Mini Test On Production

Yesterday I changed my Twitter handle. Today I want to test what happens if I do not update it on WordPress and publish a blog post.

I expect one of these to happen:

  1. I cannot publish the blog post
  2. I cannot publish the blog post, and get an error message that there is no such handle
  3. I can publish the blog post, but there is no tweet on Twitter
  4. I can publish the blog post, and there is a tweet on Twitter from a ghost account with the old handle
  5. I can publish the blog post, and there is a tweet on Twitter with the new handle
  6. something else

UPDATE after the test

The test was successful. The blog post was published with the right Twitter handle.

What I like a lot is that WP updated automatically to the new handle. If I choose to write another blog post, it is already filled in with the new handle. No human interaction necessary!

Update: I found one thing that broke – the Twitter widget in the sidebar.

#30DaysOfTesting – ECommerce Task II & IV

Previous in this series: Task I & III

Task 2: Read and share an interesting blog about ecommerce testing

Task 4: Find and share a useful video on YouTube about ecommerce testing

One testing website I like and have read since I started testing software is Software Testing Help. Vijay has done an amazing job collecting all kinds of testing ideas and helping so many rookie testers. 8 Important Segments Of Testing eCommerce Websites is a very good place to start if you are starting to test retail software.

For advanced testing, or as Daniel says at the end – to put a smile on your face – do some penetration testing.

#30DaysOfTesting – eCommerce Task I & III

Task 1: Look up some definitions for ‘ecommerce’, from these create and share your own definition

Task 3: Join the #ecommerce channel on https://testers.chat and introduce yourself!

e-commerce

For me, e-commerce is a system where you can exchange all kinds of goods and services. I used the word “system” because there is more to it than meets the eye. In the digital transformation projects I worked on where e-commerce was part of the project, companies were unprepared for how big their e-commerce system could be.

#ecommerce channel

For those who use Slack: you will find Testers.chat under testersio.

I like that this time MinistryOfTesting involved other testing communities in the challenge and created a channel on testers.chat.

Each of us has some good tools in their toolbox. If we put those together, we could help the domain get better and make the entry easier for rookies.

Explaining Software Testing

Michael Bolton is good at summarising the fundamentals of software testing in a tweet. In my eyes this piece of information deserves a little blog post.

The last sentence is something I teach my ISTQB Foundation Level students – you cannot assure that there are no bugs, but you can collect information about the bugs you have found. You can analyse them, e.g. with the aim of creating a set of actions to protect your software development process from the reappearance of that type of bug.

Most developers want to know whether a feature works or not, but we as testers can only say that Version A did work on Machine B under Circumstances C. Project managers and customers want to know if it will work in production. We as testers cannot assure that, because we did not (and should not) test on the production environment with production data. Based on tests on similar environments and under similar circumstances we can suppose that it can work.

It sounds very logical, but it can escalate very quickly, because DEVs, PMs and customers think that testers are there to save the world and to give certificates that the software they are working on works perfectly as described.

What to do if you still get asked:

– “What do you do the whole day long if you cannot tell me whether it will work or not?!”

In a heated situation like this it is too late to explain semantics, the fundamentals of testing or why the software development process is complex. You should have done that as early as possible, when you started to work on a new feature, on a new project, in a new team or at a new company. Remember – one of the most important skills of a tester is communication. We need it not to be able to talk about the weather, but to explain what testing is and how testing can help DEVs, PMs, customers and everyone else. Daily.

Michael suggests a 4 step plan for learning the fundamentals of software testing:

  1. Learn how to test: How can a trainee improve his/her skill sets in testing?; To The New Tester
  2. Declare your commitments: A Tester’s Commitments
  3. Recognise that all testing is heuristic: Heuristics for Understanding Heuristics
  4. Learn to tell the testing story: How is the testing going?

It looks simple, but as you start to read the linked resources you will understand that the studies can take years. Take a deep breath. To be able to explain testing to others, you have to learn it first yourself. Do not panic if it does not work on the first try. Make experiments, try new approaches, improve your skills. One day you will master it!

#30daysofsecuritytesting – February

February is over, but my 30 days of security testing challenge is not done yet. I have done only 11 of 30 so far: I, II, IV, V, VII, IX, X, XII, XVIII, XX, XXX, and I am not thinking of giving up. This has been an amazing learning journey! I always wanted to learn more about web security but never had a real reason or the time to do it. The challenge helped me realise it is not as difficult as I thought it would be. Those 30 tasks are like a map with turning points, and there is so much information if you know what you are looking for.

One of my information sources is YouTube – you will be very surprised to find out how many conferences upload their talks to YouTube. Like this talk from Troy Hunt.

In his talk Troy shows several examples of insecure passwords. It is something I could definitely use for testing.

Thank you, Melissa Eaden, Claire Reckless and Dan Billing, for putting this challenge together. I am very intrigued to see how it will go on.

#30daysofsecuritytesting – Task XX

All previous posts in this series: I, II, IV, V, VII, IX, X, XII, XVIII, XXX

Task 20: Read about DOS/DDOS attacks. Share examples/stories via social media.

I started the task by looking up the definition of DOS/DDOS attacks, to be sure that we are on the same page. One of the first results in DuckDuckGo was this interesting website. Emergency readiness team, cool! They classify DOS/DDOS attacks as a security tip.
Security header check: D

If there is a US CERT team, there should be an EU CERT team, right?
Yes! Only Europeans call it Computer Emergency Response Team. The website is a collection of articles, and I will definitely check the top stories, hall of fame and latest info from security vendors weekly.
Security header check: F

Continuing my research on German websites. Again a very interesting first DuckDuckGo result: Cyber-Sicherheitsrat Deutschland, in English “Cyber-Security Council Germany”. Cool name, but there is something strange. Founded by a “group of reputable individuals”, and “the cost of an annual subscription is 2,500 Euros. There is also a one-off admission fee of 1,000 Euros”. What kind of security group is it? And is it only me, or have I seen that home page photo somewhere else?
Security header check: F.

The real institution in Germany is the Bundesministerium des Innern (BMI).
Security header check: D

And the Bundesamt für Sicherheit in der Informationstechnik, which has listed “common sense” as one of its suggestions for internet security.
Security header check: C

OK. It is very interesting, but what was the subject? DOS/DDOS attacks.

You will find information about the latest DOS attacks on the EU page above, but I liked the story about possibly the first DOS attack. The comments are especially interesting.

Security and WordPress

A week ago I learned about security headers and found weaknesses in this blog. In my previous post I did not write that, besides mine, I checked other websites which I know are run on WordPress. All of them have the same problems, no matter where the WordPress page is hosted or stored. I contacted the Happiness Engineers and got feedback that my question will be forwarded to the Network Engineers. Still waiting for an answer from them.

One thing that made me especially concerned was the blog post “stopmullware-on-the-security-of-27-of-the-websites-on-the-internet” written by Scott Arciszewski, which got deleted shortly after I read it – the post was about the priorities of Automattic; hint – security is not one of them. Here are some tweets which should explain why it was deleted:

Use Google and read for yourself who Scott is and what he does. And form your own picture of the situation.

But Scott is not the only one who is alarmed. Here is another article about a WordPress vulnerability. In fact I have a feeling that suddenly everyone is writing about how insecure WordPress is. German media people seem to be a little slow – they are informing about the update bug just now.

Long story short – I spent the whole week reading and understanding how it all works together – I touched certificates and domains as well. My aim was to find out what I can do to improve the security of my website. My current answer: as long as I use WordPress, I cannot fix the security header issues. But the optimist inside me is really looking forward to the WordPress Network Engineer's answer. Maybe there is a way.

#30daysofsecuritytesting – Task XII


All previous posts in this series: I, II, IV, V, VII, IX, X, XVIII, XXX

Task 12: Read about security testing and discuss where it best fits in an SDLC

Here are some of the sources that supported my learning about security testing.

Very good introduction in the first 3 min:

I met Simon at TestBash Manchester and had a nice chat. Unfortunately I could not attend his ZAP introduction course, but software development definitely needs more people like Simon.

If you are still not convinced by this 30 days of security challenge and think it is too complicated, then read this article. I especially liked the arguments for whether you should or should not start security testing in your company, and the link to The Big List of Naughty Strings.

#30daysofsecuritytesting – Task XVIII


All previous posts in this series: I, II, IV, V, VII, IX, X, XXX

Task 15: Write and share ideas for security testing via twitter or a blog
Task 18: Learn about Security Headers

Oh, people, this challenge is a real challenge! I usually write one or two blog posts a week; my wish to document my learnings is making things difficult for me. I had the most beautiful weekend with my family on the hill, and now I am missing several tasks. It is what it is. I move on and tick off two tasks.

So. Security Headers. The first thing I wanted to do was to scan my own website. I thought it would be a short check and then I would move on, but instead this happened:

I started with a scan on Security Headers – a free website which analyses headers, built and run by Scott Helme. The scan showed some problems with the headers and I started to research whether I should panic or not.

With the help of developer tools, I checked the network/headers in Safari, Chrome and Firefox. Every browser shows the header information differently. At the beginning Chrome appeared the least valuable, but then I discovered the “Security” and “Audits” tabs and it changed my top 3.

With the help of Chrome I also learned tonight about Wildcard and Multi-Domain (SAN) certificates and the websites with which I share one. The Chrome audit showed that I have 2237 unused CSS rules. I will need to decide what to do with that…

All together this task was very useful. I learned a lot and got a long to-do list of what to improve on my website.
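Since the grades in this post and in the Task XX post come from a scanner that looks at response headers, here is an added example of the same idea done locally, so you can see which header is behind each complaint. It is not the scanner's own code or Scott Helme's grading algorithm: the header list, the six-month HSTS threshold and the A to F scale are assumptions chosen for illustration, and the two sample responses are constructed, not captured from any real site.

```python
"""Check an HTTP response for the standard security headers and grade it.

Added example: a simplified, local stand-in for the kind of check a
security-header scanner performs. The header list, the max-age threshold
and the A..F scale are assumptions for illustration only.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, List, Tuple

# Headers a scanner expects, with a reasonable value as a hint (assumed list).
EXPECTED_HEADERS: Dict[str, str] = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "DENY or SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(), camera=(), microphone=()",
}

# Headers that only reveal implementation details; flagged as warnings.
LEAKY_HEADERS = ("server", "x-powered-by")

# Assumed scale: index = number of missing or weak headers, capped at F.
GRADES = ["A", "B", "C", "D", "E", "F"]

# Assumed threshold: an HSTS max-age under six months gives little protection.
MIN_HSTS_SECONDS = 15_768_000


def _normalise(headers) -> Dict[str, str]:
    """Lower-case header names so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def check_headers(headers) -> Tuple[List[str], List[str]]:
    """Return (problems, warnings): problems lower the grade, warnings do not."""
    h = _normalise(headers)
    problems: List[str] = []
    for name, hint in EXPECTED_HEADERS.items():
        value = h.get(name)
        if value is None:
            problems.append(f"{name} missing (e.g. {hint})")
        elif name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            if not m or int(m.group(1)) < MIN_HSTS_SECONDS:
                problems.append(f"{name} max-age too short or absent: {value!r}")
        elif name == "x-content-type-options" and value.strip().lower() != "nosniff":
            problems.append(f"{name} should be 'nosniff', got {value!r}")
        elif name == "x-frame-options" and value.strip().upper() not in ("DENY", "SAMEORIGIN"):
            problems.append(f"{name} should be DENY or SAMEORIGIN, got {value!r}")
    warnings = [f"{name} reveals implementation details: {h[name]!r}"
                for name in LEAKY_HEADERS if name in h]
    if "content-security-policy" in h and "unsafe-inline" in h["content-security-policy"]:
        warnings.append("content-security-policy allows 'unsafe-inline'")
    return problems, warnings


def grade(headers) -> str:
    """Map the number of problems onto the assumed A..F scale."""
    problems, _ = check_headers(headers)
    return GRADES[min(len(problems), len(GRADES) - 1)]


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch only the headers of a URL with a HEAD request (needs network access)."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "header-check-example/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # A 4xx/5xx answer still carries headers worth checking.
        return dict(err.headers.items())


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = {
    "Server": "nginx/1.10.3",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=86400",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    import sys
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_RESPONSE
    problems, warnings = check_headers(target)
    print("grade:", grade(target))
    for p in problems:
        print(" -", p)
    for w in warnings:
        print(" !", w)
```

Run it without arguments to grade the constructed weak response (it comes out as F, with a warning about the Server header), or pass a URL you are responsible for to grade a live response. The useful part for a tester is not the letter but the list of problems: each line names the exact header that a developer or hosting provider would have to add or change, which is the conversation this post and the WordPress post are about.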

At the end – Automattic has a good sense of humour:

On the other side – my header has an ad for Automattic and I am not OK with that.

#30daysofsecuritytesting – Task IX

Task: Discover the process and procedures around Security Auditing

This is a hard one. I have been researching for two days already, but still have not managed to create my own picture of “what is Security Auditing?”

The confusion starts with Wikipedia, because there are two articles about the topic, both marked as incomplete.

https://en.wikipedia.org/wiki/Information_security_audit

https://en.wikipedia.org/wiki/Information_technology_security_audit

Maybe someone wants to fix it?

The piece I found helpful and useful is this 10 step guide “if a security auditor isn’t in the budget”: http://www.itsecurity.com/features/it-security-audit-010407/