Monthly Archives: February 2012

Big Android Security Risk Revealed

The Mobile World Congress this year has a host of Google’s green robot powered smartphones to show off. They are all cool. But there are some concerns regarding the security of the Android platform, as per the warnings of the UK based security firm MWR InfoSecurity.

"Manufacturers of Android mobile phones will once again be launching their latest models and as before, we will be warning users and manufacturers at the Mobile World Congress in Barcelona that not enough is being done to safeguard user information," Ian Shaw, MD at MWR InfoSecurity, said.

The increasing lack of security controls on the phones is exposing users to fraud and other criminal activity.

According to Shaw, manufacturers are not doing enough to protect their users from a wide range of attacks. "Android mobiles are being compromised daily, exposing users to a real security risk," he said.

Manufacturers must spend more time looking to see how they can safeguard users. Many seem to forget that they have a duty of care.

The problem is that many users just don’t realize how vulnerable they actually are. Criminals can steal personal details like bank passwords and other personal information.

MWR InfoSecurity so far has found ten security vulnerabilities on Samsung’s smartphones and tablets in its hunt for Android security issues.

The company said it had warned Samsung about these and had been assured that it was working on them.

Source: http://www.gizmocrave.com/11152-big-android-security-risk-revealed/

Apple Expected to Unveil New, Faster iPad March 7

Apple Inc is hosting a media event next Wednesday, where it is expected to unveil a faster, better-equipped version of its popular iPad tablet to thwart increasing competition from deep-pocketed rivals such as Amazon.com Inc.

The invitation-only event will be held at 1 p.m. EST on March 7 at the Yerba Buena Center for the Arts in San Francisco, where it also introduced the last two generations of iPads.

Apple, which sent the invitation to reporters by email on Tuesday, did not divulge details of the event beyond saying: "We have something you really have to see. And touch."

The invitation featured a partial picture of the touchscreen of a device resembling an iPad.

Apple launches are some of the hottest events on the tech calendar, scrutinized by fans, investors, the media and industry insiders alike.

The iPad has dominated the nascent tablet computer market, but Amazon’s Kindle Fire, which sells at half the cost, has chipped away at the lower end of the market.

The third iteration of a device that has helped put pressure on demand for traditional laptops and computers is expected to boast a faster, quad-core processor, and a higher-definition screen.

Some analysts and industry experts expect 4G wireless capability, ensuring that the iPad remains current as cutting-edge broadband technology from Verizon Wireless and other carriers gains momentum. Verizon Wireless is a venture of Verizon Communications Inc and Vodafone Group Plc.

"The picture is zoomed in on an icon and I don’t see any pixels in that icon," Avi Greengart, analyst at Current Analysis, said, underscoring how industry experts pick apart even Apple’s communiques for hints of what to expect.

"You don’t need exceptional foresight to guess that Apple is likely looking at a higher resolution display."

Source: http://www.ibtimes.com/articles/306153/20120228/ipad-apple-aapl-steve-jobs-ipad3.htm

What kind of automated testing does Facebook do?

We do several kinds of testing. Some specifics:

  • For our PHP code, we have a suite of a few thousand test classes using the PHPUnit framework. They range in complexity from simple true unit tests to large-scale integration tests that hit our production backend services. The PHPUnit tests are run both by developers as part of their workflow and continuously by an automated test runner on dedicated hardware. Our developer tools automatically use code coverage data to run tests that cover the outstanding edits in a developer sandbox, and a report of test results is automatically included in our code review tool when a patch is submitted for review.
  • For browser-based testing of our Web code, we use the Watir framework. We have Watir tests covering a range of the site’s functionality, particularly focused on privacy—there are tons of "user X posts item Y and it should/shouldn’t be visible to user Z" tests at the browser level. (Those privacy rules are, of course, also tested at a lower level, but the privacy implementation being rock-solid is a critical priority and warrants redundant test coverage.)
  • In addition to the fully automated Watir tests, we have semi-automated tests that use Watir so humans can avoid the drudgery of filling out form fields and pressing buttons to get through UI flows, but can still examine what’s going on and validate that things look reasonable.
  • We’re starting to use JSSpec for unit-testing JavaScript code, though that’s still in its early stages at this point.
  • For backend services, we use a variety of test frameworks depending on the specifics of the services. Projects that we release as open source use open-source frameworks like Boost’s test classes or JUnit. Projects that will never be released to the outside world can use those, or can use an internally-developed C++ test framework that integrates tightly with our build system. A few projects use project-specific test harnesses. Most of the backend services are tied into a continuous integration / build system that constantly runs the test suites against the latest source code and reports the results into the results database and the notification system.
  • HipHop has a similar continuous-integration system with the added twist that it not only runs its own unit tests, but also runs all the PHPUnit tests. These results are compared with the results from the same PHP code base run under the plain PHP interpreter to detect any differences in behavior.

Our test infrastructure records results in a database and sends out email notifications on failure with developer-tunable sensitivity (e.g., you can choose to not get a notification unless a test fails continuously for some amount of time, or to be notified the instant a single failure happens.) The user interface for our test result browser is integrated with our bug/task tracking system, making it really easy to associate test failures with open tasks.

Source: http://www.quora.com/What-kind-of-automated-testing-does-Facebook-do
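The "user X posts item Y and it should/shouldn't be visible to user Z" tests described in the answer above are table-driven authorization tests. The following is an added illustration of that test shape, written for this archive; it is not Facebook's code, and the audience model (public, friends, friends_of_friends, only_me, custom), the social graph helpers and the test table are all constructed here for the example.

```python
"""Table-driven privacy-visibility tests: for each (audience, viewer) row, decide
whether viewer Z may see a post by X and compare with the expected answer.
Added example with a constructed policy model; not Facebook's implementation."""
from dataclasses import dataclass, field


@dataclass
class Post:
    author: str
    audience: str                      # public | friends | friends_of_friends | only_me | custom
    allowed: frozenset = frozenset()   # explicit viewer list for a "custom" audience


@dataclass
class SocialGraph:
    friends: dict = field(default_factory=dict)   # user -> set of friends (kept symmetric)
    blocked: dict = field(default_factory=dict)   # user -> set of users they have blocked

    def befriend(self, a, b):
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def block(self, blocker, blocked):
        self.blocked.setdefault(blocker, set()).add(blocked)

    def are_friends(self, a, b):
        return b in self.friends.get(a, set())

    def is_blocked(self, author, viewer):
        # A block in either direction hides content regardless of the audience setting.
        return (viewer in self.blocked.get(author, set())
                or author in self.blocked.get(viewer, set()))


def can_view(graph, post, viewer):
    """Deny by default: every branch that returns True is an explicit grant."""
    if viewer == post.author:
        return True
    if graph.is_blocked(post.author, viewer):
        return False
    if post.audience == "public":
        return True
    if post.audience == "friends":
        return graph.are_friends(post.author, viewer)
    if post.audience == "friends_of_friends":
        return graph.are_friends(post.author, viewer) or any(
            graph.are_friends(f, viewer) for f in graph.friends.get(post.author, ()))
    if post.audience == "custom":
        return viewer in post.allowed
    return False    # "only_me" and any unknown audience value fail closed


def build_graph():
    # Constructed sample graph: alice-bob and bob-carol are friends; alice blocked mallory.
    g = SocialGraph()
    g.befriend("alice", "bob")
    g.befriend("bob", "carol")
    g.block("alice", "mallory")
    return g


# Constructed test table: (audience, allowed set, viewer, expected visibility).
# Every row is "alice posts an item with this audience; should <viewer> see it?"
CASES = [
    ("public", frozenset(), "dave", True),
    ("public", frozenset(), "mallory", False),        # blocked users see nothing
    ("friends", frozenset(), "bob", True),
    ("friends", frozenset(), "carol", False),         # carol is only a friend of a friend
    ("friends_of_friends", frozenset(), "carol", True),
    ("friends_of_friends", frozenset(), "dave", False),
    ("only_me", frozenset(), "bob", False),
    ("only_me", frozenset(), "alice", True),
    ("custom", frozenset({"dave"}), "dave", True),
    ("custom", frozenset({"dave"}), "bob", False),
    ("not_a_real_audience", frozenset(), "bob", False),  # unknown audience must fail closed
]


def run_cases():
    """Return the rows whose actual visibility differs from the expected one."""
    g = build_graph()
    failures = []
    for audience, allowed, viewer, expected in CASES:
        post = Post("alice", audience, allowed)
        got = can_view(g, post, viewer)
        if got != expected:
            failures.append((audience, viewer, expected, got))
    return failures


if __name__ == "__main__":
    print("failing rows:", run_cases())
```

The value of the table form is that a new audience type or graph edge case is one added row, and the same rows can be replayed at the browser level (as the answer describes with Watir) and at the policy-function level, giving the redundant coverage the answer argues for.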

Application Testing – Into the Basics of Software Testing!

Application Testing is an activity that every software tester performs daily in their career. These two words are extremely broad in practice. However, only the core and most important areas will be discussed here. The purpose of this article is to touch on all the primary areas so that readers get a basic briefing in a single place.

Categories of Applications

Whether it is a small calculator program with only the basic arithmetic operations or an online enterprise solution, there are two categories of applications:
a. Desktop
b. Web

For desktop applications, testing should take into account the UI, business logic, database, reports, roles and rights, integrity, usability and data flow. For web applications, along with all these major areas, testers should give sufficient importance to the performance, load and security of the application. So the AUT (application under test) is either desktop software or a website.

Application Testing Tools

To the best of my knowledge, there are at least 50 testing tools available in the market today. These include both paid and open source tools. Moreover, some tools are purpose-specific, e.g. UI testing, functional testing, DB testing, load testing, performance testing, security testing and link validation testing. However, some tools are strong and provide the facility of testing several major aspects of an application. The general concept of ‘Application Testing’ is its functional testing. So, our focus will be on functional testing tools.

Here is a list of the most important and fundamental features that are provided by almost all ‘Functional Testing’ tools:

a. Record and Play
b. Parametrize the Values
c. Script Editor
d. Run (the test or script, with debug and update modes)
e. Report of Run session

Source: http://www.softwaretestinghelp.com/application-testing-%E2%80%93-into-the-basics-of-software-testing/

How to Achieve Level 5 Maturity for QA and Testing Process

Any process, whether it is a QA process, a development process or a non-technical process, has levels of maturity. By levels of maturity we mean the degree of formality and process improvement: from ad-hoc processes, to formally defined steps, to managed result metrics, to optimization of the processes.

CMM (Capability Maturity Model) is a process-based model used to assess the maturity of an organization in different domains. Although this model is usually described as a software development model, it has also been applied to other processes, such as QA and testing.

It has five levels of maturity, from 1 to 5. As we move from level 1 towards level 5, variability and inconsistency are reduced. Below are the details of the five levels. Here we go through the five CMM levels with respect to the QA process and the output/result expected at each level in order to mature a QA/testing process and reach level 5.

CMM Levels

Level 1 – Ad-Hoc: Unplanned, unsystematic, and inconsistent

As the word ‘Ad-Hoc’ implies (unplanned, unprepared), at this level no significance is given to planning or to following processes, guidelines and standards. There is no standardized and consistent way of doing any task. The only thing that matters at this level is meeting the timelines, irrespective of the quality of the end product and deliverables.

As there are no pre-defined standards and processes, the same task is done in different ways by different people.

And this becomes even more unsystematic and inconsistent when the same task is done differently the next time.

Level 2 – Control: initiate defining processes at a high level

The solution to the problem seen at Level 1, the unavailability of QA processes, methodology and standards, is to put all of these in place. The standards and processes are not only finalized but also well documented, so that they can be re-used by anyone for a similar task.

Level 3 – Core Competency: come up with a generalized process for a wider audience and domains

At level 3, people are motivated to follow the standards and processes defined at level 2. For this, the processes first need to be conveyed to everyone; then the skills needed to use them effectively and efficiently must be identified, along with any training required; and finally people must be motivated and supported to follow those standards and processes. Here, people with more experience share their knowledge with others.

Level 4 – Predictable: Measure the processes

At this level, the processes defined at level 3 are measured quantitatively. This is done to control the effort required for any task. Based on this quantitative analysis, processes can be adjusted if needed, without degrading the quality of the end product. The analysis is done by dividing the complete process into smaller sub-processes, applying quantitative techniques to these sub-processes and adjusting them according to the results. This level is called predictable because, based on prior experience, we can predict the process quantitatively and make use of that for upcoming processes.

Level 5 – Innovative: Continuous Improvement

At this level, innovative ways are identified to further improve the pre-defined processes and standards. This is a continuous process: our own processes are watched and re-engineered continuously by adding new tools and technologies, by continuous study, and by keeping up to date with new information in the market. This can also be achieved by benchmarking other organizations, learning from them and improving our process by adding new innovations to it.

Source: http://www.softwaretestinghelp.com/achieve-level-5-maturity-for-qa-testing-process/

Android Gets New Twitter Update

All you Tweeple out there, cheer up! Tweeting has now been made a lot easier on your Android device. Twitter comes in an upgraded form on Android devices, and this time it has something exciting in it.

Android devices become more popular as each day passes by, so the new upgrade seems very relevant. As you swipe through tweets, options to reply, re-tweet, favorite or share instantly pop up, without taking up any space in your timeline. Now, this seems interesting, right?

The new upgrade is tailor-made for those who would spend a good share of time on Twitter. This is a custom oriented design, and actions such as reply could be made quicker than before. What more should one need to get lured into something like this?

Another fascinating addition in the new update is a change to “find friends”. It now alerts users before importing your contacts’ details, email, phone number and address into the public domain. Earlier, no such confirmation message was shown. And so, using Twitter is safer than before.

Twitter for Android is optimized to give maximum efficiency with Android 4.0 Ice Cream Sandwich, the Kindle Fire, and the Barnes & Noble Nook Color/ Tablet.

The update has already been released and can be obtained through the Android Market. Besides, the update packs some security improvements, new languages and many bug fixes. Hope you will enjoy the update.

Source: http://www.gizmocrave.com/11063-android-gets-new-twitter-update/

An approach for Security Testing of Web Applications

Introduction

As more and more vital data is stored in web applications and the number of transactions on the web increases, proper security testing of web applications is becoming very important. Security testing is the process that determines that confidential data stays confidential (i.e. it is not exposed to individuals/ entities for which it is not meant) and users can perform only those tasks that they are authorized to perform (e.g. a user should not be able to deny the functionality of the web site to other users, a user should not be able to change the functionality of the web application in an unintended way etc.).

Some key terms used in security testing

Before we go further, it will be useful to be aware of a few terms that are frequently used in web application security testing:

What is “Vulnerability”?
This is a weakness in the web application. The cause of such a “weakness” can be bugs in the application, an injection (SQL/ script code) or the presence of viruses.

What is “URL manipulation”?
Some web applications communicate additional information between the client (browser) and the server in the URL. Changing some information in the URL may sometimes lead to unintended behavior by the server.

What is “SQL injection”?
This is the process of inserting SQL statements through the web application user interface into some query that is then executed by the server.

What is “XSS (Cross Site Scripting)”?
When a user inserts HTML/ client-side script in the user interface of a web application and this insertion is visible to other users, it is called XSS.

What is “Spoofing”?
The creation of hoax look-alike websites or emails is called spoofing.
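To make the SQL injection, XSS and URL manipulation definitions above concrete from a tester's point of view, here is an added example that is not part of the original article. Each handler is shown in a weak form beside its hardened form, running against an in-memory SQLite database with constructed sample users and invoices; the function names, schema and test inputs are all assumptions made for this illustration.

```python
"""Weak handler beside hardened handler for three of the weaknesses defined above.
Added example using SQLite with constructed data; not from the original article."""
import html
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, owner_id INTEGER, total REAL);
        INSERT INTO users VALUES (1, 'alice', 'alice-secret'), (2, 'bob', 'bob-secret');
        INSERT INTO invoices VALUES (10, 1, 99.0), (11, 2, 250.0);
    """)
    return conn


# --- SQL injection: query built from strings vs parameterised query ------------
def login_vulnerable(conn, name, password):
    # Untrusted input is spliced straight into the SQL text, so it can alter the query.
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    # Placeholders keep data out of the SQL grammar; the driver never parses it as SQL.
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# --- XSS: user text reflected into HTML ---------------------------------------
def render_comment_vulnerable(text):
    # Raw insertion: any markup in the comment becomes part of the page.
    return f"<p class='comment'>{text}</p>"


def render_comment_safe(text):
    # Escaping for an HTML text-node context neutralises markup characters.
    return f"<p class='comment'>{html.escape(text, quote=True)}</p>"


# --- URL manipulation: an object id in the URL is not an authorisation decision --
def invoice_vulnerable(conn, session_user_id, invoice_id):
    # Trusts the id taken from the URL; any logged-in user can read any invoice.
    row = conn.execute("SELECT total FROM invoices WHERE id = ?", (invoice_id,)).fetchone()
    return row[0] if row else None


def invoice_safe(conn, session_user_id, invoice_id):
    # Scope the lookup to the authenticated user's own records, server side.
    row = conn.execute(
        "SELECT total FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, session_user_id)).fetchone()
    return row[0] if row else None


def demo():
    """Run the classic tester inputs through both forms and return the outcomes."""
    conn = make_db()
    tamper = "' OR '1'='1"            # the textbook SQL injection test string
    markup = "<script>alert(1)</script>"   # the textbook XSS test string
    return {
        "sqli_vulnerable": login_vulnerable(conn, "alice", tamper),   # every user id
        "sqli_safe": login_safe(conn, "alice", tamper),               # no match
        "xss_vulnerable": render_comment_vulnerable(markup),
        "xss_safe": render_comment_safe(markup),
        "url_vulnerable": invoice_vulnerable(conn, 1, 11),   # alice reads bob's invoice
        "url_safe": invoice_safe(conn, 1, 11),               # None: not alice's record
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A security test case for each term is then a pair: the same input against the hardened handler must not change the query, must appear as inert text in the page, and must not return another user's record.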

Source: http://www.vietnamesetestingboard.org/zbxe/?mid=download&category=12657&document_srl=514129&listStyle=&cpage=

SQL resource - DB testing

SQL resource

The purpose of this book is to quickly provide you with the skills you need to solve problems and perform tasks using the Transact-SQL language. I wrote this book in a problem/solution format in order to establish an immediate understanding of a task and its associated Transact-SQL solution. You can use this book to look up the task you want to perform, read how to do it, and then perform the task on your own system. While writing this book, I followed a few key tenets:

• Keep it brief, providing just enough information needed to get the job done.

• Allow recipes and chapters to stand alone—keeping cross-references and distractions to a tolerable minimum.

• Focus on features that are typically implemented entirely using Transact-SQL. For example, I cover the new Resource Governor feature because it will typically be deployed by DBAs using Transact-SQL—whereas I do not cover Policy-Based Management due to its underlying dependencies on SQL Server Agent, SQL Server Management Objects (SMO), and SQL Server Management Studio. Fortunately, most of the new SQL Server engine improvements are entirely Transact-SQL based, and therefore are included in this book.

• Write recipes that help a range of skill sets, from novice to professional. I begin each chapter with basic recipes and progressively work up to more advanced topics. Regarding new SQL Server 2008 features, I have interwoven them throughout the book in the chapters where they apply. If you are just looking for a refresh on new Transact-SQL features, I specifically call them out at the beginning of each chapter in which they exist.

Although a key tenet of this book is to keep things brief, you’ll notice that this book is still quite large. This is a consequence of the continually expanding SQL Server feature set; however, rest assured that the recipes contained within are still succinct and constructed in such a way as to quickly give you the answers you need to get the job done.

Source: http://www.vietnamesetestingboard.org/zbxe/?mid=download&category=17246&document_srl=586034&listStyle=&cpage=

Practical Combinatorial Testing (NIST)

Software implementation errors are one of the most significant contributors to information system security vulnerabilities, making software testing an essential part of system assurance. In 2003 NIST published a widely cited report which estimated that inadequate software testing costs the US economy $59.5 billion per year, even though 50% to 80% of development budgets go toward testing. Exhaustive testing – testing all possible combinations of inputs and execution paths – is impossible for real-world software, so high assurance software is tested using methods that require extensive staff time and thus have enormous cost. For less critical software, budget constraints often limit the amount of testing that can be accomplished, increasing the risk of residual errors that lead to system failures and security weaknesses.

Combinatorial testing is a method that can reduce cost and increase the effectiveness of software testing for many applications. The key insight underlying this form of testing is that not every parameter contributes to every failure and most failures are caused by interactions between relatively few parameters. Empirical data gathered by NIST and others suggest that software failures are triggered by only a few variables interacting (6 or fewer). This finding has important implications for testing because it suggests that testing combinations of parameters can provide highly effective fault detection. Pairwise (2-way combinations) testing is sometimes used to obtain reasonably good results at low cost, but pairwise testing may miss 10% to 40% or more of system bugs, and is thus not sufficient for mission-critical software. Combinatorial testing beyond 2-way has been limited, primarily due to a lack of good algorithms for higher interaction levels such as 4-way to 6-way testing. New algorithms, however, have made combinatorial testing beyond pairwise practical for industrial use.
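The paragraph above describes the idea but not the mechanics, so the following added example shows a small greedy t-way covering-array generator of the kind used for pairwise and higher-strength testing. It goes beyond the text in that the same routine handles 2-way, 3-way and 4-way strength. This is illustrative code written for this archive, not NIST's ACTS tool or any algorithm from the report; the parameter space (os, browser, auth, tls) is a constructed example.

```python
"""Greedy t-way covering array generator (illustrative, AETG-style heuristic).
Added example; not NIST's tool. Parameters and values below are constructed."""
from itertools import combinations, product


def all_interactions(params, t):
    """Every t-way combination of parameter values a t-way test set must cover."""
    names = sorted(params)          # sorted so tuples compare equal with interactions_in()
    wanted = set()
    for group in combinations(names, t):
        for values in product(*(params[n] for n in group)):
            wanted.add(tuple(zip(group, values)))
    return wanted


def interactions_in(test, t):
    """The t-way combinations present in one (possibly partial) test assignment."""
    items = sorted(test.items())
    return set(combinations(items, t))


def generate_covering(params, t=2):
    """Build tests until every t-way interaction is covered at least once."""
    names = sorted(params)
    uncovered = all_interactions(params, t)
    tests = []
    while uncovered:
        # Seed the test with a still-uncovered interaction so every round makes progress.
        test = dict(min(uncovered))
        for name in names:
            if name in test:
                continue
            # Pick the value that covers the most uncovered interactions with the
            # parameters already fixed in this test (ties go to the first value).
            best_value, best_gain = None, -1
            for value in params[name]:
                candidate = dict(test)
                candidate[name] = value
                gain = len(interactions_in(candidate, t) & uncovered)
                if gain > best_gain:
                    best_value, best_gain = value, gain
            test[name] = best_value
        tests.append(test)
        uncovered -= interactions_in(test, t)
    return tests


def covers_all(params, tests, t):
    """Independent check that the generated tests cover every t-way interaction."""
    covered = set().union(*(interactions_in(test, t) for test in tests))
    return all_interactions(params, t) <= covered


def exhaustive_count(params):
    """Number of tests exhaustive testing of this parameter space would need."""
    n = 1
    for values in params.values():
        n *= len(values)
    return n


# Constructed example: a login feature's configuration space (3 x 3 x 3 x 2 = 54 combos).
PARAMS = {
    "os":      ["windows", "linux", "macos"],
    "browser": ["firefox", "chrome", "safari"],
    "auth":    ["password", "sso", "mfa"],
    "tls":     ["1.2", "1.3"],
}

if __name__ == "__main__":
    for t in (2, 3, 4):
        tests = generate_covering(PARAMS, t)
        print(f"{t}-way: {len(tests)} tests of {exhaustive_count(PARAMS)} exhaustive, "
              f"complete={covers_all(PARAMS, tests, t)}")
```

With four parameters, 4-way strength is exhaustive by definition (all 54 combinations), while 2-way strength needs only a handful of tests; the gap between the two is the saving the text refers to, and the `covers_all` check is what a tester would keep as an independent oracle on whatever generator is used.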

Source: http://www.vietnamesetestingboard.org/zbxe/?mid=download&category=12632&document_srl=568740&listStyle=&cpage=

BACK END TEST GUIDE for SQL

1. INTRODUCTION

This document discusses general test specification issues for SQL Server back end testing and provides testers with a test design guide that includes test methodology. Most systems developed by ITG, such as Forecast LRS, Delta, KENAI and KBATS, have client-server architectures. However, only a few projects have their back end completely tested.

1.1 Why back end testing is so important

A back end is the engine of any client/server system. If the back end malfunctions, it may cause system deadlock, data corruption, data loss and bad performance. Many front ends log on to a single SQL Server. A bug in a back end may seriously impact the whole system. Too many bugs in a back end will cost tremendous resources to find and fix and will delay system development. It is very likely that many tests in a front end only hit a small portion of the back end, and many bugs in a back end cannot easily be discovered without direct testing. Back end testing has several advantages: the back end is no longer a "black box" to testers; we have full control of test coverage and depth; and many bugs can be effectively found and fixed in the early development stage. Take Forecast LRS as an example: the number of bugs in the back end was more than 30% of the total number of bugs in the project. When the back end bugs were fixed, system quality increased dramatically.

1.2 Differences between back end testing and front end testing

It is harder to understand and verify a back end than a front end, because a front end usually has friendly and intuitive user interfaces. A back end has its own objects, such as tables, stored procedures and triggers. Data integrity and protection are critical. Performance and multi-user support are big issues, and slowness in operation can threaten the project’s future. There are no sufficient tools for back end testing: the SQL language is the main testing tool. MS Access and MS Excel can be used to verify data, but they are not ideal for testing. In contrast, a large number of test tools are available for front end testing. To do back end testing, a tester must have a strong background in SQL Server and the SQL language. It is relatively difficult to find testers who understand both SQL Server and SQL testing, which causes a shortage of back end testers.
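The guide says the SQL language itself is the main back end testing tool. As an added example, not taken from the guide or any ITG project, here is what direct back end testing looks like when the integrity rules live in the database: a CHECK constraint, a foreign key and an audit trigger on a constructed two-table schema, exercised through SQL rather than through a front end. SQLite stands in for SQL Server so the example runs anywhere; the schema, the `transfer` routine and the data are all assumptions made for this illustration.

```python
"""Back end tests driven directly with SQL against constraints, a trigger and a
transactional routine. Added example on SQLite with a constructed schema."""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- integrity rule enforced by the back end
);
CREATE TABLE audit (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    delta      INTEGER NOT NULL
);
-- Trigger: every balance change leaves an audit row, whichever client made it.
CREATE TRIGGER audit_balance AFTER UPDATE OF balance ON accounts
BEGIN
    INSERT INTO audit(account_id, delta) VALUES (NEW.id, NEW.balance - OLD.balance);
END;
"""

OPENING_TOTAL = 150   # constructed seed data: alice 100 + bob 50


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite only enforces FKs when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts(id, owner, balance) VALUES (?, ?, ?)",
                     [(1, "alice", 100), (2, "bob", 50)])
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Stored-procedure style routine: both updates commit together or not at all."""
    try:
        with conn:   # commits on success, rolls back if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def audit_rows(conn):
    return conn.execute("SELECT account_id, delta FROM audit ORDER BY id").fetchall()


def ledger_consistent(conn):
    """Invariant checked with SQL: opening total plus all audited deltas equals the balances."""
    total = conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
    deltas = conn.execute("SELECT COALESCE(SUM(delta), 0) FROM audit").fetchone()[0]
    return total == OPENING_TOTAL + deltas


def run_backend_tests():
    """Return named pass/fail results so a failure maps directly to a task."""
    conn = open_db()
    results = {}
    # 1. Happy path: both rows change and the trigger writes two audit rows.
    results["transfer_ok"] = transfer(conn, 1, 2, 30) and balances(conn) == {1: 70, 2: 80}
    results["audit_written"] = audit_rows(conn) == [(1, -30), (2, 30)]
    # 2. Overdraft: the CHECK constraint rejects it and the transaction rolls back.
    results["overdraft_rejected"] = not transfer(conn, 2, 1, 500)
    results["rollback_kept_state"] = balances(conn) == {1: 70, 2: 80}
    results["rollback_no_audit"] = len(audit_rows(conn)) == 2
    # 3. Orphan audit rows are refused by the foreign key.
    try:
        conn.execute("INSERT INTO audit(account_id, delta) VALUES (999, 1)")
        results["fk_enforced"] = False
    except sqlite3.IntegrityError:
        results["fk_enforced"] = True
    # 4. Money is conserved: the ledger reconciles after everything above.
    results["ledger_consistent"] = ledger_consistent(conn)
    return results


if __name__ == "__main__":
    for name, passed in run_backend_tests().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

None of these checks can be made reliably from a front end: the rollback, the trigger output and the foreign key behave the same for every client, so they are tested once, at the back end, with the same SQL the guide recommends as the testing tool.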

Source: http://www.vietnamesetestingboard.org/zbxe/?mid=download&category=17246&document_srl=590218&listStyle=&cpage=