We had an interesting discussion (even a dispute) about estimation in an internal workshop on that topic. I have been thinking about it since and want to share my conclusions.
Test estimation: the disagreement
The accuracy of an estimate increases, and the effort required to produce that estimate decreases, over the course of the project, as I learn more about the business, customer expectations, technology, process, even the developers and the mistakes they usually make. It is wrong…
OK, this is indeed just another blog about the terms test versus check, but with some reflections from the security testing field. So only read on if you are not already sick of the test vs. check type of conversation.
Last time I described how I do security testing in my organization, it got labeled "internal audit" by a person in the audience (who, as you may guess, does external audits, i.e. audit as a 3rd-party service).
I also see that people in functional…
I have an impression that penetration testing is mostly associated with things like port scanning, looking for missing security patches, breaking weak encryption and optionally social engineering. Web application penetration testing is different, isn’t it? With a lot of experienced, competent and certified pentesters/hackers/IS security professionals who have little to no experience with web application security testing, what is going to happen as the industry moves to the cloud and adds web access…
Added by Ainars Galvans on April 27, 2015 at 10:30 — No Comments
Last year I was at the only conference in my life that really changed something for me. Sorry to say – it is not a testing conference, it’s a business one. So last year’s theme was about being indispensable. One of the notes I made at that conference was “be weird if you want to be remarkable”. I’ve just realized – it’s a way to say “follow the worst practices, not the best practices”, unless of course you want to be just another brick in…
Added by Ainars Galvans on March 27, 2015 at 12:00 — No Comments
Yes, I know – yet another blog on best practices, when we all know there are no best practices; even so, please don’t give up using this term. I know at least one good reason why they use this term – it’s just the best term they have found to give a short name to their bigger issue. Or let me quote James Bach talking on a slightly different subject:
A term can serve as a label indicating the presence of a bigger story under the surface.
I agree on that. Actually…
In this story I'll share how I missed an advanced Insecure Direct Object Reference vulnerability due to missing test data.
As described before, for confidentiality reasons I have made up a context, but the technical part of the story is true.
So let’s assume I…
Added by Ainars Galvans on November 21, 2014 at 9:00 — No Comments
In this story I'll share how I missed an advanced XSS vulnerability and only discovered it after a conversation with developers and doing extra tests based on that conversation. Moreover, I had to analyze the defense control of the app to come up with a custom test to break through.
As described …
Added by Ainars Galvans on October 31, 2014 at 11:30 — No Comments
In this story I'll tell you how XSS tests discovered a significant repudiation issue which I was not really testing for. I've added some extra thoughts about XSS protection itself being the reason for a security issue.
I’ve decided to share some security bugs I’ve found in different web apps, but due to confidentiality reasons I will not tell you the details of the web app. So actually I’ve decided to make up a context where this experience would be relevant.
Added by Ainars Galvans on October 30, 2014 at 9:00 — No Comments
For the last few years I’ve been doing security testing and am finally ready to start blogging about it. So this is my first blog. The reason I write it is the realization that in security testing, just like in functional testing, with experience your stack of test ideas grows so huge that you have to decide: either follow so-called best practices or adjust them for your project context and make a lot of micro-decisions about which tests will bring less value to the stakeholders.
My first impression…
Perhaps I won’t say anything new, but I’ve read a blog where people are equated to tools and it reminded me of managers who believe that every person in a team is just a resource. No, they don’t think everyone is the same. They know each individual person has their own skills, so you have to choose the tasks you give them, best of…
Comments on my previous blog, bugs I wouldn't report, helped me to realize I’d failed to describe my reasons for not reporting some bugs. I’ll try again. So, first of all there are:
Bugs I would always report
I’ve been avoiding reference to Michael Bolton’s …
This is an illustration of my previous blog post. I realized I need to provide some examples.
My favorite example is a bug which is quite common in many applications. For example, Facebook and Skype have this problem in their registration forms. You have to enter a date, and if you first enter the day, e.g. the 31st, and only then want to enter the month and happen to enter February, or – as in the attached case – you press down to scroll through the months, your once-entered day is all…
The other day I was asked at a conference if it is ethical that I’m sometimes not reporting bugs. I compared this to the ethics of a doctor who does not tell the whole truth to a patient when there is nothing they can cure, but only tells the patient’s relatives. I want to expand this topic a bit.
What are the bugs I’m not reporting
So first of all – it’s not a habit of mine to hide bugs. But neither is it a taboo. However, there should be a reason for me to do that. Have you ever…
Bugs, for me – a software tester – are the means to describe and impact the quality of the software I test. Most bugs just tell you what I did, what I got and what I expected instead. Some bugs are stronger, some weaker (not everyone expects what I do). But everyone could repeat my experience and understand what I mean.
Quality is not as simple. Quality is “how good they think it is”, not just how good it is. Depending on your context (mood, hunger,…) you could make different…
I’m testing a web service and all my tests are automated; each has its setup (create data), testing (do actions with the data) and clean-up (delete data)…
Added by Ainars Galvans on April 18, 2012 at 15:00 — No Comments
This comes from Wikipedia:
Regression testing is to determine whether a change in one part of the software affects other parts of the software
This is not wrong, but it’s incomplete. Discovering that “a change in one part of the software affects other parts of the software”…
I have and follow my code of ethics in software testing, do you? My code is simple – I only ever do things that would let me be proud of what I’ve done. Perhaps everyone does so. So I decided to go into a little more detail here, because for me ethics means that I am ready to (and I did a few times) say NO to my boss or my customer if I don’t believe I could be proud of the results.
So the reasons why I refuse to do some tasks for my boss or my customer, or even to participate…
I’m confused when I see people from other industries taking the banking industry as an example of high-quality software caused by high stakes/risk. Banking software is far from perfect. Perfect software costs a lot and is an illusion anyway. If internet banking sites are more or less user friendly, then back-office and teller software is not much better than green screens from the 80s. There are a lot of back-office people doing workarounds, manual fixes, etc. Why so? I think the reason is high…