My TakeAways from Day 1 #TestingUy
I choose to take the workshop “Verifying security during functional testing” . First of all time was no enough!. Also an important thing to mention is that security testing should never replace pen-testing.
The workshop had the objective to point us what things we as tester should be aware are raise flags on security matters regarding to the SUT (Software Under Test).
One of the first “tips” mentioned was to have a honey pot server. This “dummy” server will serve as a sensors, it it gets hits “we” are interesting for attackers, since this server has no apps no logic whatsoever, is just within out network.
As testers we know all about business logic and this is what we need to abuse! Meaning, that we should use this knowledge to try to break the logic implemented: perform unexpected flow of actions, skipping logical steps, look for caching or syncing problems.
Main thing about security testing is to check everything gets checked on the server-side, don´t trust anything the client send….anything.
During the afternoon round tables took place having Michael Bolton as the main expert.
RT1: Testing Industry
I loved how Michael Bolton opened his participation with “Is there really a testing industry?”. So, is there really?
My biggest takeaways from this round table are:
- We have to think of Testing as a craft or practice, which we should nurture and cultive.
- We learn about ¨the thing¨ as we observe, all the documentation in the world won´t helps us to fully understand what we are testing if we do not observe/experiment
- Always ask “Why are we performing testing in this context?”
- Bear in mind that testing is not showing everything is ok. If you client wants you to test so you can say everything is ok….run from it!
- We should be able to tell 3 stories with our testing:
- How is the product, the state of it and the risks of it
- How was our testing
- How good did we test. What was harder or what did slow us down.
- You’re assuring quality if you have control over time and budget, choose who to hired and/or fire, features to include/exclude. Don´t fool yourself
- Tester shine light on the products. We don´t prevent bugs we help people not to deliver them.
- Measurement or metrics thingies should have a qualitative sense rather than quantitive manner otherwise people can change their behavior just to make the numbers look good.
- Testing is not a phase
You wouldn’t take a 5 hour drive and say: “let’s drive for 4.5h and in the last 30 mins get our head out the window and see where we are”
- You don´t need a whole system or app to start testing. You can test the idea, a prototype, question the process, a module, an API, whatever works and has to do with the team main objective.
There is no automated Testing, there is only Automated Check
- Testing is a human “operation” because it depends on the judgement of an observation in contrast of a machine answer which will answer True or False, since it only can check for things.
RT3: Testing Education
- What can we learn? From detective movies, from maths books, from investigation journalism, from anywhere where a problem is solved.
- What things as topics can be teach? Represent reality (modeling), critical thinking, Components Breakdown, Systems Thinking, Designing experiments (instead of test cases), Scientific Method and How to learn from failure.
