CITCON 2014 Zagreb report

Ready, steady, go CITCON Zagreb 2014!
my first iOS 7 photo panorama picture

I am pleased that last weekend Zagreb hosted CITCON (pronounced kit-kon). CITCON is an open conference about continuous integration and testing.
I was afraid that the conference would be only about test automation, but I was proved wrong.
We gathered on Friday afternoon at 6 pm. Jeffrey and Paul gave an introduction to CITCON, the Open Information Foundation and the structure of an open conference. Very useful information for those who were first-time attendees.

Intro has been done.

On Friday we needed to define the unconference topics. Anybody with a topic had 2 minutes to present it, write it on a post-it and stick it on the whiteboard. If it got enough votes from the other participants, it made it to the final schedule (four rooms by five sessions).

White board: work in progress

Friday evening finished with Zeljko's sponsored event: beer testing.

But participants were proactive: on Saturday they added one more room and five more sessions!

I already said that I was afraid this would be a heavy automation conference. But the sessions from Jeffrey (I prove you that you are wrong) and Squirrel (Normal accidents and root cause analysis; I want to be awesome) talked about topics that did not involve any programming language. They were proof that testing will never be dead!

On Saturday we had our sessions. In the end, every attendee had to share their a-ha moment.
My a-ha moment came from the topic about polytesting: how to run a regression test suite from the bottom up. I was not sure that this was the idea the author meant to convey, but that is one of the goals of an open conference.
Instead of a closing ceremony, there was a draw of our satisfaction questionnaires. Four books from Pragmatic Bookshelf were given away.
Catering was great, and the event location was sponsored by HGK Informatika.

On Saturday evening I showed some of the participants the Zagreb downtown area, and a second a-ha moment emerged. A tester should always ask questions for clarification. Why? Participants from Helsinki were interested in hosting the next Euro CITCON event. As I was one of the volunteers for CITCON Zagreb, they asked me how much money it cost. I clarified to them that the Open Information Foundation covers all the costs. And I think that information helped a little bit in the decision that the next CITCON Europe will be held in Helsinki.


When a system does what it is not supposed to do


When I started my company, I automatically became a "power user" of my bank's Internet services.
My bank provides three types of Internet services:

New SBnet token generator

  • SBnet retail
  • SBnet business clients
  • SmartOffice business clients 

I am currently using both SBnet (private account) and SmartOffice (company account) applications.
For clients it is important to know that SBnet uses a different token generator than the SmartOffice application. The new SBnet token generator's user experience is much worse than the SmartOffice token generator's, because pressing its buttons is really hard.

The point of this story is that this summer I was asked to replace my old token generator, but the email did not state for which service, SBnet or SmartOffice. I was hoping that the bank employee would have that information. He took both of my token generators and gave me two new ones (the ones from the SBnet picture). He also mentioned that the new token generator is much better than the old one 🙂

I tried to check them by logging in to SBnet and SmartOffice, but I was not able to log in to SmartOffice. After a call to the help desk, I realized that only the old SBnet token card should have been changed. The bank clerk did what he was not supposed to do.

SmartOffice token generator
Old TAN card. www.splitskabanka.hr

The risk was that I was not able to do any transactions on my company account using SmartOffice, and that was payday; you do not want to be even one day late with paychecks in Croatia.
The point of this story:

  • my bank definitely has complicated business processes
  • nobody informed the bank employees about the scenario for changing old TAN cards
  • the issue did not involve software, but people and processes

FFAX VS MERRI – testing oracle mnemonic

Credit to www.owasp.org

Inspired by the FEW HICCUPPS oracle mnemonic, created by James Bach and extended by Michael Bolton, I decided to contribute my own mnemonic to the set.

Oracles are fallible heuristics that help us identify problems in a product. A mnemonic helps us remember things. This is a very helpful aid for testers, because by memorizing a set of testing mnemonics a tester has a powerful set of testing ideas at hand (as important as, if not more important than, programming skill).

I have always been interested in security testing. The starting point for learning about security testing is the Open Web Application Security Project (OWASP) home page. The OWASP Top 10 (the 2013 list, at the time of writing) nicely summarizes the ten most critical security risks for web applications. They are actually starting points for security testing ideas. In order to remember them easily, I created the following mnemonic (OWASP's single item "Unvalidated Redirects and Forwards" gets two letters, F and R, which is why there are eleven letters for ten risks):

FFAX VS MERRI 

Forward. Unvalidated forwards. The user is forwarded to a different page or context inside the application based on a parameter. Have you checked whether this is a safe operation for the user, or whether it skips an access check?
Forgery. Cross-Site Request Forgery. The application thinks that the request was made by a valid, logged-in user, but the user never intended it; another site triggered it with the user's browser and cookies.
Access. Missing function-level access control. A junior tester has the same application access rights as the CEO.
X. Cross (this one is special: X as a sign, not a letter, represents "cross"). Cross-Site Scripting. It is possible to execute attacker-supplied JavaScript in the context of the application.

Vulnerabilities. Is the product using components with known vulnerabilities?
Session. Broken authentication and session management. The session token is the proof that the user entered their username and password; anyone who obtains it is that user.

Misconfiguration. Security misconfiguration. The product is misconfigured and does what we do not want it to do (default accounts, verbose error pages, unnecessary features left enabled).
Exposure. Sensitive data exposure. Data is accessible, or stored and transmitted unprotected, when it should not be.
Redirect. Unvalidated redirects. The application redirects to a URL taken from user input without checking it, so a link that looks like it points to the application can land the user on an attacker's site.
Reference. Insecure direct object reference. The object is a file, database key or directory, referenced by a value the user can change without the application checking that the user is allowed to reach it.
Injection. Untrusted data is interpreted as part of a command or query and executed by the interpreter.

And you thought that you would never use fax ever again!
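Two of the mnemonic's letters, Injection and Redirect, as runnable checks: the vulnerable version beside its hardened form, the way a tester would turn a mnemonic item into a concrete test idea. This is an added example, not code from the original post; the users table, the two accounts, the attacker inputs and the application host name `app.example.com` are constructed for the example.

```python
"""Two of the FFAX VS MERRI risks as runnable checks: Injection and Redirect.

Added example, not code from the original post. The users table, the two
accounts and the attacker inputs are constructed for this example so it runs
offline; the application host name and the ``next`` redirect parameter are
assumptions, not something the post describes.
"""
import sqlite3
from urllib.parse import urlparse

# --- Injection: application data is interpreted as a command --------------

def make_db() -> sqlite3.Connection:
    """Constructed sample data. Passwords are stored in clear only to keep
    the injection demonstration short; a real application stores hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("junior", "hunter2", "tester"), ("ceo", "s3cret", "admin")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Untrusted input is spliced into the SQL text, so a quote in the
    username ends the literal and the rest of the input becomes SQL."""
    sql = (
        "SELECT role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver hands the values to SQLite as data,
    so the same payload is compared against the column and simply fails."""
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# --- Redirect: unvalidated redirect to a user-supplied URL -----------------

ALLOWED_HOSTS = {"app.example.com"}  # assumption: the application's own host


def redirect_target_vulnerable(next_url: str) -> str:
    """Wherever ?next= points, that is where the user goes."""
    return next_url


def redirect_target_safe(next_url: str, default: str = "/") -> str:
    """Honour only same-site paths or absolute URLs on an allowed host.

    Rejects the usual bypasses: protocol-relative ``//evil`` and ``///evil``,
    backslashes (browsers treat ``/\\evil`` like ``//evil``), lookalike or
    userinfo-prefixed hosts such as ``app.example.com@evil`` and non-http
    schemes such as ``javascript:``.
    """
    if "\\" in next_url:
        return default
    parts = urlparse(next_url)
    if (next_url.startswith("/") and not next_url.startswith("//")
            and not parts.scheme and not parts.netloc):
        return next_url
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    db = make_db()
    payload = "ceo' --"  # closes the quoted literal and comments out the rest
    print("vulnerable login:", login_vulnerable(db, payload, "wrong"))
    print("safe login:      ", login_safe(db, payload, "wrong"))
    for url in ("/account", "//evil.example/", "https://evil.example/"):
        print(url, "->", redirect_target_safe(url))
```

Run it and the vulnerable login returns the CEO's role for a wrong password while the parameterised one returns nothing; the redirect helper sends every off-site or malformed target back to `/`. A real redirect check should also confirm the allowed-host list is the application's own, not a list the user can influence.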


OAuth2 antipattern

Credit: http://ocpsoft.org/

OAuth is an open standard for authorization. It lets a third-party application obtain limited access to a user's account at the OAuth provider without the user handing their provider credentials to the third party; "log in with Facebook" is authentication built on top of that, where the application trusts the provider's statement about who the user is.

Let's take Stack Overflow as an example. You can log in to Stack Overflow using your Facebook account. Now try the following scenario. In incognito mode, log in to Stack Overflow using your Facebook account. Go to facebook.com. You are already logged in to your Facebook account. Did you expect that?

Go to the Stack Overflow log out page. Wait a minute, what is this rambling on the log out page?!

If you’re on a shared computer, remember to log out of your Open ID provider (Facebook, Google, Stack Exchange, etc.) as well.

Click on log out and go to facebook.com. You are still logged in to your Facebook account!

This is a security issue, and not only if you are using a public computer. It is a security issue because by logging in to Stack Overflow you are also logged in to the OAuth provider, and logging out of Stack Overflow does not end that provider session.

Now log out of your Facebook account and refresh the Stack Overflow home page. You are still logged in to Stack Overflow. The two sessions are independent in both directions.

Dear OAuth providers, separate the session you create for a third-party login from the session for your own service; if you do that, the web will be a much safer place.

Dear third-party applications using OAuth login, please also log the user out of the OAuth provider automatically, because you can do that. A notification in small print will not do the trick.
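What "log the user out of the provider too" looks like on the relying-party side, as an added example that is not code from the original post, from Stack Overflow or from Facebook. It assumes the provider implements OpenID Connect RP-Initiated Logout (an `end_session_endpoint` that accepts `id_token_hint`, `post_logout_redirect_uri` and `state`; a draft at the time of the post and now a final OpenID Connect specification). Whether a particular provider supports it is not something the post says, and the endpoint URL `idp.example`, the registered post-logout URI, the session dictionary and the ID token value are placeholders.

```python
"""Relying-party logout that also ends the identity provider's session.

Added example, not code from the original post, Stack Overflow or Facebook.
It assumes the provider implements OpenID Connect RP-Initiated Logout: an
``end_session_endpoint`` that accepts ``id_token_hint``,
``post_logout_redirect_uri`` and ``state``. The endpoint URL, the registered
post-logout URI, the session dictionary and the ID token are placeholders.
"""
import secrets
from urllib.parse import urlencode

# Assumed provider metadata (normally read from the provider's
# /.well-known/openid-configuration document).
END_SESSION_ENDPOINT = "https://idp.example/connect/endsession"
# Must be pre-registered with the provider, or the provider rejects it.
POST_LOGOUT_REDIRECT_URI = "https://app.example.com/logged-out"


def logout_local_only(session: dict) -> str:
    """The behaviour the post complains about: the application forgets the
    user, but the browser still holds a live session at the provider."""
    session.clear()
    return "/"


def logout_with_provider(session: dict) -> dict:
    """Clear the local session, then send the browser to the provider's
    end_session_endpoint so the provider session is ended as well.

    Returns the redirect URL and the ``state`` value; the caller stores
    ``state`` in a short-lived cookie and checks it when the provider
    redirects the browser back to POST_LOGOUT_REDIRECT_URI.
    """
    id_token = session.get("id_token")  # tells the provider which login to end
    session.clear()                     # local logout happens regardless
    state = secrets.token_urlsafe(16)
    params = {"post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI, "state": state}
    if id_token:
        params["id_token_hint"] = id_token
    return {"redirect": f"{END_SESSION_ENDPOINT}?{urlencode(params)}", "state": state}


def post_logout_callback(query_state: str, cookie_state: str) -> bool:
    """Handle the provider's return: accept it only if the state round-tripped."""
    return bool(cookie_state) and secrets.compare_digest(query_state, cookie_state)


if __name__ == "__main__":
    browser_session = {"user": "alice", "id_token": "eyJhbGciOi.example.signature"}
    result = logout_with_provider(browser_session)
    print("local session after logout:", browser_session)
    print("redirect browser to:", result["redirect"])
```

The local session is cleared before the redirect is issued, so the application is logged out even if the user never completes the provider step. The trade-off the post argues for is real: this ends the user's provider session everywhere, not just for this application, which is exactly what a shared computer needs and what a user on their own machine may not expect.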
