Thursday, December 3, 2009

Explain the methods and techniques used for Security Testing

Security testing can be performed at several levels:
• Black Box Level
• White Box Level
• Database Level

Black Box Level
Session Hijacking
Session Hijacking, commonly called “IP Spoofing”, is an attack in which a user's session on a protected network is taken over.
• Session Prediction
Session Prediction is a method of obtaining the session ID of an authorized user and using it to gain access to the application. In a web application the session ID can be retrieved from cookies or from the URL.
A session prediction attack may be suspected when a website is not responding normally or stops responding for an unknown reason.
• Email Spoofing
Email Spoofing is forging the email header (the “From” address) so that the message looks as if it originated from the actual source; if the recipient replies, the reply lands in the spammer's inbox. By inserting commands in the header, the message information can be altered, so a spoofed email can carry information you did not write.
• Content Spoofing
Content spoofing is a technique in which a fake website is built so that the user believes the site and its information are genuine. When the user enters a Credit Card Number, Password, SSN or other important details, the hacker captures the data and uses it for fraud.
• Phishing
Phishing is similar to Email Spoofing: the hacker sends a genuine-looking mail attempting to obtain the personal and financial information of the user. The emails appear to have come from well-known websites.
• Password Cracking
Password Cracking is used to recover an unknown or forgotten password.
Password cracking can be done in two ways:
1. Brute Force – The hacker tries combinations of characters up to a given length until one is accepted.
2. Password Dictionary – The hacker uses a password dictionary, which is available for various topics.
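As an added example (not part of the original post), the following Python check illustrates the Session Prediction item above from the tester's side: given a sample of session IDs issued by an application, it flags IDs that are too short, sequential, duplicated or low in entropy. Both ID sets are constructed here; the counter-based generator stands in for a hypothetical weak application and Python's secrets module for a sound one.

```python
import math
import secrets
from collections import Counter

# Constructed samples (not captured from any real site):
# a hypothetical weak application issuing counter-based IDs, and a sound
# generator producing 128 random bits per ID.
WEAK_SESSION_IDS = [f"{1000 + i:08x}" for i in range(20)]
STRONG_SESSION_IDS = [secrets.token_hex(16) for _ in range(20)]


def shannon_entropy_bits(ids):
    """Shannon entropy per character over the pooled ID text.
    For a hex alphabet the maximum is 4 bits per character; a counter
    that only changes its last digits scores far below that."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def is_sequential(ids):
    """True when every consecutive pair of IDs (read as hex) differs by the
    same step, i.e. the next ID follows from the previous one."""
    values = [int(s, 16) for s in ids]
    deltas = {b - a for a, b in zip(values, values[1:])}
    return len(deltas) == 1


def assess_session_ids(ids, min_bits=128):
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    # Each hex character carries at most 4 bits, so length bounds the entropy
    if min(len(s) for s in ids) * 4 < min_bits:
        findings.append(f"too short: fewer than {min_bits} bits possible")
    if is_sequential(ids):
        findings.append("sequential: next ID can be derived from the previous one")
    if len(set(ids)) != len(ids):
        findings.append("duplicate IDs issued")
    if shannon_entropy_bits(ids) < 3.0:
        findings.append("low per-character entropy")
    return findings


if __name__ == "__main__":
    print("weak  :", assess_session_ids(WEAK_SESSION_IDS))
    print("strong:", assess_session_ids(STRONG_SESSION_IDS))
```

In a real test the IDs would be collected from the application's Set-Cookie headers across a series of logins; the checks above are a first screen, and a generator that passes them still needs review of how it is seeded.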

White Box Level
• Malicious Code Injection
SQL Injection is the most common code injection attack: the hacker attaches malicious code to the legitimate code by inserting it through an input field of the application. The motive behind the injection is to steal secured information that was intended for a restricted set of users.
Apart from SQL Injection, the other types of malicious code injection are XPath Injection, LDAP Injection, and Command Execution Injection. Similar to SQL Injection, XPath Injection targets XML documents.
• Penetration Testing
Penetration Testing is used to check the security of a computer or a network. The test process explores all the security aspects of the system and attempts to penetrate it.
• Input Validation
Input validation defends applications from hackers. If input is not validated, especially in web applications, it can lead to system crashes, database manipulation and corruption.
• Variable Manipulation
Variable manipulation is a method of specifying or editing the variables in a program. It is mostly used to alter the data sent to the web server.

Database Level
SQL Injection
SQL Injection is used to attack websites by changing the backend SQL statements; using this technique the hacker can steal data from the database and also delete or modify it.
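To make the SQL Injection and Input Validation points above concrete, here is an added Python example (not from the original post) using an in-memory SQLite table constructed for the purpose. lookup_vulnerable builds the query by string formatting and is the "before" form that lets user input become part of the SQL statement; lookup_safe uses a parameterized query; validate_username adds an allow-list check in front of it. The table, its columns and rows are hypothetical.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The weak form: the username is pasted into the SQL text, so a value
    containing quotes changes the statement itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so it is only ever compared as data."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for usernames: lowercase letters, digits and underscore, 1-32 chars
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username):
    """Input validation: accept only values that match the allow-list."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    """Defense in depth: validate first, then use the parameterized query."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # the classic tautology used in SQL injection tests
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe      :", lookup_safe(db, probe))        # returns no rows
    print("validated :", validate_username(probe))      # False
```

Running the tautology probe through both lookups is exactly the kind of check a security tester performs on each input field: the vulnerable version returns every user, while the parameterized version treats the whole string as a username that does not exist.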

Explain Alpha, Beta, Gamma Testing

Alpha Testing
Alpha Testing is mostly like usability testing and is done by the in-house developers who developed the software, or by testers. Sometimes Alpha Testing is done by the client or an outsider in the presence of the developer and tester. The version released after alpha testing is called the Alpha Release.

Beta Testing
Beta Testing is done by a limited number of end users before delivery; change requests are fixed when a user gives feedback or reports a defect. The version released after beta testing is called the Beta Release.

Gamma Testing
Gamma Testing is done when the software is ready for release against its specified requirements; this testing is done directly, skipping all the in-house testing activities.


The terms Priority and Severity are used in Bug Tracking to communicate the importance of a bug to the team and get it fixed.

Severity

1. The Severity status explains how badly the deviation affects the build.

2. The severity is defined by the tester based on the written test cases and functionality.
Ex : If an application or a web page crashes when a remote link is clicked, a user clicking the remote link is rare but the impact of the application crashing is severe, so the severity is high and the priority is low.

Priority

1. The Priority status is set by the tester for the developer, indicating the time frame within which a defect must be fixed. If High priority is set, the developer has to fix it at the earliest.

2. The priority status is set based on the customer requirements.
Ex : If the company name is misspelled on the home page of a website, the priority to fix it is high and the severity is low.

What is the difference between Two Tier Architecture and Three Tier Architecture?

In Two Tier Architecture, or Client/Server Architecture, two layers, the Client and the Server, are involved. The Client sends a request to the Server and the Server responds by fetching the data. The problem with Two Tier Architecture is that the server cannot respond to multiple requests at the same time, which causes data integrity issues.
Client/Server Testing involves testing the Two Tier Architecture, with the user interface at the front end and the database as the back end, along with its dependencies on the Client, Hardware and Servers.
In Three Tier Architecture, or Multi Tier Architecture, three layers are involved: Client, Server and Database. Here the Client sends a request to the Server, the Server forwards the request to the Database for data, the Database returns the data to the Server, and the Server forwards it to the Client.
Web Application Testing involves testing the Three Tier Architecture, including User Interface, Functionality, Performance, Compatibility, Security and Database testing.

Explain Localization Testing with examples.

Localization is the process of changing or modifying an application for a particular culture or locale. This includes changes to the user interface, graphical designs or even the initial settings according to that culture and its requirements.
Localization Testing verifies how correctly the application has been changed or modified for the target culture and language.
If the application has to be translated into the local language, each field should be tested to check that the translation is correct. Other aspects such as date conversion and the hardware and software in use, such as the operating system, should also be considered in localization testing.
Examples of Localization Testing are:
· In Islamic Banking all transactions and product features are based on Shariah Law. Some important points to be noted in Islamic Banking are:
1. In Islamic Banking, the bank shares the profit and loss with the customer.
2. In Islamic Banking, the bank cannot charge interest to the customer; instead it charges a nominal fee, which is termed “Profit”.
3. In Islamic Banking, the bank will not deal with or invest in businesses such as Gambling, Alcohol, Pork, etc.
In this case, we need to test whether these Islamic banking conditions have been implemented and applied in the application or product.
· In Islamic Lending, both the Gregorian Calendar and the Hijri Calendar are followed for calculating the loan repayment schedule. The Hijri Calendar, commonly called the Islamic Calendar, is followed in all Muslim countries and is based on the lunar cycle. The Hijri Calendar has 12 months and 354 days, which is 11 days shorter than the Gregorian Calendar. In this case, we need to test the repayment schedule by comparing both the Gregorian Calendar and the Hijri Calendar.
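As an added example (not from the original post), the following Python code builds a test oracle for the repayment schedule comparison: it converts between Gregorian dates and the tabular (arithmetic) Hijri calendar, in which common years have 354 days and 11 years in every 30-year cycle have 355, then lays out the same 12 monthly installments on both calendars to show the 11-day gap after one year. The tabular calendar is an assumption of this example (lenders following observed moon sightings may differ by a day or two), the conversion formulas are the standard ones from Reingold and Dershowitz's Calendrical Calculations, and the loan start date of 1 Muharram 1430 is constructed.

```python
import calendar
from datetime import date

# 1 Muharram 1 AH as a proleptic Gregorian ordinal (19 July 622); Python's
# date.toordinal() uses the same day count as the fixed-date formulas below.
ISLAMIC_EPOCH = date(622, 7, 19).toordinal()


def islamic_leap_year(year):
    """11 leap years of 355 days in every 30-year cycle of the tabular calendar."""
    return (14 + 11 * year) % 30 < 11


def fixed_from_islamic(year, month, day):
    """Ordinal day number of a tabular Hijri date."""
    return (ISLAMIC_EPOCH - 1 + (year - 1) * 354 + (3 + 11 * year) // 30
            + 29 * (month - 1) + month // 2 + day)


def islamic_from_fixed(ordinal):
    """Inverse of fixed_from_islamic: ordinal -> (year, month, day)."""
    year = (30 * (ordinal - ISLAMIC_EPOCH) + 10646) // 10631
    prior_days = ordinal - fixed_from_islamic(year, 1, 1)
    month = (11 * prior_days + 330) // 325
    day = ordinal - fixed_from_islamic(year, month, 1) + 1
    return year, month, day


def hijri_year_length(year):
    return fixed_from_islamic(year + 1, 1, 1) - fixed_from_islamic(year, 1, 1)


def hijri_month_length(year, month):
    nxt = (fixed_from_islamic(year + 1, 1, 1) if month == 12
           else fixed_from_islamic(year, month + 1, 1))
    return nxt - fixed_from_islamic(year, month, 1)


def add_gregorian_months(d, n):
    """Advance a Gregorian date by n months, clamping the day to the month end."""
    m0 = d.month - 1 + n
    y, m = d.year + m0 // 12, m0 % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def add_hijri_months(year, month, day, n):
    """Advance a Hijri date by n months, clamping the day to the month end."""
    m0 = month - 1 + n
    y, m = year + m0 // 12, m0 % 12 + 1
    return y, m, min(day, hijri_month_length(y, m))


def repayment_schedule(hijri_start, installments):
    """For each installment return (n, Gregorian due date if the schedule
    advances by Gregorian months, Gregorian date of the due date if it
    advances by Hijri months, difference in days)."""
    start = date.fromordinal(fixed_from_islamic(*hijri_start))
    rows = []
    for k in range(1, installments + 1):
        greg_due = add_gregorian_months(start, k)
        hijri_due = date.fromordinal(fixed_from_islamic(*add_hijri_months(*hijri_start, k)))
        rows.append((k, greg_due, hijri_due, (greg_due - hijri_due).days))
    return rows


if __name__ == "__main__":
    # Constructed loan: 12 installments from 1 Muharram 1430 AH (29 Dec 2008)
    for n, g, h, diff in repayment_schedule((1430, 1, 1), 12):
        print(f"{n:2d}  Gregorian {g}  Hijri-based {h}  gap {diff:2d} days")
```

A localization tester can feed the same start date and term into the application and compare its Hijri-based due dates against this oracle installment by installment; the gap grows by roughly one day per month and reaches 11 days at the twelfth installment, which is exactly the drift the text describes.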
