Photo: Ready, steady, go CITCON Zagreb 2014! (my first iOS 7 panorama picture)
I am pleased that last weekend Zagreb hosted CITCON (it is pronounced kit-kon). CITCON is an open conference about continuous integration and testing.
I was afraid that the conference would be only about test automation, but I was proved wrong.
We gathered on Friday afternoon at 6 pm. Jeffrey and Paul gave an introduction about CITCON, the Open Information Foundation and the structure of an open conference. Very useful information for those who were first-time attendees.
Photo: Intro has been done.
On Friday we needed to define the unconference topics. Anybody with a topic had 2 minutes to present it, write it on a post-it and stick it on the whiteboard. If it got enough votes from the other participants, it made it to the final schedule (four rooms by five sessions).
Photo: Whiteboard, work in progress.
Friday evening finished with Zeljko’s sponsored event: beer testing.
But participants were proactive: on Saturday they added one more room and five more sessions!
I already said that I was afraid this would be a heavy automation conference. But the sessions from Jeffrey (I prove you that you are wrong) and Squirrel (Normal accidents and root cause analysis; I want to be awesome) covered topics that did not involve any programming language. They were about topics that prove testing will never be dead!
On Saturday we had our sessions. In the end, every attendee had to share his or her a-ha moment.
My a-ha moment came from the topic about polytesting: how to run a regression test suite from the bottom up. I was not sure that this was the idea the author meant to convey, but this is one of the goals of an open conference.
Instead of a closing ceremony, there was a draw based on our satisfaction questionnaires. Four books from Pragmatic Bookshelf were given away.
Catering was great, and the event location was sponsored by HGK Informatika.
On Saturday evening I showed some of the participants the Zagreb downtown area, and a second a-ha moment emerged. A tester should always ask questions for clarification. Why? Participants from Helsinki were interested in hosting the next Euro CITCON event. As I was one of the volunteers for CITCON Zagreb, they asked me how much money it cost. I clarified to them that the Open Information Foundation covers all the costs, and I think that information helped a little bit towards the next CITCON Europe being held in Helsinki.
Image credit: www.owasp.org
Inspired by the FEW HICCUPPS oracle testing mnemonic, created by James Bach and extended by Michael Bolton, I decided to make my own contribution to the set of oracle testing mnemonics.
Oracles are fallible heuristics that help us identify problems in a product. A mnemonic helps us remember data. This is a very helpful aid for testers, because by memorizing a set of testing mnemonics a tester gains a powerful set of testing ideas (as important as programming skill, if not more so).
I have always been interested in security testing. The starting point for learning about security testing is the Open Web Application Security Project (OWASP) home page. The OWASP Top 10 nicely summarizes the top 10 security risks for every product. They are actually starting points for security testing ideas. In order to remember them easily, I created the following mnemonic:
FFAX VS MERRI
Forward. Unvalidated application forwards. The user is forwarded to a different context. Have you checked whether this is a safe operation for the user?
Forgery. Cross-Site Request Forgery. The application thinks that the request comes from a valid user, but it does not.
Access. Missing function level access control. A junior tester has the same application access rights as the CEO.
Vulnerabilities. Is the product using components with known vulnerabilities?
Session. Broken authentication and session management. A session token is proof that the user entered their application username and password.
Misconfiguration. The product is misconfigured and does what we do not want it to do.
Exposure. Sensitive data exposure. Data is publicly available but should not be.
Redirect. Unvalidated application redirect.
Reference. Insecure direct object reference. The object is a file, database key or directory.
Injection. Application data is interpreted as a command and automatically executed by the application.
And you thought that you would never use fax ever again!
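As an added illustration of the Forward and Redirect entries above (this is example code written for this post, not taken from OWASP or from the original article), here is the unvalidated pattern next to a hardened check. The ALLOWED_HOSTS values are constructed sample hosts, not real sites.

```python
from urllib.parse import urlparse

# Hosts this application is allowed to send users to (constructed sample values).
ALLOWED_HOSTS = {"app.example", "www.app.example"}


def vulnerable_redirect_target(next_param: str) -> str:
    """The Forward/Redirect anti-pattern: the user-supplied ?next= value is used as-is."""
    return next_param


def is_safe_redirect_target(next_param: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for destinations that stay within this application.

    Accepts relative paths that start with a single '/', and absolute http(s)
    URLs whose host is in allowed_hosts. Rejects everything else, including
    scheme-relative '//host' URLs, 'javascript:' and 'data:' URLs, backslashes
    (which some browsers normalise to '/') and 'user@host' confusion.
    """
    if not next_param or "\\" in next_param:
        return False
    # Control characters and whitespace can smuggle a second URL past naive checks.
    if any(ord(c) < 0x20 or c.isspace() for c in next_param):
        return False
    parts = urlparse(next_param)
    if parts.scheme == "" and parts.netloc == "":
        # Relative URL: must be an absolute path and must not be scheme-relative.
        return next_param.startswith("/") and not next_param.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # hostname strips userinfo and port, so 'https://app.example@other.example' is caught.
    return parts.hostname in allowed_hosts


def safe_redirect_target(next_param: str, fallback: str = "/") -> str:
    """Hardened version: fall back to a known-good location instead of trusting the parameter."""
    return next_param if is_safe_redirect_target(next_param) else fallback
```

A tester can feed the same inputs to both functions: the vulnerable one returns whatever it was given, the hardened one only ever returns an in-application destination.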
OAuth is an open standard for authorization. It enables a third-party content provider to authorize users to use its services, using user credentials stored in the OAuth provider's database.
Let's take Stack Overflow as an example. You can log in to Stack Overflow using your Facebook account. Now try the following scenario. In incognito mode, log in to Stack Overflow using your Facebook account. Go to Facebook.com. You are already logged in to your Facebook account. Did you expect that?
Go to the Stack Overflow logout page. Wait a minute, what is this rambling on the logout page!?
If you’re on a shared computer, remember to log out of your Open ID provider (Facebook, Google, Stack Exchange, etc.) as well.
Click on logout and go to Facebook.com. You are still logged in to your Facebook account!
This is a security issue, and not only if you are using a public computer. It is a security issue because by logging in to Stack Overflow you are also logged in to the OAuth service provider.
Now log out from your Facebook account and refresh the Stack Overflow home page. You are still logged in to Stack Overflow.
Dear OAuth providers, separate the authentication token for third-party providers from the authentication token for your own service; if you do that, the web will be a much safer place.
Dear third-party OAuth service users, please also perform an automatic logout from the OAuth service provider application, because you can. A notification message in small print will not do the trick.
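The two requests above, modelled as an added example (this is illustrative code written for this post, not the code of Stack Overflow, Facebook or any OAuth library): the provider keeps its own browser session separate from the client-scoped tokens it issues, and the third-party application's logout revokes its delegated token and ends the provider session it logged in with. Both classes and all names are constructed for the example.

```python
import secrets

class OAuthProvider:
    """Toy OAuth provider (constructed): own browser session plus client-scoped tokens."""
    def __init__(self):
        self.browser_sessions = {}  # provider cookie -> username
        self.access_tokens = {}     # access token -> (username, client_id)

    def login(self, username):
        cookie = secrets.token_hex(8)
        self.browser_sessions[cookie] = username
        return cookie

    def authorize(self, cookie, client_id):
        # Consent step: needs a live provider session; the cookie itself is never
        # handed to the third party, only a token scoped to that client.
        username = self.browser_sessions[cookie]
        token = secrets.token_hex(8)
        self.access_tokens[token] = (username, client_id)
        return token

    def revoke(self, token):
        self.access_tokens.pop(token, None)
    def logout(self, cookie):
        self.browser_sessions.pop(cookie, None)

class ThirdPartyApp:
    """Toy relying party (the Q&A site in the post): its session is tied to the
    delegated token, never to the provider's cookie."""
    def __init__(self, provider, client_id):
        self.provider, self.client_id = provider, client_id
        self.sessions = {}  # app cookie -> access token

    def login_with_provider(self, provider_cookie):
        token = self.provider.authorize(provider_cookie, self.client_id)
        app_cookie = secrets.token_hex(8)
        self.sessions[app_cookie] = token
        return app_cookie

    def is_logged_in(self, app_cookie):
        token = self.sessions.get(app_cookie)
        return token is not None and token in self.provider.access_tokens

    def logout(self, app_cookie, provider_cookie=None):
        # What the post asks of third parties: end the app session, revoke the
        # delegated token and end the provider session this browser logged in with.
        token = self.sessions.pop(app_cookie, None)
        if token:
            self.provider.revoke(token)
        if provider_cookie:
            self.provider.logout(provider_cookie)
```

Because the app stores only the delegated token, the provider can also revoke that token on its side and the app session dies with it, without the provider's own browser session ever leaving the provider.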