3 Sessions of Security Testing


One way to collaborate in a team is to build shared knowledge together. An example of this is the online activity “30 days of testing” that The Ministry Of Testing has put out for the online community to participate in. My test team has a “Work Group / Special Interest Group” for security testing, so when a 30 day challenge for security testing came up, we scheduled sessions to learn from the topics provided (see below).

As we are testing consultants doing work for our customers, we scheduled 3 sessions, initially for an hour each. At the start of the hour we picked 4-5 topics from the list and worked our way through them in prioritized order, within the time box of the hour. Come to think of it, we might as well have used the Lean Coffee format. As we have team members in two places in DK and one place in PH, it was a Skype call using screen sharing. After the call I summarized by sending out a “link mail” to everyone in the testing group (DK and PH). Evaluating the sessions, we are extending our ordinarily scheduled WG meetings to make room for collaboratively investigating additional security testing topics.

12 from the list: ZAP, Google Gruyere, threat models, HTTP proxies, posture assessments, tiger boxes, recent hacks (as elaborated by Troy Hunt), OWASP Top 10, OWASP SQL injection, adding data integrity testing to a test plan, sharing ideas for security testing internally and externally, discussing security testing with regard to EU GDPR compliance.

7 not on the list: Naughty Strings from GitHub, the Bug Magnet plugin, how real persons’ names trick IT systems, how to be careful with custom license plates, DDoS attacks, IoT privacy failures, chaos monkeys/the Simian Army, and little Bobby Tables:

XKCD: Exploits of a mom

To sum up, we have learned about: which tools can make testing easier, where to read about vulnerabilities and simple exploits, how personal data and logins are used and stored, how to pitch security testing based on fear of breaches and safety concerns, and testing the requirements for “by design” security.

30 Days of Security Testing


Align conference selection and business strategy


In most companies there is a budget to attend conferences, so we can work on how to apply the conference budget. But really, if the company is true to the value of developing the company’s competences in software development and testing, you have to send people to the game changers (Let’s Test, Øredev) and trend setters (Agile Testing Days, GOTO Aarhus).

EuroSTAR has some excellent templates for getting approval, but for this exercise let’s dig a little into the hard numbers. First up: align the conference attendance to the business goals and visions. I’ll pick some here as an example, and let me use them to compare Øredev and GOTO. These are not as such testing conferences, but very useful as cases anyhow for these topics:

  • Better solutions faster
  • Going mobile, Going Cloud
  • Build in Business Value

A simple little trick when browsing the conference session titles: try searching for the words “value”, “business”, “agile”. As I expected, Scott Barber is the only Øredev speaker with both “value” and “business” in his bio. And a search for “value” in GOTO turned up nil, until I reread “ǝnןɐʌ: Why we have it backwards” :-).

But there may be other criteria: people, for instance, cost and timing.

Øredev 2013 vs. GOTO Aarhus 2013: sessions matching the search words for each business goal, with the totals per conference in the last row.

“Better solutions faster” (search words: Testing, Agile, Process, Delivery)
  • Tracking and Improving Software Quality with Sonar
  • Curiosity killed the cat, but what kills curiosity?
  • The Beauty of Minimizing Effort
  • Adopting Continuous Delivery
  • Balancing ATDD, GUI Automation and Exploratory Testing
  • Refactor your specs!
  • Symbiotic relationships between testing and analytics
  • Track: When the Agile Manifesto isn’t enough (5)
  • Track: Lean IT Enterprise (2)
  • Why Agile doesn’t scale, and what you can do about it
  • Do’s and don’ts for Distributed Scrum
  • ǝnןɐʌ: Why we have it backwards
  • JS Unit Testing Good Practices and Horrible Mistakes

“Going mobile, Going Cloud” (search words: mobile, cloud)
  • Track: Mobile (16)
  • Track: Cloud (10)
  • Track: Modern OS (5)
  • OpenShift Primer – Cloud development has never been easier
  • Continuous Deployment and Automation on Distributed Cloud Environments
  • Windows Azure Mobile Services
  • What’s next for Mobile?
  • Developing Java Applications for the Cloud, present and future
  • Run your Java code on Cloud Foundry

“Build in business value” (search words: business, value)
  • Value driven development
  • Are Agile values universal?
  • ǝnןɐʌ: Why we have it backwards

Totals: Øredev 2013: 35; GOTO Aarhus 2013: 19

Disclaimer: GOTO Aarhus 2013 is sponsoring my attendance as a blogger.

Best Toys for Boys, Ever


[ The 5 Best Toys of All Time | January 31, 2011 | Wired ]

1. Stick

2. Box

3. String

4. Cardboard Tube

5. Dirt

“Most exciting things ever” photo by Flickr user pfly. Used under Creative Commons License.

See also The most well-known person from Denmark is

Work Smarter, not Harder


[ If In Doubt – Learn! | 7th September 2010 | Therese Hansen ]

Last year, when the world was in crisis mode, I could understand why people, when asked if they wanted to go …, said that their boss wouldn’t let them and that the conference budget for the whole year had been cancelled.

The business is always busy when there is no economic crisis. Some IT companies were even busy when the crisis was peaking. Such is IT.

The difference between now and then is that now the workers who did not get to go to the conference last year, and probably won’t get to go this year, are outdated. They haven’t taken the time to update their qualifications in the last few years, and the tech world is moving terribly fast. Some don’t know what the whole NoSQL thing is about, some haven’t heard much about HTML5, and some haven’t heard anything about the mobile phone development department.

Now the crisis is over and companies are getting business deals that demand skills in that department, and their current workforce can’t deliver. They should have been working smarter, not harder!

It is better to train people and risk that they leave than to do nothing and have them stay.

See also Cutting costs will not get you value

The weekend formula


The more people that are in their pajamas after noon, the more weekend.
The more laundry to sort, the more weekend.
The more the boys play with LEGO trains peacefully in the morning, double the more weekend.

But Where is Perry?

See also [DK] On being able to postpone one’s own needs

After all, you are allowed to be a bit autistic


[ ing.dk | August 2006 ]

Engineers more often have Asperger’s syndrome, a mild form of autism, than people from other professions, experts estimate. It gives them special abilities for many specialist tasks, but at the same time problems functioning socially.

Karen Brøndum-Nielsen, professor, dr.med. in genetics and director at the sector research institution the Kennedy Institute, stresses that there are no studies that directly show the proportion of engineers with Asperger’s syndrome.

»But it is not strange if there is a certain overrepresentation of Asperger’s among engineers and technicians, because they use the same mathematical brain functions that people with Asperger’s are strong in,« she says.

[ PHLOGGEN | May 2011 | http://ing.dk/artikel/118859-syg-i-hovedet-og-stolt-af-det ]

Autistic symptoms cover a very broad spectrum, from people who are a bit too pedantic about punctuation, to people who simply cannot function at all.

Fortunately the distribution is very thin at the bad end; the vast majority of those with autistic traits have received treatment. Often at DTU or AAU.

DTU and AAU should of course henceforth be considered a relevant treatment option in district psychiatry.

The rest of us could fittingly start a campaign to get rid of open-plan offices, emotion-porn HR and circle-time pedagogy, and instead be allowed to close our office door behind us and concentrate properly.

After all, you are allowed to be a bit autistic.

Young people with Asperger’s can indeed get an education


Dr.dk writes http://www.dr.dk/Nyheder/Indland/2012/02/09/163051.htm “Success: Autistic students pass the upper secondary exam”. There is nothing new in that in itself. The upper secondary exam (studentereksamen) has existed for many, many years, and people with Asperger’s issues even longer. Yes, also before 1994, when it became an approved diagnosis in Denmark. Just look at DTU: http://ing.dk/artikel/72758-psykologer-asperger-er-et-ingenioersyndrom

What is new is that (let me call them) “special upper secondary classes” produce graduates with the same grade average as, and a partly higher pass rate than, the national average. That this gives these people opportunities for development.

At Paderup Gymnasium in Randers, pedagogical leader Helle Boelskifte says that the teaching has required a maximum of 10 students in the class, and that the students have received extra support. But academically they have received exactly the same teaching as the other students, and at the exams they sat under exactly the same conditions as the other students, she says. Preliminary reports, however, show that they do better in small study environments than in large ones, and that they thrive best with individual study rather than group work.

See also Who has excellent memory and strong attention to detail
