Monday, April 30, 2012
The term “penetration testing” is not unheard these days and perhaps many of us are familiar with this type of testing. In this piece of writing we have discussed how the penetration testing tools emphasize up on the network security.
About Penetration Testing
- Penetration testing is yet another testing methodology that has been adopted for testing the security of a computer network or system against the malicious attacks.
- It provides a way to evaluate the security level of the computer network by bombarding the network with false simulated attacks as malicious attacks from the outside as well as inside attackers.
- The aliens, foreigners or outside attackers do not hold any authorized access to the computer system or network but the inside attackers do have that access, but it is limited to a certain level.
- The whole process of the penetration testing is dependent on an active analysis.
- This active analysis carries out an assessment of all the potential vulnerabilities of the computer network or system that are merely a consequence of its poor security level as well as configuration level.
- Apart from this, the known and unknown flaws form both the hardware as well as software system contribute to these vulnerabilities rather than only operational weaknesses.
- Therefore they are to be blamed equally.
- This active analysis is successful only if it is carried out from the view point of a malicious attacker and is concerned about the active exploitation of the recognized vulnerabilities.
About Network Security
- The network security depends up on the effectiveness of the testing.
- And the testing in turn is affected by the effectiveness of the tools that are employed in the testing.
- The tools indeed affect the network security, since if the tools are reliable and efficient in finding vulnerabilities, obviously there will be more improvement in the security mechanisms.
Reasons why Penetration Testing holds good for Network Security
There are several other reasons why the penetration testing tools holds good for the network security:
- They are effective for the determination of the feasibility of the similar vectors of attack.
- Help in the identification of the vulnerabilities which possess a very high risk when the exploitation of a combination of low level risks is done following a particular sequence.
- Prove quite effective in the determination of the vulnerabilities that cannot be detected with the help of application vulnerability scanning software or automated testing processes.
- Assist in the assessment of the measure of the operational and business impacts of the attacks on the computer network or system.
- Successfully test the effectiveness of the network defenders in detecting and responding to the attacks.
- Provide the evidence in support of the investments that need to be made in the security field of the computer system or network.
So many software development processes have come up with the specifications and benefits of their own. The iterative development is one such development strategy which has been identified as an agile software development process.
The basic practices of the iterative development have been discussed here. But, before moving on to the approaches will have brief discussion regarding the iterative development.The iterative part forms the first half of the heart of the cyclic software development process with the other half being formed by the incremental development.
The iterative development strategy was the resultant of the response to the weaknesses spotted in the water fall model of the software development and testing. Like any other cyclic software development process, the iterative development process also has its starting with an initial planning and ends up with deployment and it has so many cyclic interactions happening in between the ned points.
The iterative development process forms an important and non neglect-able part of the following processes;
- Rational unified process or RUP
- Extreme programming or XP and
- Various other agile software development methods
The idea of a simple business process improvement has been implemented in the iterative development which has its flow like as shown below:
Plan à DO à Check à Act
What is meant by Iterative Development?
- Iterative development is itself an agile software development strategy which has its basic idea revolving around the use of the iterations in smaller intervals of time called the incremental.
- This agile software development strategy helps the testers and the developers to exercise their past experience of the learning in to the current testing scenario.
- With every new iteration, the design of the software system or application is modified and is incorporated with some new functionalities or features.
- The procedure for the iterative development process consists of the following steps:
- The Initialization step
- The iteration step and
- Project control list
- The first step i.e., in the initialization step involves the building up of the foundation or the base version of the proposed software system or application.
- Actually, a base version is created so that the user can react with the software product and also to have a key sample of the problems of the software system or application and also possible solutions that are easy to understand and implement.
- The control list contains all the tasks that have to be performed in order to complete the software development process.
- As the analyzation phase progresses, the project control is also revised timely and frequently as and when any change in the requirements is wanted.
- With every iteration, a task from the project control list is accomplished or redesigned.
- The below mentioned are some of the goals of the iterative development process:
- Straight forward
- Redesigning supportive at that particular stage etc.
- Every iteration is analysed on the basis of the below mentioned factors:
- Structure of the iteration
- Achievement of goals and
Based on the results of the above factors, the project control list is modified accordingly.
Phases of Iterative Development
The whole iterative development consists of the following 4 phases:
- Inception phase: It involves identification of the project scope, risks and both the functional as well the non functional requirements.
- Elaboration phase: It involves the delivery of a working architecture fulfilling all the requirements and mitigation of the top risks.
- Construction phase: It involves implementing the production ready code in to the architecture.
- Transition phase: It involves delivery of the project in to the production environment.
Sunday, April 29, 2012
The term “penetration testing” is not so rare and perhaps many of us familiar with this type of testing. In this piece of writing we have discussed the penetration testing in more detail.
About Penetration Testing
- Penetration testing is another testing methodology adopted for testing the security of a computer network or system against the malicious attacks.
- Penetration testing evaluates the security level of the computer network by bombarding the network with false simulated attacks as malicious attacks from outside as well as inside attackers.
- The outside attackers do not hold any authorized access to the computer system or network but the inside attackers do have than access but only to a certain level.
- The whole process of the penetration is based on an active analysis.
- This active analysis assesses all the potential vulnerabilities of the computer network or system that are merely a result of its poor security level as well as configuration level.
- Apart from this, the known and unknown flaws form both the hardware as well as software system contribute to these vulnerabilities rather than only operational weaknesses.
- This active analysis is carried out from the view point of a malicious attacker and is all about the active exploitation of the recognized vulnerabilities.
Steps in Penetration Testing
- First step in the penetration testing is always the identification of the vulnerabilities.
- The identified issues and vulnerabilities are then brought to the notice of the whole development team.
- A number of penetration tests are then carried out on that particular system along with the coupling of the information with the active assessment of the risks associated with the computer system or network.
- A whole lot of effective procedures are designed to reduce the affect of these vulnerabilities.
Advantages of Penetration Testing
There are several other reasons why the penetration testing holds good:
- It is effective for the determination of the feasibility of the similar vectors of attack.
- Helps in the identification of the vulnerabilities which possess a very high risk when the exploitation of a combination of low level risks is done following a particular sequence.
- Proves quite effective in the determination of the vulnerabilities that cannot be detected with the help of application vulnerability scanning software or automated testing processes.
- Assists in the assessment of the measure of the operational and business impacts of the attacks on the computer network or system.
- Successfully tests the effectiveness of the network defenders in detecting and responding to the attacks.
- Provides the evidences in support of the investments that need to be made in the security field of the computer system or network.
Penetration testing has been recognized as an important component of the security audits. The penetration testing can be carried either way round i.e., either through the black box testing route or through the white box testing route.
The path to be taken is decided by the amount of knowledge that the tester has about the system or network under testing. If the tester has got a brief knowledge then the black box testing route is followed else the white box testing techniques are preferred.
Another thing to be determined before starting the testing is the location of the system that has to be tested and also its extent.
Penetration testing if carried through white box testing
For following the white box approach to penetration testing, the testers needs:
- to have the full knowledge of the system infrastructure,
- to have the full knowledge of the source code,
- to have the full knowledge of the IP address and
- to have the full knowledge of the network diagrams etc.
In some cases the grey box approach to penetration testing can also be followed based on how much information is available. Black box approach is useful for simulating an outsider attack whereas the white box approach can simulate and insider attack.
Saturday, April 28, 2012
Production verification is also an important part of the software testing life cycle like the other software testing methodologies but is much unheard of! Therefore we have dedicated this article entirely to the discussion about what is production verification testing?
This software testing methodology is carried out after the user acceptance testing phase is completed successfully. The production verification testing is aimed at the simulation of the cutover of the whole production process as close to the true value as possible.
This software testing methodology has been designed for the verification of the below mentioned aspects:
- Business process flows
- Proper functioning of the data entry functions
- Proper running of any batch processes against the actual data values of the production process.
About Production Verification Testing
- Production verification testing can be thought of as an opportunity for the conduction of a full dress rehearsal of the changes in the business requirements if any.
- The production verification is not to be confused from the parallel testing since there is a difference of the goal.
- We mean to say that the goal of the production verification testing is to verify that the data is being processed properly by the software system or application rather than comparing the results of the data handling of the new software system software or application with the current one as in the case of parallel testing.
- For the production verification testing to commence, it is important that the documentation of the previous testings is produced and the issues and faults that were discovered then are fixed and closed.
- If there is a final opportunity for the determination of whether or not the software system or application is ready for the release, it is the production verification testing.
- Apart from just the simulation of the actual production cut over, the real business activities are also simulated during the phase of the production verification testing.
- Since it is the full rehearsal of the production phase and business activities, it should serve the purpose of the identification of the unexpected changes or anomalies presiding in the existing processes as a result of the production of the new software system or application which is currently under the test.
- The importance of this software testing technique cannot be overstated in the case of the critical software applications.
- For the production verification testing, the testers need to remove or uninstall the software system or application from the testing environment and reinstall it again as it will be installed in the case of the production implementation.
- This is for carrying out a mock test of the whole production process, since such kind of mock tests help a lot in the verification of the interfaces, existing business flows.
- The batch processes continue to execute alongside those mock tests.
- This is entirely different from the parallel testing in which both the new and the old systems run besides each other.
- Therefore in parallel testing, the mock testing is not an option to provide accurate results for the data handling issues since the source data or data base has a limited access.
Entry and Exit Criterion for Production Verification Testing
Here we list some of the entry and exit criteria of the production verification testing:
- The completion of the User acceptance testing is over and has been approved by all the involved parties.
- The documentation of the known defects is ready.
- The documentation of the migration package has been completed, reviewed and approved by all the parties and without fail by the production systems manager.
- The processing of the migration package is complete.
- The installation testing has been performed and its documentation is ready and signed off.
- The documentation of the mock testing has been approved and reviewed.
- A record of the system changes has been prepared and approved.
Friday, April 27, 2012
Software testing like any other process of the software development cycle is a very critical and important phase and so does it has been dedicated an entire cycle called software testing life cycle. Without software you will not have any direction in the way of software development.
The overall efficiency of the software testing depends a whole lot on the professionals or individuals performing it. This article is about the people who are involved with the software testing.
- Developer: A developer as the name suggests is responsible for taking care of all the development activities like:
(a) Preparation of the test plan before the coding of the software system or application starts.
(b) Creation of the input test data as per the various software testing methodologies are to be used.
(c) Preparation of the documentation of the expected outcomes of the different test cases.
(d) Testing the source code according to their personally developed schemas.
(e) Documentation of the actual test results.
(f) Validation of the code whose actual output is same as the expected outcome.
(g) Filling up the project documentation repository with the results of the unit testing and the test data used as input.
(h) Active participation in the process of the code reviews to ensure that the unit testing is complete.
- Data architect or Data Modeler: Data architect is responsible for taking care of the management of all the issues regarding the architecture and build of the software system or application:
(a) Testing of the scripts written in data definition language (DDL) as per their personally developed schema.
(b) Filling up the project documentation repository with the tested and validate DDL scripts.
- Senior Developer or System Tester: A team consists of more than one senior developers or system testers and they are responsible for taking care of the actual software testing of the software system or application. They share some responsibilities with the developers:
a) Active participation in the process of the code reviews like the developers for determining that the unit testing has been completed successfully.
b) Preparation of the test plan
c) Creation of the test data for input to input to test cases.
d) Preparation of the documentation of the expected outcomes of the different test cases.
e) Implementing the code in the testing environment
f) Execution of the work streams that are comprised of the system tests along with their scripts.
g) Validation of the actual results of the tests.
h) Creation of the defects if required for some kinds of testing techniques like fault injection techniques, in defect management tracking tools etc.
(i) Filling up the project documentation repository with the results of the system testing and the test data used as input.
- Data base Administrator: They share the responsibilities of the following tasks:
a) Creation of the system, quality assurance, release testing, user acceptance and integration environments.
b) Execution of the scripts written in DDL or data definition language and DML or data manipulation language in the environments as specified in the test plan.
c) Preparation of the restores and back ups.
- Integration Tester or Senior ETL Designer: They are responsible for:
(a) Participation in the system test reviews for ensuring the completeness of the system.
(b) Preparation of the integration test plan.
(c) Creation of the integration test data.
(d) Documentation of the expected outcomes of the integration test results.
(e) Implementing code in the integration testing environment.
(f) Validation of the actual integration test results.
- Quality assurance people
- QA software tester
- User acceptance tester
- Release manager
- Production support specialists
Security is the top priority, be it any type of application or software. It has an importance that keeps growing with every phase of the software system or application development. Its importance is also reflected in the open source and commercial projects. Security is a very vast topic and there are many ways to implement and maintain security for all the stages. The data filtering of user input is one such way and this article is focused on this.
About Filtering of User Input
Being practical, almost all the applications or software systems depend on some external input or data to process and give out output or to start some process.
- This input or data is supplied by the user or in some cases by some other applications (may be bots, web services clients, and scanner and so on).
- Nobody knows what might be the nature of the user input, it can be either harmless or it can be malicious. - So it becomes mandatory for every developer to filter out this incoming foreign data.
- Input filtering is one of the important processes of the security mechanism of any application software and is independent of the environment and language.
- Today there are so many tools available that serve the purpose of filtering the input or data, for example, CGI for Perl.
- Foreign data can constitute of anything ranging from a web form to the results of the data base queries and also cookies, files, web services data, environment variables, server variables and so on.
- The filter tools support all these kinds of user inputs.
- The testing, validation as well as filtering of the custom or user input data every now and then can be quite annoying as well as time and effort consuming task.
- It is quite common that while testing the tester may forget to write a test and if written also it might be incomplete.
- The filtering tools and extensions help curb these types of traps.
- Usually filter tools follow two types of filtering methodologies:
- Logical filtering: It involves a strong and stringent analysis of the input data, checking for the correctness of the formats and the expected type is returned if the data passes the test.
- Sanitizing filtering: It involves determining whether or not to allow certain characters in a string. The data format is really not cared about in this type of filtering and a string is always returned.
How can filters be useful?
- It is quite a misconception that filters provide an object oriented interface. It is not so.
- There are some filters that are also capable of turning ordinary line breaks in to effective HTML tags.
- Using the filters you can decide which input formats are to be made available to the users or you can put up a default format.
- While the application is working up on the user input, keeping it as secure as possible prevents many security hazards.
- One of the most severe security risks is encountered whenever the full HTML is posted without being filtered.
- Most of the PHP filters are considered to be dangerous as they allow the execution of the code driven queries and other things on the data base of the web site.
- For better input filtering, one needs to explore the modules for installing special filters that allow one to embed references to other resources, videos and so on.
- Input filtering is much similar to filtering water for drinking and other uses.
- In some of the cases the application functions with the malicious data also, this leads to a kind of robustness of the application.
Thursday, April 26, 2012
What is a testing framework?
- Testing framework is considered to be an object oriented approach to testing since it helps in providing suitable environment and language for testing the software system or application.
- A testing framework can be defined as a set of concepts, assumptions and tools that are the means for providing support for testing the software systems or application.
- The testing frameworks are generally used in the automated testing and such testing frameworks are called the test automation frameworks.
- The main advantage here for which the testing frame works are used is that they reduce the overall testing and development cost by a large amount.
- If any change or modification is made to the test cases, then all the tester needs to do is to update the test case file since the start-up script and the driver script will remain the same.
- This reduces the hectic task of updating the scripts when the changes have to be made to the software system or application.
- The testing framework if chosen properly can help in reducing the development costs by a big margin and the lower cost can be maintained throughout the development process.
- These costs are basically due to the maintenance efforts, test scripting and development processes.
- Using any approach with testing frame work has a great impact on the costs.
Types of Testing Frameworks
- Linear testing framework: This is commonly used for the code that is procedure oriented and is generated by the tools using techniques such as recording and playback.
- Structured testing framework: This testing frame work is composed of the control structures and hence got the name. It is constituted by control structures such as switch, while, for, if-else condition statement etc.
- Data driven testing framework: This testing frame work involves persisting of the data outside a test in either a spreadsheet or a database.
- Key word driven testing framework
- Hybrid testing framework: This type of frame work is the resultant of the combination of two or more types of above mentioned testing frame works.
What does testing framework account for?
- A testing frame work is said to account for the following things:
- Definition of the format so that the expectations can be expressed.
- Creation of a mechanism for driving or hooking an application that is under test.
- Execution of the tests.
- Reporting of the results.
- The execution of the powerful and complex tests eats up a lot of time and it also requires quite large budget when only capture tool is used.
- Since the tests are created ad hoc, it becomes very difficult to track these functionalities and reproduce them.
- A test automation framework serves as a better support option when it comes to the automated testing.
- The testing frameworks and other tools are incorporated in to a test automation interface for carrying out the integration as well as system testing.
- The test automation interface is employed for the mapping of the tests without putting them in to the way of the development process.
- Test automation frameworks are known for improving flexibility and efficiency of the test scripts.
- There are 3 main core modules of any test automation interface:
1. Interface engine: The engine lies on the top of the environment and consists of a test runner and parser.
2. Interface environment: It consists of project library and frame work library.
3. Object repository: It consists of object application data recorded by the testing tool.
The concept of software testing seems like an amalgam of similar terms, all mixed up in to each other. We all get confused sometimes between the different but similar sounding terms.
For greater understanding of the software testing, one needs to know exactly what all the inclusive terms mean and how and where they are used or implemented. This piece of writing is dedicated to the cause of removal of such confusions. In this article we are going to clear three major concepts of software testing namely test plan, test strategy and test scenarios.
1. Test Plan
- It does the same as a normal plan would do i.e., detail out a systematic approach to the accomplishment of a certain task.
- For the test plan the task is the successful completion of a particular software testing.
- A test plan gives a detailed approach of all the processes or activities to be undertaken during the testing.
- A test plan marks the work flow of the software testing mechanism.
- A test plan states the strategy to be followed to make the software testing successful.
- It provides a means to check whether or not the software system or application meets all the requirements and specifications as mentioned by the client or the customer in the documentation.
- The test plan is usually created by the testers.
- A typical test plan includes the following fields:
(a) Compliance test or design verification: performed on the product samples while the actual product is in development stage.
(b) Production test or manufacturing: performed during the assemblage process of the product for assuring quality and performance.
(c) Commissioning test or acceptance: performed while the product is being installed.
(d) Repair test or servicing: performed during the product’s service life.
(e) Regression test: performed on an existing version of the product to ensure the working of the functionalities.
- The level of the design of the test plan depends on the complexity level of the software system or application.
- For more complex systems high level test plans are created.
- Apart from the above mentioned tests, a typical test plan must cover about the test methodologies, test coverage and test responsibilities. - It also states what all requirements are to be verified in the testing.
2. Test Strategy
- Test strategy forms an essential part of the test plan.
- To put it simply we can say that the test strategy is nothing but a superficial sketch or outline of the actual test plan of the software development cycle.
- A test strategy is developed just to inform the project developers about the approach that is to be followed during the testing.
- The key components of a typical test strategy are objectives of the testing, test methods, test duration, resource requirements and test environment.
- Test strategies give the description of the risk mitigation, tests to be carried out and not to forget the entry and exit criteria for the tests.
- For each level of software testing, an individual test strategy is created.
3. Test Scenario
- Test scenarios form an essential component of the scenario testing.
- These test scenarios provide a hypothetical measure to help the tester out of some complex problem encountered during the testing.
- The main characteristics of a typical scenario are its complexity, credibility, motivational story with a reasonable outcome.
- The scenarios are usually lengthy as compared to the length of the test cases probably because of more number of steps are present in a test scenario. 2 or more scenarios together make up a scenario file.