Sunday, 19 April 2015

DEV and Testing Deliverables

Many problems arise for testers and the testing team, mainly for the following reasons:
  •      Late delivery of the code for testing
  •      Test environment not being available, ready or set up properly
  •      Lack of information regarding the product, project and process
  •      Lack of clear communication at all these levels

These are also the reasons for delays in delivering tested code and the product to User Acceptance Testing, in instances where a UAT team is involved.

Here is a mind map which sheds light on what the testing team requires before it can start testing, and on the teams involved in delivering it.

This is applicable in an agile context where the testing team waits on the DEV team for test deliverables.

Do add on to this mind map. Share and use in a context applicable to you.

Having a checklist will not help unless it is put to use properly.

To avoid blame and miscommunication within and between the teams involved, try to
  • be aware of the risks,
  • educate the concerned teams and convey the risks involved to them, and
  • have a mitigation plan to tackle unforeseen problems.
Above all, communicate the delays and risks honestly, bravely and decisively.

Saturday, 18 April 2015


WINJA, an all-women Capture The Flag (CTF) event arranged at NULLCON 2015 by Sneha Rajguru, Apoorva Giri and Shruthi Kamath, was a well organized and well run event.
The event attracted enthusiastic participants from across India, some of whom were already regulars at the null chapters in their respective cities.

Wondering what or who a WINJA is?
WINJA stands for Women Ninja at NullCon. It is an on-site simulated hacking competition at nullcon in which individuals attempt to attack and defend computers and networks using certain software and network structures.
Three groups were each given vulnerable systems and asked to solve the challenges. Below are some of the challenges presented to the participants.
  1. Missing function level access control
  2. Command execution
  3. SQL Injection
  4. IDOR
  5. Spoofing Referer
  6. Reflected XSS
  7. Sensitive data exposure
  8. File upload
  9. Stored XSS
  10. CSRF
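Two of the categories above, IDOR and missing function level access control, are easy to name and easy to get wrong in the same way: the handler authenticates the caller but never authorizes the specific action or record. The following is an added example written for this page, not code from the WINJA challenge machines; the user and invoice data, the `User`/`Forbidden` types and the handler names are all constructed for illustration. Each vulnerable handler is shown beside its hardened form.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


class Forbidden(Exception):
    """Raised by the hardened handlers when an authorization check fails."""


# Constructed sample data for the example (not from the event's challenge VMs).
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
INVOICES = {
    1001: {"owner": 1, "amount": 120},
    1002: {"owner": 2, "amount": 999},
}


# --- IDOR (insecure direct object reference) ---------------------------------
def get_invoice_vulnerable(session_user, invoice_id, invoices=INVOICES):
    # The caller is logged in, but nothing ties invoice_id to the caller:
    # user 1 can request /invoice/1002 and read user 2's data.
    return invoices[invoice_id]


def get_invoice_hardened(session_user, invoice_id, invoices=INVOICES):
    invoice = invoices.get(invoice_id)
    # Ownership is checked server-side. "Missing" and "not yours" get the same
    # error so the endpoint cannot be used to enumerate which ids exist.
    if invoice is None or invoice["owner"] != session_user.user_id:
        raise Forbidden("invoice not accessible")
    return invoice


# --- Missing function level access control -----------------------------------
def delete_user_vulnerable(session_user, target_id, users):
    # The "delete user" link is only shown to admins in the UI, but the handler
    # never checks the role, so any user who guesses the URL can call it.
    users.pop(target_id, None)
    return True


def delete_user_hardened(session_user, target_id, users):
    # Enforce the role on the server; hiding the link is not a control.
    if session_user.role != "admin":
        raise Forbidden("admin only")
    return users.pop(target_id, None) is not None


def denied(handler, *args):
    """True if the handler rejects the call with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice, bob, admin = USERS[1], USERS[2], USERS[3]
    print("IDOR vulnerable:", get_invoice_vulnerable(alice, 1002))  # bob's invoice leaks
    print("IDOR hardened denies:", denied(get_invoice_hardened, alice, 1002))  # True
    users = dict(USERS)
    print("delete vulnerable:", delete_user_vulnerable(bob, 1, users), 1 in users)  # True False
    users = dict(USERS)
    print("delete hardened denies:", denied(delete_user_hardened, bob, 1, users))  # True
    print("delete hardened admin:", delete_user_hardened(admin, 1, users))  # True
```

The point a tester should take from a CTF like this: in both cases the request looks perfectly valid to the web server and the session is genuine, so neither flaw shows up in a login test. Only exercising the endpoint with a second account, or with an id you were never shown, reveals it.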

Participants were grouped into three teams of 3 or 4 girls each.
  1. Group A participants: Kriti, Shobha, Rupali, Soni
  2. Group B participants: Sudeeksha, Elizabeth, Angeline
  3. Group C participants [WINJA Winners]: Vandana, Hema, Ananya

Cracked challenges and scores
Missing function level access control: 10, SQL Injection: 10, Reflected XSS: 30

The participants tested their hacking skills, learnt different attack vectors for various vulnerabilities and had fun while doing it.

Feedback from some of the participants
Saumya - Excellent concept, glad to have bonded at the first and one of its kind women-only event.
Kriti from Adobe - Liked the opportunity to volunteer and be a part of the event.
Sneha, a participant from Attify - An exclusive women-only event helped to network with the other participants and know each other.
Elizabeth - It was my first CTF event, tried and understood what I was doing and enjoyed it.
More such events should be organized.
Ananya Chatterjee - Having the event organized at NULLCON helped. Glad that it was an in-house event so that the participants could attend the conference plus the competition.

Overall the participants agreed that the event was educative and helped them get to know and network with each other.
Team 2 continued to crack the challenges after the event, with the winning team helping the runners-up.
It did not stop there: Sneha Rajguru extended her help beyond the event by sharing contacts so that the participants could keep exchanging ideas and knowledge.
Some of the participants expressed their interest in contributing to Infosec Girls and being a part of the null chapters in their respective cities.

Group C emerged as the winners and were awarded at the end of the event.

The event in pictures

About The Event organizers - The Infosec Girls
Apoorva Giri
Apoorva works as a Security Analyst with iViZ Security (a Cigital company). She has presented a workshop on "Cyber Security and Ethical Hacking for Women" at c0c0n 2014 at Kochi, Kerala. Her interests lie in Web Application Security and Mobile Security. She's an active member of the null/OWASP Bangalore Chapter. She has been listed on the Barracuda Hall of Fame for finding vulnerabilities in their application.
Shruthi Kamath
Shruthi works at Infosys Limited. She is a Certified Ethical Hacker from EC-Council. She has presented a workshop on "Cyber Security and Ethical Hacking for Women" at c0c0n 2014. She has conducted a one-day workshop on "OWASP TOP 10" at the null Bangalore chapter. She presented on "Secure SDLC" at the c0c0n Conference 2013. She participated in Jailbreak at nullcon 2014. She presented a talk on "Cybercrimes in India and its Mitigation" at the National Conference for Women Police held at Trivandrum. She's an active member of the null/OWASP Bangalore Chapter. Her area of interest is Web Application Security.
Sneha Rajguru
Sneha works at Payatu Technologies Pvt. Ltd. She is a Certified Ethical Hacker and a Licensed Penetration Tester from EC-Council. She's an active member of the null Pune Chapter and has presented talks on various information security topics during the local null meets (Pune chapter). Her areas of interest are web application and mobile application security and fuzzing.
Follow the web links below to learn more about the NULLCON conference, Infosec Girls and null chapters.
Null - Infosec Girls - NULLCON -

Saturday, 4 April 2015

About automation and mismeasurements

Testing Newsletter - 1

  • 100/100 test cases automated - testing team awarded.
  • Management says a 12.73 failure rate is a must for every testing cycle.
  • Testers denied from attending trainings on analytical and critical thinking skills.
If such are the criteria for accolade and criticism, then we as professionals and leaders have failed ourselves.

Are these people who make such suggestions / decisions educated in software testing?
The testing team must seek answers and challenge such decisions made.

To those who think automation is the solution to any testing problem: read, and read often enough to know the origin, history and usage of automation. Then apply this knowledge to decide whether automation is the solution to the problem at hand.

Read enough to know the pros and cons of test automation. Then use it wisely.

About automation and mis-measurements

Consider this example below to understand what we can do to educate ourselves and those around us.

Preparation of Doughnut (or Vada)
We can automate the preparation of doughnuts, but everyone who eats one has a different need or taste, or is allergic to some of the ingredients used. The same doughnut prepared from the same ingredients by the same process is not the only way to prepare a doughnut; nor is test automation the only solution to every testing problem.

Extending this analogy to testing: by introducing variations and complications we begin to gather information about the product. With this information we learn the context in which the doughnut is prepared, served, to whom, and under what conditions. These parameters define the CONTEXT.

Do we, as inheritors of this knowledge, understand and apply the knowledge of context before defining or suggesting automation? If yes, then good.

If the answer is no, then let's begin to read regularly and apply the knowledge. No two users are in the same environment or the same context when preparing, serving and consuming the doughnut. Why, then, suggest and sell test automation as a solution without thorough research into the organization, product, team, technology, environment and users?

Do not suggest test automation merely because you have read organization X's profit sheet. Do your own study and put your power to influence to good use.

Measure under pressure
Measurement under pressure is a recipe for disaster.
Not immediately, but eventually, metrics and measurements taken under pressure corrupt the system and the process being followed.

Metrics must serve a purpose, have well defined parameters, and state the environment and the conditions under which they can properly be used.
Record the data as clearly as possible.
Metrics should not be used merely to achieve, over-achieve or under-achieve some objective,
or to meet the standards of an audit-ready document.

"Whenever possible, be clear" - Confucius
When defining requirements, a test strategy, an automation framework or test reports, be clear.