SQL Injection for Dummies

Being a security tester, I have one of the most challenging and creative jobs in my profession. We testers are asked to identify as many major security vulnerabilities in an application as we can, given limited time and resources. We are constrained to explore the application in less time than the developers who built it took to build it, yet we must discover every vulnerability present, while the attacker conveniently has all the time and resources to do the same. Well, that's what makes this job interesting and challenging.

As SQL injection continues to be the dominant technique for data theft and fraud, I would like to dedicate this post to the topic in an effort to help eliminate the problem. Let's get started with the basics of how to identify an injection point.

Tags: Testing

What’s the Mantra for detecting your security threats?

Many new applications are emerging in the market on one side, and new security threats are emerging on the other. Earlier, product owners were not serious about their application security and did not give much importance to security testing, since attackers were few. Nowadays, however, a large number of people have started hacking for fun, money and popularity. They either gain access to confidential information or inject malicious code to crash the system. Product owners have now begun to understand the importance and criticality of application security, and they want their products to be secure.

Testing an application's security manually is possible but becomes a mammoth task. The right tools should help a tester make progress in detecting the security threats in the application. That leads us to the question: "What's the mantra (the right tool) for detecting your security threats?" Well, the answer lies in the question itself. It's the "Mantra" browser. Mantra is an excellent browser-based framework for security testing.

Tags: Testing

Estimation for Software Testing

Do you estimate Testing effort as X% of Coding effort?

Scene 1:

The customer has provided adequate documentation on the requirements for the software to be developed and now requests a quote. Pre-sales consultants with a developer background spend just enough time analyzing the requirements and discussing with the developers, architects and project managers how much effort the development (analysis, design, coding, project management) would take in the specific architecture and technology. They go through a series of refinements with various stakeholders before the estimate is presented to the customer. However, when it comes to estimating the testing effort, the oft-heard response is: "Oh! Don't you worry; it is just x% of the coding effort. That has worked for us….."

Well, that's a scene I have witnessed many a time.

Now, let's cut to Scene 2:

Tags: Testing

Near Field Communication (NFC)

When they were first introduced, mobile phones were meant to be just another means of communicating with people while on the go. With technological innovation, however, they are now used for a variety of purposes other than keeping in touch with people. Mobile devices have become an inseparable part of our daily lives, and they would make life that much easier if they could also be used for a host of other activities such as making payments at store counters, opening parking barriers, purchasing tickets at public transport counters, etc.

Near Field Communication (NFC) is a technology that makes this possible. NFC belongs to a large family of technologies that enable two devices to communicate over a short distance through radio waves. NFC in itself is not a new technology, but its integration with mobile devices opens up a host of hitherto unseen possibilities. The architecture of most mobile devices, which is inherently secure, makes it possible to develop extremely innovative NFC-based services. NFC makes life easier and more convenient for consumers around the world by making it simpler to make transactions, exchange digital content, and connect electronic devices at the touch of a button.

Tags: Mobile

Effective Visual Communication tool – qTrace

In our organization, some of our QA team members often participate in contests conducted by 99test and have won several times. A few weeks ago, 99test announced a contest to test the "qTrace" tool. While participating in this contest, we got to learn more about qTrace, an innovative defect documentation tool by QASymphony. The participants in this contest were provided with a full-year license. Though the contest was to test the tool and identify bugs in it, we were able to explore the various features of qTrace, and it is indeed a very good bug-documentation tool.

Many a time we have had to work on projects that did not have upfront documented requirements for testing and also had to be completed in a short timeframe. In such cases we do exploratory testing, learning about the application while we test it. Here we create test cases that are more like checklists than the usual detailed test cases. When a bug turns up while testing against these checklists, we need to write down each action performed and the system information, and include screenshots and other details so that the developer can reproduce the bug and work on fixing it. This used to be quite a tedious and time-consuming task.

Tags: Testing