#30DaysOfTesting – ECommerce Task II & IV

Previous in this series: Task I & III

Task 2: Read and share an interesting blog about ecommerce testing

Task 4: Find and share a useful video on YouTube about ecommerce testing

One testing website I have liked and read since I started testing software is Software Testing Help. Vijay has done an amazing job collecting all kinds of testing ideas and helping so many rookie testers. 8 Important Segments Of Testing eCommerce Websites is a very good place to start if you are starting to test retail software.

For advanced testing or, as Daniel says at the end – to put a smile on your face – do some penetration testing.

#30DaysOfTesting – eCommerce Task I & III

Task 1: Look up some definitions for ‘ecommerce’, from these create and share your own definition

Task 3: Join the #ecommerce channel on https://testers.chat and introduce yourself!

e-commerce

For me, e-commerce is a system where you can exchange all kinds of goods and services. I used the word “system” because there is more to it than meets the eye. In the digital transformation projects I worked on where e-commerce was part of the project, companies were unprepared for how big their e-commerce system could be.

#ecommerce channel

For those who use Slack: you will find Testers.chat under testersio.

I like that this time MinistryOfTesting involved other testing communities in the challenge and created a channel on testers.chat.

Each of us has some good tools in our toolbox. If we put those together, we could help the domain get better and make entry easier for rookies.

#30daysofsecuritytesting – February

February is over, but my 30 days of security testing challenge is not done yet. I have done only 11 of 30 so far: I, II, IV, V, VII, IX, X, XII, XVIII, XX, XXX, and I am not thinking of giving up. This has been an amazing learning journey! I always wanted to learn more about web security but never had a real reason or the time to do it. The challenge helped me realise it is not as difficult as I thought it would be. Those 30 tasks are like a map with turning points, and there is so much information if you know what you are looking for.

One of my information sources is YouTube – you will be very surprised to find out how many conferences upload their talks to YouTube. Like this talk from Troy Hunt.

In his talk, Troy shows several examples of insecure passwords. It is something I could definitely use for testing.

Thank you, Melissa Eaden, Claire Reckless and Dan Billing, for putting this challenge together. I am very intrigued to see how it will go on.

#30daysofsecuritytesting – Task XX

All previous posts in this series: I, II, IV, V, VII, IX, X, XII, XVIII, XXX

Task 20: Read about DOS/DDOS attacks. Share examples/stories via social media.

screen-shot-2017-02-28-at-17-19-30

I started the task by looking up the definition of DOS/DDOS attacks, to be sure that we are on the same page. One of the first results in DuckDuckGo was this interesting website. Emergency readiness team, cool! They classify DOS/DDOS attacks as a security tip.
Security header check: D

If there is a US CERT team, there should be an EU CERT team, right?
screen-shot-2017-02-28-at-17-57-10
Yes! Only Europeans call it Computer Emergency Response Team. The website is a collection of articles, and I will definitely check the top stories, hall of fame or latest info from security vendors weekly.
Security header check: F

I continued my research on German websites. Again a very interesting first DuckDuckGo result: Cyber-Sicherheitsrat Deutschland, in English “Cyber-Security Council Germany”. Cool name, but there is something strange. Founded by a “group of reputable individuals”, and “the cost of an annual subscription is 2,500 Euros. There is also a one-off admission fee of 1,000 Euros”. What kind of security group is it? And is it only me, or have I seen that home-page photo somewhere else?
Security header check: F.

The real institution in Germany is the Bundesministerium des Innern (BMI).

screen-shot-2017-02-28-at-21-11-22
Security header check: D

And the Bundesamt für Sicherheit in der Informationstechnik, which lists “common sense” as one of its suggestions for internet security.

screen-shot-2017-02-28-at-21-53-06
Security header check: C

OK. It is very interesting, but what was the subject? DOS/DDOS attacks.

You will find information about the latest DOS attacks on the EU page above, but I liked the story about possibly the first DOS attack. The comments are especially interesting.

#30daysofsecuritytesting – Task XII

screen-shot-2017-02-19-at-22-43-17

All previous posts in this series: I, II, IV, V, VII, IX, X, XVIII, XXX

Task 12: Read about security testing and discuss where it best fits in an SDLC

Here are some of the sources that supported my learning about security testing.

A very good introduction in the first 3 minutes:

I met Simon at TestBash Manchester and had a nice chat. Unfortunately I could not attend his ZAP introduction course, but software development definitely needs more people like Simon.

If you are still not convinced by this 30 days of security challenge and think it is too complicated, then read this article. I especially liked the arguments on whether you should or should not start security testing in your company, and the link to The Big List of Naughty Strings.

#30daysofsecuritytesting – Task XVIII

screen-shot-2017-02-13-at-23-46-14

All previous posts in this series: I, II, IV, V, VII, IX, X, XXX

Task 15: Write and share ideas for security testing via twitter or a blog
Task 18: Learn about Security Headers

Oh, people, this challenge is a real challenge! I usually write one or two blog posts a week, and my wish to document my learnings is making things difficult for me. I had the most beautiful weekend with my family on the hill, and now I am missing several tasks. It is what it is. I move on and tick off two tasks.

So. Security Headers. The first thing I wanted to do was to scan my own website. I thought it would be a short check and then I would move on, but instead this happened:

I started with a scan on Security Headers – a free website which analyses headers, built and run by Scott Helme. The scan showed some problems with the headers, and I started to research whether I should panic or not.

With the help of developer tools, I checked the network/headers tabs in Safari, Chrome and Firefox. Every browser shows the header information differently. Chrome at first appeared to be the least valuable, but then I discovered the “security” and “audits” tabs, and that changed my top 3.

With the help of Chrome I also learned tonight about Wildcard and Multi-Domain (SAN) Certificates, and which websites I share mine with. The Chrome audit showed that I have 2237 unused CSS rules. I will need to decide what to do with that…

All together, this task was very useful. I learned a lot and got a long to-do list of what to improve on my website.
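To make the header scan described above repeatable without the hosted scanner, here is an added example (my own code, not Scott Helme's scanner and not the original post's) that parses a response header block as copied from a browser's network tab, checks for the common security headers, flags weak values, and turns the result into a letter grade. The header list, the value checks and the grading scale are this example's own simplified assumptions, not the real scanner's scoring rules; both sample responses are constructed, not captured from any site.

```python
"""Check HTTP response headers for common security headers and grade the result.

Added example for this post, not the scanner's own code. The header list,
value checks and grading scale are this example's own simplifications
(assumptions), not the real securityheaders scoring rules.
"""
from typing import Dict, List, Tuple

# Headers a hardened site is expected to send (assumption: simplified list).
RECOMMENDED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a response header block (as copied from a browser's network tab)
    into a dict with lower-cased names. The status line has no colon and is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if ":" not in line:  # status line such as "HTTP/1.1 200 OK"
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def check_value(name: str, value: str) -> str:
    """Return a warning for a present-but-weak header value, or "" if it looks fine."""
    v = value.lower()
    if name == "strict-transport-security":
        # max-age=0 disables HSTS; anything below a year gives little protection.
        for directive in v.split(";"):
            d = directive.strip()
            if d.startswith("max-age="):
                try:
                    age = int(d.split("=", 1)[1])
                except ValueError:
                    return "HSTS max-age is not a number"
                if age < 31536000:
                    return f"HSTS max-age {age} is below one year"
                return ""
        return "HSTS header has no max-age directive"
    if name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return f"X-Frame-Options value {value!r} is not DENY or SAMEORIGIN"
    if name == "x-content-type-options" and v != "nosniff":
        return f"X-Content-Type-Options value {value!r} is not nosniff"
    if name == "content-security-policy" and "'unsafe-inline'" in v:
        return "CSP allows 'unsafe-inline'"
    return ""


def audit(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing recommended header names, warnings about weak values)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in RECOMMENDED if h not in lowered]
    warnings = []
    for h in RECOMMENDED:
        if h in lowered:
            warning = check_value(h, lowered[h])
            if warning:
                warnings.append(warning)
    return missing, warnings


def grade(headers: Dict[str, str]) -> str:
    """Letter grade: one step down per missing header; a weak value counts as
    half a missing header (assumption: this example's own scale, not the scanner's)."""
    missing, warnings = audit(headers)
    penalty = len(missing) + 0.5 * len(warnings)
    if penalty == 0:
        return "A"
    if penalty <= 1:
        return "B"
    if penalty <= 2:
        return "C"
    if penalty <= 3:
        return "D"
    return "F"


# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOWALL
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        hdrs = parse_raw_headers(raw)
        missing, warnings = audit(hdrs)
        print(f"{label}: grade {grade(hdrs)}; missing {missing}; warnings {warnings}")
```

Running it prints an F for the constructed weak response (five headers missing plus a meaningless X-Frame-Options value) and an A for the hardened one. The value checks matter as much as presence: a site can send every header on the list and still earn a warning for an HSTS max-age of a few hours or a CSP that permits inline scripts.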

At the end – Automattic has a good sense of humour:
screen-shot-2017-02-14-at-00-48-59

On the other side – my header has an ad for Automattic, and I am not OK with that.

#30daysofsecuritytesting – Task IX

Task: Discover the process and procedures around Security Auditing

This is a hard one. I have been doing my research for two days now, but still have not managed to form my own picture of “what is Security Auditing?”

The confusion starts with Wikipedia, because there are two articles about the topic, both marked as incomplete.

https://en.wikipedia.org/wiki/Information_security_audit

https://en.wikipedia.org/wiki/Information_technology_security_audit

Maybe someone wants to fix it?

The piece I found helpful and useful is this 10-step guide “if a security auditor isn’t in the budget”: http://www.itsecurity.com/features/it-security-audit-010407/

#30DaysOfSecurityTesting – Task VII

screen-shot-2017-02-09-at-01-55-17

All previous posts in this series: I, II, IV, V, X, XXX

Task: Learn one or more things about Penetration testing.

The first thing I learned today about the topic is the difference from vulnerability scanning. During scanning you identify and prioritise possible vulnerabilities, but during penetration testing you actively explore those vulnerabilities with the aim of breaking in.

Second, a very important thing I learned: in Germany, all penetration testing without the permission of the owner is illegal. So if you scan somebody's system in Germany, try to use the vulnerability and report it to the owner in the hope of getting a reward, you may land in jail.

#30DaysOfSecurityTesting – Task IV

vulnerability

All previous posts in this series: I, II, X, XXX

Task: Learn anything about Vulnerability Scanning

I looked for the answer in “How To Break Web Software”, the book I chose in task II. In the index, the only page listed for “vulnerabilities, searching for” is page 107. You can see it in the image above.

It was not enough for me. So I checked the source which, as I learned from my son, has many answers:

Then I found the list of vulnerability scanners. The experts will LOL at my comparison of Nessus and Nmap, but that is what works for me:

  • Nmap is free, the website is from the 90’s and the tool is difficult to configure.
  • The price of a Nessus single-user licence is “$2,190 USD/year” (funny that they use both $ and USD for the price); it has a modern website and the tool seems to be very user-friendly (according to the demonstration above).

I am considering downloading Nessus and scanning my home network. Curious what it will say about my internet radio. The download starts with filling out a form; even if you want the try-out for a single-user licence, you have to select your job position. In the list you will find all kinds of people, except software testers.

screen-shot-2017-02-04-at-23-58-53

The more I think about web security, the more it reminds me of birth control. Some of us blindly trust the protection of their choice, some think that nothing will happen anyway and use none, and there are some of us who choose to walk on the edge. Negative consequences of some of those decisions are AIDS, fertility treatments or teen mums.

I am quite a sceptic – if we cannot handle issues of our own bodies and health, then such an abstract thing as web security has no chance of getting our attention before something really bad happens.