Security

Conference Presentations

Controlling Performance Testing in an Uncontrolled World

Think about it ... You are responsible for performance testing a system containing over 5 billion searchable documents to an active user base of 2.6 million users, and you are expected to deliver notification of sub-second changes in release response and certification of extremely high reliability and availability. Your n-tier architecture consists of numerous mainframes and large-scale UNIX servers as well as Intel processor-based servers. The test environment architecture is distributed across large numbers of servers performing shared functions for a variety of products competing for test time and resources during aggressive release cycles. Because it is impractical and too costly to totally isolate systems at this scale, capacity and performance test engineers produce high quality

Jim Robinson, LexisNexis
TPI Test Process Improvement Model Facts and Figures

Since the publication of the test process improvement (TPI®) model in the 1990s, many organizations have used it to help establish and improve their test processes. By doing so, they have tested the hypothesis that improving test processes results in better insight into system quality and a more repeatable and efficient test process. Over the past five years, Ruud Teunissen and his consultant colleagues have gathered many facts and figures about the results of test process improvement initiatives. Learn the details of what other companies have achieved from test process improvement using the model, including examples of a 50 percent reduction of live incidents caused by inaccurate testing and a 40 percent reduction of long-term testing costs. Build a case for process improvement, discover what the TPI® model can do for you, and find out how to manage expectations should you embrace the model.

Ruud Teunissen, POLTEQ IT Services BV
Making Test Data More Agile

Flexible, reusable, and restorable test data for both the unit and system level is an absolute necessity for testers working on Agile development projects. For teams following a more traditional development process, Agile approaches for handling test data can enhance testing efforts as well. Discussing Agile testing approaches, such as the ObjectMother pattern, Peter Schuh explains how testers design tests and test frameworks to survive the ever-changing data structures found in Agile projects. Learn how an Agile process allows testers to get much more mileage out of test data sets during and after the initial development project. Leave with a set of practices and techniques to apply directly to Agile development projects or to modify for your current development environment.

  • The many dimensions of application test data
  • Produce and maintain better tests and test data with Agile approaches
Peter Schuh, Peter Schuh
Web Testing Circus: An Expert-Led Search for Security Defects

Step right up! Come see the sights! Join in the fun! The circus is in town and admission is free with your STAREAST badge. Right before your very eyes, our security testing ringmaster Mike Andrews demonstrates for you the wonders of Web security testing. Behold death-defying feats of SQL injection. Stare open-mouthed as he hacks a site using the cross-site scripting attack. Watch him hijack a Web session before your very eyes. Find out how and why Web servers are the most attacked resource on the Internet and what you can do to protect yours. Learn the history of some successful and insidious Web hacks and the freak-show of hackers that perpetrate them.

Bring your laptop with wireless access, and join in the attack! We will set up a wireless network and Web site with known vulnerabilities on an intranet in the session room so you can have a go at finding security bugs.

Michael Andrews, Foundstone Professional Services
The QA/Testing Perspective on Software Security

Most everyone now realizes that we cannot solve security vulnerabilities with firewalls, virus scanners, and other tactics that build an electronic “moat” around systems. According to Julian Harty, security is not an operational issue, not a developer issue, and not a testing issue. It is a systems issue that you must focus on throughout the software’s life. From a QA/testing perspective, we need to look early in the development process for adequate security requirements. Then, we should assess the designs for vulnerabilities and participate in security code reviews. When specialized security tests find bugs that get past our early prevention efforts, causal analysis helps prevent recurring security defects. Dig into system security issues with Julian and learn about manual techniques, commercial software, and home-brew automation tools to help you find security vulnerabilities before the bad guys do.

Julian Harty, Commercetest Limited
Quality Assurance as a Service Organization

"QA is the bottleneck" ... "Why does QA take so long?" ... "You need to test faster." Often, key project stakeholders either do not understand QA or have difficulty quantifying the effects that increasing or decreasing test time will have on the project. First American CREDCO found the solution was to turn QA into a full service organization, complete with a "Quality Rainbow" menu of options to be purchased. Want it quicker and willing to accept a higher risk? Then select from Column 1. Want low risk and willing to take the time to ensure the product is pristine? Then select from Column 5. Whether your test team is small or large, you can learn to "in-source" QA services, set time and effort expectations up front, and measure the value of QA activities so that QA does not become a roadblock to project success.

  • A method to specify and quantify the services provided by a QA group
Sandi Oswalt, First American Credco
Better Testing with a Hacker's Mentality

Security issues are becoming more and more relevant as testers are called on to find security problems before others exploit them. So, where do you start, and how do you bridge the gap between honest tester and bad-guy hacker? Julian Harty suggests we do so by adopting the mindset and practices of a hacker. In this presentation, gain a unique insight into the ways of hackers and specific technical techniques and tips on how to find security flaws before the hackers do. Progress from a novice to a journeyman security tester as you learn how to use “anti-goals” and your internal knowledge of the software to find and fix security vulnerabilities before the hackers find them and hurt your organization.

  • How a tester can adopt the mindset of a hacker
  • Proven techniques for finding security flaws
  • A safe environment to get started in security testing
Julian Harty, Commercetest Limited
Who is Stealing a Living off Your Web Site?

So, your company makes money from its Web site. Who else might also be doing the same? While the Web is a profitable venture for many companies, it is often equally profitable for hackers and thieves. Due to unknown vulnerabilities in your Web application, hackers may end up with more profit from your Web site than you do. See examples of hacker techniques, including SQL injection, format string attacks, session-based attacks, and a host of others. Find out why the current crop of Web testing tools is not sufficient to thwart hackers and will leave you with a false and dangerous sense of security. Learn the skills and techniques you must know to stay ahead of hackers and find security holes in your Web applications.

  • Hidden Web application security vulnerabilities
  • Testing skills and techniques to find security holes and prevent breaches
  • Tools to help you with security testing Web sites
Florence Mottay, Security Innovation LLC
Gotcha!...Security Testing for Mission Critical Applications

A local television station provides a Web service that allows schools and businesses in the area to easily enter information on closures due to bad weather. The information then is displayed as a crawl along the bottom of the television screen. Some kids hack into the site and declare their school closed for the day, and it's immediately shown on everyone's television! It's a cute story. Now let's imagine that these same kids hack the prices on your eCommerce site or obtain access to sensitive customer records on your company Web site. This time the story is not so laughable. Mike Andrews shares his favorite top ten holes in Web site security, including "SQL injection" and "cross-site scripting," shows examples of each, and discusses the effects these security breaches can have on your site. Fortunately, the number of attacks is rather small and easy to repair, if you know where to look.

Michael Andrews, Florida Institute of Technology
A Strategic Approach - "Beta the Business"

Beta testing is an industry standard practice to obtain user feedback prior to general availability of software. Have you ever considered that the Beta release can be used to validate the software's value to customers and application users? Extending the Beta concept will result in higher customer satisfaction (and higher revenue for commercial products). Also, you can employ Beta testing to evaluate not only the software product, but the distribution (and sales) process, training, customer support, and usage within your customers' environments. Far beyond just finding defects in the product, you can focus Beta testing on how well the software is meeting your customers' needs. What does that mean to the Development team and the organization as a whole? What are the risks and challenges that we face? What are the rewards?

Pete Conway, EMC Corporation

StickyMinds is a TechWell community.
