All Posts

  • Why Security Testing?

    With the online world becoming more and more vulnerable to attacks, security is something that cannot be compromised on. To develop secure applications, one really needs to follow a security development lifecycle: security must be considered and tested throughout the project lifecycle of any application.

    What are the processes involved in Security Testing?

    The security testing process involves evaluating the level of risk within the application under test and pointing out its security vulnerabilities using various techniques and tools. This makes it possible to ensure that there is no data theft, no unauthorized access and no other security compromise. Security testing involves Vulnerability scanning, Security scanning, Penetration testing, Security Auditing and Security Review.

    Vulnerability scanning is usually performed with an automated tool that scans for basic, known vulnerabilities; SARA is one such scanning tool. Next in line is Security scanning, where a manual assessment is done alongside the automated scan. Although tools help in building a robust application, every tool has its own blind spots. That is why, in addition to automated scanning, one is required to perform manual testing: going through system responses and examining log files, error messages, error codes and the like.

    The other aspect is Pen testing, or Penetration testing. A real-time simulation environment is used to perform penetration testing. It is a black-box exercise taking an attacker's approach, working the way an attacker would against the system, but carried out in a controlled environment. It is performed internally within the organization without breaching any security terms. Security Auditing addresses a specific control or compliance issue; usually the compliance team or the risk evaluation team performs this assessment. Frequent audits therefore make the application less error prone and less vulnerable.

    Finally, Security Review is static testing: the review is performed as per industry standards by reviewing documents and architecture diagrams and performing gap analysis. It is largely done as code review, taking into account the architecture diagrams and documents, which are very important. Together, these security testing processes ensure that the applications developed are not prone to security risks of any kind.

  • When recording HTTPS with JMeter, follow the steps below:

    1. In HTTP Request Defaults (Test Plan -> Thread Group -> HTTP Request Defaults), set:

    Server Name or IP [IP of the server]
    Port Number [Port number of the server]
    Implementation [HttpClient4]
    Protocol [https]
    Path [/]

    2. In the Recording Controller's HTTP Request, set the same values:

    Server Name or IP [IP of the server]
    Port Number [Port number of the server]
    Implementation [HttpClient4]
    Protocol [https]
    Path [/]

  • What is JMeter?

    JMeter is an open source Java application designed to load test functional behavior and measure performance. JMeter is an Apache project used by a large open source community. Being a part of Apache, JMeter has comprehensive protocol coverage and scripting capabilities.

    What can you do with JMeter?

    JMeter is used to test the performance of both static and dynamic resources such as static files, Java Servlets, CGI scripts, Java objects, databases, FTP servers and more. JMeter can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. JMeter can run on any environment/platform such as Windows, Linux, Mac, etc. Its multithreading framework is highly extensible and can be used to perform automated and functional testing.

    When compared to other testing applications, 80% of what is required can be accomplished with a simple, intuitive GUI, and not much scripting is required to achieve that. Since JMeter is backed by such a large community, any use case that comes to mind probably already has an answer within JMeter. With JMeter one can build test scripts that are realistic and accurate.

    What are JMeter limitations?

    JMeter is not a browser, as it does not perform all the actions supported by browsers. To be more precise, it does not execute the JavaScript present in HTML pages, nor does it render the HTML page as a browser does. It has limited support for JavaScript, AJAX and complicated frameworks. Also, the total number of threads (virtual users) generated by the test plan should be less than 300 per engine.

    One of the major limitations is that everything goes through a single console. Under heavy load the GUI consumes a lot of memory, and the console server alone cannot sustain such a load, which leads to out-of-memory errors and disconnection logs.

  • Selenium 2 is the newest addition to the Selenium toolkit. This brand new automation tool provides all sorts of test features, including a more cohesive and object-oriented API as well as an answer to the limitations of the old implementation. Selenium2Library is a popular Robot Framework test library. Selenium2Library runs tests in a real browser instance; it works with most modern browsers and can be used with both Python and Jython interpreters.

    Selenium is a set of different software tools each with a different approach to supporting test automation. The entire suite of tools results in a rich set of testing functions specifically geared to the needs of testing of web applications of all types. One of Selenium’s key features is the support for executing one’s tests on multiple browser platforms.

    Selenium is highly flexible, as there are many ways one can add functionality to both Selenium test scripts and Selenium's framework to customize test automation. Since Selenium is open source, the source code can always be downloaded and modified. The operations performed are highly flexible, allowing many options for locating UI elements and comparing expected test results against actual application behavior. This is perhaps Selenium's greatest strength when compared with other automation tools.

    • by User on 2-Dec-2013

    Need for Cloud Testing – Issues and Challenges 

    Traditional testing has limitations such as latency, performance, concurrency and planning issues, and it is far too expensive. Cloud testing is a big game changer and overcomes the challenges faced with traditional testing. It can be used to provide a flexible, scalable and affordable testing environment at all times or on demand.

    Cloud testing typically involves monitoring and reporting on real-world user traffic conditions as well as load balance and stress testing for a range of simulated usage conditions. The availability of virtual machines eases the process of setting up, using, reusing and running test setups. Complex test setups are available as stacked templates, making it easy to integrate complex automation into various processes to build complex cloud testing systems.  

    Cloud testing is a great fit for an agile environment. It can be leveraged across the whole life cycle of a web or mobile application, right from the beginning of development until the application is in production. Today, if you need to generate thousands of virtual users to test a specific web application, the number of servers required for that test can be deployed within a couple of minutes. Best of all, you only need to pay for those servers for the duration of the test, making it more economical and viable.

    Cloud testing is flexible enough that it can be used for continuous performance testing. Test maker runs tests in multiple cloud testing environments, making it possible to manage performance from different geographical locations. Testers get a real-time testing experience of applications on real browsers and operating systems rather than simulated environments. Cloud testing eliminates the cost of building and maintaining a test lab for load and performance testing. If a specific test environment is required, just use it via the cloud. There is no need to provision expensive and difficult-to-manage test labs.

    Cloud-based testing poses different operational challenges in real-world scenarios. One of the major challenges is creating an on-demand test environment: current cloud technology does not offer supporting solutions that help cloud engineers build a cost-effective cloud test environment. For scalability and performance testing, current frameworks and solutions do not support features such as dynamic scalability, scalable testing environments, SLA-based requirements and cost models. Testing security is yet another concern inside clouds, as security services have become a necessary part of modern cloud technology. Engineers must deal with issues and challenges in security validation and quality assurance for SaaS (Software as a Service) and clouds. Integration testing in the cloud may not be performed at all, for lack of time or because of the additional integration cost, which subsequently affects the performance of the application.

    Cloud testing is under constant evolution, continuously bringing in new opportunities and challenges. It reduces the need for hardware and software resources and offers a flexible and efficient alternative to traditional testing. Finally, moving testing to the cloud is seen as a safe bet, as it does not involve sensitive corporate data and has minimal impact on the organization's business activities. Migrating self-testing to the cloud would bring about a notion of test support as a service.

  • First off, what is Robot Framework? We know the definition: it is a generic test automation framework for acceptance testing and acceptance test-driven development (ATDD). But what does this mean? Well, put simply, it is a platform that empowers QA engineers and testers to create, automate and manage tests and complex workflow scripts very efficiently with its natural language syntax.

    It uses a keyword-driven automation approach and supports a BDD (Behavior Driven Development) and a data-driven approach as well. Once Robot Framework is installed, a set of standard test libraries is installed with it and available for use. These test libraries can further be extended with Python or Java libraries.

    (There are quite a number of external libraries that can be used with this framework, and Selenium2Library is one such publicly available test library. It is a Python implementation of Selenium WebDriver (a tool for automated testing of websites and web applications) for use with Robot Framework. It has 126 keywords that can execute Selenium commands against the browser. The framework also allows users to extend the library and write custom commands.

    So what's the kicker? It's all open source.

    This is a blog post series on the framework, so for more on Robot Framework and Selenium2, stay tuned.)

  • Success doesn't come in a day, sometimes not even in years, for some of our world's most successful entrepreneurs. Let's just go through the ascent to success of some notable personalities, or rather, as we call it, “The Inspiring Lives”.

    Henry Ford - the pioneer of modern business entrepreneurs and the founder of the Ford Motor Company failed a number of times on his route to success. His first venture to build a motor car got dissolved a year and a half after it was started because the stockholders lost confidence in Henry Ford. Ford was able to gather enough capital to start again but a year later pressure from the financiers forced him out of the company again. Despite the fact that the entire motor industry had lost faith in him he managed to find another investor to start the Ford Motor Company - and the rest is history.

    Walt Disney - one of the greatest business leaders who created the global Disney empire of film studios, theme parks and consumer products didn't start off successful. Before the great success came a number of failures. Believe it or not, Walt was fired from an early job at the Kansas City Star Newspaper because he was not creative enough! In 1922 he started his first company called Laugh-O-Gram. The Kansas based business would produce cartoons and short advertising films. In 1923, the business went bankrupt. Walt didn't give up, he packed up, went to Hollywood and started The Walt Disney Company.

    Richard Branson - He is undoubtedly a successful entrepreneur with many successful ventures to his name including Virgin Atlantic, Virgin Music and Virgin Active. However, when he was 16 he dropped out of school to start a student magazine that didn't do as well as he hoped. He then set up a mail-order record business which did so well that he opened his own record shop called Virgin. Along the way to success came many other failed ventures including Virgin Cola, Virgin Vodka, Virgin Clothes, Virgin Vie, Virgin cards, etc.

    Oprah Winfrey - who ranks No 1 in the Forbes celebrity list and is recognised as the queen of entertainment based on an amazing career as iconic talk show host, media proprietor, actress and producer. In her earlier career she had numerous set-backs, which included getting fired from her job as a reporter because she was 'unfit for television', getting fired as co-anchor for the 6 O'clock weekday news on WJZ-TV and being demoted to morning TV.

    J.K. Rowling - who wrote the Harry Potter books selling over 400 million copies and making it one of the most successful and lucrative book and film series ever. However, like so many writers she received endless rejections from publishers. Many rejected her manuscript outright for reasons like 'it was far too long for a children's book' or because 'children books never make any money'. J.K. Rowling's story is even more inspiring because when she started she was a divorced single mom on welfare.

    Bill Gates -co-founder and chairman of Microsoft dropped out of Harvard and set up a business called Traf-O-Data. The partnership between him, Paul Allen and Paul Gilbert was based on a good idea (to read data from roadway traffic counters and create automated reports on traffic flows) but a flawed business model that left the company with few customers. The company ran up losses between 1974 and 1980 before it was closed. However, Bill Gates and Paul Allen took what they learned and avoided those mistakes when they created the Microsoft empire.

    History has more to quote, like:

    • Milton Hershey failed in his first two attempts to set up a confectionary business.
    • H.J. Heinz set up a company that produced horseradish, which went bankrupt shortly after.
    • Steve Jobs got fired from Apple, the company he founded. Only to return a few years later to turn it into one of the most successful companies ever.

    The best in you - your will, your passion, your enthusiasm and your hard work - takes you there, to your dream... Just don't give up!

    Details courtesy: LinkedIn Blog

     

  • Testing Web Services using Apache Bench

    ApacheBench (ab) is a tool for benchmarking an Apache Hypertext Transfer Protocol (HTTP) server. It shows how many requests per second the server is capable of handling.

    A point to note is that ApacheBench uses only one operating system thread regardless of the concurrency level specified by the -c parameter. In some cases, especially when benchmarking high-capacity servers, a single instance of ApacheBench can itself be a bottleneck. To overcome this, additional instances of ApacheBench may be run in parallel to more fully saturate the target URL.

    Apache Bench was recently used to test the capability of the Caleum server, to find the threshold of the total number of web requests it can serve concurrently in its current configuration.

    Working with Apache Bench

    Installing on a Windows machine

    1. Download the software from http://www.apache.org/dist/httpd/binaries/win32/ by selecting any of the mirrors on the site.

    2. Select the latest version of the software, say “httpd-2.2.25-win32-x86-no_ssl.msi” or later.

    3. Double click and install the software. While installing, provide the following information:

    Network Domain: localhost
    Server Name: localhost
    Admin Email: provide a real or fake email
    Leave all default check boxes checked

    4. After installation a start icon will be displayed in the system tray. This means Apache 2.2 has been installed and started.

    5. To verify further, type “http://localhost/” in a browser. If Apache 2.2 has been started, the message “It works!” in bold will be loaded in the browser.

    6. To stop/restart the server, click on the start icon -> Apache 2.2 -> Stop/Restart.

    To measure the performance of a server you may need to point your files to Apache. Since we are doing web service testing, this step is optional.


    Execution:

    1. Open a command prompt and go to the path where Apache Bench is installed, say “C:\Program Files\Apache Software Foundation\Apache2.2\bin”.

    2. Type ab -n 100 -c 10 http://{webserver hostname:port}/{document path}

    You can also provide the authentication details as parameters in the document path, or pass them with the -A option listed below.

    Other options that can be used are:

    -n requests      Number of requests to perform
    -t timelimit     Seconds to max. wait for responses
    -v verbosity     How much troubleshooting info to print
    -b windowsize    Size of TCP send/receive buffer, in bytes
    -C attribute     Add cookie, e.g. 'Apache=1234' (repeatable)
    -H attribute     Add arbitrary header line, e.g. 'Accept-Encoding: gzip'. Inserted after all normal header lines. (repeatable)
    -A attribute     Add Basic WWW Authentication; the attributes are a colon-separated username and password
    -P attribute     Add Basic Proxy Authentication; the attributes are a colon-separated username and password
    -x attributes    String to insert as table attributes
    -y attributes    String to insert as tr attributes
    -z attributes    String to insert as td or th attributes
    -Z ciphersuite   Specify SSL/TLS cipher suite (see openssl ciphers)
    -c concurrency   Number of multiple requests to make
    -T content-type  Content-type header for POSTing, e.g. 'application/x-www-form-urlencoded'. Default is 'text/plain'
    -g filename      Output collected data to gnuplot format file
    -e filename      Output CSV file with percentages served
    -p postfile      File containing data to POST. Remember also to set -T
    -f protocol      Specify SSL/TLS protocol (SSL2, SSL3, TLS1, or ALL)
    -X proxy:port    Proxy server and port number to use
    -i               Use HEAD instead of GET
    -V               Print version number and exit
    -k               Use HTTP KeepAlive feature
    -d               Do not show percentiles served table
    -S               Do not show confidence estimators and warnings
    -r               Don't exit on socket receive errors
    -h               Display usage information (this message)
    -w               Print out results in HTML tables


    Output like the following is displayed in the command prompt after the execution:

    Concurrency Level:      10
    Time taken for tests:   321.212 sec
    Complete requests:      1000
    Failed requests:        11
       (Connect: 0, Receive: 0, Length: 11, Exceptions: 0)
    Write errors:           0
    Document Length:        21 bytes
    Total transferred:      22124 bytes
    HTML transferred:       11994 bytes
    Requests per second:    1.01 [#/sec] (mean)
    Time per request:       1216.319 [ms] (mean)
    Time per request:       156.272 [ms] (mean, across all concurrent requests)
    Transfer rate:          1.81 [Kbytes/sec] received
                            1.61 kb/s sent
                            0.42 kb/s total

    Connection Times (ms)
                  min   mean  [+/-sd]  median   max
    Connect:      200    200   121       212   3000
    Processing:   301   2121   612.8    1921   3267
    Waiting:      211   2112    21       121   1211
    Total:        711   3546   799.3    3281   6547

    Percentage of the requests served within a certain time (ms)
      50%   1212
      66%   3823
      75%   2211
      80%   4555
      90%   5555
      95%   6666
      98%   7777
      99%   8888
     100%   8899 (longest request)


    It shows the total time taken to complete the entire test and the number of completed and failed requests. If any request failed, an additional line breaks the failures down into Connect, Receive, Length and Exceptions.

    While testing a web server, we mainly focus on the failures under Connect and Receive. Length failures are due to the content length not being specified, or to additional data such as ads appearing on the page, which pushes the response beyond the expected length.
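
    The following Python script is an added example and is not part of the original post. It parses an ab summary of the kind shown above and applies the rule of thumb just given: Connect and Receive failures are reported as server-side failures, Length mismatches as a content-variance finding, and a failure-rate and p90-latency threshold are checked on top. It also builds the post's "ab -n 100 -c 10" command line, passing credentials through ab's -A option rather than in the URL. The embedded report is constructed (its figures mirror the sample output above), and the thresholds, the run_ab helper and the sample URL in the usage note are assumptions.

```python
"""Parse an ApacheBench (ab) summary and turn it into pass/fail findings."""
import re
import shutil
import subprocess
from dataclasses import dataclass, field

# Constructed sample report; the figures mirror the post's example output.
SAMPLE_AB_OUTPUT = """\
Concurrency Level:      10
Time taken for tests:   321.212 seconds
Complete requests:      1000
Failed requests:        11
   (Connect: 0, Receive: 0, Length: 11, Exceptions: 0)
Write errors:           0
Document Length:        21 bytes
Total transferred:      22124 bytes
HTML transferred:       11994 bytes
Requests per second:    1.01 [#/sec] (mean)
Time per request:       1216.319 [ms] (mean)
Time per request:       156.272 [ms] (mean, across all concurrent requests)
Transfer rate:          1.81 [Kbytes/sec] received

Percentage of the requests served within a certain time (ms)
  50%   1212
  66%   3823
  75%   2211
  80%   4555
  90%   5555
  95%   6666
  98%   7777
  99%   8888
 100%   8899 (longest request)
"""


@dataclass
class AbReport:
    """The ab summary fields that matter for a verdict on the server."""
    complete: int = 0
    failed: int = 0
    connect: int = 0      # connection could not be established / was reset
    receive: int = 0      # socket error while reading the response
    length: int = 0       # body length differed from the first response
    exceptions: int = 0   # other errors reported by ab
    requests_per_second: float = 0.0
    percentiles: dict = field(default_factory=dict)  # {50: 1212, ...} in ms

    def failure_rate(self) -> float:
        return self.failed / self.complete if self.complete else 0.0


def parse_ab_output(text: str) -> AbReport:
    """Extract request counts, throughput and latency percentiles from ab output."""
    report = AbReport()
    m = re.search(r"^Complete requests:\s+(\d+)", text, re.M)
    if m:
        report.complete = int(m.group(1))
    m = re.search(r"^Failed requests:\s+(\d+)", text, re.M)
    if m:
        report.failed = int(m.group(1))
    # ab prints the breakdown line only when at least one request failed.
    m = re.search(r"\(Connect:\s*(\d+),\s*Receive:\s*(\d+),\s*Length:\s*(\d+),"
                  r"\s*Exceptions:\s*(\d+)\)", text)
    if m:
        report.connect, report.receive, report.length, report.exceptions = map(int, m.groups())
    m = re.search(r"^Requests per second:\s+([\d.]+)", text, re.M)
    if m:
        report.requests_per_second = float(m.group(1))
    for pct, ms in re.findall(r"^\s*(\d+)%\s+(\d+)", text, re.M):
        report.percentiles[int(pct)] = int(ms)
    return report


def assess(report: AbReport, max_p90_ms: int = 5000, max_failure_rate: float = 0.01) -> list:
    """Findings in the post's terms: Connect/Receive failures point at the server,
    Length failures usually at variable-size content. Thresholds are assumptions."""
    findings = []
    if report.connect or report.receive:
        findings.append(f"SERVER_FAILURE: connect={report.connect} receive={report.receive}")
    if report.exceptions:
        findings.append(f"EXCEPTIONS: {report.exceptions}")
    if report.length:
        findings.append(f"LENGTH_VARIANCE: {report.length} responses differed in length "
                        "(check Content-Length or dynamic page content)")
    if report.failure_rate() > max_failure_rate:
        findings.append(f"FAILURE_RATE: {report.failure_rate():.3%} exceeds {max_failure_rate:.1%}")
    p90 = report.percentiles.get(90)
    if p90 is not None and p90 > max_p90_ms:
        findings.append(f"SLOW_P90: {p90} ms exceeds {max_p90_ms} ms")
    return findings


def build_ab_command(url: str, requests: int = 100, concurrency: int = 10, auth: str = None) -> list:
    """argv for the post's 'ab -n 100 -c 10 URL'; basic-auth goes via -A (user:password)."""
    argv = ["ab", "-n", str(requests), "-c", str(concurrency)]
    if auth:
        argv += ["-A", auth]
    argv.append(url)
    return argv


def run_ab(url: str, **kwargs) -> AbReport:
    """Hypothetical helper: run ab if it is on PATH and parse its report."""
    if shutil.which("ab") is None:
        raise RuntimeError("ab is not installed or not on PATH")
    done = subprocess.run(build_ab_command(url, **kwargs), capture_output=True, text=True, check=True)
    return parse_ab_output(done.stdout)


if __name__ == "__main__":
    sample = parse_ab_output(SAMPLE_AB_OUTPUT)
    print(f"{sample.complete} requests, {sample.failed} failed, "
          f"{sample.requests_per_second} req/s, p90 {sample.percentiles[90]} ms")
    for finding in assess(sample):
        print(" -", finding)
```

    Run as-is, the script reports the constructed sample: no Connect or Receive failures, 11 Length mismatches, a 1.1% failure rate and a p90 of 5555 ms. To run it against a real server, call run_ab("http://host:port/path", requests=100, concurrency=10) (hypothetical URL) and feed the result to assess().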

     

  • App Installation Checklist:

     

    1. Ensure the test device is not the same as the one used for development and is not set up as the development environment.

    2. Verify that application can be installed successfully following normal installation procedures.

    3. Verify that version number matches the version specified during submission

    4. Verify  the application is  seen in the installed applications list

    5. Verify whether a proper alert is displayed when the normal installation procedure is not followed.

    6. Check installation with low wifi connectivity

    7. Test installation  behaviour with wifi in disconnected mode

    8. Check uninstallation and reinstallation

    9. Check Application start/stop behavior -- Start the application by selecting the icon or following the steps outlined in the submission statement

    10. Check installation behaviour when receiving voice calls -- while installation process is in progress, make a call to the test device.

    11. Check installation behaviour when receiving text messages -- while installation process is in progress, send a text message to the test device.

    12. Check if the app is supported on older firmware (i.e. iOS 3.1.3), especially if it is part of the requirement; otherwise a meaningful message should be displayed to the user.

  • Electronic mail, or email, has become an ineluctable part of our day-to-day life. As professionals, we might be sending out at least one formal communication a day via email, whether to the client, the team, project managers or senior management. Business communication is supposed to be bound by certain etiquette for several reasons:

    •     Being professional in formal communication makes you appear competent to your customers.
    •     Emails that are straight to the point are easy to read and efficient.
    •     Internet threats and vulnerabilities may expose your message to interception.
    •     There is less risk of the organisation losing confidential information.


    Now, regarding the email etiquette to be followed, you will find hundreds of resources online. Let me just brief you on a few of the points to be looked at.

        To / CC / BCC

    These fields decide who the intended recipients of your email are. You wouldn't want to send information to uninterested parties, hence always double check your addressees before hitting the send button. It's always better to leave the fields empty, or to have your own IDs in them, while drafting the message, thus avoiding the embarrassment of an accidental send!

    CC is often used as a “For your information” field. If you need to send the same message to a large number of people without losing its importance, it's good to use the BCC field. It will send the message to each person as an individual recipient. BCC helps improve the readability of your email, as the recipients don't have to scroll down through a long list to finally read the message.

        Subject Line

    Be crisp and clear in your subject line. The maximum number of words generally viewable in the subject line of an email is 25-35. One email should cover a single topic, or multiple points on one topic, or related happenings, and your subject line should convey the idea in one shot.

        Email Message

    • Addressing the person
    1. Dear Mr. Thomas - Writing to a person whom you don't know, and also to a senior.
    2. Dear Thomas - Writing to a person with whom you have a working relationship.
    3. Hi Thomas / Thomas - Writing to your colleagues, teammates or managers. Writing “Dear Joe” to your colleague or manager will sound odd!
    • Split the content
    1. Don't make your email look heavy to read. Split your content into small paragraphs. Let's not discourage the recipient from reading with your email's first look!
    2. Don't start writing stories. Be brief and straight to the point in your message. You will be saving your time and the recipient's.
    3. Put double line breaks between your paragraphs instead of tapping tabs. Let your email look well in shape.
    • Beware
    1. Reduce the usage of acronyms in formal communications. Not everybody would know that “BCNU” means “Be Seeing You”.
    2. Don't capitalise the content unless it's a generic acronym or a noun naming an organisation or technology. A sentence in capitals is the one used to shout at the recipient; let it remain so, or you won't have a way to shout in your email!
    3. Attachments - Always compress the files as much as you can, and it is better to check the recipient's attachment size limit prior to sending.
    4. Proofread - Be sure that you have gone through the content at least twice before sending.

        The End

    • Use sensible closures. “Thanks” would be appropriate in most of the scenarios.
    • Email Signatures - Be sure to include

                Name
                Designation
                Organisation Name
                Contact Number & Email Address.

    You may hit “Send” now!

    ANSI Standard: http://www.ansi.org/contact_us/etiquette.aspx?menuid=contact#.UaLVmNgy_po

  • by admin
  • on 29 May 2012
