ng
Ad omi
c
Editorial
Dear readers,
One of my professors at the university said once to all of us: Computer scientists
are at some point criminals. What he meant was that we or some of us – computer
scientists – at some point like to try things that are not that “legal”. The most of
us are “clean”, but some of us are “free time hackers”!
Nowadays the hackers are almost away from the 17 years old guy, trying to pen-
etrate in some website and so on. They are now adults, with families, cars, pets,
holidays and a job. They are professionals earning money for acting as such.
Application Security is not only important and essential for the companies and
their businesses, technology and employees. Application Security is a macroeco-
nomic aspect for the countries. There are a lot of secret services or governments
agencies working on getting technology or information by advance hacking the
server and databases of top companies or governments worldwide. When we hear
that some countries could be behind the penetration of the USA electricity net-
work, you can imagine what is going on outside.
Are we testers prepared for that job? I’m not! Last year we had the first tutorial
by Manu Cohen about Application Security Testing. It was amazing what you can
do in few minutes using the right tools!!! Even as computer scientist your eyes
get wide open. We saw after the first tutorial that we need to give the attendees at-
tack skills; they should learn also to attack and to think how a hacker thinks. The
second tutorial some weeks ago had two days introduction into practical hacking.
It was an even bigger success.
We - as testers - have to be given specific knowledge on security testing to do the
job in the right way. As well as this tutorial by Manu Cohen there is an initiative
called ISSECO. ISSECO has defined a syllabus for a certification as professional
for secure software engineering. This is more than testing; security already starts
with the requirements and design of the application. It is a part of the whole pro-
cess. This is a step in the right direction!
Security is getting essential and that’s why we will issue a new magazine on this
topic called Security Acts. The first issue is going to be released on October 2009.
It appears quarterly too. Please send us your proposals for articles.
The program for the Testing & Finance is ready and I hope to see you there. We
have great speakers!
Last but not least I want you to pay attention to our new e-learning portal www.
testingexperience.learntesting.com. You can register for ISTQB Certified Tester
Foundation Level and very soon for the Advanced Level. Enjoy learning!
Yours sincerely
37
Case Study: An Automated Software Testing Framework (ASTF) Example........................................ 39
by Elfriede Dustin
The need for a structured security test approach!............................................................................. 45
by Andréas Prins
Business Logic Security Testing and Fraud......................................................................................... 48
by James Christie
Demystifying Web Application Security Landscape............................................................................ 55
by Joel Scambray
by Mandeep Khera
Customer Success Story - Advertorial.................................................................................................. 59
by Vladan Konstantinovic
How to conduct basic information security audits?............................................................................ 61
by Nadica Hrgarek
45
The need for a structured
security test approach!
by Andréas Prins
7
by Manu Cohen-Yashar
© iStockphoto.com/LeeTorrens
4
© iStockphoto.com/fredpal The Magazine for Professional Testers www.testingexperience.com
The Liability of Software
Producers and Testers
by Julia Hilterscheid
12
© iStockphoto.com/RichVintage
31
rity
© iStockphoto.com/alexsl
© iStockphoto.com/JordiDelgado
Advanced Software Test Design Techniques, Decision Tables and Cause-Effect Graphs 66
by Rex Black
Load Testing In 10 Steps.......................................................................................................................71
by Shai Raiten
Testing the Enterprise Security: Anti-Spam and Anti-Virus . ...............................................................74
by Dr. Marian Ventuneac
Software Test Automation: Frame Your Own Requirements.............................................................. 77
by Suri Chitti
Database Auditing................................................................................................................................. 79
by Craig Steven Wright
Project-Based Test Automation............................................................................................................ 86
by David Harrison
Software Configuration Management-SCM......................................................................................... 89
by Mahwish Khan
Align for Good Test Design.................................................................................................................... 93
by Richard van der Pols, Andrew Jong, & Jeanne Hofmans
The new ISTQB® Certified Tester Advanced Level Focus on practical know-how.............................. 99
by Professor Mario Winter
Masthead............................................................................................................................................. 102
Index Of Advertisers............................................................................................................................ 102
© iStockphoto.com/fotoIE
Dìaz & Hilterscheid ist
Deutschlands erster Trainingsprovider
mit dem neuen Syllabus für
ISTQB® Certified Tester Advanced Level Test Analyst
(deutsch)
Buchen Sie bis Ende Juni einen CTAL Kurs bei uns
und sie bekommen
15% Rabatt!
www.training.diazhilterscheid.com
© iStockphoto.com/fredpal
Identity is one of the most popular challenges The authenticator is given to the client is trivial. Passwords are the weakest form
applications face today. Almost every applica- for immediate interaction with the ap- of authentication, but usually this is all
tion has to know who it is talking to and needs plication, so that he/she will not need to we have got. Governments have failed to
to do something about it. Unfortunately we go through authentication every time he/ distribute a strong form of authentication
know that identity is poorly handled, as Iden- she interacts with the application. The ap- to their citizens, e.g. smart passports, and
tity theft is one of the world’s greatest prob- plication might use the authenticator as a thus there is no strong authentication for
lems today. key to find the identity information in the the masses. Some employers and large
cache. organizations have managed to do so and
What exactly is identity? After decades of
they enjoy a much safer authentication.
working with Identity, we finally understand 6. The user logs out and the authenticator is
that identity is nothing more than some infor- deleted. • After authentication the application
mation that describes an entity. It turns out needs to look for the identity information
All the above introduces a substantial chal-
that entities have multiple identities, each rel- it needs. This information might be stored
lenge for the application.
evant on a different context of execution. For in several stores managed by the IT pros
instance, a person (entity) has one or more • The identity information is usually sen- that usually do not know and care about
professional identities, a personal identity, a sitive. Credentials are always sensitive. the application. The application needs to
social identity etc. Keeping sensitive information in a persis- know where and how to look.
tent store in a secure manner is not easy.
An application that needs to work with an en- In the age of distributed applications,
A security professional and IT profession-
tity’s identity needs to know which identity to globalization and company mergers and
als should be consulted before writing the
look for. acquisitions, it is quite common that not
code. To overcome these issues, profes-
just the information is stored in several
The life cycle of identity management from sional infrastructure for identity manage-
data stores, it is stored using several dif-
the application’s point of view would look ment like MS Active Directory or IBM
ferent technologies. The application must
something like this: Tivoli are often used. Interacting with
master these technologies if it wants to
these will, however, raise more issues, as
1. Registration: The entity stores its identity find the data.
we will see later on. Unfortunately today
information in some identity management
almost every application requires users to What happens when the store moves as a
store that will be used by the application
register and supply some identity infor- result of a company acquisition or simply
later in the life cycle. This store is usually
mation. It is easy to understand that the because of an upgrade?
managed by IT professionals.
more your identity information is spread
It turns out that interacting with profes-
2. Authentication: The entity sends some out, the less secure it is. Users are not
sional identity management systems is
form of credentials to enable the applica- happy to register as they know that some-
not that easy.
tion to determine who it is. where there is an application that does not
secure their identity. Users might choose • When the application finally has the in-
3. The application searches the identity not to make business with an application formation it needs, it is time to figure
stores for all the identity information it that requires registration. out the authorization rules and to apply
needs.
them. These rules might be complex and
• When every application has its own iden-
4. The application uses the identity infor- subject to frequent changes, so the appli-
tity management, users end up having a
mation for authorization, personalization cation has to use some sort of dynamic
growing number of passwords. Unfor-
and for its business activities. decision processor to execute authoriza-
tunately, a human user cannot handle so
tion. The rules must be protected and the
5. The application creates an authentica- many passwords, so passwords are repeat-
processor must be efficient as everything
tor and caches the identity information. ed and become weak. The security threat
goes through authorization. This is not an
Please fax this form to +49 (0)30 74 76 28 99, send an e-mail to info@testingexperience.com or subscribe
at www.testingexperience-shop.com:
Billing Adress
Company:
VAT ID:
First Name:
Last Name:
Street:
Post Code:
City, State:
Country:
Phone/Fax:
E-mail:
32,- € 60,- €
(plus VAT) (plus VAT)
Claim-based implementation.
STS STS
Biography
2. Token
Manu Cohen-Yashar is an international
1. Req Claims 3. Send Token
expert in application security and distrib-
uted systems.
4. Receive Token
Currently consulting to various enter-
Client 5. Send Claims RP prises worldwide and Germany banks,
architecting SOA based secure reliable
and scalable solutions.
As an experienced and acknowledged
architect Mr Cohen-Yashar was hosted
by Ron Jacobs in an ARCast show and
spoke about interoperability issues in the
I hope that by this time you are all convinced that claim-based authorization infra- WCF age.
structure is what you need. The question is where to find it? Mr Cohen-Yashar is a Microsoft Certified
Microsoft is about to introduce a family of technologies under the name “Geneva”. Trainer and
http://msdn.microsoft.com/en-us/security/aa570351.aspx trained thousands of IT professionals
worldwide.
1. Geneva Server – A ready-to-use STS. Mr Cohen-Yashar is the founder of an
2. Geneva Framework – A complete object model for building claim-based ap- interoperability group in cooperation with
plications and STS. Microsoft Israel in which distributed sys-
tem experts meet and discuss interoper-
3. CardSpace Geneva – An Identity selector to enhance to user usability ability issues. http://www.interopmat-
ters.com/
• Helps users manage multiple identities for the Web
A wanted speaker in international
• Helps users select an appropriate identity for a given relying party conventions, Mr Cohen-Yashar lectures
on distributed system technologies, with
• Protects user privacy specialization on WCF In which he is con-
• Gives consumers non-phishable credentials sidered one of the top experts in Israel.
Manu won the best presentation award
IBM has a well-known Identity management infrastructure called Tivoli. It is not a in CONQUEST 2007.
surprise that Tivoly supports claim-based applications: http://www.ibm.com/devel- Mr Cohen-Yashar is currently spending
operworks/tivoli/library/t-ucitfim2/ much of his time bringing application
http://www-01.ibm.com/software/tivoli/features/soa/soa-mgmt/secure-web-serv. security into the development cycle of
html major software companies (Amdocs,
Comverse, Elbit, IEI, The Israeli defense
Oracle Identity Federation is Oracle’s implementation of the claim-based model: System…)
http://download.oracle.com/docs/cd/E10773_01/doc/oim.1014/b25355.pdf Mr Cohen-Yashar is giving consulting
services on security technologies and
The beauty is that all these technologies interoperate with each other using WS*- methodologies (SDL etc)
standards. Mr Cohen-Yashar is known as one of
the top distributed system architects
I would like to end this article with an optimistic view to the future and hope that,
in Israel. As such he offers lectures
after years in which the identity issue was forgotten, with claim-based authoriza-
and workshops for architects who want
tion identity will be handled better. Users will feel more secure as applications will
to specialize in SOA, and leads the
handle their identity better and damage from identity theft will decline.
architecture process of many distributed
projects.
BE SAFE! ISSECO ®
SOFTWARE
ENGINEERING ISSECO
SECURE SOFTWARE ENGINEERING
®
· requirements engineering
· trust & threat modelling
· secure design
· secure coding
· secure testing
· secure deployment
· security response
· security metrics
· code and resource protection.
PLEASE CONTACT:
Malte.Ullmann@isqi.org
WWW.ISSECO.ORG
'PUP©TDIJGGOFSQIPUPDBTFDPN
© iStockphoto.com/RichVintage
A recent decision taken by the German Fed- principal project milestones are specified, the legal requirements. Very often, the tester is not
eral Court of Justice regarding the liability of detailed concept is created, in which the vari- even responsible for the delays that have oc-
a freelancer working for a company indirectly ous functions are defined. Whilst the rough curred; these could have been caused by bad
effectively reverses the principles relating to concept is drafted in coordination between project planning, late software requirements
the liability of software producers and testers, customer and contractor, the technical depart- specified by the customer, or inadequately
which had been applicable so far. If certain ment, the responsible marketing personnel defined requirements. Nevertheless, the tester
services or insufficiently tested products cause and the designers, the fine concept serves the is the person that has to somehow cope with
damage to the customer and require that the technical department and the programmers as the virtually impossible task of delivering a
customer’s employees have to rectify this dur- a guideline for designing the individual steps. product of at least satisfactory quality. Qual-
ing their regular working time, the customer This includes the description of the data archi- ity - due to the fact that everybody knows that
can now hold the causer(s) of the damage li- tecture and the business logic of the system. quality cannot be added by the testers. He will
able with greater chance of success. Based on the detailed design, the programmers brave the gap and hope that the defect will not
will develop the procedures and functions as occur at the customer as often as it has during
What does this mean for customers, software
well as the database structures required. It is testing, and he will have to release the soft-
companies and for testers?
therefore possible for all project stakeholders ware – albeit reluctantly. For the customer this
There are various reasons why software prod- to look at the detailed design and inform them- situation can result in severe implications re-
ucts end up being deficient. Firstly, it can and selves at any time about contents and objec- sulting from the defect.
does happen that the requirement definitions tives of the project and to align their activities
Up to now, „only“ the customers of the soft-
are inadequate. When specifying the require- accordingly.
ware producer had to bear the brunt in the
ments for a project, the prime concern is the
In order to develop software that is in accor- wake of inadequately performed or omitted
careful planning of the development process
dance with the customer’s requirements, a testing, e.g. if the program did not implement
and a precise specification of the properties
well functioning quality management is indis- the requirements of the business processes.
of the product in the contract. Clearly, many
pensible. Defects introduced into the software Development deficiencies of this type not only
customers and contractors are aware of this
during the definition phase and programming lead to increased customer costs, but quite fre-
important criterion. It is, however, all the more
cannot be discovered if the test process is not quently also to situations where the customer’s
amazing that projects are frequently started in
managed by a professional test manager. employees have to try and rectify the software
a “vacuum”, i.e. that contracts or project docu-
deficiency during operation. This had the ef-
mentation are only available in a rudimentary In the development of software, the time pres-
fect that the employees were often less effi-
form. This means that the requirements for sure also plays an important role as a possible
cient and motivated. In addition to this, an in-
the program were not specified in a way that cause for bugs. Each tester knows the panic
adequate performance on part of the software
makes them capable of proof, and it will after- when time is running out at the end of projects,
producer has an impact both on the customer’s
wards be difficult or downright impossible for when the development or release of software is
and the software producer’s external presenta-
either party to determine whether the delivered delayed, and if a contractually agreed delivery
tion, since both parties can end up with a bad
product is in accordance with the objectives, deadline cannot be met. The customer already
reputation. Moreover, it was the aggrieved
i.e. whether or not it is free from defects. threatens with a claim for damages, or – even
customer who was usually the one paying the
worse – has even been able to push through a
Another reason why software is often ends up bill, since he was the one who had to prove
penalty clause that automatically applies when
being faulty is that the detailed concept has not judicially or extrajudicially, which work was
the deadline is exceeded.
been performed properly. left undone as a result of the rectification of
As a result, management, technical depart- the damage and the financial loss that has been
On the basis of a schedule, which is inevita- caused by this.
ments and sales department put pressure on
bly drafted as a rough concept at the start of
the tester, especially in cases where the de-
the project, and in which the contents and the Up to now, customers have only rarely been in
livery deadline cannot be put back e.g. due to
Advertisement
As the importance of security continues to have begun to trumpet the growth of malicious 1. Ignore
dawn on the Software Industry 2.0, organiza- hacking and other incidents of cyber abuse,
2. React
tions of all sizes are trying to discover what deep questions surrounding the confidentiality,
constitutes software security “due care” for integrity, and availability1 of digital data have 3. Prevent
their customers. This brief paper will review been raised. Are the risks underlying this brave
key principles surrounding security in the de- new world greater than the rewards? Let’s examine each of these approaches briefly
velopment lifecycle (SDL), covering econom- to set the stage for a deeper discussion of se-
In parallel, software development organiza- curity in the software development lifecycle
ic drivers, industry benchmarks (or the lack
tions of all sizes are trying to discover how (SDL).
thereof), a prototypical SDL model, and what
to protect their end users from unreasonable
we’ve seen work/not work with real-world
risks. Of course, this raises yet another ques- Ignorance is Bliss
SDL implementations.
tion: what constitutes “reasonable”? Put an-
The dirty little non-secret of the technology
Few question that software occupies an in- other way, what is the standard of software
industry is that few software development-
creasingly central role in our everyday lives. security “due care”?
oriented companies are doing anything serious
From computer operating systems and appli-
To date, the software industry has adopted the about security. Recent surveys suggest that,
cations, to mobile phones, television, the In-
following fundamental approaches to estab- despite some uptake of outsourcing and tools,
ternet, VoIP, GPS navigation, software-driven
lishing this standard: most firms do not allocate significant budget
medical systems, air traffic control, the electric
or headcount for application security outside
grid, and so on, human activity (and perhaps
1 Confidentiality, integrity, and availability of standard operational IT security processes
even human existence itself) has come to rely
(CIA) are often cited as the defining properties of [1]. Although some in the information security
heavily on software.
information security. Some authorities also include a industry would bristle at the implication, the
But is that reliance justified? As more and more fourth “A” for “accountability,” typically understood to question remains: Is ignoring the problem sim-
of our lives becomes digitized, and headlines refer to the keeping of tamper-resistant activity logs to ply good risk management?
provide non-repudiation.
2009 (extrapolated), courtesy of National Vulnerability Database
Figure 1: Software vulnerabilities released between 1997 and
• expecco basics
Joel Scambray, CISSP, is co-founder and (specification, execution
CEO of Consciere, provider of strategic and report generation
security advisory services. He has as- of tests)
sisted organizations ranging from small
startups to Microsoft Corp. address infor-
mation security challenges and opportu-
nities for over a dozen years, in diverse
roles including consultant, corporate 12:00 – 13:00
leader, entrepreneur, and co-author of • lunch
the Hacking Exposed book series.
The author wishes to acknowledge im-
portant contributions to this article from
Andre Gironda, Birgit Lahti, and Kevin
Rich. 13:00 – 15:00
• prototype test
implementation in your
domain
• creation and
specification of tests
15:00 – 15:30
• coffee break
15:30 – 16:30
• individual specified
application possibilities
• interactive feedback
round
Security tests are an important part of the risk complete re-write from the 2.X version series of the scope. For instance, a DMZ may be
management process and executives realize incorporating the results of the last 6 years of tested from the internet or from the LAN as
the benefits of an independent security test: research. well – with obviously different results. Then,
It introduces a neutral view on the target and the testing channels have to be defined. Our
The main purpose of the OSSTMM is to pro-
can improve security when the proposed sen- example DMZ may be tested not only on the
vide a scientific methodology for the accurate
sible measures are successfully applied. But communication layer but on the process layer
characterization of operational security and is
there are often also questions to answer after as well (e.g. patching process).
adaptable for penetration tests, ethical hack-
such an audit.
ing, security assessments and so forth. In the The test type defines the knowledge about the
How secure is the target, and are there aspects EU-sponsored project, Open TC, it became target and the test. Common known testing
that have not been tested? How much has our the standard for testing and measuring trusted types are black box and white box; the OSS-
security improved since the last test? How computing systems. Most of all, an OSSTMM TMM, however, distinguishes six types, each
does our security compare to other companies compliant test defines the target clearly, and detailing different results. The rules of engage-
in our industry? This article is a brief intro- results are reproducible, something unusual ment are protecting the customer and the tester
duction into the Open Source Security Testing in the current methods of ethical hacking and on legal, ethical and procedural aspects.
Methodology Manual (OSSTMM), which can penetration testing.
When all the above has been defined well, it is
answer these and other follow-up questions.
Preparation and Testing clear which tests in the OSSTMM have to be
OSSTMM is a freely available manual that performed on the scope. OSSTMM tests define
provides a methodology for a thorough secu- Before the test can actually start, the assets only what is to be done, but do not dictate any
rity test of physical, human (processes) and that have to be secured must be defined. The tools. One test for data networks for example
communication systems. A core aspect are the protection mechanism for the assets are the is requesting that server uptime has to be veri-
security metrics – the Risk Assessment Values targets to test. The engagement zone is the fied to latest vulnerabilities and patch releases.
(RAV) – which express the final security level area around the assets, the test scope is every- Another example is that responses to UDP
of the tested system as a numerical value. The thing needed to keep the assets operational, packets with bad checksums to a collection of
current release candidate of OSSTMM 3.0 is for instance, processes or network protocols. ports have to be verified. The tools to use and
an approximately 150-page document and is a The test vector defines the interaction points how to use them is left up to the tester.
Classification Description
Vulnerability is the flaw or error that:
(a) denies access to assets for authorized people or processes,
(b) allows for privileged access to assets to unauthorized people or processes, or
(c) allows unauthorized people or processes to hide assets or themselves within the scope
Weakness is the flaw or error that disrupts, reduces, abuses, or nullifies specifically the effects of the
five interactivity controls: authentication, indemnification, resistance, subjugation, and continuity.
Concern is the flaw or error that disrupts, reduces, abuses, or nullifies the effects of the flow or
execution of the five process controls: non-repudiation, confidentiality, privacy, integrity, and alarm.
Exposure is an unjustifiable action, flaw, or error that provides direct or indirect visibility of targets or
assets within the chosen scope channel.
Anomaly is any unidentifiable or unknown element which has not been controlled and cannot be
accounted for in normal operations.
Certification
ISECOM (Institute for Security and Open Methodologies) offers several OSST-
MM-specific certification and training schemes. The ISECOM Licensed Auditor
(ILA) program provides quality assurance and support for obtaining OSSTMM
certified audits from a properly accredited auditing company. OPST (OSSTMM
Professional Security Tester) and OPSA (... Analyst) is a certification for persons.
Additional information may be found on http://www.isecom.org/.
Advertisement
www.testingexperience.com The Magazine for Professional Testers 21
Agile TESTING DAYS
Berlin, Germany
The Agile Testing Days is the European conference for the worldwide professionals involved in the agile world.
We decided to choose Berlin as one of the best connected capital in Europe and also for its very good price/service ratio for hotels
and flights. Berlin offers also a lot of fabulous places to visit in your spare time.
Come and enjoy the conference!
Participant
Company:
First Name:
Last Name:
Street:
Post Code:
City, State:
Country:
Phone/Fax:
E-mail: ds
en 2009
rd h
Billing Address (if differs from the one above) Bi 30t ,
y
Company: a rl une
E J
First Name: by
Last Name:
Street:
Post Code:
City, State:
Country:
Phone/Fax:
E-mail:
Remarks/Code:
Tutorial
Using the Agile Testing Quadrants to Cover Your Testing Needs, by Lisa Crispin Early Bird 600,- €
Managing Testing in Agile Projects, by Isabel Evans and Stuart Reid (plus VAT)
State of the art and future of Agile Testing, by Alessandro Collino 700,- €
Agile Inspections Leader - How to perform an efficient agile inspection, by Tom Gilb (plus VAT)
Acceptance Test Driven Development (ATDD) in Practice, by Elisabeth Hendrickson
Designing a Lean Software Development Process, by Mary and Tom Poppendieck
Conference
1 day (first day), 450* / 550 EUR 1 day (second day), 450* / 550 EUR
Early Bird 700,- €
(plus VAT)
2 days 700* / 850 EUR
850,- €
Included in the package: The participation on the exhibition, at the social event and the catering in course of the event. (plus VAT)
Notice of Cancellation
No fee is charged for cancellation up to 60 days prior to the beginning of the event. Up to 30 days prior to the event a payment of 50% of the course fee becomes
due and up to 15 days a payment of 100% of the course fee becomes due. An alternative participant can be designated at any time and at no extra cost.
Settlement Date
Payment becomes due no later than the beginning of the event.
Liability
Except in the event of premeditation or gross negligence, the course holders and Díaz & Hilterscheid GmbH reject any liability either for themselves or for those
they employ. This also particularly includes any damage which may occur as a result of computer viruses.
Applicable Law and Place of Jurisdiction
Berlin is considered to be the place of jurisdiction for exercising German law in all disputes arising from enrolling for or participating in events by Díaz & Hilter-
scheid GmbH.
Security Testing 1. Offer the business analyst support in improving their testing. Extensive knowledge
making test cases of structure-based techniques and tooling such
Security testing is a relatively new topic to as dynamic analysis, static analysis and, of
me, but one that is becoming more and more 2. Offer assistance to preparing unit tests
course, unit test frameworks are requirements
important in today’s internetbased society. 3. Participate in design, code and test case for the 2009 test consultant.
Having studied the techniques and tools avail- reviews
able for security testing during the last month, The Technical Test Analyst
one thing became very clear to me: It requires 4. Provide pro-active feedback
extensive technical know-how and skills. It is As a result of a number of trends, I see a need for
5. Develop and execute system test cases testers with substantial technical background.
not that difficult for someone with network-
ing and/or programming background, but a Security testing has already been mentioned,
6. Build automatic regression test suites
domainbased tester will have difficulty in per- but also testing other non-functionals such as
forming security testing and using the tools. 7. Make notes for retrospective meetings reliability and performance requires technical
This brings us back to a very fundamental skills. Agile development and the different fo-
Note that no less than three of these tasks (2, 3
discussion: “What is required to become a cus of many test improvement actions are also
and 6) require extensive technical knowledge.
professional tester?”. “Does a programming important drivers for requiring more technical
A tester that wants to survive in an agile team
background help in becoming a better tester?”. test professionals. The ISTQB Advanced Lev-
must understand unit testing, coding and have
In the past the gurus have shown to be in dis- el scheme offers a complete 5-day module on
some knowledge of test automation. In agile
agreement on this. Having been a programmer technical testing which may seem irrelevant to
projects, I see many so-called domain-based
myself, I have always found it to work to my many testers today, but I’m convinced will be-
testers, who are not performing adequately in
benefit. It is easier to understand where defects come more and more important to the testing
such an environment.
can be found, it is easier to see technical risks professional in the near future or even already
and, of course, it is easier to communicate with Test consultancy today.
a developer. In fact, most developers will take I’m off to my daily scrum meeting, and will be
Where a few years ago the focus for test pro-
you more seriously if you are able to speak reviewing a set unit test cases thereafter …….
cess improvement was almost always on im-
their language.
proving the system test and/or acceptance test,
Agile development we nowadays encounter more and more clients
who understand that if you want to improve
With agile development becoming more and testing, a thorough unit and integration test are
more popular these days, many are doing their also needed. To only improve the higher test
stand-up meetings, 4-week sprints, developing levels is much less efficient. Also, different
user-stories etc. This also changes the role of types of defects will be found by unit and in-
the traditional test analyst. Within agile devel- tegration testing, making the test process more
opment, the role of a test analyst is often char- effective. With this in mind, a test consultant
acterized by the following tasks: needs to also be able to consult developers on
Security is especially important in online ap- played page (e.g., in a guest book or an auction Finally Rethinking The Situation
plications, yet far too little attention is paid to site page). The browser processes this actually
it. Perform a quick risk assessment just prior trustable website including the harmful code The lion’s share (over 90%) of an IT security
to implementation, jerry-rig a plug for the big- and thereby sends the current login informa- budget is invested in network security, e.g.,
gest holes, and you’ll have the software up and tion back to the hacker. Even though compa- for firewalls and intrusion detection systems,
running in no time. Then a few days later, the nies take security absolutely seriously, reports even though according to Gartner, 75 percent
first bytes of customer data are stolen. Does it regarding successful attacks are a daily occur- of the hacker attacks take place directly via
have to happen this way? rence. What’s happening here? the application and not the networks. To spend
money specifically
In an incredibly short time, online security on where the great-
risks have become the primary risk for busi- est danger lurks
nesses. One reason is that nowadays business- requires rethinking
critical applications have to be accessible the situation. Ide-
online at any time to customers, partners, and ally, pains are taken
internal users. Continuous availability opens in software devel-
the floodgates for friend and foe. Interactive opment to ensure
contents exacerbate the whole thing. Statistics that no security
show that hackers don’t have to be asked twice loopholes even ex-
to do what they do. Currently, one of the fa- ist, or to remedy
vorite modes of attack is cross-site scripting these immediately.
(XSS). For example, a hacker tries to manipu- Those who are late
late a web application in such a manner that with their testing
damaging script code is embedded in the dis- Fig. 1: Quality vs. security are wasting money.
However, the problem isn’t that easy to fix, be-
cause the software is geared to preferably pro-
WHAT IS SECURITY TESTING? vide what is described in the functional speci-
There are various definitions and terminology involved in this relatively new area of fications. As a result, checks are performed on
software quality assurance. Many choose to cut corners by including security con- what the applications are supposed to do, but
straints as functional requirements and test these in the same way as other functional not on what they are not supposed to be able
requirements. Even more prefer to avoid the topic altogether and simply shift the to do. Developers with expertise in the field of
responsibility to an external provider. This may prove to be a cost saver in the short secure development are a rare breed. One of
run, but the actual costs of reduced security consciousness is reflected by the latest the rare examples of this can be seen in the de-
published figures. In order to implement and maintain a secure software application, velopment of new operating systems. Testing
dedicated security testing is essential. also has to be tailored to the new requirements.
Some terminology to consider in this regard: Unfortunately, one rarely sees a penetration
Security test: The process to determine that an IS (Information System) protects data test as part of a test concept. Likewise, the
and maintains functionality as intended. skills profile of a tester, who is supposed to
Penetration test: A penetration test is a method of evaluating the security of a com- verify the functionality, is different to that of a
puter system or network by simulating an attack from a malicious source, known as a security tester. While one is looking for things
hacker, or cracker. that don’t work, the other should be looking
XSS: Cross-site scripting (XSS) is a type of computer security vulnerability typically for the undesired functionalities that allow too
found in web applications which allow code injection by malicious web users into the much to take place – in other words, we’re
web pages viewed by other users. talking about real detective work.
6. Monitoring operating systems continu- • Automated security tests check web ap-
ously plications and services for flaws
7. Making assessments and feedback loops • Any discovered flaws are saved with the
part of the first step corresponding priority depending on the
Biography
Serge Baumberger is a leading inter-
national consultant and trainer. He is a
recognized expert in the area of software
testing and quality management. Serge
is head of Application Quality Manage-
ment at beteo, which is a specialist
IT-consulting company in Application
Lifecycle Management.
In April, Testing Experience introduced a new concept in online learn- ◦◦ Automated slide presentations;
ing by partnering with TSG to bring ‘Learntesting’ to the global mar-
◦◦ Professional voice-overs;
ket.
◦◦ Course text pdf transcripts.
Jose Diaz interviews Mike Smith, CEO of TSG to find out how Learn-
testing is breaking new ground in the field of virtual learning for the • Interactive quizzes and exercises with supporting voice-overs;
testing community:
• Exam-style questions and answers with supporting explanations;
1. What is the new ‘Learntesting’ all about?
• Formal ‘mock’ exam assessments;
The first thing to say is that Learntesting itself is not new; it has been
around for over 5 years providing online ISTQB Certified Tester Foun- • Virtual classrooms led by tutors to support higher-level learning
dation Level training, fully accredited by ISEB! However, we have now objectives, exercises and exam revision sessions;
used the experience of two previous implementations to transform the • A communication centre, including:
technology and business model into a completely new global service.
As well as providing a range of online content to help testers achieve ◦◦ email;
certification, the new Learntesting service provides ongoing support via ◦◦ forums;
its approach to Virtual Learning.
◦◦ noticeboard.
2. What do you mean by Virtual Learning?
• A private library of testing and testing-related ebooks;
There are many different terms used in this field, including distance
learning, CBT (Computer Based Training), Virtual Education, Virtual • Administration and accredited tutor support from a growing 24x7
Learning Environments (VLE) and Learning Management Systems global network of accredited training providers;
(LMS). With Learntesting, we have built our own standards-based Vir- • Self-registration system for students;
tual Learning Environment utilising an ‘industrial-strength’ LMS to
support the current and ongoing needs of anyone interested in software • Additional resources, including papers, presentations, templates
testing. This environment provides: for testers and sample exam questions;
• High-quality course content presented in a variety of formats to • Provision of ISTQB Foundation Level exam vouchers redeemable
cater for different learning styles, including: at test centres throughout the world.
◦◦ Tutor videos;
By creating its own virtual learning environment, Learntesting does not • 24x7 accredited tutor support;
just offer online courses which are available to run on a one-off basis • Advanced Level ebook access within the Learntesting ebook li-
within a simple hosted environment. It goes much further by providing brary.
a number of value-adds that are appreciated by business and individual
alike and which serve as key differentiators . All students registering
with Learntesting courses are provided with their own unique ‘seat’ in
© Jana Noack
Register at www.testingexperience.learntesting.com to
take advantage of this special offer
* Note this offer is valid until 31st July subject to places remaining available. The exam price is not included and is payable separately
on booking an exam date.
© iStockphoto.com/JordiDelgado
Executing a web application vulnerability scan teria. Vulnerability scanners will typically be available, but discusses some of the strengths
can be a difficult and exhaustive process when used by testers with various backgrounds like and weaknesses of these tools and gives insight
performed manually. Automating this process functional testers, network security testers, in how to use them in a vulnerability analysis.
is very welcome from a tester’s point of view, pen-testers, and developers, each of them hav-
hence the availability of many commercially ing a different view on how to review these Using a web vulnerability scanner
and open-source tools nowadays. tools, causing different result interpretations. Vulnerability scanners are like drills. Although
Sometimes this leads to comparing web vul- the first are designed to find holes and the lat-
Open-source tools are often specifically cre-
nerability scanners with other security-related ter for creating them, their usage is similar.
ated to aid in manual testing and perform one
products, which is like comparing apples and
task very well, or combine several tasks with Using drills out-of-the-box will possibly yield
oranges4.
a GUI and reporting functions (e.g. W3AF), some results, but most likely not the desired
whereas commercial web vulnerability scan- Another explanation is the diversity in a test ones. Without doing some research into the
ners, like e.g. IBM Rational Appscan, HP basis. The vast amount of technologies and several configurations of the machine, the
Webinspect, Cenzic Hailstorm, and Acunetix ways to implement these in web applications possible drill-heads, and the material you are
Web Vulnerability Scanner, are all-in-one test make it difficult to define a common test strat- drilling into, you are more than likely to fail
automation tools designed for saving time and egy. Each application requires a different ap- in drilling a good hole and may come across
improving coverage. proach, which is not always easy to achieve, some surprises. Likewise, running vulner-
making it hard to compare results. ability scanners out-of-the-box will probably
Web Application Vulnerability scanners basi-
cally combine a spidering engine for mapping Finally, like testers, vendors also have dif- show some results, but without reviewing the
a web application, a communication protocol ferent views on how to achieve their goals. many configuration options and structure of
scanner, a scanner for user input fields, a da- Although vulnerability scanners might look the test object, the results will not be optimal.
tabase with attack vectors and a heuristic re- the same on the outside, the different underly- Also the ‘optimal configuration’ differs in each
sponse scanner combined with a professional ing technologies can make interpretation and situation. Before using a vulnerability scanner
GUI and advanced reporting functions. Com- comparison of results more difficult than they efficiently, it is necessary to understand how
mercial vendors also provide frequent updates appear to be. scanners operate and what can be tested.
to the scanning engines and attack vector da- In essence, scanners work in the 3 following
The Web Application Security Consortium
tabase. steps:
(WASC) started a project in 2007 to construct
Evaluating web vulnerability scanners “a set of guidelines to evaluate web applica- 1. identify a possible vulnerability
tion security scanners on their identification
Over the past years many vulnerability scan- of web application vulnerabilities and its 2. try to exploit the vulnerability
ner comparisons have been performed 1, 2, 3 and completeness.”5. Unfortunately this project
the most common conclusion is that the results 3. search for evidence of a successful ex-
has not reached its final stage yet, although a
are not consistent. ploit
draft version has been recently presented6.
This great diversity in results can partially be For each of these steps to be executed in an
This article focuses on the difficulties review-
explained by the lack in common testing cri- efficient way, the scanner needs to be config-
ing and using vulnerability scanners. It does
ured for the specific situation. Failing in con-
not provide the best vulnerability scanner
1 http://www.networkcomputing.com/ figuring one of these steps properly will cause
rollingreviews/Web-Applications-Scanners/ 4 http://en.hakin9.org/attachments/con- the scanner to report incomplete and untrust-
2 http://ha.ckers.org/blog/20071014/ sumers_test.pdf worthy results, regardless of the success rate
web-application-scanning-depth-statistics/ 5 http://www.webappsec.org/projects/ of the other two steps.
3 http://anantasec.blogspot. wassec/
com/2009/01/web-vulnerability-scanners-compari- 6 http://sites.google.com/site/wassec/
son.html final-draft
t1FSGPSNBODFUFTUJOHUPPMPòFSJOHGFBUVSFTPGDPOUFNQPSBSZQSPEVDUT
t-PXIBSEXBSFSFRVJSFNFOUTUPPMGPS4.#BOEFOUFSQSJTFTFDUPS
t&BTZBOEJOUVJUJWFUPVTFFOWJSPONFOUXJUIRVJDLUFTUQSFQBSBUJPOT
t5SVFTJNVMBUJPOPGSFBMMJGFMPBEVTJOHBSDIFUZQFNFUIPEPMPHZ
t2VJDLUFTUSFQPSUTHFOFSBUJPOXJUINPSFUJNFGPSSFTVMUTRVBMJUZKVEHNFOU
t7BSJBCJMJUZBOETDBMBCJMJUZPGUFTUQSPDFTT
t1SFEJDUBCJMJUZBOEQSPEVDUJWJUZGPSQFSGPSNBODFUFTUJOHQSPGFTTJPOBMT
t3FUVSOPOZPVSJOWFTUNFOUCBTFEPOZPVSRVBOUJUBUJWFSFTVMUT
The Ugly
The most difficult errors to find in a web-application are application and business
logic errors. Although these errors are usually a combination of other vulnerabili-
ties, they also contain a functional element contributing to the problem. Examples
of logic errors are password resets without proper authentication or the possibility
to order items in a webshop and bypassing the payment page. Since logic errors are
a combination of security problems and flaws in the functional design of an applica-
tion, practically all vulnerability scanners have problems detecting them. Commer-
cial vendors like IBM and Cenzic do have a module for defining application logic
attacks, but these are very basic modules and require extensive parameterization.
When testing for logic errors, manual testing still is necessary, although vulnerabil-
ity scanners can be used for the repetitive or strenuous parts of the test. Practically
all commercial vendors, but also e.g. Burp Suite Pro, have an option to use the
vulnerability scanner as a browser. Hereby the tester chooses the route to test the
application, while the scanner can perform automatic checks in the background.
Biography
Conclusions
Dave van Stein is a senior test consul-
Vulnerability scanners can be very useful tools in improving the security and qual-
tant at ps_testware. He has close to
ity of web applications. However, like any other testing tool, being aware of the
8 years of experience in software and
limitations is essential for a proper use. With their efficient scanning of communi-
acceptance testing and started special-
cation problems and bad practices, they can save time and improve the quality and
izing in Web Application Security at the
security early in the development of web applications. When used for testing user
beginning of 2008. Over the years, Dave
input filtering and sanitizing, they can save time by rapidly injecting various at-
has gained experience with many open-
tacks. However, manual reviewing of the results is essential and, due to the limited
source and commercial testing tools and
amount of attack vectors, additional manual testing remains necessary.
has found a special interest in the more
Fully automated testing of business and application logic is not possible with vul- technical testing areas and virtualization
nerability scanners. Here vulnerability scanners have the same limitations as other techniques. Dave is active in the Dutch
test automation tools. However, when used by experienced security testers, they can OWASP chapter, and he is both ISEB/
save time and improve the test coverage when used to automate the most strenuous ISTQB-certified and EC-Council ‘Certified
parts of the security testing process. Ethical Hacker’
Web application vulnerability scanners can be powerful tools in the hands of expe-
rienced testers, but running them out-of-the-box with default settings demote them
to nothing more than expensive toys.
16 http://www.acunetix.com/websitesecurity/rightwvs.htm
photocase.de © froodmat
Become IREB® Certified Professional for
Requirements Engineering.
The task of requirements engineering (RE) as throughout the entire lifecycle. A number of dis-
first step within system development is to deter- ciplines rely directly on the results of RE - if they
mine the requirements on a system, to document are incorrect, the associated projects often exceed
them adequately, to test and to manage them their budgets and deadlines or fail altogether.
- Requirements Documentation
- Acquiring Requirements
- Requirements Management
- Tools
by Rex Black
If you are a software tester, software devel- Assess the Risks In addition to being aware of the failures, you
oper, development or test manager, or another need to be aware of the underlying bugs them-
other software professional concerned with Applications tend to have characteristic secu- selves. Depending on the kind of applications
quality and security, you probably know that rity risks. These risks often arise from the im- you’re writing, you’ll want to read appropriate
developing secure software is no longer sim- plementation technology. For example, C and books and Web sites for hints on common in-
ply desirable—it’s completely essential. C++ are notorious for their lack of inherent secure coding constructs, how developers can
array range checking, and consequent buffer- avoid them, and how testers can find them. For
Some developers might assume that most overflow bugs, which allow hackers to insert example, entering “secure programming” in
security problems arise from the operating malicious code into very long input strings. the Amazon.com search engine yields dozens
system or networking layers, well below the People writing applications with databases of books, some general, some quite specific.
application code they are working on. How- have to worry about SQL injection, where
ever, recent figures for Web-based applica- hackers put queries into otherwise-benign Once you are aware of the kinds of security
tions from the Open Web Application Secu- fields and gain access to sensitive data. risks that could affect your software, do a se-
rity Project (www.owasp.org) show that over curity risk analysis. Identify the specific risk
three-quarters of security exploits arose from Security risks can also arise from the business items that you should be aware of. Meet with
applications (see Table 1). application domain. For example, since they stakeholders to determine the level of risk in
deal in money, banking applications are attrac- terms of likelihood and impact. Likelihood re-
So, you know you need secure code, but how tive targets for criminals and a major source lates to the chances of any given risk becoming
to get there? What are your security risks? of worry for bank IT departments. Applica- an actual security bug in your software. Impact
What security failures and bugs do you have? tions that store personal information, such as relates to the effect on customers, users, and
What do these security risks, failures, and bugs medical history, are subject to regulations like your software should the bug be exploited.
mean? How can you reduce security risk in a HIPAA that require strict privacy controls. Your analysis of the risks and their associated
way that doesn’t create new problems? How
Risk awareness is the first step in risk reduc- levels of risk will allow you to create a priori-
do you monitor your progress over time? This
tion. Companies have been reluctant to let out- tized list of potential security failures. 1
article will outline seven steps that will allow
you to answer these and other questions as you siders know about the security failures they’ve
had, but some of their failures make the news,
Test to Know Where You Stand
improve your software’s security.
and users report others. For example, If you’re like most software development or-
Exploited Vulnerability Percent the Open Web Application Security ganizations, you don’t have the luxury of start-
Occurrence Project, www.owasp.org, provides ing over with new code on every project. How
good information for those develop- secure is that collection of existing code? If
Server Applications 41% ing Web applications, as does the you’re like many organizations, you haven’t
Non-Server Applications 36% World Wide Web Consortium’s secu- really had a chance to check. So, check the
Operating System Issues 15% rity page, www.w3.org/Security. Car- security of your existing software through a
negie-Mellon’s Software Engineering security test.
Hardware Issues 4%
Institute’s CERT Coordination Cen-
Communication Protocol Issues 2% ter, www.cert.org, provides a broader This type of test is often called a penetration
look at computer security issues. Last test. Its purpose, as the name suggests, is to
Others 2%
but not least, check out the search- discover ways in which hackers and other un-
Network and Protocol Stack Issues 1% authorized users can penetrate your system.
able Risk Digest archives, catless.ncl.
Encryption Issues 0% ac.uk/Risks, for great anecdotes and Such a test is useful to check for security fail-
commentary on software risks, includ-
Table 1: Occurrence of Security Exploits by Vulnerability 1 I describe the process of risk analysis in
ing security-related risks. my books Managing the Testing Process and Pragmatic
Software Testing.
Any time you make a process change, you The last step of this process is to do every- 6. Examine the real-world results by moni-
should monitor how those process changes thing all over again, on every single project. toring important security metrics.
affect the real world. For example, a couple That’s something of an overstatement, since 7. Institutionalize the successful process
years ago I was training for a marathon, but you don’t need to start from a clean slate. You improvements.
I hurt my ankle by overtraining in hills. So, will need to repeat process, though, using your
I switched to a training schedule that focused existing work as a baseline: Carefully following this process will allow
on low-impact aerobic exercises like bicycling your organization to improve your software
1. Re-assess security risks. security in a way which is risk-based, thor-
and elliptical machines while my ankle healed.
Did this process change help me achieve suc- 2. Re-test the application for security fail- oughly tested, data-driven, prudent, and con-
cess? Two real world measures applied: ures. tinually re-aligned with real-world results.
1. Based on the symptoms in my ankle, did 3. Re-analyze the software for security
it heal while I continued this training reg- bugs.
imen, and could I gradually reintroduce
running to the training? The answers to 4. Re-evaluate patterns in security risks,
both questions were “yes.” failures, and bugs.
This book excerpt from “Implementing Au- User Interfaces (GUIs) and those that do • Testing scenarios to be supported include
tomated Software Testing,” Addison Wesley not (for example, back-end message in- individual applications/SUTs or compo-
March 2009, by Dustin, Garrett, Gauf, pro- terface testing). nents, and coordinated and concurrent
vides a case study of how the authors suc- interaction with multiple applications or
• Support applications that use different
cessfully implemented an automated software components.
types of network protocols such as TCP/
testing framework (ASTF), using mostly
IP, DDS, CORBA, etc. • Capture/document test results at both the
open-source tools.
test step and test case levels.
• Support the integration of multiple com-
We first define our ASTF requirements and for
mercial testing tools from different ven- The framework additionally needed to provide
the purpose of this case study they were as fol-
dors (as new or better products emerge). the following capabilities and be able to:
lows:
• Support testing without having to install • Select and execute one or more (batch)
• Support applications1 running on multiple
the ASTF on the same computers as the tests to be run at a specified time.
distributed computers.
System-under-Test (SUT), i.e. the ASTF
• Verify that the system configuration is
• Support applications developed in differ- should not impact SUT applications and
valid prior to test execution.
ent languages. configurations, and should require very
low footprint. • Provide the status of test execution:
• Support applications running on different
types of OSs. • Allow for test input data to be inserted to • Percent complete
one or more SUTs using existing appli-
• Support applications that have Graphical • Pass/fail status
cation interfaces. SUT interfaces include
1 Note application here refers to either the
GUI, message-based, command-line, file- • Generate a searchable electronic log of
SUT or AUT based, for example. test results.
Test Results
...
Key Design Features • The test suite had to be scalable and por- we evaluated STAF/STAX which met our re-
table. quirements this automation framework.
Our framework design consisted of the follow-
ing key design features: We then searched for a framework that would We determined that end-to-end automation
provide automation tasks as defined in Figure would be possible using STAF/STAX; see
• We used a single design/approach to sup- “Automation Tasks,” i.e., a framework that Figure “End-to-End Automation with STAF
port testing at the system level and on in- would provide for automation startup, system and STAX.”
dividual applications. setup, test case execution, test case output
• The goal was to leverage commercially analysis, test case cleanup, results notification,
available automation test tools and open- and automation completion.
source tools and products to the maxi-
mum extent possible.
Automation Tasks
For each automated test, the test execution
• We planned for ongoing insertion of au-
needed to be managed or coordinated. We
tomation test tools and products from
found, among other tools, Software Testing
multiple vendors (to be able to use the
Automation Framework (STAF) to meet our
best tools and products as the market
needs. We could manage the test case execu-
changed).
tion through STAF-provided services. How
Automation Startup
Results Notification
Automation Completion
STAX Job
<block>
<loop>
Testcase Output Analysis Log, Process
<message>
<log>
Testcase Cleanup Process <import>
<job>
<iterate>
Results Notification Email, HTTP <paralleliterate>
<hold>
<release>
Automation Completion <terminate>
Test Manager • Allows browsing of test cases to be run We used STAF, which comes with a test man-
ager GUI called STAXMon. It did not provide
The Test Manager is generally the central fea- • Allows selection of test cases to be run
all of the features described above, but because
ture of the test automation tool. Here which • Allows monitoring of test case execution it’s open-source we were able to add the need-
test cases and the number of them to be run ed features easily. See Appendix C of the book
are selected, or the timing of when the batch • Allows for statusing of test case execu- “Implementing Automated Software Testing”
test file is to run is dictated. A Test Manager tion, including how many steps are com- for more details describing how STAF/STAX
as part of the ASTF should have the following plete, how many are left, how many tests met our framework needs. See also the section
minimum set of requirements: have been run, and their pass/fail status on Redstone Eggplant that describes how it
• Allows test case development and modifi- • Allows an operator to bring up test case met our capture/playback needs.
cation, including various test data forms, reports
test data pools, etc.
TRAINING
There is no doubt that application security is a vital issue for any modern application. Unfortunately there
is no plug that you can press to turn it on. Application security should be implemented throughout the
product life-cycle.
The ISSECO course will teach you the how and when. The course will introduce the technology but never
the less the methodology. Furthermore you will learn the security logic and how it can be achieved without
breaking the budget.
Contents
• View Of The Attacker
• Explain The Definition Of The Terms Hacker, Cracker And Ethical Hacker
• Show Examples Of Famous Hackers And Their Attacks
• Point Out The Different Skill Levels
• Modes Of Hacking
• Hacker Motive
• Illustrate The Process Of Hacking
• Outline Common Hacking Tools
• View Of The Customer
• Explain Why Customers Expect Secure Software
• Trust & Threat Models
• Methodologies
• Requirements Engineering
• Secure Design, Secure Coding, Secure Testing, Secure Deployment
• Hands-On Workshop
• Security Response
• Explain The Difficulties Of Fixing Security Issues Via Standard Maintenance Processes
• Code & Resource Protection
Source
Source
Code
IDL File Parse IDL Generate Source
Code
Interface Code
Code
◦◦ Generates lexical analyzer and pars- Our lesson learned was to report actual results
er functionality in Java (other lan- only to simplify autogeneration of source code.
guages are supported as well) We put comparison logic in a separate utility
and were then only concerned with comparing
• StringTemplate (www.stringtemplate. expected results (text, integer, etc.) with the
org/) actual results from the test run, as described in
Figure “Reporting Modularity”
◦◦ Uses ANTLR; developed by the
same team
◦◦ Provides pluggable templates; code
can be generated in multiple lan- Common Data Parser
guages without modification of the Data Format
autogen code
• JAXB (https://jaxb.dev.java.net/)
◦◦ XML to Java object binding based
on XML schema
Specifications
◦◦ Generates Java classes used to inter-
pret XML data
Expected results
Figure 8 Reporting modularity
Most testers who normally test functionality for example to execute a security review at the field will be seen as code because there is not
are unfamiliar with application security test- requirements phase. If a vulnerability is found the right validation, and as a result characters
ing. In the meantime the business runs enor- at the end of the development lifecycle, a lot in the data are executed as code. This is ex-
mous risks, because security is not covered by of rework must be done. The project members plained in figure 1, where you can see that the
our regular tests. The unfamiliarity with secu- have to change the software and the designs, data in the password field has an effect in the
rity testing causes us, the testers, to leave out but they have to also change the architecture, background in the code.
these types of tests in our strategy. Our knowl- this is very expensive. Besides this, you have
If a security test does not take place or no at-
edge of testing, however, is very useful for ap- to execute a couple of retests; just retesting the
tention is given to security during develop-
plication security testing. The experience we security issue is not enough. When some ba-
ment, the application could contain dangerous
have with structured testing, the collaboration sic principles are changed, the performance or
vulnerabilities, which causes enormous risks
between disciplines, and the knowledge of functionality could be changed as well. A re-
for the organization. The assets of the organi-
risk analyses are instruments we need in this test of these is therefore necessary. If the tester
zation are, as an attack happens, in danger.
situation. Security testing with a structured had spotted the vulnerability when reviewing
approach throughout the entire development the requirements, the changes could have been A structured approach
lifecycle gives a good understanding of the made even before the coders started their de-
software quality and protects us from known velopment. This would have saved a big part To avoid all this and gain an insight into the
security risks. of the budget, which would otherwise have to quality of the application, a structured ap-
be spent on analyzing, fixing, testing and re- proach is necessary to reduce the costs of
The present situation testing the fix. damage and risks. This can be achieved by an
approach for application security and, more in
At present, most testers don`t have any expe- Most professional testers don`t give any atten- detail, a test approach.
rience with security testing. Those who are a tion to security testing, even though this is an
little aware of security, execute a security test important part of the quality of the application.
(penetration test) at the end of the develop- If you also realize that just one security vulner-
ment lifecycle. This late execution is caused ability is enough to make the entire application
by the fact that it is unknown to the custom- useless, you cannot
ers as well as to the professional testers that deliver a good in-
the best results can be achieved by integrating sight into the quality
Banking Application
security testing into the test process, and these without testing the
test activities start already in the design and application for se- Username: 6717
GUI
development phase. One of the reasons for this curity. For example,
lack of insight is that security testing seems to if there is an entry Password: 1’ or `1’=’1
be different from functional testing. This is point where SQL-
demonstrated, for example, by the different injection is possible //entered as data
security tooling you need for security testing. in just one field in the
The testers are not familiar with this tooling. application, you can
Another reason for late or non-execution of a Select name from users
lose all your data.
CODE
security test is that the client does not know With SQL-injection where usrnme=`6717’
what security testing really means. the data for the da- and psswrd=`1’ or `1’=`1’
This approach, where security testing is exe- tabase is executed as
code to manipulate //executed as code
cuted just before the application goes into pro-
the data. Some data data
duction, is inefficient and very expensive. The
tester should apply his expertise much earlier, that is entered in a Figure 1 An SQL-Injection example
Biography
Andréas Prins is a senior test coordina-
tor, specialized in security testing and is
a member of the business development
team within Sogeti Netherlands B.V.
Andréas has developed different security
courses and trains both clients and his
own colleagues.
As a member of the development team,
he works on different test innovations
like cloud testing and the testing of non-
functional requirements..
Advertisement As a test expert, Andréas sets up test
innovations for the customers of Sogeti.
© iStockphoto.com/ Palto
IREB
Certified Professional for
Requirements Engineering
- Foundation Level
http://training.diazhilterscheid.com/
training@diazhilterscheid.com
15.07.09-17.07.09 Berlin
16.09.09-18.09.09 Berlin
18.11.09-20.11.09 Berlin
When I started in IT in the 80s, the company functional testing. In reality, it had become If there are control failures that reflect poorly
for which I worked had a closed network re- somewhat detached from conventional test- applied or misunderstood business logic, or the
stricted to about 100 company locations with ing. business rules, then will we as functional tes-
no external connections. Security was divided ters detect that? Testers test at the boundaries.
According to the glossary of the British Com-
neatly into physical security, concerned with Usually we think in terms of boundary values
puter Society’s Special Interest Group in Soft-
the protection of the physical assets, and logi- for the data, the boundary of the application or
ware Testing (BCS SIGIST) [1], security test-
cal security, concerned with the protection of the network boundary with the outside world.
ing determines whether the application meets
data and applications from abuse or loss. Do we pay enough attention to the boundary
the specified security requirements.
of what is permissible user behavior? Do we
When applications were built, the focus of
SIGIST also says that security entails the worry enough about abuse by authorized us-
security was on internal application security.
preservation of confidentiality, integrity and ers, employees or outsiders who have passed
The arrangements for physical security were
availability of information. Availability means legitimately through the network and attempt
a given, and didn’t affect individual applica-
ensuring that authorized users have access to to subvert the application, using it in ways
tions. There were no outsiders to worry about
information and associated assets when re- never envisaged by the developers?
who might gain access, and so long as the
quired. Integrity means safeguarding the ac-
common access control software was working I suspect that we do not, and this must be a
curacy and completeness of information and
there was no need for analysts or designers to matter for concern. A Gartner report of 2005
processing methods. Confidentiality means
worry about unauthorized internal access. [2] claimed that 75% of attacks are at the ap-
ensuring that information is accessible only to
plication level, not the network level. The
Security for the developers was therefore a those authorized to have access.
types of threats listed in the report all arise
matter of ensuring that the application reflected
Penetration testing, and testing the security of from technical vulnerabilities, such as com-
the rules of the business; rules such as segrega-
the network and infrastructure, are all obvi- mand injection and buffer overflows.
tion of responsibilities, appropriate authoriza-
ously important, but if you look at security in
tion levels, dual authorization of high-value Such application layer vulnerabilities are ob-
the round, bearing in mind wider definitions of
payments, reconciliation of financial data. viously serious, and must be addressed. How-
security (such as SIGIST’s), then these activi-
ever, I suspect too much attention has been
The world quickly changed and relatively ties can’t be the whole of security testing.
given to them at the expense of vulnerabilities
simple, private networks isolated from the rest
Some security testing has to consist of routine arising from failure to implement business
of the world gave way to more open networks
functional testing that is purely a matter of logic correctly. This is my main concern in
with multiple external connections and to web
how the internals of the application work. Se- this article. Such failures can offer great scope
applications.
curity testing that is considered and managed for abuse and fraud. Security testing has to be
Security consequently acquired much greater as an exercise external to the development, an about both the technology and the business.
focus. However, it began to seem increasingly exercise that follows the main testing, is nec-
detached from the work of developers. Securi- essarily limited. It cannot detect defects that Problem of fraud and insider abuse
ty management and testing became specializa- are within the application rather than on the It is difficult to come up with reliable figures
tions in their own right, and not just an aspect boundary. about fraud because of its very nature. Accord-
of technical management and support. ing to PriceWaterhouseCoopers, in 2007 [3]
Within the application, insecure design fea-
We developers and testers continued to build tures or insecure coding might be detected the average loss to fraud by companies world-
our applications, comforted by the thought without any deep understanding of the appli- wide over the two years from 2005 was $2.4
that the technical security experts were ensur- cation’s business role. However, like any class million (their survey being biased towards
ing that the network perimeter was secure. of requirements, security requirements will larger companies). This is based on reported
vary from one application to another, depend- fraud, and PWC increased the figure to $3.2
Nominally, security testing was a part of non- million to allow for unreported frauds.
ing on the job the application has to do.
Enter Username
and password
Includes
User
User Threatens
Authentication Brute Force
Authentication
Includes
Includes
Show Generic Mitigates
Error Message Harverest (e.g.
guess) Valid
Includes User Accounts
Mitigates
Validate Pass- Includes Hacker/
Application/ word Minimum Mitigates Malicious User
Server Length and Dictionary
Complexity Attack
Includes
A Community
over 110,000 C
Are you on the
www.ist
*March52
2009 The Magazine for Professional Testers www.testingexperience.com
y Worldwide!
Certifications*
e right track?
tqb.org
References
[1] British Computer Society’s Special Interest Group in Software Testing (BCS
SIGIST) glossary. http://www.testingstandards.co.uk/glossary.htm
[2] Gartner Inc. “Now Is the Time for Security at the Application Level”, 2005.
http://www.sela.co.il/_Uploads/dbsAttachedFiles/GartnerNowIsTheTimeForSecu-
rity.pdf
[3] PriceWaterhouseCoopers, “Economic crime- people, culture and controls. The
4th biennial Global Economic Crime Survey”, 2007.
[4] US Secret Service “Insider Threat Study: Illicit Cyber Activity in the Banking
and Finance Sector”, 2004. http://www.secretservice.gov/ntac/its_report_040820.
pdf
[5] CobiT 4.1, IT Governance Institute, 2007. http://www.isaca.org/
[6] CobiT IT Assurance Guide, IT Governance Institute, 2007.http://www.isaca.
org/
[7] OWASP Testing Guide, V3.0, 2008. http://www.owasp.org/index.php/
Category:OWASP_Testing_Project
[8] Gupta, S. “SOX Compliant Agile Processes”, Agile Alliance Conference, Agile
2008. http://submissions.agile2008.org/files/CD-966.pdf Biography
[9] IDEF0 Function Modeling Method. http://www.idef.com/IDEF0.html
James lives in Perth in Scotland . He
[10] OWASP “Threat Modeling”, 2007. http://www.owasp.org/index.php/Threat_ is currently working as a consultant
modeling through his own company, Claro Testing
Ltd (www.clarotesting.com).
[11] OWASP Code Review Guide “Application Threat Modeling”, 2009. http://
James has 24 years commercial IT expe-
www.owasp.org/index.php/Application_Threat_Modeling
rience, mainly in financial services, with
[12] Microsoft,” Improving Web Application Security: Threats and Countermea- the General Accident insurance company
sures”, 2003. http://msdn.microsoft.com/en-us/library/ms994921.aspx and IBM (working with a range of blue-
chip clients) throughout the UK and also
in Finland.
His experience covers test management
(the full life-cycle from setting the strat-
egy, writing the test plans, supervising
execution, through to implementation),
information security management, proj-
ect management, IT audit and systems
»I have the simplest of tastes.
I am always satisfied with the
analysis.
In 2007 he successfully completed an
MSc in IT. His specialism was “Integrat-
BEST .« ing usability testing with formal soft-
ware testing models”. He is particularly
The Java GUI Testtool Oscar Wilde
interested in the improvement of testing
System & load testing processes and how the quality of ap-
Robust & reliable plications can be improved by incorpo-
Easy to use rating usability engineering and testing
Cross platform
techniques.
Well-established
James is a Chartered IT Professional and
Swing/SWT/RCP & Web
a professional member of the British
www.qfs.de Computer Society (MBCS). He holds the
Quality First Software GmbH
ISEB Practitioner Certificate in Software
Tulpenstraße 41 Testing and is a member of the Usability
82538 Geretsried Professionals Association.
Germany
Fon: +49. (0)8171. 91 98 70
U.S. Government passes the stimulus package A lot of these attacks are occurring at the Web In spite of all the attacks, regulations, and all
and includes $355M for cyber security. Hack- application layer meaning through the Web the hype, why aren’t companies and govern-
ing against Government sites including electric sites. ments doing something about it? One reason
grid intensifies. New regulations for privacy is that most people still don’t quite understand
Hackers are getting smarter. They are no lon-
are being passed or proposed across Europe, what Web application security means or they
ger trying to attack the network layer which
Asia, and Americas (http://lastwatchdog.com/ don’t believe they’ll ever get hacked. In this
has gotten a lot more secure over the last few
senate-bill-mandates-strong-federal-role-in- article, we are going to try and demystify the
years with a vast majority of organizations de-
ternet/). Hacking against government agencies application security landscape and also bust
ploying firewalls and Intrusion Detection Sys-
and corporations across the globe continues at some of the myths around this space.
tems (IDSs). The low-hanging fruit for hack-
a faster rate than ever. From social networking
ers are Web applications. Why? Because that’s Before we look at Web application security,
sites like Facebook and Twitter to large corpo-
where the vulnerabilities are. Our research let’s define a Web application. Most consum-
rations like Heartland to government agencies
shows that Web application vulnerabilities ers and even a lot of IT professionals don’t
like Utilities and Pentagon – no one has been
continue to dominate amongst the total pub- realize that Web sites that allow us to do busi-
spared. Even countries are using cyber wars as
lished vulnerabilities, as is evidenced from the ness transactions online are powered by Web
the latest lethal weapons against one another.
chart below. applications. And, in some cases there are hun-
dreds or even thousands of these
applications acting as the engine
for Web sites. Simply put, a Web
application is a software pro-
gram that’s written in a browser-
supported language like HTML,
and is accessed over the browser.
This is different from the older
ways of applications that used to
have fat clients which accessed
the server.
Technically, the fact that these
Web applications are vulnerable
is not a new phenomenon. The
fact is that they have always been
vulnerable since the early days of
the Web in the late 90s. However,
hackers started exploiting these
vulnerabilities in the early 2000s
as networks got more secure and
hackers realized that most Web
sites were wide open for hack-
ing.
So, how did these applications
get deployed with so many vul-
Source: Cenzic Application Security Trends Report – Q3-Q4, 2008 nerabilities? First, most develop-
Mandeep has been with Cenzic, an application security software company, since 2003
as the Chief Marketing Officer driving the strategic, product, and outbound marketing
functions. Prior to joining Cenzic, Mandeep managed marketing functions for Veri-
Sign’s Managed Security Services product line, as the Vice-President of Marketing for
Maaya, a Web-Services Software company, as Vice-President of Worldwide Marketing
for UCMS, an eCRM software company and as the Vice-President of Marketing and
Engineering for Embarcadero Systems Corporation, a logistics management software
company.
Previously he was with Hewlett-Packard for 11 eleven years in various positions includ-
ing as a general manager of a software business unit.
Overview
Hypo Alpe-Adria-Bank a.d. Belgrade has
been conducting business in Serbia since
2002. As a part of Hypo Alpe-Adria-Bank In-
ternational, the most successful regional bank
in the Alpe Adriatic region, it is today among
the top 5 most important financial institutions
in Serbia, with a presence in all large industri-
al centers, enabling orientation towards long-
term investment financing with its stability
and significant financial potential, which has
positioned Hypo Alpe-Adria-Bank a. d. Bel-
grade as one of the most important banks in
the development of the Serbian economy.
Challenge
Hypo Alpe-Adria–Bank a.d. Belgrade needed
to implement a completely new front-end sys-
tem that was to be deployed throughout all
branches in Serbia. The new system needed
to support the daily business of all branches
in the country, and it had to be capable of
handling high numbers of simultaneous on-
line users. Mission-critical for the bank was to sophisticated infrastructure. lution was able to successfully generate the
have a strong, robust and reliable application application load on demand by emulating
With an integrated traffic recorder within the
that can cope well with great workloads on a workload of real-life bank tellers and manag-
LoadXpert tool, PSTech was able to capture
daily basis. ers with a virtual user technology implemented
and parameterize the encrypted traffic between
in LoadXpert tool. During each test, PSTech
The bank needed to test the bandwidth of the web browser and application servers. Captured
was able to monitor in real time all relevant
new system before it went live for daily usage. traffic was later shaped into a library consist-
performance indicators and metrics using the
PSTech has provided the bank with an effec- ing of test commands, test cases and user ar-
LoadXpert Performance Monitor component.
tive and reliable solution. chetypes. Based on usage scenarios defined
After each test, LoadXpert reports provided
by the bank, PSTech generated different load
PSTech Solution PSTech with all relevant information about the
scripts to be used by a load generator com-
application performance during the test.
By using the LoadXpert performance testing ponent within the LoadXpert tool, in order to
tool, PSTech developed a solution implement- produce the required application load. After several rounds of testing, critical is-
ing a robust test methodology supplied by sues were discovered that needed extra atten-
LoadXpert, that supports complex usage sce- tion, which in the end resulted with a greatly
narios and data processing, secure protocols improved application response time and in-
and a distributed server farm integrated with creased capacity to handle hundreds of users.
Along with metric analysis of the application
response under load, the LoadXpert tool also
pinpointed bottlenecks within the application
and its test bed that needed to be improved be-
fore going live. This sort of information was
very valuable since it unveiled possible issues
before they happen in the real world.
Results
Our efforts resulted in:
• Average page response time reduced by
30%
• Workload throughput increased by 40%
• Dramatically decreased percentage of
functional errors during high load, by a
factor of 10
• Increased supported number of users by
30%
• Increased workload capacity (requests
This per second) by 250%
so-
About PSTech:
Managing information security has become auditors, lack of information security aware- Clause 6 of this standard requires performing
more complex and the numbers of internal and ness and communication by top management, internal ISMS audits at planned intervals (at
external security threats are increasing. Con- information security requirements and pro- least once a year) to determine whether secu-
ducting an information security audit makes cedures are not established, costs to involve/ rity objectives, controls, processes and proce-
good business sense to assess threats and hire IT security specialists being too high, etc. dures of the ISMS are compliant, efficient and
security risks to information systems, to de- Another problem is that most internal auditors executed as planned.
velop risk mitigation strategies and to ensure and IT employees are not familiar with infor-
Internal ISMS audits shall be conducted by in-
that identified security risks remain within ac- mation security audits.
dependent, competent and adequately trained
ceptable levels. The purpose of this article is
Organizations that have implemented a qual- auditors. Internal information security audi-
to provide guidance on how to conduct basic
ity management system in conformance with tors should have the following knowledge
information security audits as part of the in-
international standards (e.g. ISO 9001, ISO and skills: communication and report writing
ternal audit programme.
13485, etc) can take advantage from internal skills, sufficient knowledge needed to perform
Introduction audits when performing basic information se- technical security testing (i.e. knowledge in
curity audits. The international quality man- utilizing the penetration tools selected to de-
Every business relies on the continuous and agement standards ISO 9001:2008 and ISO tect vulnerabilities), working knowledge of
safe operation of information technology to 13485:2003 require conducting internal audits application programming, network engineer-
maximize effective achievement of organiza- (clause 8.2.2). ing skills, system administration skills, risk
tional goals. Today’s organizations face a num- management skills, knowledge to interpret
ber of challenges in managing information se- Internal audits should be conducted at defined
the requirements of information security stan-
curity. Software vulnerabilities, unauthorized intervals by independent and skilled internal
dards in the context of an ISMS audit, skills to
intrusions, increased spam delivery, infection auditors for management review and internal
conduct an internal audit in accordance with
of systems and data by viruses, worms or purposes. All elements of a quality manage-
ISO 19011:2002, etc.
Trojan horses (backdoors), phishing attacks, ment system (e.g. design control, process and
denial of service (DoS) attacks, computer-as- production controls, corrective and preventive The three core elements of information secu-
sisted fraud, website defacements, economic actions, software, management review, docu- rity (also known as the CIA triad) according to
espionage, laptop or mobile hardware theft, ment and record control, etc) should be au- ISO/IEC 27001:2005 are:
insider threats, non-compliance (e.g. security dited. The results of the internal audit activity
• Confidentiality of information – protect-
policy not followed by employees) and other should lead to continuous improvements, pro-
ing access to it from unauthorized users
threats to information security are just a few of cess innovations, risk mitigation, corrective
or systems.
many challenges for organizations. It is very and/or preventive actions, corrective action
important to note that information security is a closures, lessons learned, observations, etc. • Integrity of information – safeguard-
continuous management process that requires ing the accuracy and completeness of
ISMS
ongoing attention and a well established risk information and processing methods.
management process. ISO/IEC 27001:2005 is an information securi- Examples of integrity incidents are: an
ty management framework which helps orga- unauthorized user deletes a record from a
To protect valuable IT assets such as comput- nizations to establish a documented informa- database, changes a statement in a source
ers and laptops, servers, networks, and sensi- tion security management system (ISMS). The code, executes an application, etc.
tive data and to detect security risks/threats, purpose of ISMS is to ensure adequate and ap-
companies should conduct regular information • Availability of information – ensuring
propriate security controls that adequately pro-
security audits. However, many companies ig- information and associated assets are
tect information assets. ISO/IEC 27001:2005
nore this important fact and do not perform available to authorized users or systems
standard can be used to assess compliance
their own basic information security audits when requested or needed. Examples of
of the ISMS by internal and external parties.
for various reasons, such as lack of qualified common availability incidents are: autho-
The following websites provide a review and An audit report should provide a complete, ac-
brief description of currently available vulner- curate and concise record of the audit. It should
ability assessment tools: www.securitywizard- be prepared by the lead auditor and signed by
ry.com, sectools.org. the audit team members. Audit reports increase
top management awareness of security issues
Company assets to consider when conducting and assist top management in decision-making
information security audits may include, but processes. An audit report usually includes the
are not limited to: following information:
A risk is the potential that a given threat will exploit vulnerabilities to cause
loss or damage to an asset or group of information assets and thereby
cause harm to the organization. It is measured in terms of a combination of
the probability of an event and the severity of its consequences. [After ISO/
IEC 13335-1:2004] Biography
Information is an asset which, like other important business assets, has Nadica Hrgarek holds a B.Sc. in informa-
value to an organization and consequently needs to be suitably protected. tion systems and a Master of Science in
[ISO/IEC 27002:2005] Information can be in various forms: printed or writ- information science from the University
ten on paper, stored electronically, transmitted by post or e-mail, shown on of Zagreb, Croatia.
corporate videos, spoken in conversation or exists as knowledge acquired by Since March 2007 she has been a mem-
individuals. ber of the RA/QA department at MED-EL
Elektromedizinische Geräte GmbH (www.
Information security is preservation of confidentiality, integrity and avail- medel.com), a hearing implant company
ability of information; in addition, other properties, such as authenticity, located in Innsbruck, Austria. Nadica
accountability, non-repudiation, and reliability can also be involved. [ISO is currently working as a Senior QA
27002:2005] Specialist – Quality Improvement. Her
responsibility covers all aspects of qual-
Industrial espionage is unauthorized collection of confidential, classified or ity improvements ranging from coordina-
proprietary documents. tion of corrective and preventive actions,
non-product software validation support,
conducting training, internal and supplier
Advertisement audits, etc.
Nadica is a certified ISTQB tester (full
advanced level), ISO 9000 internal and
lead auditor and has conducted more
than 20 internal, product, process and
supplier audits.
She is co-founder and Head of the Advi-
- the tool for test case design and test data generation sory Board of the Croatian Testing Board
(CTB), which was founded in 2008. She
is also a member of the German Associa-
tion for Software Quality and Training
(ASQF).
© Pitopia / Klaus-Peter Adler, 2007
www.casemaker.eu
Introduction past, then we’ll want to use state-based test- have one test per row in the truth table.
ing, which we’ll cover in a moment.
The following is an excerpt from my recently- So, what kind of bugs are we looking for with
published book, Advanced Software Testing: The underlying model is either a table (most decision tables? There are two. First, under
Volume 1. This is a book for test analysts and typically) or a Boolean graph (less typically). some combination of conditions, the wrong
test engineers. It is especially useful for ISTQB Either way, the model connects combinations action might occur. In other words, there is
Advanced Test Analyst certificate candidates, of conditions with the action or actions that some action that the system is not to take un-
but contains detailed discussions of test design should occur when each particular combina- der this combination of conditions, yet it does.
techniques that any tester can—and should— tion of conditions arises. Second, under some combination of condi-
use. In this first article in a series of excerpts, I tions, the system might not take the right ac-
If the graph is used, this technique is also re-
start by discussing the related concepts of de- tion. In other words, there is some action that
ferred to as a cause-effect graph, because that
cision tables and cause-effect graphs. the system is to take under this combination of
is the formal name of the graph. However, it’s
conditions, yet it does not.
Decision Tables important to keep in mind that any given deci-
sion table can be converted into a cause-effect Consider an e-commerce application like the
Equivalence partitioning and boundary value graph, and any given cause-effect graph can be one found on our RBCS Web site, www.rbcs-
analysis are very useful techniques. They are converted into a decision table. So, which one us.com. At the user interface layer, we need
especially useful when testing input field vali- you choose to use is up to you. I prefer deci- to validate payment information, specifically
dation at the user interface. However, lots of sion tables, and they are more commonly used, credit card type, card number, card security
testing that we do as test analysts involves so I’ll focus on that here. However, I’ll show code, expiration month, expiration year, and
testing the business logic that sits underneath you how the conversion can be done. cardholder name. You can use boundary value
the user interface. We can use boundary values analysis and equivalence partitioning to test
and equivalence partitioning on business log- To create test cases from a decision table or a
the ability of the application to verify the pay-
ic, too, but three additional techniques, deci- cause-effect graph, we design test inputs that
ment information, as much as possible, before
sion tables, use cases, and state-based testing, fulfill the conditions given. The test outputs
sending it to the server.
will often prove handier and more powerful correspond to the action or actions given for
techniques. that combination of conditions. During test ex- So, once that information goes to the credit
ecution, we check that the actual actions taken card processing company for validation, how
In this article, we start with decision tables. correspond to the expected actions. can we test that? Again, we could handle that
Conceptually, decision tables express the with equivalence partitioning, but there are ac-
rules that govern handling of transactional We create enough test cases that every combi-
tually a whole set of conditions that determine
situations. By their simple, concise structure, nation of conditions is covered by at least one
this processing:
decision tables make it easy for us to design test case. Frequently, that coverage criterion is
tests for those rules, usually at least one test relaxed to say, we cover those combinations of Does the named person hold the credit card en-
per rule. conditions that can determine the action or ac- tered, and is the other information correct?
tions. If that’s a little confusing, the distinction
When I said “transactional situations,” what I Is it still active or has it been cancelled?
I’m drawing will become clear to you when
meant was those situations where the condi- we talk about collapsed decision tables. Is the person within or over their limit?
tions—inputs, preconditions, etc.—that exist
at a given moment in time for a single trans- With a decision table, the coverage criterion Is the transaction coming from a normal or a
action are sufficient by themselves to deter- boils down to an easy-to-remember rule of suspicious location?
mine the actions the system should take. If the at least one test per column in the table. For
cause-effect graphs, you have to generate a so- The decision table in Table 1 shows how these
conditions are not sufficient, but we must also four conditions interact to determine which of
refer to what conditions have existed in the called “truth table” that contains all possible
combinations of conditions and ensure you the following three actions will occur:
Conditions 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Real account? Y Y Y Y Y Y Y Y N N N N N N N N
Active account? Y Y Y Y N N N N Y Y Y Y N N N N
Within limit? Y Y N N Y Y N N Y Y N N Y Y N N
Location okay? Y N Y N Y N Y N Y N Y N Y N Y N
Actions
Approve? Y N N N N N N N N N N N N N N N
Call cardholder? N Y Y Y N Y Y Y N N N N N N N N
Call vendor? N N N N Y Y Y Y Y Y Y Y Y Y Y Y
V
Real Approve
account
S
V
Active Call
S
account vendor
Within
limit
S
Legend
A B A B
S
A causes B A causes B
V
A1 V B A1 B
A2 A2
Zero before Normal after At limit after Just over limit At limit before Max after
transaction transaction transaction after transaction transaction transaction
Conditions 1 2 3 5 6 7
EP
EP
Real account? Y Y Y Y Y Y
Active account? Y Y Y N N N Within limit Over limit
Within limit? Y Y N Y Y N BVA
0 limit limit + 0.01 max
Location okay? Y N - Y N -
Conclusion
In this article, I’ve shown how to apply decision tables and cause-effect graphs to
the testing of sophisticated and complex internal business logic in applications.
Decision tables are a great way to test detailed business rules in isolation, espe-
cially for transactional types of situations. However, we will need to look at two
additional techniques, use cases and state-based test techniques, to deal with the full
range of internal business logic testing we need to do. I’ll address those techniques
in the next two articles in this series.
Biography
With a quarter-century of software and
systems engineering experience, Rex
Black is President of RBCS (www.rbcs-us.
com), a leader in software, hardware,
and systems testing. For over a dozen
years, RBCS has delivered services in
consulting, outsourcing and training for
software and hardware testing. Employ-
ing the industry’s most experienced and
recognized consultants, RBCS conducts
product testing, builds and improves
testing groups and hires testing staff for
hundreds of clients worldwide. Ranging
from Fortune 20 companies to start-
ups, RBCS clients save time and money
through improved product development,
decreased tech support calls, improved
corporate reputation and more. As the
leader of RBCS, Rex is the most prolific
author practicing in the field of software
testing today. His popular first book,
Managing the Testing Process, has sold
over 35,000 copies around the world,
including Japanese, Chinese, and Indian
releases. His five other books on testing,
Advanced Software Testing: Volume I,
Advanced Software Testing: Volume II,
Critical Testing Processes, Foundations
of Software Testing, and Pragmatic
Software Testing, have also sold tens of
thousands of copies, including Hebrew,
Indian, Chinese, Japanese and Rus-
sian editions. He has written over thirty
articles, presented hundreds of papers,
workshops, and seminars, and given
about thirty keynote speeches at confer-
ences and events around the world. Rex
has been President of the International
Software Testing Qualifications Board
and is a Director of the American Soft-
ware Testing Qualifications Board.
Most software companies perform load test- Maximum user load - Determine how many possible concurrent users for the application.
ing on their products. Load testing is one of users can run on your testing hardware con- Using the work distribution for each scenario,
the most important testing types today. When figuration. calculate the % user load per key scenario.
the Amazon website crashed for two hours For example, the distribution of load for a key
This is probably the most important step!
on 6/6/2008, it would have been difficult to scenario could be similar to that shown in the
calculate the exact amount that outage cost Step 2 - Identify Key Scenarios (or Pro- following table.
Amazon, because customers could come back
later for purchases. However, the stock closed
files) Scenario % of users Sum
down 4.6 percent at $80.63. Everyone thought: What are scenarios? Login 60 600
“They know how to handle load”.
Scenarios are anticipated user paths that gen- Registration 10 100
In this article, I’m not going to talk about load erally incorporate multiple application activi- Buy 30 300
testing tools or advanced testing techniques, ties.
but rather, I would like to talk about 10 ba- Total 100 1000
sic steps that are the foundation for creating a How do you identify scenarios?
Step 4 - Identify Metrics
good, precise and powerful load test suite. Key scenarios are those for which you have
specific performance goals or those that have Metrics are a derivative of your performance
Step 1 - Identify Objectives a significant performance impact. These sce- objectives. They are used to measure your ap-
The purpose of this step is to identify and write narios represent business activity of users over plication’s real-time performance in compari-
the performance objectives of your applica- time. son with your performance objectives. In ad-
tion. The key question you should ask yourself dition, they also help you to identify problems
For example: Open ‘about window’ will take and bottlenecks within your application.
is:
less resource than perform ‘buy’ action.
“How should my application behave under Network-specific metrics: This set of met-
The “Buy” action, as opposed to “Open about rics provides information about the overall
load?”
window”, will involve multiple actions like: “health” and efficiency of your network, in-
The main parameters we should consider are: SQL, Credit Card validation, IIS. cluding routers, switches, and gateways.
Response time - The time that the application Step 3 - Identify the Workload System-related metrics: This set of metrics
would take to display a certain output or per- help you identify the resource utilization on
form a certain calculation. Example: the prod- Identify the distribution / ratio of the work -
your server. The set includes CPU, memory,
uct catalog must be displayed in less than 3 For each key scenario, identify the distribution
disk I/O, and network I/O metrics.
seconds. / ratio of the work. The distribution is based
on the number of users executing the scenario Platform-specific metrics: Platform-specific
Throughput – The rate of successful message (according to their profile). metrics are related to software that is used
delivery over a communication channel. Ex- to host your application, such as the .NET
ample: the system must support 100 requests For an existing application this information
Framework common language runtime and
per second. can be provided from IIS log/counters as de-
ASP.NET-related metrics.
scribed in step 1.
Resource utilization - A frequently over- Application-specific metrics: These include
looked aspect, resource utilization defines how For a new application this information can be
custom performance counters embedded in
much resource your application consumes in based on market research, historical data, mar-
your application code that monitor the applica-
terms of CPU, memory, disk I/O, and network ket trends and prototypes.
tion’s “health”. You might use custom counters
I/O. Calculate the users load per scenario - Based to determine the number of concurrent threads
on the previous data, calculate the maximum waiting to acquire a particular lock or the num-
Example: The production environment has 10 computers and the load testing en-
vironment has 2 computers. The load test showed that 2 computers can hold more
than 1000 users, so 10 computers can hold approximately 5000 users? NO!
Biography
100 concurrent users 200 concurrent users 400 concurrent users
Shai Raiten is Team System MVP, cur-
rently working for Sela Group as ALM
senior consultant and trainer specialized
in Microsoft technologies, especially
Team System and .NET technology.
Shai has 6 years experience that re-
volves around Software/Hardware QA,
Test Management, Automation and load
testing. In the past he worked as load
There is no doubt that 10 computers are stronger than 2, but we need to take into expert for a big outsourcing company.
consideration that we have different hardware and configurations for each environ-
ment that can affect our results.
So why perform load testing if the results are inconclusive to production?
Load Testing helps you to estimate the behavior of the application under load.
Summary
That being said, I’m sure that for expert performance test engineers the above rules
of thumb are obvious – you have tried them in trial and error situations. For all the
other testers, who would like to know how to start a performance and load test and
get things done, I hope I have explained in simple enough words what the basic
step by step actions are that I suggest should be followed, in order to create a good,
precise and powerful load test suite. Good luck!
Resources
Team System Team Edition – http://msdn.microsoft.com/en-us/teamsystem
Windows Performance Counters - http://msdn.microsoft.com/en-us/library/
aa373083(VS.85).aspx
Shai’s Blog – http://blog.microsoft.co.il/blogs/shair
Enterprise Anti-Spam and Anti-Virus solutions Anti-Spam and Anti-Virus Solutions Tested Enterprise Solutions
are widely used to protect corporate e-mail Overview
servers against various external threats includ- Representative Anti-Spam and Anti-Virus
ing spamming, viruses, spyware, and phishing Anti-Spam and Anti-Virus enterprise products solutions from Marshal8e6, Barracuda Net-
attacks. Usually claiming a high rate of mali- for protecting e-mail servers are commercial- works and Symantec were tested as part of this
cious message filtering (between 95-99%), it is ized as software-based solutions, hardware work.
hard to argue that its main purpose is realized. appliances or security virtual appliances. MailMarshal SMTP, a Gateway Security
However, no comprehensive benchmarking Software-based filtering solutions require pre- product from Marshal8e6, is an enterprise
on how such security solutions stand against installed and configured operating systems Anti-Spam and Anti-Virus software solution
internal attacks is currently available. Relying running on hardware or virtual appliances. providing anti-spam, e-mail threat protec-
on various commercial and open-source tech- Such solutions are built for specific network tion, content security, policy enforcement and
nologies (Microsoft .NET, MySQL, PHP, Li- infrastructures and servers, often come with a data leakage prevention services. Running on
nux, Apache HTTP server, etc.), the majority lengthy list of hardware and software require- Windows platforms, the product provides a
of Anti-Spam and Anti-Virus enterprise solu- ments, and significant effort could be required Web-based interface built on Microsoft .NET
tions employ Web-based applications to allow to configure and integrate them within the ex- framework for remote access and management
remote configuration, administration and man- isting infrastructure. of quarantined e-mail from both inside and
agement of spam-quarantined e-mails. While outside the enterprise.
The security integrated hardware and software
Web-based applications are often found to be
solutions are considered to be more robust, Multiple security products from Barracuda
vulnerable to a wide variety of security vulner-
high-performance, scalable and cost-effective Networks tested include Barracuda Spam and
abilities (including SQL Injection, Cross-Site
than the traditional software-based solutions. Virus Firewall, Barracuda Web Filter, Bar-
Scripting, Denial of Service, Privilege Esca-
Such products are deployed as hardware appli- racuda IM Firewall and Barracuda Message
lation, etc.), such enterprise security solutions
ances, embed hardened operating systems and Archiver. Built on a hardened Linux kernel,
make unfortunately no exception.
various pre-configured commercial and open- Barracuda Spam and Virus Firewall is a hard-
This paper highlights the need of vendor-cer- source security software, are control-locked ware appliance, with various open-source and
tified security testing for Anti-Spam and Anti- by the vendors and require limited configura- commercial software solutions for Anti-Spam
Virus enterprise solutions, in order to protect it tion to be done by customers for integration and Anti-Virus protection of e-mail servers.
against internal attacks. In a structured effort purposes. Additionally, the product is recommended
to benchmark and potentially improve various for protecting the enterprise against spoof-
Security virtual appliances bundle virtual
enterprise security products, the author’s re- ing, phishing, spyware and Denial of Service
machines for allocating the required physical
cent research done in collaboration with Data (DoS) attacks. Barracuda Web Filter is an in-
hardware resources (CPU, memory, disk stor-
Communication Security Laboratory from tegrated solution for web filtering, providing
age, network interface) with hardened operat-
University of Limerick, (Ireland) is presented. protection against spyware and malware, con-
ing system and a variety of pre-installed and
Various security vulnerabilities identified in tent filtering and web access control. Barra-
pre-configured security software packages,
high-profile enterprise Anti-Spam and Anti- cuda IM Firewall provides powerful manage-
including firewalls, anti-spam, message fil-
Virus products commercialized by vendors ment and monitoring functionality for internal
tering, and web filtering solutions. With the
such as Marshal8e6 [1], Barracuda Networks and external instant messaging services, while
proliferation of virtualization and cloud com-
[2], and Symantec [3] are discussed, while the Barracuda Message Archiver is an effective
puting, security virtual appliances are quickly
implications of vulnerabilities exploitation and enterprise-class e-mail archiver.
adopted by companies worldwide, mainly due
the risks for the enterprise are analyzed.
to the increased availability, minimal depen- Symantec Brightmail Gateway Virtual Edi-
dency on the hardware hosting the virtualiza- tion is an enterprise virtual appliance built on
tion platform, minimal required configuration a hardened RedHat Linux, providing protec-
and cost-effectiveness.
You might think of doing test automation for rate from your test process. Neither should may want to find out the specific actions that
many reasons. You need to look at your rea- you have two test processes – one manual and caused the errors. You might want to have your
sons closely. Do your reasons look like text one automated. You should have a single test automated system do some cleanup or backup
book examples such as ‘I want to avoid having process and your automated test system should following a run. You might want to have your
my testers do repetitive tasks that can easily be plug into it. Here are some examples of pro- results formatted in a particular way and sent
automated’? Then ask yourself this question: cess-centric requirements: You might be using to key stakeholders. You might want to have
‘If I can avoid having my testers do repeti- a test management tool to streamline your test defects to be automatically logged to a track-
tive tasks that can easily be automated, will process. You would be forgetting something if ing system (though such features are specific
it yield a tangible benefit to my test process?’ you were not expecting the automated system utilities offered by some tools and may not be
You should have a sound statement of purpose to integrate with your tool. Your application worthwhile building from scratch in your en-
for test automation. It should be something might need substantial configuration before vironment, in the absence of such tools). You
like this. ‘Over the next two years, my key you execute test cases on it. You should expect might have a practical need to have test data
web-based product ‘WebClassRoom’ will go your automated test system to automate the parameterized, say if it is not uncommon for
through two major releases. Each release will configuration before running actual tests. You you to test patch versions delivered to specific
have several patch cycles. I need an automated might have a certain pattern of running tests clients when running tests with their specific
test system that can regression test a patch ver- that you would like to be replicated in your data. You might have requirements about the
sion in 1 week. This will add value to my patch automated test system. You might be in pos- usability of the automated system, particularly
testing process.’ session of a certain automation tool that you when the end users may not be skilled automa-
would like to be utilized in your automated tion test engineers.
This statement alone is far from being all that
system. This is fair because tools are expen-
you need from test automation. You should At the end of this important exercise, you will
sive, and instead of leaving the tool decision
completely articulate what you need and ex- have a list of requirements that are centered
to the design stage you might consider its use
pect from the automated test system. These around your test process. Having these require-
as a requirement if you possess it. There are a
should be your test automation requirements. ments is not sufficient to decide whether you
number of reasons why you could end up hav-
Traditionally, you would begin by looking at will go for automation or not. Assessments,
ing a certain tool without having been actively
two things: a functional test automation tool estimations, feasibility and ROI consider-
involved in the tool acquisition process. These
that would allow you to translate your func- ations, etc will have to follow. However, it is
could be strategic alliances or tie-ups with
tional test cases into automated code and/or a an important and first step towards successful
vendors (decisions made at a higher level of
tool that could simulate a number of users to test automation. Test automation implemented
management), mergers with other companies
generate a load and test your application for around process-centric requirements is more
(thereby acquiring their tools), and tool pur-
performance-related factors. This approach is likely to add value to your testing. Being sure
chases made by other groups in your organiza-
more likely to jade your requirements in terms of what you want will keep you ahead of the
tion (and not utilized). The tool you possess
of the features available on commercial tools game, whichever way you choose to imple-
may not be best suited to your test process
and make you end up with a list of generic ex- ment the automation – whether you wish to
or applications. However, most tools can be
pectations like cost reduction, avoiding manu- do it in-house or seek the services of a vendor
made to work in most circumstances with the
al tedium, increasing test coverage etc. These specializing in providing automated test solu-
right skills and effort. There are expectations
are goals that may or might not be realized and tions. Going to a vendor with a list of specific
that are feasible from automated runs but not
should not be your requirements requirements that tell more about your process
so feasible from manual testing. For example,
is much better than going with a wish list of
You should rather look at your test process to you might be tempted to look at and retrieve er-
generic benefits.
come up with your requirements. You do not rors from the application or database logs fol-
want to have an automated test system that lowing an automated run, knowing fairly well
aims to meet generic goals but stands sepa- that the activity on the application is constant
and intended in automated runs. Further, you
Advertisement
Database Auditing
by Craig Steven Wright
Databases are the proverbial keys to the king- • Physical security long run and leave the organization less
dom for the majority of organizations. They secure.
• Change control
hold most of the Intellectual Property that has
• Archive audit records and purge the audit
value and are the end goal of many attacks. • Disaster recovery
trail – After you have collected the re-
In the past, the database was commonly pro-
• Separation and restriction of production, quired information, archive audit records
tected inside the organizational firewall. Today
test and development environments that are of interest and purge the audit
in a web 2.0 world, the database is there for
trail of this information. Maintaining a
all to access any time they wish. This includes • Scripts, jobs or batch files historical trail is useful and will help fu-
attackers and others who should not have ac-
• The storage of user names and passwords ture reviews.
cess.
in an unencrypted format Check Triggers
Database systems are both the most over-
looked and the most crucial areas in need of • Application patch level Database triggers are procedural code that is
securing. Most of the reason for both security • User and role rights automatically executed in reaction to selected
and compliance comes down to information events on a particular table, row or field in a
stored on databases, and in many instances • Configuration parameters database. A security test of a database should
all the critical information held by a company It is also necessary to check that processes and check that these are used and where. Triggers
will be found on its database. This is not to control are in place to restrict the use of default need to be set to fire when events that are de-
state that other systems are not important, but and simple passwords. fined in policy occur.
that databases, though often overlooked, form
the keystone of our information systems. A ba- System triggers
Principles for Developing a Database
sic knowledge of SQL is assumed throughout Review Strategy System triggers allow the activation of con-
this section. In any event, it is important to trols that start when system events take place.
have someone involved with a security review When testing databases in order to ensure that These events can include:
who understands and knows how the database they are secure: test generally, then specifical-
system is configured. ly. In any security reviewing involving a data- • The start- up and shutdown of the data-
base, start with gathering the system configu- base,
At the same time as we are opening database ration. Some of the key checks include:
access, we are doing less to protect them than • Logon and logoff from users,
ever. There is light at the end of the tunnel. • Protect the audit trail – Has the organiza- • Privileged access, and
NIST, DASA and the Centre for Internet Secu- tion protected the audit trail so that audit
rity have detailed guidelines for securing these information cannot be added, changed, • The creation, altering and dropping of
database systems. or deleted without being recorded and schema objects.
logged?
Database Security Using autonomous transactions also allows a
• Audit normal database activity - The pro- log to be written for the above system events.
Database security is about both the specifics of cess of gathering historical information Any comprehensive review of a database secu-
the database itself and also the system and net- about particular database activities that rity should check what (if any) system triggers
work it runs on. There are some general areas may be reviewed as a baseline. Knowing exist and ensure that these are aligned with the
that you may also want to address when testing the baseline provides a starting point to policy of the organization. An example trig-
a database. These include: find changes that are out of the ordinary. ger would be sending an alert if a user with
administrative access has been added to the
• Policies and procedures • Audit only pertinent actions – In order to database.
• Patches avoid cluttering the meaningful informa-
tion with useless audit information, audit Update, delete, and insert triggers
• Operating system security only the targeted database activities. It is
Defense in depth requires an understanding
all too easy to let the scope of an engage-
• Setup files of the users’ actions at multiple levels. This is
ment grow. Due to time and cost limita-
not just access to the database, but access at
• Service privileges tions, this will only hurt the process in the
the detailed row level for selected events and
This additional cost often puts people off. produced by the database that are sent to • Triggers,
However, the savings in the long run and the a remote system), or
• Constraints,
increased ease with which databases may be • Between the client and the database (such
verified can make it worthwhile. as firewall logs, IDS/IPS devices and host • Procedures and functions,
based events and logs). • Rules,
Authorization Rules
Auditing within the client entails using the • Table space and storage details associated
Authorization rules are controls which are in- evidence available on the client itself. Client
corporated into the data management systems with the database,
systems can hold a wealth of database access
to restrict access to data and may also restrict tools and the logs that these create. These logs • Sequences used, and finally the entities
the actions taken by the users when they are may contain lists of end-user activity that a within the database.
accessing the data. For instance, an authoriza- user has performed on the database. In respect
tion rule could be used to restrict a user with Each of the tables will also display detailed
of web based systems, the web server itself
a particular user name and password to read information concerning the structure of each
may be treated as a client of sorts.
any record in the database but not to modify of the fields that may be viewed at a single
those records. To obtain an adequate audit trail from client glance. In large databases a graphical view is
systems alone, all data access must have oc- probably the only method that will adequately
In Oracle the privileges are: curred using client tools under the control of determine if relationships between different
• Select. This gives the user the capability the organization conducting the audit. In the tables and functions within a database actually
to query the object. event that data access can transpire using other meet the requirements. It may be possible in
means, it is rare that sufficient evidence will be smaller databases to determine the referential
• Insert. This gives the user the capability available. This option by itself is the entirely integrity constraints between different fields,
to insert records into the table or view. worst option available to the reviewer, but it but in a larger database containing thousands
• Update. This updates records in the table can provide additional evidence in support of of tables there is no way to do this in a simple
or view. the other methods. This is chiefly used in the manner using manual techniques.
event of a forensic investigation.
• Delete. Delete enables the user to delete When conducting an audit of a database for
records from a table or view. CASE (Computer Aided Software Engi- compliance purposes, it is not just security
functions such as cross-site scripting and se-
• Alter. This allows the user to alter the neering) Tools quel injection that need to be considered. Re-
table. CASE tools can be a great aid to auditing da- lationships between various entities and the
tabase systems. CASE or Computer-Assisted rights and associated privileges that are asso-
• Index. This allows the user to create in-
Software Engineering tools not only help in ciated with various tables and roles also need
dexes on a table.
the development of software and database to be considered. The CASE tools allow us to
• References. This enables the user to cre- structures, but can be used to reverse-engineer visualize the most important security features
ate foreign keys that reference the table. existing databases and check them against a associated with a database. These are:
discrepancy report. that may result in damage to the database if vulnerabilities. Nessus for instance has a vari-
it was running on the large system. This pro- ety of plug-ins associated with Oracle, Micro-
Next, the capability to create a complex ERD
vides a capability for the reviewer to validate soft SQL and My SQL databases. These plug-
or Entity Relationship Diagram in itself adds
the data in the database against the business ins allow Nessus to check for vulnerabilities
value to the audit. Many organizations do not
rules and constraints that have been defined by associated with these particular database sys-
have a detailed structure of the database, and
the models and generate detailed integrity re- tems as well as also checking for application
these are grown organically over time with
ports. This capability gives an organization ad- vulnerabilities and operating system vulnera-
many of the original designers having left the
vanced tools that will help them locate faulty bilities that may be associated with the system
organization. In this event, it is not uncommon
data subsets through the use of automatically and may affect the database. Further, many of
for the organization to have no idea about the
generated SQL statements. the database vendors also provide free tools.
various tables that they have on their own da-
Microsoft SQL server comes with the SQL
tabase. Vulnerability Assessment Tools server analyzer. This product looks at the best
Another benefit of CASE tools is their ability Any database sits on top of another operating practices for the SQL database and can ana-
to migrate data. CASE tools have the ability system. As such tools such as NMAP may be lyze against these best practice statements.
to create detailed SQL statements and to rep- used to check for open ports on the database
licate through reverse-engineering the data Local Security
system and determine if there are other ser-
structures. They can then migrate these data vices running on the host. This is important as The security of the database overall is only
structures to a separate database. This is useful standards (such as PCI-DSS) call for the re- ever as good as the security of the system it
as the data can be copied to another system. striction of other services to the host allowing resides on. Anyone with physical access to the
That system may be used to interrogate tables only those that are necessary. This means that host or administrative access to a system can
without fear of damaging the data. In partic- the database has to be a bastion. compromise a database. At the least copying
ular, the data that has migrated to the tables of the data is possible – stories of people who
does not need to be the actual data, meaning That is the system needs to be built for purpose
have purchased hard drives from organizations
that the reviewer does not have access to sen- and should not be shared with other applica-
that have not wiped the data on the drives and
sitive information but will know the defenses tions. Next vulnerability and assessment tools
that have sold them via eBay only to have re-
and protections associated with the database. ranging from Nessus through to commercial
covered data are a near daily occurrence.
This is useful as the reviewer can then per- assessment tools such as CORE IMPACT may
form complex interrogations of the database be used to check the database for a variety of No database can be considered compliant with
2 - 4 September 2009
nd th
http://2009.eurospi.net
Tutorial Day
4 Stream Conference Day Experts from Industry
Mixture of Industry and Research Session and Research from
24 Countries
SPI Manifesto Event
EU Certificates Day
Exhibition
This article sets out a project-based experience Let’s take a look at each of the parts of this Unit Testing
of Automated Testing in the context of soft- pattern in a little more detail:
A key part of the process, underpinning all
ware developed with the Java-Swing program-
Foundation the efforts that follow, is that of Unit Testing.
ming framework. In terms of business domain,
Typically, the developers will use a standard
the software represented an advanced costing This part is really crucial to the success of a
unit testing framework, which for Java would
tool for use by underwriters in the re-insurance project-based QA/Test effort. Its role in the
most likely be JUnit1.
business. However, we focus here on the pat- pattern is to set out the fundamental project is-
tern of solution more than the domain-specific sues which must be achieved in order to maxi- Defect Management
re-insurance aspects. mise the success of the overall QA effort. This
This part of the QA/Test process reflects that
naturally affects also the possible successful
This article is based on material from the forth- part which turns testing into a genuine Quality
outcome of any automated testing effort. For
coming book “Automated Functional Testing Assurance process. As hinted in the Founda-
an automated testing effort to be given at least
for Java-Swing”, to be published by the author tion part of the pattern, it is important for a de-
some chance of success, the QA/Test team
in April, 2009. velopment project to recognize the importance
needs strong support from both the IT as well
of defects, not just as negative things to be got
Structure of Project QA Activities as the business parts of a project. The collabo-
rid of, but as extremely positive, naturally oc-
ration from the IT group is particularly impor-
The structure of the Quality Assurance (QA) curring items of project life. Indeed, defects
tant for the pattern presented here, as we need
activities in this project-based development are to be aggressively sought within a project if
IT involvement in specializing the application
setting, can be summarized as shown in Figure the deeply negative characteristics of them are
slightly to enable access to the internals of the
1, below: to be avoided that of their impact on the user
application.
community if they are deployed to
the productive environment.
User Acceptance Test
End-to-End Testing Manual Testing
Defect Management
Manual Gadget ‘Classic’ Performance Load ... Yes – Manual Testing. This is al-
Testing Testing Automated Testing Testing ways a theme in the project-based
Testing QA/Test story, particularly for
projects that are at the very be-
Unit Testing
ginning of their development. In
Foundation: Team engagement these cases, it is quite usual that
Roles & responsibilities within the project a large part of the functionality of
Buy-in to QA/Test process from the project the software will have to be manu-
Establish & communicate the QA/Test process ally tested. This arises from the
unfortunate fact of project life that
Figure 1 – QA/Test Pattern software in its initial development
phase is usually highly volatile in
In this pattern you can see that the ‘classic’ In order for good collaboration to happen, terms of its user interface design, thus preclud-
automated testing, of the type that we will ad- such things as team engagement and having ing automated testing.
dress here, is only one part of the overall Qual- a clearly established set of roles & responsi-
ity Assurance effort. The target of our QA work bilities, is essential. Having a clear technical Gadget Testing
on this project was, from the outset, to develop process set out is one thing, but this must be This part of the testing process is a catch-all for
a strategy which could be termed Agile, in that communicated to all project members by the the testing which uses specialist executables
it fitted in with the iterative build cycle on the QA workstream. that fulfill specialist testing tasks. This form
project, as well the highly seasonal nature of of testing would be used if the software being
the development/deployment process itself.
1 http://www.junit.org
37, 175
Biography
David Harrison works as an independent
software QA/Test Manager – currently
at SwissRe, Zurich, Switzerland within
the tools development group. This group
has the mandate to develop and deploy
reinsurance costing tools to the actu-
ary and underwriter desktop. He can be
contacted at dharrison_ch(a-t)yahoo(dot)
ne: co(dot)uk.
© Katrin Schülke
This article is based on material from his
forthcoming book: “Automated Software
Testing for Java-Swing; A Pattern of Solu-
tion”, to be published in June, 2009.
Berlin, Germany
IT Law
Contract Law
German
English
French
Spanish
www.kanzlei-hilterscheid.de
info@kanzlei-hilterscheid.de
Software Configuration
Management-SCM
by Mahwish Khan
The first Law of Software Engineering is: • Scheduling constraints Purpose of Software Configuration Manage-
ment:
“No matter where you are in the system life • Customer expectations
cycle, the system will change, and the desire The goals of SCM are in general:
• Unanticipated or unexpected opportuni-
to change it will persist throughout the life
ties for an improved system • Configuration Identification: What
cycle.”
code are we working with?
Some of these changes may appear as options,
(Bersoff, et al, 1980)
while others may be mandated from above or • Configuration Control: Controlling the
Change is inevitable and software is affected by circumstances, as in loss of funding. In ad- release of a product and its changes.
by change from when it starts to be built. Even dition, many development efforts involve a
• Status Accounting: Recording and re-
though everyone knows about the high rate of progressive evolution or elaboration of capa-
porting the status of components.
change, change initiatives fail at an alarming bilities and requirements.
rate. This is because most initiatives fail to • Review: Ensuring completeness and con-
Now the point arises why SCM is important.
consider how the changes will affect the sys- sistency among components.
Why we are giving so much attention to change
tem. As change increases, so does the level of
management? So the answer is: where there • Build Management: Managing the pro-
confusion among software engineers working
is a change, there is a configuration and con- cess and tools used for build.
on a project, and confusion arises if changes
figuration needs to be managed, because if we
are not analyzed before they are made, re- • Process Management: Ensuring adher-
don’t control the change, it will control us and
corded before they are implemented, reported ence to the organization’s development
that’s never good. It’s very easy for a stream of
to those with a need to know, or controlled in process.
uncontrolled changes to turn a well-run soft-
a manner that will improve quality and reduce
ware project into chaos. That’s why SCM is an • Environment Management: Managing
error.
essential part of good project management and the software and hardware that host our
“There is nothing permanent except change”. solid software engineering practice. system.
(Heraclitus)
Software Configuration Management is an • Team Work: Facilitate team interactions
Role of Change: umbrella activity that is applied throughout related to the process.
the software process. Because change can oc-
All projects have a main objective of wanting cur in any phase of the software development • Defect Tracking: Making sure every de-
to change something, from a manual to an au- life cycle. Before we proceed, it is important fect has traceability back to the source.
tomated system. In fact, systems are upgraded to have a clear understanding of SCM and its
or replaced, presumably to provide better or activities, which are developed to:
SCM Functional Areas:
greater functionality, ease of use, reduction of The discipline of software configuration man-
operating costs, etc. As a project is executed, 1. Identify the need of change
agement defined for software projects is to en-
changes to the initial project plan and prod- 2. Control change sure that a sound SCM process is implemented.
ucts are a natural occurrence. There are some SCM is comprised of four major activities: SC
sources of change: 3. Ensure that the change is being properly
Identification, SC Control, SC Status Account-
implemented, and
• Requirements: The longer the delivery ing and SC Auditing. All SCM activities fall
cycle, the more likely it is to happen. 4. Report changes to others who may be in- within bounds of these functions.
volved.
• Changes in funding These terms and definitions change from stan-
dard to standard, but are essentially the same.
• Technology advancement Let’s look at the detail of each of the major
• Solutions to problems functions.
Maintain
Description Records Physical Establish Change
Configuration Criteria
Audits
Maintain
Configuration Establish Review &
Verification Control Org
Physical Physical
Configuration Configuration
Audits Audits Establish Change
Maintain Change
Control Procedure
Status Records
Physical
Configuration Control Revisions to
Maintain History of Audits design, specifications,
change approval etc
References:
I. Software Configuration Management from Software Quality Assurance: Prin-
ciples and Practices by Nina S. Godbole
II. Software Configuration Management from Software Engineering, A practitio-
ner Approach by: Roger S. Pressman.
© iStockphoto.com/ Andresr
Subscribe at
www.testingexperience.com
AB OU T T H E AU T H ORS
Alan Page has been a software tester for more than 14 years,
including more than 12 years at Microsoft Corporation.
Ken Johnston is group manager for testing in the Microsoft
Office business group.
Bj Rollison is a Test Architect in the test excellence organization
at Microsoft.
Authors’ website: http://www.hwtsam.com
The implementation of test design techniques techniques can be found in [2], [3] and [4]. future, as customers too are getting more and
in an organization usually has a lot more im- more aware of the fact that the quality of their
pact than initially expected. Most test profes- The Initiative products and/or services is also determined by
sionals that come in touch with test design The initiative to implement test design tech- the quality of testing.
techniques start off with a lot of enthusiasm niques often starts with the professional tester This paper starts with the testers’ viewpoint.
and are eager to implement them in the proj- who wants to bring into practice what he or The test manager sends some of his testers on
ects they are involved in …. only to find that she has learned in a testing course. Attending a testing course. He believes that using test
there is more to the implementation of test de- this course can be the result of career-planning design techniques will not only benefit the
sign techniques than simply letting the testers (possibly from within his organization), or overall product quality, but also help to better
apply the technique. based on a management decision, trying to control the test project.
With this article the authors, all of them test improve the quality and/or effectiveness of
consultants at Improve Quality Services in testing based on success stories from other
The Netherlands, will provide an overview of projects or companies. Maybe even the testing
what impact the implementation of test design process itself has to be improved because there
techniques can have on the various stakehold- have been complaints
ers in an organization (and thus in a project). from the customer
The overview provided is based on practical about the effective-
experiences in multiple domains (e.g. finance, ness of testing, e.g. too Stakeholders
medical and transport) with stakeholders like many major defects
project management, resource management, in production or dur-
test management, testers and customers/us- ing acceptance testing.
ers. For each of these stakeholders, there are Keep in mind that the
benefits coming from the implementation of purpose of testing is to
the test design techniques, such as more pre- contribute to the qual-
Customer Tester
dictable quality, clearer risk mitigation, clearer ity of the product. Test
priorities and better control (see [3] for a list design techniques are
of benefits). However, there are not only bene- one of the many means
fits: various types of cost can also be expected. by which this funda-
Naturally, costs means money involved, but mental objective can
also means resources and skills, workshops be achieved.
resource test
and training, quality of the test basis, neces- We even have seen management management
sary process improvements and creating test cases where the cus-
awareness. tomer takes the initia-
This article is applicable to implementing all tive and requires that project
types of test design techniques: specification- the supplier can show management
based (black box, also known as behavioral that test design tech-
techniques), structure-based (white box or niques have been ap-
structural techniques) and experience-based. plied. Though this is
Specification-based techniques include both mostly seen in safety-
functional and non-functional techniques (i.e. critical products, this
quality characteristics). More on test design might become com-
mon practice in the Figure 1: Stakeholders for good test design
June 22nd - 23rd, 2009 in Bad Homburg (near Frankfurt am Main, Germany)
The international well-known speakers are amongst others:
Prof. Dr. Schulte-Mattler, Dr. Mike Bartley, Dorothy Graham, Rex Black,
.%5
NDREAS 3PILLNER 4ILO ,INZ (ANS 3CHAEFER
3OFTWARE 4ESTING &OUNDATIONS
Erik van Veenendaal, Graham Bath, Vipul Kocher, Manu Cohen-Yashar,
!NDREAS 3PILLNER 4HOMAS 2ONER -ARIO 7INTER 4ILO ,INZ
0RAXISWISSEN 3OFTWARETEST ¯ 4ESTMANAGEMENT
UDY 'UIDE FOR THE #ERTI½ ED 4ESTER %XAM !US
UND 7EITERBILDUNG ZUM #ERTI½ ED 4ESTER
À
À
&OUNDATION ,EVEL
)341"