Product Description
If your job is to design or implement IT security solutions or if youre studying for any security certification, this is the how-to guide youve been looking for. Heres how to assess your needs, gather the tools, and create a controlled environment in which you can experiment, test, and develop the solutions that work. With liberal examples from real-world scenarios, it tells you exactly how to implement a strategy to secure your systems now and in the future.
From the Back Cover
Many books tell you what to do. This one tells you how.
If your job is to design or implement IT security solutions, or if you’re studying for any security certification, this is the how-to guide you’ve been looking for. Here’s how to assess your needs, gather the tools, and create a controlled environment in which you can experiment, test, and develop the solutions that work. With liberal examples from real-world scenarios, it tells you exactly how to implement a strategy to secure your systems now and in the future.
Collect the necessary hardware and software and assemble your own network lab
Configure a bootable Linux CD
Explore various methods for gathering information about existing security
Identify automated attack and penetration tools
Understand cryptographic systems and encryption and authentication attacks
Learn to find, identify, and defeat malware
Address the special protection needs of wireless systems
Use Snort® to build an IDS that will help to detect and identify attacks in real time
Introduction
There are many books about software testing management. When they discuss software test automation, they introduce third-party testing tools. This book describes techniques for developing a fully automated software testing tool. You can use this tool to generate test scripts for continuous unit testing, integration testing, and regression testing.
Software defects are common and cause economic losses from time to time. Today, software organizations invest more time and resources in analyzing and testing software as a unit rather than as independent entities. Software engineers have observed that writing testing code is as expensive and time consuming as developing the product itself. To ensure software quality, organizations encourage software developers and testers to achieve objectives such as these:
Locating the source of defects faster and more precisely
Detecting bugs earlier in the software development life cycle
Removing more defects before the product is released
Improved testing tools can reduce the cost of software development and increase the quality of software. An automated testing tool must have the following characteristics:
Accurate functionality, reliability, interoperability, and compliance
An interface that is user friendly and easy to learn and operate
Enhanced fault tolerance and automatic error recoverability
Efficient algorithm for time and resource management
Stable and mature final products that can be maintained and upgraded
Easy portability with regard to installation, uninstallation, adaptability, and security
I have used many of the commercial software test tools. Their developers declare that they have the capability to conduct various types of software tests and meet the requirements of an organization. But they have limitations. For example, some of them require users to record a series of mouse clicks and keystrokes. Others require users to write test scripts in a specified script language or to generate a test script automatically to test only one function (member) of a software module. Furthermore, the test scripts produced by these tools and methods need to be edited and debugged before they can be executed to perform the desired tests. Automatic generation of the testing data is beyond the reach of these tools, and integration testing involves extensive manual stubbing and guesswork.
Software test engineers would like to see a fully automated software test tool on the market, one that is capable of completing testing tasks from generating test scripts and composing the testing cases to presenting the results and fixing the bugs. But the tool vendors are not able to keep up with the complexity and technology advancements in today’s software projects. In addition, software products can include features that incorporate a company’s trade secrets, which the commercial testing tools won’t have the capability of testing. Engineers are often in the position of having to develop their own tools to cover the gaps. This book presents a way to develop and enhance a testing tool development with full automation.
When I was trained to use commercial tools, the trainers from the manufacturers presented hundreds of testing features. Software test engineers do appreciate these features, and they are important in improving the quality of software. But the tedious and time-consuming processes of editing and debugging the generated test scripts sometimes prevent a thorough software test. Thus, software products are delivered to end users with costly errors. These costs are shared by virtually all businesses in the United States that depend on software for their development, production, distribution, and after-sales supports and services. To address these current inadequacies, this book will introduce an automated method to minimize the data editing steps, generate a test script to test the entire application, and free you from having to edit and debug the test script manually. The final product simply accepts an application under test and delivers the test results.
Who This Book Is For
Software engineers have long relied on the tools and infrastructures supplied by the current software testing tool vendors. Some engineers tell successful stories. But more engineers experience frustrations. The automation is not enough, the test is not efficient, and the test script generation and data composition methods need to be improved. One expert’s solution to software test automation is to develop testing tools instead of purchasing commercial tools developed with the current inadequate infrastructure. This book is written for people who are involved in software engineering and want to automate the software testing process for their organizations. With the methods introduced by this book, software engineers should gain a good understanding of the limited automation provided by the available testing tools and how to improve the current test infrastructure and conduct a fully automated software test.
This book is for software engineers who want more effective ways to perform software tests. The automated test tool introduced in this book can serve as an independent software test tool as well as an adjunct to the commercial tools.
I assume you are a moderately experienced software developer and a test engineer in the process of conducting software test for your organization. The explanations and examples in this book can be easily understood and followed by any intermediate- to advanced-level programmer interested in expanding their knowledge in both software development and software testing. Knowledge of the fundamentals of software testing is essential for software test engineers. Examining a combination of programming and testing issues leads to a solid solution to software test automation. This book’s content includes sound programming techniques with examples in C#. Then it gradually progresses to the development of a fully automated test tool. Although the sample code is in C# using the Microsoft Windows platform, the concept can be used with other languages and platforms.
As economists have reported, software failures result in a substantial economic loss to the United States each year. Approximately half of the losses occur within the software manufacturing industry. If you are a senior managerial administrator of a software organization, you are most likely interested in an improved software test method. The other half of the loss comes out of the pockets of the software end users. If your business or institution consists of software end users, you probably maintain teams to support the software purchased from the contract vendors. Being aware of testing methods will assist you with efficient software application in your organization.
Introduction
There are many books about software testing management. When they discuss software test automation, they introduce third-party testing tools. I have used many of the commercial software testing tools. Their developers declare that they have the capability to conduct various types of software tests and meet the requirements of an organization. But they have limitations.
For example, many of GUI testing tools require users to record a series of mouse clicks and keystrokes. Others require users to write test scripts in a specified script language. Furthermore, the test scripts produced by these tools and methods need to be edited and debugged before they can be executed to perform the desired tests.
This book presents ideas for automating graphical user interface (GUI) testing. The sample code in this book forms a foundation for a fully automated GUI testing tool. Using this tool, users don’t need to record, edit, and debug test scripts. Testers can spend their time creating testing cases and executing the testing.
Review
Aimed at the working test manager or test engineer, the second edition of William Perry’s Effective Methods for Software Testing is one of the most rigorous guides to software testing available. This book provides the latest in standards for measuring how good your organization’s commitment to software testing is and many ways to improve it. In all, with its numerous lists and practical step-by-step guide to testing, this book points the way toward more economical and effective software testing.
This book’s major strength is its meticulous 11-step guide to all aspects of today’s software testing process–from initial analysis and test planning to testing software installation and looking at ways to improve the testing cycle the next time around. The book is filled with to-do lists that enumerate the resources and tasks required for each step with helpful hints for what to do, how to work with management, and how to staff and execute a test plan from start to finish. (There is a chapter devoted to each of the 11 steps.) The text also incorporates the latest in testing standards from the Quality Assurance Institute (QAI), and the author does a good job of integrating testing with today’s iterative software methodologies. Another standout here is a look at software tools and how they can simplify the testing process.
Of course, few software shops will be as rigorous in real life with the testing process outlined in this book, but there’s little doubt that this exhaustive guide sets a high standard that test engineers can aim for. Written in a somewhat formal–yet clear–style, this book can certainly benefit any software testing engineer or manager. –Richard Dragan
Topics covered: Software testing process fundamentals, Quality Assurance Institute (QAI) test quality assessment, software defects, Kiviatt charts, testing economics, methodologies and costs, test plans, risk analysis, structural and functional testing, dynamic and static testing, manual and automated testing, testing tools, stress testing, compliance testing, security testing, requirements testing, regression testing, 11-step software testing process, testing client/server, and Web-based systems. –This text refers to an out of print or unavailable edition of this title.
Product Description
Written by the founder and executive director of the Quality Assurance Institute, which sponsors the most widely accepted certification program for software testing
Software testing is a weak spot for most developers, and many have no system in place to find and correct defects quickly and efficiently
This comprehensive resource provides step-by-step guidelines, checklists, and templates for each testing activity, as well as a self-assessment that helps readers identify the sections of the book that respond to their individual needs
Covers the latest regulatory developments affecting software testing, including Sarbanes-Oxley Section 404, and provides guidelines for agile testing and testing for security, internal controls, and data warehouses
CD-ROM with all checklists and templates saves testers countless hours of developing their own test documentation
Review
…a comprehensive, practical cookbook of software testing with a slight mix of quality spices. …the book is a step-by-step guide of how to perform testing. It is practically focused and, in many of the chapters, the reader can follow the tasks (as if they were recipes) when performing testing activities.
-Software Testing, Verification & Reliability, Vol. 15, No. 3, Sept. 2005
Product Description
Whether you are inheriting a test team or starting one up,Manage Software Testing is a must-have resource that covers all aspects of test management. It guides you through the business and organizational issues that you are confronted with on a daily basis, explaining what you need to focus on strategically, tactically, and operationally.
Using a risk-based approach, the author addresses a range of questions about software product development. The book covers unit, system, and non-functional tests and includes examples on how to estimate the number of bugs expected to be found, the time required for testing, and the date when a release is ready. It weighs the cost of finding bugs against the risks of missing release dates or letting bugs appear in the final released product.
It is imperative to determine if bugs do exist and then be able to metric how quickly they can be identified, the cost they incur, and how many remain in the product when it is released. With this book,test managers can effectively and accurately establish these parameters.
Product Description
Among the tests you perform on web applications, security testing is perhaps the most important, yet it’s often the most neglected. The recipes in the Web Security Testing Cookbook demonstrate how developers and testers can check for the most common web security issues, while conducting unit tests, regression tests, or exploratory tests. Unlike ad hoc security assessments, these recipes are repeatable, concise, and systematic-perfect for integrating into your regular test suite. Recipes cover the basics from observing messages between clients and servers to multi-phase tests that script the login and execution of web application features. By the end of the book, you’ll be able to build tests pinpointed at Ajax functions, as well as large multi-step tests for the usual suspects: cross-site scripting and injection attacks. This book helps you: Obtain, install, and configure useful-and free-security testing tools Understand how your application communicates with users, so you can better simulate attacks in your tests Choose from many different methods that simulate common attacks such as SQL injection, cross-site scripting, and manipulating hidden form fields Make your tests repeatable by using the scripts and examples in the recipes as starting points for automated testsDon’t live in dread of the midnight phone call telling you that your site has been hacked. With Web Security Testing Cookbook and the free tools used in the book’s examples, you can incorporate security coverage into your test suite, and sleep in peace.
About the Author
Paco Hope is a Technical Manager at Cigital, Inc. and co-author of Mastering FreeBSD and OpenBSD Security (April 2005, O’Reilly, ISBN 0596006268). Mr. Hope has also published articles on Misuse and Abuse Cases and PKI. He has been invited to conferences to speak on topics such as software security re-quirements, web application security, and embedded system security. At Cigi-tal, he has served as a subject matter expert to MasterCard International for security policies and has assisted a Fortune 500 hospitality company in writ-ing software security policy. He also trains software developers and testers in the fundamentals of software security. In the gaming and mobile communica-tions industries he has advised several companies on software security. Mr. Hope majored in Computer Science and English at The College of William and Mary and received an M.S. in Computer Science from the University of Virginia.
Ben Walther is a consultant at Cigital and contributor to the Edit Cookies tool. He has a hand in both normal Quality Assurance and Software Security. Day to day, he designs and executes tests – and so he understands the need for simple recipes, in the hectic QA world. Yet he has also given talks on web ap-plication testing tools to members of the Open Web Application Security Pro-ject (OWASP). Through Cigital, he tests systems ranging from financial data processing to slot machines. Mr. Walther has a B.S. in Information Science from Cornell University.
Greasemonkey Hacks is an invaluable compendium 100 ingenious hacks for power users who want to master Greasemonkey, the hot new Firefox extension that allows you to write scripts that alter the web pages you visit. With Greasemonkey, you can create scripts that make a web site more usable, fix rendering bugs that site owners can’t be bothered to fix themselves, or add items to a web site’s menu bar. You can alter pages so they work better with technologies that speak a web page out loud or convert it to Braille. Greasemonkey gurus can even import, combine, and alter data from different web sites to meet their own specific needs.
Greasemonkey has achieved a cult-like following in its short lifespan, but its uses are just beginning to be explored. Let’s say you’re shopping on an e-commerce site. You can create a script that will automatically display competitive prices for that particular product from other web sites. The possibilities are limited only by your imagination and your Greasemonkey expertise. Greasemonkey Hacks can’t help you with the imagination part, but it can provide the expert hacks-complete with the sample code-you need to turn your brainstorms into reality.
More than just an essential collection of made-to-order Greasemonkey solutions, Greasemonkey Hacks is crammed with sample code, a Greasemonkey API reference, and a comprehensive list of resources, to ensure that every resource you need is available between its covers.
Some people are content to receive information from websites passively; some people want to control it. If you are one of the latter, Greasemonkey Hacks provides all the clever customizations and cutting-edge tips and tools you need to take command of any web page you view.
Lock down next-generation Web services
“This book concisely identifies the types of attacks which are faced daily by Web 2.0 sites, and the authors give solid, practical advice on how to identify and mitigate these threats.” –Max Kelly, CISSP, CIPP, CFCE, Senior Director of Security, Facebook
Protect your Web 2.0 architecture against the latest wave of cybercrime using expert tactics from Internet security professionals. Hacking Exposed Web 2.0 shows how hackers perform reconnaissance, choose their entry point, and attack Web 2.0-based services, and reveals detailed countermeasures and defense techniques. You’ll learn how to avoid injection and buffer overflow attacks, fix browser and plug-in flaws, and secure AJAX, Flash, and XML-driven applications. Real-world case studies illustrate social networking site weaknesses, cross-site attack methods, migration vulnerabilities, and IE7 shortcomings.
Plug security holes in Web 2.0 implementations the proven Hacking Exposed way
Learn how hackers target and abuse vulnerable Web 2.0 applications, browsers, plug-ins, online databases, user inputs, and HTML forms
Prevent Web 2.0-based SQL, XPath, XQuery, LDAP, and command injection attacks
Circumvent XXE, directory traversal, and buffer overflow exploits
Learn XSS and Cross-Site Request Forgery methods attackers use to bypass browser security controls
Fix vulnerabilities in Outlook Express and Acrobat Reader add-ons
Use input validators and XML classes to reinforce ASP and .NET security
Eliminate unintentional exposures in ASP.NET AJAX (Atlas), Direct Web Remoting, Sajax, and GWT Web applications
Mitigate ActiveX security exposures using SiteLock, code signing, and secure controls
Find and fix Adobe Flash vulnerabilities and DNS rebinding attacks
About the Author
Rich Cannings is a senior information security engineer at Google.
Himanshu Dwivedi is a founding partner of iSEC Partners, an information security organization, and the author of several security books.
Zane Lackey is a senior security consultant with iSEC Partners.
