
Learning risk management by example



After taking several state-of-the-art software courses, I concluded that the best way to absorb knowledge is to learn through examples of the presented material.

How do you measure the quality of a course or workshop? For me, one metric is the examples used in it. Not THE NUMBER of examples, of course, but my subjective measure of how well the examples helped me understand the theory and, more importantly, how they help me remember what I learned.

My examples of such courses are Rapid Software Testing by Satisfice and the BBST courses by the AST foundation.

Today is SATURDAY, it was a RAINY morning, and I drove to my hometown Zabok EARLY in the morning. The security of my trip was jeopardised at the third stop light: the traffic lights were off. It was an intersection with a one-way road, and the intersection had road signs.

Should I wait for the traffic lights to be repaired? In that case, I would be late.

Since it was a SATURDAY, EARLY, RAINY morning, traffic at the intersection was very light, and it was an intersection with a one-way road, I crossed the intersection SAFER than I would on a working day.

OK, that was the example, but what is the topic?

Your project uses a lot of 3rd party software components. Those components could have important security fixes. Deploying a new version of a 3rd party component requires testing.

You are at YOUR crossroad with jeopardised security, this time the security of your product.

Should you upgrade? Will your sprint be late because of it? Do we need to deploy? Can the project be secure enough without the patch?

This is a security risk analysis for your product in the context of a 3rd party component security fix. You need to create the questions and answers in the context of your product and the software security domain.

Can you give us any example?



Ruby on Rails bottom up security – sql injection check



This post will explain how to check your Ruby on Rails code base for SQL injections [Wikipedia].

After you have read the Wikipedia link about SQL injections, you are ready to proceed. It is important to state that Ruby on Rails offers one of the best (if not the best) out-of-the-box SQL injection protections of any framework.

But sometimes a developer needs to override this protection for some “Twin Peaks” feature request. In that case, even an experienced Rails developer could make an SQL injection attack possible. At the other end of the spectrum, if your company can only afford junior Rails developers, this check is a must.

Here is how you should hunt for such protection overrides. First, head to the Rails SQL Injection site. This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. You will use this site as a reference.

Open your terminal, go to the root folder of the Rails project repository, and use this command:

grep -H -r 'search for activerecord method' * | less

Replace the search term with the ActiveRecord method name. Here you need to be creative in order to filter out results that do not represent the ActiveRecord method.

Here is the punch line:

Never, ever, trust the user input!

Which means that user input must not be used directly in ActiveRecord methods. Again, refer to the Rails SQL Injection site in order to learn how to recognize code that is prone to SQL injection.

Wait, but I am using Windows, which does not have grep! Well, Google is your friend; there are a number of open source tools that will help you.

We also need to check all custom SQL queries, using these commands:

grep -H -r 'execute' * | less

grep -H -r 'params\[' * | less

As with the ActiveRecord methods, user input must not be used directly in custom SQL queries.
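As an added example (not code from the original post), here is a small Ruby script that does what the grep commands above do, with one extra filter: it reports a line only when a method from the Rails SQL Injection reference receives a double-quoted string built with #{...} or a bare params[...] value, and leaves placeholder and hash conditions alone. The controller it scans is constructed for the example, and the method list is a subset I chose from that reference.

```ruby
# ActiveRecord entry points that pass a raw SQL fragment straight through when
# handed a string (a subset of those listed on the Rails SQL Injection site).
RISKY_METHODS = %w[where order pluck select group having joins find_by_sql execute].freeze

Finding = Struct.new(:file, :line, :sink, :text)

# Scan one file's source and return the lines where a risky method receives
# either a double-quoted string with Ruby interpolation or a raw params[...] value.
def risky_sql_lines(path, source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    next if line.lstrip.start_with?('#')                  # comment-only line
    RISKY_METHODS.each do |sink|
      md = line.match(/\.#{sink}\b\s*\(?\s*(.*)/) or next
      arg = md[1]
      interpolated = arg.match?(/\A"(?:[^"\\]|\\.)*\#\{/)  # "... #{input} ..."
      raw_params   = arg.start_with?('params[')            # params[:x] passed directly
      findings << Finding.new(path, no, sink, line.strip) if interpolated || raw_params
    end
  end
  findings
end

# Walk a project tree and scan every Ruby file under it.
def scan_project(root)
  Dir.glob(File.join(root, '**', '*.rb')).flat_map { |f| risky_sql_lines(f, File.read(f)) }
end

# Constructed sample controller, not from any real project.
SAMPLE_CONTROLLER = <<~'RUBY'
  class UsersController < ApplicationController
    def index
      @users  = User.where("name = '#{params[:name]}'")   # interpolated: flagged
      @sorted = User.order(params[:sort])                 # raw params: flagged
      @safe   = User.where("name = ?", params[:name])     # placeholder: not flagged
      @hash   = User.where(name: params[:name])           # hash condition: not flagged
      ActiveRecord::Base.connection.execute("DELETE FROM sessions WHERE user_id = #{params[:id]}")
    end
  end
RUBY

if __FILE__ == $0
  risky_sql_lines('app/controllers/users_controller.rb', SAMPLE_CONTROLLER).each do |f|
    puts "#{f.file}:#{f.line} [#{f.sink}] #{f.text}"
  end
end
```

Run scan_project('.') from the Rails root to get the same report for the whole repository; every hit still needs a human to confirm where the value really comes from.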

p.s. A Twin Peaks feature request gives the developer an experience very similar to watching Twin Peaks: “The Return” [source].


Week 15 reading list


What I learned doing open mic stand up comedy in Brighton



On Friday morning, while I was having breakfast, I googled for open mic stand up comedy in Brighton. There it was: Junkyard Dogs was the place, at 7pm. I shot the organizer an email and excitement started to grow in my belly.

I have been doing stand up comedy in Croatian for six years, but only the last two should count. I had never done it in English. During conference breaks, I prepared my three bits and isolated the punchlines that I needed to translate CORRECTLY into English. The person on my right was Irish, so I asked the person on my left for help because he was English. He was happy to verify my translation. I was set to go.

I arrived at 6.30 PM. Another thing I was interested in was meeting Brighton stand up comedians (amateurs like me): what are their thoughts and drives about stand up comedy? 21 people applied (in Zagreb we usually have up to 8 people, and Brighton is three times smaller than Zagreb), and they made up most of the audience (some brought relatives or friends). I was also interested in how the open mic was conceived.

EVERYBODY was extremely friendly to me. This was very important for my confidence.

Each act had a 5 minute time limit. My first English act went very well. Most of my punchlines got a laugh; the ones that were not related to English “known things” did not. That was expected, but I also wanted to execute a negative test case.

I had trouble understanding all the jokes because of the local accent, English facts and talking speed.

In order to do stand up comedy internationally, you either have to do universal material or local facts material. And for local facts material, the best way is to experience those local facts.


Report on Testival #26 meetup



This post is about why we moved from the Software Testing Club to the Testival meetup group. The main theme of the meetup was browser automation.

First of all, I would like to thank Rosie Sherry, who let us use the Software Testing Club meetup group for Zagreb meetups for six years.

Software Testing Club changed in a good way over these six years. Zeljko and I also did not know the real purpose of a meetup, which is building a local community. The Testival meetup group will definitely change that, because now we have free local meetup visibility. As proof of concept, this time we had 20+ attendees, which was many more than usual.

Our host and sponsor was Repsly at the HUB385 startup coworking space. Great venue. At the meetup we had two talks.

Kresimir Linke from Repsly gave the talk: Test Automation of Push Notifications using Ranorex.


He also demonstrated one complex end-to-end scenario that involved several users, a web browser and two mobile devices, all automated using the Ranorex tool.

The second talk was from Ana Prpic: Introduction to WebdriverIO.


It is another JavaScript implementation of Selenium WebDriver. Most importantly, Ana presented the whole ecosystem of JavaScript tools that enables you to put WebdriverIO tests into a continuous integration pipeline.

The meetup was visited by NSoft software testers. They are from Mostar, and we discussed with them how to start a software tester community in their town.


My meetup takeaways:

  • cast device software for presenting mobile device screen
  • how to test email gui
  • html id attribute and security compliance
  • webdrivercss library for visual comparing
  • circleci can run selenium tests in headless mode

After that, Zeljko presented the 5 minute talk format with his talk:

Why you should not attend testing conferences?

Another talk was about the software testing pyramid, and I talked about open session conferences (Testival as an example).



Search in project for method usage using only bash script



This post is about a simple bash shell script that finds all files that use a particular method.

In my previous post, Product moving parts as source for test strategy, I described how I use GitHub pull requests to discover which part of the application changed in order to create a regression test strategy.

The code that changed could be some helper method or .css and .jpg assets that are used in various places in the code base, and those places are not part of the pull request. So I need an automated way to find all the places where that helper method is used.

For that purpose I use a simple bash script. You need to know the loop programming concept and the unix utility commands cat and grep.

Here is bash script:

# one search term per line in pull_request_items.txt
for i in `cat pull_request_items.txt`
do
  echo "$i"
  # every file that mentions the term; cache and manifest hits are noise
  grep -H -r "$i" * | grep -v cache | grep -v manifest
done

And content of pull_request_items.txt


The script reads items from the txt file, and each row value is searched for in the project code base using the grep utility. The search is recursive through all subfolders.

The output contains the files that contain the searched items.

The manual part was to copy/paste from the pull request into the pull_request_items.txt file and do some editing to clean out unimportant pull request information.

Why not use some fancy editor like Sublime? Because the presented utilities are installed on almost every Linux machine in the world, and I can use this script out of the box.


Zagreb STC #25 – The art of taking notes



It’s time for Zagreb STC #25, and this time we will have a dedicated workshop about taking notes.

Where: Tentamen. d.o.o., Hruševečka 3, 10110 Zagreb, ground floor.

When: Tuesday, June 7th, 2016, from 18.00 – 22.00

We often hear that the most valuable craft of a software tester is test automation. In order to prove them wrong, we will hold a workshop on taking notes. We will watch 45 minutes of a popular detective series and take notes in order to find out who the killer is before the show reveals it. Every 5 minutes we will stop for 2 minutes to reconcile our notes.

Material: please bring a notebook and pens in three different colours of your choice.

Reading material: How to take better notes.

After the official part, we will continue our discussion over pizza and a selection of craft beers. The sponsor of the workshop is Tentamen.




How to prepare cucumber with tables in Ruby



In this post I will explain how to handle Cucumber tables according to the “Do not repeat yourself [source]” principle.

Data Tables are handy for passing a list of values to a step definition:

Given the following users exist:
 | name | email | twitter |
 | Aslak | | @aslak_hellesoy |
 | Julien | | @jbpros |
 | Matt | | @mattwynne |

Here is my first take on how to index that data, which was not DRY:

class UserListPage
  include PageObject

  # table header name => column index in the Cucumber table (0-based),
  # duplicated by hand from the feature file
  DATA_MAP = {'name' => 0, 'email' => 1, 'twitter' => 2}

  div(:name, :id => 'name')
  div(:email, :id => 'email')
  div(:twitter, :id => 'twitter')

  def data_map
    DATA_MAP
  end
end

And using that data_map in the step definition:

Given /^the following users exist:$/ do |table|
  data = table.raw[1..-1]          # skip the header row
  on UserListPage do |page|
    data.each do |row|
      expect(page.name).to eq row[page.data_map['name']]
      expect(page.email).to eq row[page.data_map['email']]
      expect(page.twitter).to eq row[page.data_map['twitter']]
    end
  end
end

There is no need for a data_map attribute, because the table object already has this data. DRY version:

Given /^the following users exist:$/ do |table|
  header = table.raw[0]            # first row holds the column names
  data = table.raw[1..-1]          # remaining rows hold the users
  on UserListPage do |page|
    data.each do |row|
      expect(page.name).to eq row[header.index('name')]
      expect(page.email).to eq row[header.index('email')]
      expect(page.twitter).to eq row[header.index('twitter')]
    end
  end
end

And do not forget to remove the data_map attribute from the page object class.


How to smart test minor version Ruby on Rails upgrade?



In this post I will explain what should be checked after a Ruby on Rails minor version upgrade. Minor version upgrades are usually connected with security releases.

As I am subscribed to the Ruby on Rails security Google group, when I receive information about the latest security issue, I need to act very fast. The update must be pushed to production almost immediately, so there is no time for extensive regression testing.

How can we do a quick test and be sure that everything still works as it did before the upgrade?

Heuristic 1. The Rails upgrade was extensively regression tested.

That heuristic has proved to be true every time.

Heuristic 2. Inspect Gemfile.lock to be sure that only the Rails gem was upgraded.

How do we actually upgrade Ruby on Rails?

Edit Gemfile: gem 'rails', ''
bundle update rails

Investigate the Gemfile.lock changes using git diff to see what else was updated besides Rails. If some other gem (not part of Rails) was also updated, check, using a Google search, for possible issues with that gem connected to the Rails upgrade.
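As an added example (not from the original post), here is a Ruby script for heuristic 2 that parses two versions of Gemfile.lock and lists every non-Rails gem whose version changed; the lock file fragments and version numbers in it are constructed sample data.

```ruby
# Parse the "specs:" section(s) of a Gemfile.lock into { gem_name => version }.
# Top-level gems are indented by exactly four spaces ("    rack (2.2.2)");
# their dependency lines sit deeper and are skipped.
def lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/             # next top-level section (PLATFORMS, ...)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/) or next
    specs[m[1]] = m[2]
  end
  specs
end

# Gems that legitimately move together with a Rails release; anything else
# that changed in the lock file is what heuristic 2 wants you to look at.
RAILS_GEMS = %w[rails railties actionpack actionview actionmailer actioncable
                activejob activemodel activerecord activesupport].freeze

# [name, old_version, new_version] for every non-Rails gem that was added,
# removed or changed between two lock files (nil marks an absent gem).
def unexpected_changes(before_text, after_text)
  before = lock_specs(before_text)
  after  = lock_specs(after_text)
  (before.keys | after.keys)
    .reject { |g| RAILS_GEMS.include?(g) }
    .select { |g| before[g] != after[g] }
    .map    { |g| [g, before[g], after[g]] }
end

# Constructed lock file fragments; the versions are sample values, not real releases.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.9)
        mini_portile2 (~> 2.4.0)
      rack (2.2.2)
      rails (5.2.4.2)
        actionpack (= 5.2.4.2)
  PLATFORMS
    ruby
LOCK
LOCK_AFTER = LOCK_BEFORE.sub('rack (2.2.2)', 'rack (2.2.3)').gsub('5.2.4.2', '5.2.4.3')
```

In a real repository feed it the two files, for example `git show HEAD~1:Gemfile.lock` and the working copy, and an empty result means only Rails moved.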

Heuristic 3. Search Google for Ruby on Rails upgrade to n.n.n.n version issues (bugs, problems).


For minor Ruby on Rails upgrades, using those three heuristics, you can do a regression test in a smart and quick way.


How to set regression test scope for HTTPS only access?



In this post I will provide an example of how to set the scope of a system regression test in order to achieve coverage of the features that need to be tested.


The trigger for the regression system test was HTTPS-only access to a client's Ruby on Rails application. Prior to that feature, it was possible to use both the HTTP and HTTPS protocols. The developers use TDD, and prior to my test, all developer tests passed in the CircleCI environment.

There was also a set of selenium-webdriver tests, but those tests do not cover all application features.

My strategy was to include them in the regression test. All tests passed. But I had not finished the regression test yet.

I did not know all the application features at that time. So I started a risk analysis: which features could fail if the HTTPS-only protocol was introduced to the web application? Let’s call OWASP for help.

There is a transport layer cheat sheet. Reading through the rules, I pinpointed the rules that were a potential risk for application functionality:

  • Do Not Mix TLS and Non-TLS Content – because modern browsers will AUTOMATICALLY prohibit access to non-HTTPS urls.
  • Use a Certificate That Supports Required Domain Names – if this is not the case for your application, the browser will present a security error to the user.

The first risk could be mitigated by using the application in Chrome and observing the JavaScript console for mixed content errors. Could I automate that task? My first thought was: write a selenium-webdriver test suite that covers all the features! But I did not have that time. Was there a simpler way?

My heuristic was to search the whole code base for the keywords HTTP and IFRAME.

grep -H -r 'iframe' * | grep http:// | grep -v elements.txt | grep -v '' | less

That piped command searched through the whole code base in the terminal and returned the code that uses mixed content.

And we discovered an additional issue: it was not possible to immediately set all HTTP urls to the HTTPS protocol. Those urls were referencing external applications, like a blog. For example, in order to set this blog to HTTPS, I need to buy another plan that costs more money, and I need to have a certificate for the domain. Which brings us to the second risk.

Use a certificate that supports the required domain names. This is an environment-dependent test. This risk was mitigated on my testing environment, but I should also check it on the production environment (production is hosted on a different domain).
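To make the second risk checkable per environment, here is an added Ruby example (not from the original post) that lists the hostnames a certificate does not cover, using the same name-matching rules Ruby's own TLS client applies. The self-signed certificate and the example.com hostnames are constructed for the example; a real check would load the certificate served by the test or production environment instead.

```ruby
require 'openssl'

# Build a self-signed certificate whose subjectAltName lists the given DNS
# names. Constructed for the example only; in practice you would load the
# certificate the environment under test actually serves.
def self_signed_cert(dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{dns_names.first}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Hostnames from `required` that the certificate does not cover; a browser
# visiting any of them over HTTPS would show the security error.
# OpenSSL::SSL.verify_certificate_identity applies the subjectAltName / CN
# matching that the Ruby TLS client uses after a handshake.
def uncovered_hosts(cert, required)
  required.reject { |host| OpenSSL::SSL.verify_certificate_identity(cert, host) }
end

# Constructed hostnames: test environment on one name, production and blog on others.
REQUIRED_HOSTS = %w[app-test.example.com app.example.com blog.example.com]

if __FILE__ == $0
  cert = self_signed_cert(%w[app-test.example.com])
  missing = uncovered_hosts(cert, REQUIRED_HOSTS)
  puts(missing.empty? ? 'certificate covers every host' : "not covered: #{missing.join(', ')}")
end
```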

Doing risk analysis is fun. You will learn something new and, most importantly, you will properly set the scope of your regression test.
