Skip to main content

Posts

Showing posts from 2017

Testing impact on security

... or the impact when testing is lacking? Security breaches , hacks , exploits , major ransomware attacks - their frequency seem to increase recently. These can result in financial, credibility and data loss, and increasingly the endangerment of human lives. I don't want to propose that testing will always prevent these situations. There were probably testers present (and I'm sure often also security testers) when such systems were created. I think that there was simply a general lack of risk-awareness on these projects. There are many tools and techniques from  a pure technical point of view to harden the software in security context. Some of them have automated scans which crawl through your website and might discover the low hanging fruits of security weaknesses ( ZAP , Burpsuite ...), without much technical knowledge from the person operating it. The more important aspect is however the mindset with which you approach the product. The tester is often the f...

Kali Linux 101

Linux was always a bit too 'geeky' thing for me. My recent time on bench provided me however with time and motivation to go into this "terra incognita". The intention was originally to learn some foundations of security testing. After a while I discovered that Kali Linux could provide also benefits for the everyday testing routine. Following is a simple set of tools that will support and enhance your testing. whatweb Whatweb is a web scanner which provides information about the technologies used on the website, mail addresses found and many more Example (type into terminal in Kali Linux): whatweb 0-v https://www.houseoftest.rocks/ whois  Provides domain and legal information about the target website (where is it registered, owner, address, etc.) Example:  whois houseoftest.rocks cewl Outputs all the words contained in the target website. You never know when such feature comes handy. You can output also into a file of course. Examp...

Don't blindly follow requirements

Each rule/requirement has a reason to exist and I firmly believe the written form of the rule is rarely 100% mirroring the intention. A really nice example of this is the following situation: Rule/Requirement -> Person on ID photo shouldn't have glasses on My rejected photo If you look closely you can see my glasses which is a clear breach of the rule. PS: To you my fellow clerk in the Swiss Strassenverkehrsamt: I'm not angry at you, but when the AI kicks in, you will the first to be replaced by  computer;)

Testers toolkit

As every craftsman needs his tools, testers are no exceptions. I was this weekend at  SOCRATES SWITZERLAND  (SOftware CRAftsmanship and TESting) where we talked also about useful everyday tools. This list tries to be as general as possible to provide tools which can be useful to most part of everyday work, more specialised test-useful tools are very context dependent. I use most of the tools mentioned here and believe they can provide value also to you. Documenting Screenshot  - good picture is worth thousand words, this applies especially for testing, the following are some screenshotting tools and editors I used and can recommend Lightscreen  - simple tool for capturing pictures, free, cannot edit the pictures FastStone  - screen capturing tool and editor, cheap & gets the job done Snagit  - very powerful screen capturing tool and graphic editor, many functions which you never knew you can do, but wont be able to live without afterwards...