Monthly Archives: June 2012

Performance testing in the cloud

As cloud computing continues to mature, one is hard pressed to identify a class of enterprise software that is not delivered and consumed as a service. Performance and load-based application testing, important parts of ALM, can be counted among these cloud offerings. Moving these functions to the cloud offers typical cloud benefits, most notably lowered capital and operational costs, and support for distributed development teams. But cloud-based testing also changes the way the tests themselves are performed. These changes come at a time when more and more organizations are looking at software as their competitive differentiator.

“Every enterprise is a software company, regardless of what their vertical is. Many of them are building more lines of code than major software companies per year. Software is the competitive difference in what everyone is doing now,” says Theresa Lanowitz, founder and analyst, voke.

One of the biggest challenges in application lifecycle management (ALM), according to Lanowitz, is performance. “Performance will make or break whether or not someone is going to use your app. If you think about the type of apps you use – enterprise or personal apps – performance is the determining factor, so make sure that performance is there and that you’re able to test appropriately for performance.”

This is especially true of Web and mobile applications. Fortunately, cloud-based performance and load testing tools make it easier than ever before to ensure that internal enterprise apps as well as external customer-facing applications can handle user demand. There are three characteristics of cloud-based testing services that change the way HTTP and HTTPS applications are tested:

Testing at scale

Cloud-based testing providers offer a cost-effective means of testing applications at scale – as opposed to a lab environment that simulates a small subset of the production environment. This means that instead of testing an application against a portion of users and extrapolating that data to scale with a production environment, the cloud-testing provider can test your application against the actual number of expected users. SOASTA, for example, offers CloudTest, a functional and performance testing service for Web and mobile applications. In the case of performance testing, SOASTA uses cloud servers to simulate traffic that would come from users visiting a website.

Testing globally

Similarly, cloud-based testing tools enable testing on a global scale, thereby reflecting the regions from which users are accessing the application. This is often done through partnerships with other cloud providers, such as Amazon and Rackspace. For example, Blitz by Mu Dynamics allows customers to run load tests constituting millions of concurrent users coming from multiple continents.

Testing production apps

In addition to testing test and stage applications, cloud-based testing tools can be used to test production applications. This is, according to Sven Hammar, founder and CEO of Apica, “where you have all the complexity, all the right servers, the right number of users, and you get more feedback on the problem.” When testing in production, you’re testing at maximum capacity, and different problems arise than those that are encountered at medium capacity. As a result, you get a more realistic picture of what can go wrong and the ability to make adjustments before problems occur with users.

Advice for using Software Testing as a Service

When it comes to using tools like SOASTA, Blitz and Apica, Lanowitz offers several recommendations. First off, she says, “When using a test tool in the cloud, make sure you understand how licensing is working. How are you going to pay that vendor for using that tool in the cloud? Understand what you’re paying that tool vendor for and how your costs are going to be affected as you attempt to test for more users. Be aware of the hidden costs and be able to identify what your total cost is going to be.”

Secondly, Lanowitz advises organizations to understand the software vendor’s roadmap, including how they plan to put out different communications for the development lifecycle and how tests are reported. “Understand how to interpret, read and act on the advice from the tool,” she says.

Finally, “Do a proof of concept when adopting a new tool,” says Lanowitz. Determine the two or three tools that you think you might want to adopt and do a proof of concept on each one, looking at integration with other tools in use, how the tool works with your different platforms and, again, understanding the costs and how you’ll be paying for them, she says.

Source: http://searchsoftwarequality.techtarget.com/feature/Performance-testing-in-the-cloud

How to Do Automation Testing of iPhone Applications

Why automation? First, it saves precious time otherwise spent manually running the same tests over and over again with each new build of the application. Second, it improves the stability of the application and decreases regression bugs by making it easy to run tests after each non-trivial code change or even at the end of each development day.

How about automation testing of mobile applications? Well, this area has always been foggy.

There are a lot of tools for web application testing, and some of them could fit automation testing of mobile applications either independently or with an extension. For example, you could use M-eux Test as an extension on top of HP’s Quick Test Professional (QTP). M-eux Test recognizes and activates the GUI objects on the screen of the mobile device while utilizing best automation testing practices already incorporated into QTP. The restriction of M-eux Test comes from the lack of supported OSs – in fact, it supports only Windows Mobile apps (6.x and 5.0 Mobile PC).

What happens if you want to test an iPhone app? Gorilla Logic, an enterprise IT consulting services company, recently launched a free functional testing tool for iPhone apps named FoneMonkey. It provides the ability to capture, edit, and replay user interface tests on iPhone, thus covering the functionality of an iPhone app with automation tests.

Further, FoneMonkey provides options for integrated script editing while playing a recorded scenario, and modifiable assertion checks. Sounds familiar?

I think FoneMonkey will quickly become a standard for iPhone test automation. Besides, the people from Gorilla Logic are handling issues and change requests in no time, there is extensive and easy-to-follow documentation, and a dedicated forum hosted by the company. If you are into the mobile application development business, I could highly recommend the tool to you!

Source: http://www.bianor.com/blog/how-to-do-automation-testing-of-iphone-applications/

IT security problems shift to the cloud

The internet "cloud" has created a new range of security issues, experts say.

The internet "cloud" is the hottest topic in computing but the trend has created a new range of security issues.

The cloud is associated with things like personal emails and music which can be accessed on computers and a range of mobile devices.

But US military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to allow data to be accessed anywhere in the world and save money – and, ostensibly, to enhance security.

Microsoft, Google, Amazon and others are major players in the cloud, which seeks to transfer some of the data storage issues to more sophisticated data centres.

Firms like Oracle, SAP and Salesforce.com offer cloud services for business.

Strategy Analytics forecasts US spending on cloud services to grow from $US31 billion in 2011 to $US82 billion by 2016.

But some experts say the security implications of the cloud have not been fully analysed and the cloud may open new vulnerabilities and problems.

"I don’t think any system is absolutely secure," said Stelios Sidiroglou-Douskos, a research scientist at the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory.

"The analogy most people give is having a lock on your door.

"It’s not a guarantee no one will break in but it’s a question of how much time it will take, and if your lock is better than your neighbour’s."

In a cloud environment, "this makes the job of the attacker so much harder, which means the amateur hacker might be obsolete," said the scientist, who is working on a US government-funded research project to develop "self-healing" clouds.

But if a system is breached, analysts say, the amount of information lost could be far greater than what is in a single computer or cluster.

"You can have better defences" in the cloud, "but if an attack happens, it’s highly amplified," says Sidiroglou-Douskos.

The four-year MIT project funded by the US Defense Advanced Research Projects Agency seeks to develop systems that automatically fix data breaches in a manner similar to "human immunology," says the researcher.

A number of cloud security breaches have raised concerns, including attacks on the Sony PlayStation Network, LinkedIn and Google’s Gmail service.

One hacker recently claimed to have stolen credit card numbers from 79 major banks.

"Crimes target sources of value. Large company networks offer more targets to hackers," says Nir Kshetri, a professor of economics who studies cybercrime at the University of North Carolina at Greensboro.

"Information stored in clouds is a potential gold mine for cybercriminals."

Kshetri said in a paper submitted to the journal Telecommunications Policy that when questions come up, "the cloud industry’s response has been: Clouds are more secure than whatever you’re using now. But many users do not agree."

Marcus Sachs, former director of the Sans Technology Institute’s Internet Storm Center, said the cloud may be more secure but it also creates new questions.

"In the cloud, you don’t necessarily know where your data sits," Sachs told AFP.

"That doesn’t make it less vulnerable to attack, but there are questions when it comes to (an) audit, or if you want to take the data back or destroy it, how do you know you’ve erased it?"

Sachs said that analysts have also discovered "fake clouds" which are offered as low-cost alternatives but are in fact operated by "criminal groups which monitor and steal the data."

"We have seen instances of this not in the US, but in the former Soviet Union and in China," he said.

Still, the cloud market is growing rapidly, with companies and government agencies moving to either "public" clouds that are easily accessed or so-called "private clouds" that are segregated from the internet.

Some analysts say other issues need to be resolved about cloud computing, such as who is liable if data is lost, and how data can be accessed for government investigations.

Outages have recently affected Apple’s and Amazon’s cloud services, causing some websites to be affected.

"Privacy, security and ownership issues in the cloud fall into legally grey areas," Kshetri says.

Sidiroglou-Douskos says there is no single answer for people or companies choosing between cloud systems and holding the data themselves.

"If you are trying to protect yourself from the government, then having it in the public cloud makes it easier for them to get it," he said.

"If your main worry is a hacker in Russia, maybe (cloud) infrastructure is better for your own security."

Source: http://www.sbs.com.au/news/article/1662840/IT-security-problems-shift-to-the-cloud

Avoiding consumer testing: Why mobile performance testing is critical

Mixing mobile device users’ high expectations for application performance with widespread enterprise adoption of mobile networks increases the risks of high-profile failures. In addition, today’s growing demand for rapid, precise mobile application distribution across many devices, operating systems and networks raises the stakes for mobile application development and quality assurance managers. This high-risk scenario requires mastering new and time-tested approaches to pre-deployment performance testing now more than ever.

“You don’t want your end users to be your testers. This is a terrible idea. Before mobile and social media, this might have been okay because the negative feedback would be more muted and not be ‘viral’ in the sense of infecting your brand before you had a chance to administer the cure,” says Dave Berg, senior director of product management for Shunra.

Theresa Lanowitz, founder of voke, inc., agrees that software performance directly links to a company’s overall reputation and it is best to avoid consumer testing. “The software that runs your company is now inextricably linked to your brand. So your brand is reflected through the software you are putting out there; your brand is reflected through the software that your customers are using,” she explains.

Recent research findings

Even smaller issues can negatively impact the brand. For example, according to research cited by Aberdeen Senior Research Analyst Jim Rapoza, 7% of users abandon applications after just one second of delay in performance. 11% abandon at two seconds, 18% at three, 25% at four and 50% at five seconds.

New voke research explores the factors that are affecting the testing market, such as cloud and mobility.  Lanowitz says, “The testing of software at every stage of the lifecycle with all aspects of the supply chain is a standard and required practice, and continues to grow in importance.”

The growing urgency of application performance testing is reflected in recent Aberdeen research as well, which shows that 18% of businesses are currently performing application testing, while 54% plan to in the next year, according to Rapoza.

Testers now must act “in the strategic role of customer advocate and help deliver higher quality software throughout the enterprise by placing a laser focus on assessing the risk associated with every piece of software,” says Lanowitz. After all, it’s not just about producing quality applications, but also satisfying the expectations of end users and preserving the integrity of the company.

Cost benefit of doing pre-deployment testing

Conducting pre-deployment performance testing is critical, and it’s also much less costly. “It is easier, more cost-effective, and protects your brand to performance test before deployment,” says Berg.

Shunra surveys have pointed to the fact that “60% of the total cost in an application’s lifecycle comes from remediating performance-related issues after the app has been deployed,” according to Shunra CEO Gary Jackson. “If you cut that number down just a few points, you will see astronomical savings and ROI on the pre-deployment testing you performed. It is close to 100-to-1 in cost savings.”

The costs can really add up, “because it’s not just a matter of having to bring an app down, or bring a newer version down in order to rebuild it and retest it, it’s also the lost user opportunity; one bad experience will often drive your users away,” adds Rapoza.

Available tools

Fortunately, the market is responding with various tool and service offerings that address each layer of software performance.

Lanowitz discusses the proliferation of mobile test vendors and their willingness to partner with each other. “You have a whole host of mobile testing companies coming out. What they’re doing a really great job of is, they’re building this incredibly complex matrix that will allow you to test your mobile application from anywhere in the world into any geography. So you can do your testing from Bangalore, and say, ‘Okay, I have to make sure this will run perfectly in Chicago, in the United States, on these carriers.’”

Facebook takes on mobile ads based on user locale

With mobile advertising becoming increasingly important, Facebook appears to be amping it up. According to Bloomberg, the social network is developing a mobile ad product that uses real-time data based on users’ locations.

"Phones can be location-specific so you can start to imagine what the product evolution might look like over time, particularly for retailers," Facebook’s vice president of global marketing solutions Carolyn Everson told Bloomberg. "We’ve had offers being tested over the last couple of months."

When the company went public in May, people speculated that in order to keep share prices from falling, the social network had to figure out how to monetize its growing number of mobile users. The Securities and Exchange Commission also made it clear that the social network had to focus more on mobile. The company’s shares have fallen 17 percent since it went public.

According to Bloomberg, U.S. mobile ad spending is projected to grow 80 percent over 2011 and is said to reach $2.61 billion.

"The holy grail of advertising is finding people when they are at their closest point to making a purchase," stock analyst Colin Sebestian, told Bloomberg. "Having some location-based element to advertising can be very powerful, and if you combine that with all the personal data Facebook has, the potential is enormous."

Facebook’s ads for both Web and mobile are currently labeled "featured" and are included in users’ news feeds or are "sponsored" stories on the right side of the Facebook home page. However, according to Bloomberg, Everson said that there has been "really significant interest" in mobile-only news-feed ads, which the social network started selling earlier this month.

Source: http://news.cnet.com/8301-1023_3-57455726-93/facebook-takes-on-mobile-ads-based-on-user-locale/?tag=mncol;9n

Data breach? Virtual bounty hunters will hunt it down

Security expert Dan Clements is building a virtual "lost and found" box for data, a concept he hopes companies suffering from data breaches will embrace to find out just how bad the damage is.

Clements launched his startup, called CloudeyeZ, last September. He has since been nurturing an idea he says could save companies money by getting a better handle on how much data they’ve lost.

"There aren’t a lot of solutions for companies that are hacked," Clements said.

CloudeyeZ in California has a few different services. It works with freelance computer security consultants around the world who specialize in infiltrating forums, for example, that trade in stolen credit card and bank account details.

"We are virtual bounty hunters," Clements said.

If a bank suspects it has been hacked, it could give CloudeyeZ a sample of the data believed to have been stolen, such as a Bank Identification Number (BIN), which identifies a bank associated with a credit or debit card. CloudeyeZ investigators report back where it was found and leave the next action to the bank, Clements said.

Contacting law enforcement is sometimes "a last resort" when companies are trying to assess what was hacked, Clements said. The stolen data often isn’t identified, and the perpetrators, many of whom are likely to live outside the U.S., are unlikely to be prosecuted.

He envisions CloudeyeZ as a step before contacting law enforcement, where companies can get a grasp on what is lost and figure out the least expensive way of handling it.

CloudeyeZ is building a database called the Blind DB to store small bits of text and numbers, which could be matched with lost data. Only vetted parties would have access. CloudeyeZ hopes law enforcement agencies will eventually contribute stolen data so it can be matched with organizations hit with a data breach, Clements said. CloudeyeZ doesn’t hold all of the data it finds, as it would rather direct people to where the data is actually hosted.

CloudeyeZ is also experimenting with posting bits of information to Twitter: one of the latest cryptic clues revealed is "52082XXX24,5013,110,33617, wesley, IT guy."

The company also has an escrow arrangement where it acts as a middle-man between a finder of information and its seeker, collecting 20 percent of the reward money. CloudeyeZ provides a sample of the suspected stolen data to its bounty hunters, who then search the underground, contacting their own informants for more information.

In one case, a bank paid a reward for finding some of its intellectual property, Clements said. How does an organization ensure it isn’t buying its own property back from the thief? It doesn’t, Clements said.

"It’s up to them how they want to handle that batch of property," Clements said. "We don’t make a judgement call on how the property got out into the cloud. It could be stolen, but we are not going to make that judgment. We are hired by the owner to retrieve it, no questions asked."

Clements said CloudeyeZ is still an edgy concept, but one ready for a post-hack realm. There are so many young males using keyboards as the equivalent of an AK-47 firearm, he said.

"They can get into almost anything," Clements said.

Source: http://www.infoworld.com/d/security/data-breach-virtual-bounty-hunters-will-hunt-it-down-195882

Attack code published for two actively exploited flaws in Microsoft software

Attack code for two actively exploited vulnerabilities in Microsoft software, one of which has not yet been patched, was integrated into the open-source Metasploit penetration testing framework.

One of the vulnerabilities is identified as CVE-2012-1875 and is located in Internet Explorer. Attackers can exploit it to execute malicious code by tricking users into visiting a specially crafted Web page or opening a Microsoft Office document that has a malicious ActiveX control embedded into it.

Microsoft addressed the security flaw on Tuesday as part of its MS12-037 security bulletin, but according to security researchers from antivirus vendor McAfee, the vulnerability had been actively exploited in attacks since at least June 1.

The flaw was recently used by hackers to infect the computers of people who visited Amnesty International’s Hong Kong website with malware, security researchers from Symantec said in a blog post on Monday.

"Microsoft is aware of limited attacks attempting to exploit the vulnerability," Microsoft said on Tuesday. "However, when the security bulletin was released, Microsoft had not seen any examples of proof of concept code published."

That has now changed. The attack code for CVE-2012-1875 integrated into Metasploit targets Internet Explorer 8 on Windows XP with Service Pack 3.

The second actively exploited vulnerability for which an exploit module was added to Metasploit is identified as CVE-2012-1889 and is located in Microsoft XML Core Services.

According to researchers from security vendor Trend Micro, attacks targeting this particular flaw prompted Google to display warnings about state-sponsored attacks to Gmail users earlier this month.

Microsoft has yet to release a security patch for this vulnerability. However, a Microsoft "Fix it" tool that blocks the attack vector is available for download.

Even though the vulnerability affects versions 3, 4, 5 and 6 of Microsoft XML Core Services and can be exploited through both Internet Explorer and Microsoft Office, the exploit integrated into Metasploit only targets Microsoft XML Core Services 3.0 via IE6 and IE7 on Windows XP SP3.

The public availability of exploit code for both of these vulnerabilities increases the chances that they will be exploited in new attacks. Users are advised to install the security patch for CVE-2012-1875 and the Microsoft Fix it tool for CVE-2012-1889 as soon as possible in order to protect themselves.

Source: http://www.computerworld.com/s/article/9228203/Attack_code_published_for_two_actively_exploited_flaws_in_Microsoft_software?taxonomyId=145

Automation Anywhere Launches Testing Anywhere for Cloud Applications and HTML5

"Automation Anywhere and our Testing Anywhere product line have grown rapidly because we make it easy for people in the application lifecycle including QA testers, software developers and people in non-technical roles to automate tests intelligently," said Mihir Shukla, founder and CEO of Automation Anywhere. "80% of our customers are already building cloud or web applications and asked us to expand into the cloud. So in this release we set the goal to make it easier to test cloud, web and HTML5 applications, which are increasingly important in mobile and online. Our mission is to build products that provide our customers intelligent, powerful and easy to use automation."

–  Automatic Language Identification for Objects: Testing Anywhere’s intelligent technology was developed for the cloud. It detects an object’s programming language and then automatically chooses the best test automation technology for that language. This increases the efficiency of the testing process, especially when there are multiple types of objects and languages. Testing Anywhere works with languages including .Net, Java, WPF, HTML, Silverlight, Flash, Flex and more.

–  Application Testing in the Cloud: Automation Anywhere customer feedback says more than 80% of recorded test cases initially fail in the cloud using other testing tools. Testing Anywhere aims to significantly improve that percentage and also extends support for nested inline frames and framesets.

–  HTML5 support: With the growth of HTML5 in both web and mobile environments, Testing Anywhere now supports automated HTML5 testing.

–  Power User Functionality: Although Testing Anywhere was initially designed to be used by a wide range of users, many advanced users have requested more control over their testing environments. As a result, Testing Anywhere has added some power user functionality such as a free-flow editor for testers to quickly type and create test cases, a multi-tab editor, advanced debugging support, and support for regular expressions in many actions.

–  PDF testing support: Testing Anywhere now automatically tests PDF capabilities for applications that export or work with PDF documents.

–  Email testing support: More advanced email integration allows testers to easily connect to an email server from within Testing Anywhere and test email functionality of any software or web application.

–  Enhanced Testing for Mainframes: Testing Anywhere has always used terminal emulator technologies to test new and legacy applications. Testing Anywhere 7.5 offers more advanced mainframe testing and now supports SSH1 and SSH2 protocols.

–  Testing Anywhere first launched in December 2009 and is being adopted by large system integrators and other software development teams looking for significantly better efficiencies and quality around automated software testing. Testing Anywhere tests any application on any Windows platform; tests web applications on Explorer, Firefox, Opera, Safari and Chrome; and tests custom applications written in more than 20 languages including Python, Perl, C++ and C#. People interested in Testing Anywhere can download the free trial version

Read More: http://www.marketwatch.com/story/automation-anywhere-launches-testing-anywhere-for-cloud-applications-and-html5-2012-05-23

HP brings performance testing to the cloud

With more applications being built for the Web, performance testing is critical to determining the proper approach to scaling both applications and infrastructure. But for many years performance testing was largely a rich-man’s game, primarily because of the expense of setting up and maintaining a large server infrastructure that can simulate real-world traffic.

Hosted testing solutions make a lot of sense from both the user and provider perspective. Considering the vast computing power available at your fingertips there are few reasons why you would want to own the infrastructure, or not take advantage of the latest offerings from providers both large and small.

To that end, Hewlett-Packard is slated on Wednesday to announce LoadRunner in the Cloud, a new application performance testing suite running on Amazon Elastic Compute Cloud (EC2).

Ironically, HP is extremely late to the game despite having long held the lead in performance testing via its acquisition of Mercury Interactive in November 2006.

A number of companies, including Sauce Labs and BrowserMob, have seen a great deal of success with their cloud-based offerings, and each player brings a unique angle. Sauce Labs is based on the open-source Selenium project and gives users the option to run the code themselves or consume it as a service, whereas BrowserMob has expanded into offering monitoring in addition to testing.

Overall, performance and other testing via cloud-based services remains one of the more logical, accessible use cases to prove out the cloud as a necessary part of one’s infrastructure.

To its credit, HP has been making some moves into the cloud ecosystem, but there is still a long way to go for any tech vendor trying to usurp Amazon’s domination as a provider of cloud infrastructure services.

Source: http://news.cnet.com/8301-13846_3-20005276-62.html

Static analysis technology for web application security

Coverity has extended static analysis to deeply understand both source code and modern web application architecture, providing greater accuracy and remediation guidance to help developers find and fix security defects that can lead to the most commonly exploited vulnerabilities including SQL injection and cross-site scripting.

Designed from the ground up to analyze web applications from the developer’s point of view, Coverity’s new technology addresses the complexity of modern web applications and enables developer adoption of static application security testing in a way that the shallow, incomplete analysis of first-generation tools failed to achieve.

Coverity’s innovations in static analysis technology are the first to:

  • Augment static source code analysis with a framework analyzer that minimizes inaccuracies when data passes through application frameworks, thereby minimizing false positives.
  • Incorporate a white box fuzzer inside static analysis to automatically validate that data sanitization routines perform sufficient sanitization of untrusted data and are used in the right context.
  • Provide precise, defect-specific remediation guidance to ensure developers understand how to fix security defects correctly and efficiently.

“Getting developers to fix security defects requires much more than just integrating static analysis into an IDE. Developers need evidence that the defects identified are real, and they need to understand how to fix those defects in their code,” said Andy Chou, Coverity co-founder and CTO.

“First-generation static analysis tools are not effective in helping developers because they don’t credibly provide them with this information. We are making it easy for developers by taking the guesswork out of finding and fixing security defects,” Chou added.

Source: http://www.net-security.org/secworld.php?id=13083
