3 Sessions of Security Testing

One way to collaborate in a team is to achieve shared knowledge together. An example of this is the online activity of “30 days of testing” that The Ministry Of Testing has been putting out to the online community to participate it. My test team has a “Work Group / Special Interest Group” with regards to security testing, so when a 30 day challenge for security testing came up, we scheduled sessions to learn from the topics provided (see below).

As we are testing consultants doing work for our customers, we scheduled 3 sessions – initially for an hour. At the start of the hour we picked 4-5 topics from the list, and worked our way through them in a prioritized order – within the time box of the hour. Come to think of it we might as well have used the Lean Coffee format. As we have team members two places in DK and one place in PH, it was a skype call using screen sharing. After the call I  summarized sending out a “link mail” to all in the testing group (DK and PH). Evaluating the sessions we extend our ordinary scheduled WG meetings to make room for collaboratively investigate additional security testing topics.

12 From the list: ZAP, Google Gruyere, threat models, HTTP proxies, posture assessments, tiger boxes, recent hacks (elaborated by Troy Hunt), OWASP top 10, OWASP SQL injections, adding data integrity testing into a test plan, share ideas for security testing internally and externally, discuss security testing with regards to EU GDPR compliance.

7 Not on the list: Naughty Strings form GitHub, Bug Magnet plugin, How real persons names trick IT systems, how to be careful with custom license plates, DDoS attacks, IoT privacy failures, Chaos monkeys/Siamese army and little Bobby Tables:

XKCD: Exploits of a mom

To sum up, we have learned about: what tools that can make testing easier, where to read about vulnerabilities and and simple exploits, understand how personal data and logins are used and stored, how to pitch security testing based on fear of breaches and safety concerns, testing the requirements for “by design” security.

30 Days of Security Testing

Align conference selection and business strategy

In most companies there is a budget to attend conferences, so we can work on how to apply the conference budget. But really if the company is true to the value of developing the company competences in software development and testing – you have to send people to the game changers (Lets Test, OreDev) and trend setters (Agile Testing Days, GOTO Aarhus).

EuroStar have some excellent templates for getting approval but for this exercise, let’s dig a little into the hard numbers. First up: align the conference attendance to the business goals and visions. I’ll pick some here as an example, and let me use them to compare  OreDev and GOTO. These are not as such testing conferences, but very useful as cases anyhow for these topics: 

• Better solutions faster
• Going mobile, Going Cloud
• Build in Business Value

A simple little trick when browsing the conference session titles: try searching for words “value”, “business”, “agile”. And a search for “value” in Goto turned up nil, until I reread “ǝnןɐʌ: Why we have it backwards” :-).

But there may be other criteria – people for instance, cost and timing.

	OreDev 2013	GOTO aarhus 2013
“Better solutions faster”Testing, Agile, Process, Delivery	Tracking and Improving Software Quality with Sonar Curiosity killed the cat, but what kills curiosity? The Beauty of Minimizing Effort Adopting Continuous Delivery Balancing ATDD, GUI Automation and Exploratory Testing Refactor your specs! Symbiotic relationships between testing and analytics	Track: When the Agile Manifesto isn’t enough (5)Track: Lean IT Enterprise (2) Why Agile doesn’t scale, and what you can do about it Do’s and don’ts for Distributed Scrum ǝnןɐʌ: Why we have it backwards JS Unit Testing Good Practices and Horrible Mistakes
Going mobile, Going Cloudmobile, cloud	Track: Mobile (16) Track: Cloud (10)	Track modern OS: 5 OpenShift Primer – Cloud development has never been easier Continuous Deployment and Automation on Distributed Cloud Environments Windows Azure Mobile Services What’s next for Mobile? Developing Java Applications for the Cloud, present and future Run your Java code on Cloud Foundry
Build in business valuebusiness, value	Value driven development Are Agile values universal?	ǝnןɐʌ: Why we have it backwards
	35	19

Disclaimer: GOTO Aarhus 2013 is sponsoring my attendance as a blogger.

Best Toys, Ever

[ The 5 Best Toys of All Time| January 31, 2011 | Jonathan H. Liu, Wired ]

1. Stick

2. Box

3. String

4. Cardboard Tube

5. Dirt

“Most exciting things ever” photo by Flickr user pfly. Used under Creative Commons License.

See also The most well-known person from Denmark is

Work Smarter, not Harder

[ If In Doubt – Learn! | 7th September 2010 | Therese Hansen ]

Last year, when the world was in crisis mode, I could understand why people, when asked if they want to go …, said, that their boss wouldn’t let them and that the conference budget for the whole year was cancelled.

…

The business is always busy when there is no economic crisis. Some IT-companies was even busy when the crisis was peaking. Such is IT.

…

The diffence between now and then is that now the workers that did not get to go to the conference last year and probably wont get to go this year are outdated. They haven’t taken the time to get their qualifications updated the last few years and the tech world is moving terrible fast. Some don’t know what the whole NoSQL-thing is about, some haven’t heard much about HTML5 and some haven’t heard anything about the mobile phone development department.

Now the crisis is over and companies are getting business deals that demands skills in that department and their current workforce can’t deliver. They should have been working smarter, not harder!

It is better to train people and risk they leave – than do nothing and they stay.

See also Cutting costs will not get you value

The weekend formula

The more people that are in their pajamas after noon, the more weekend.
The more laundry to sort, the more weekend.
The more the boys play with LEGO trains peacefully in the morning – double the more weekend

But Where is Perry?

See also [DK] Om at kunne udsætte sine egne behov

Lidt autist har man nemlig lov at være

[ ing.dk | august 2006 ]

Ingeniører har oftere aspergers syndrom, som er en mild form for autisme, end folk fra andre faggrupper, vurderer eksperter. Det giver dem særlige evner for mange af de specialistopgaver, men samtidig problemer med at fungere socialt.

Karen Brøndum-Nielsen, professor, dr.med. i genetik og direktør ved sektorforskningsinstitutionen Kennedy Instituttet, understreger, at der ikke findes undersøgelser, som direkte viser andelen af ingeniører med aspergers syndrom.

»Men der er ikke mærkeligt, hvis der er en vis overrepræsentation af asperger blandt ingeniører og teknikere, fordi de jo bruger de samme matematiske hjernemæssige funktioner, som personer med asperger er stærke i,« siger hun.

[ PHLOGGEN | maj 2011 | http://ing.dk/artikel/118859-syg-i-hovedet-og-stolt-af-det ]0

Autistiske symptomer dækker et meget bredt spektrum, fra folk der er lidt rigeligt pernittengrynede med tegnsætning, til personer der simpelthen ikke kan fungere, overhovedet.  

Heldigvis er fordelingen meget tynd i den slemme ende, langt de fleste af dem der har autistiske træk har modtaget behandling. Ofte på DTU, eller AAU.

DTU og AAU bør naturligvis herefter overvejes som et relevant behandlingstilbud i distriktspsykiatrien.

Resten af os kunne passende starte en kampagne for at slippe for storrumskontorer, følelsesporno-HR og rundkredspædagogik og i stedet at få lov til at lukke døren til vores kontor bag os og koncentrere os ordentligt.

Lidt autist har man nemlig lov at være.

From http://adsoftheworld.com

Styrke social inklusion på skolerne

[ adhd.dk | 26.01.2012 | Anders Dinsen ]

…med mine lidt for bitre forældererfaringer tør altså godt tro på at man med inklusion kan gøre højere til loftet i den danske folkeskole og gøre bedre plads til børn, der på forskellig måde er anderledes end de fleste.

Men jeg kan være i tvivl om om politikerne og de øvrige interessenter omkring skolen tør stille skarpt på problemet og gøre det der skal tilFor der skal handles på problemerne: Vi skal gøre det man ved virker for børn med trivselsproblemer: Styrke social inklusion på skolerne. 

Det betyder at den enkelte skole skal arbejde med sin kultur: Hvordan vi støtter hinanden, ser på hinanden, anerkender hinanden. Det er ikke svært, det har bare ikke været i fokus, og det vil hjælpe både på børn med medfødte sårbarheder, og alle de børn, der er sårbare af sociale årsager.

Så også med mine lidt for bitre forældererfaringer tør altså godt tro på at man med inklusion kan gøre højere til loftet i den danske folkeskole og gøre bedre plads til børn, der på forskellig måde er anderledes end de fleste. 

Men jeg kan være i tvivl om om politikerne og de øvrige interessenter omkring skolen tør stille skarpt på problemet og gøre det der skal til.

Se også Kommunerne kender ikke børnenes behov

Kommunen har ikke kendskab til børnenes behov

[ ABAforeningen | Høringssvar | 4. januar 2012 ]

“Forslagene til lovændring bygger på en falsk forudsætning om, at kommunale afgørelser er baseret på saglige og faglige hensyn til barnets udviklings- og trivselsbehov. I kommentarerne til lovforslaget er dette formuleret som, at det er kommunen med sit kendskab til barnet og de lokale forhold, der har de bedste muligheder for at vurdere, om kommunens specialundervisningstilbud er det rette til barnet. Denne fremstilling af den kommunale praksis er i bedste fald naiv, i værste fald kynisk – ikke mindst i disse år, hvor de kommunale økonomier er under pres, og hvor risikoen for at der tages usaglige økonomiske hensyn i kommunerne er overhængende.”

Se også: det er jo økonomi, der er i fokus