25 August 2015

How to practice software testing

During open season after Erica Walker's presentation at CAST, I mentioned a few useful tools for practicing software testing or software testing related skills (rather than passively watch/read/listen). With this blog post I want to expand that a bit and share some of the applications/sources I've found useful when actually practicing to become a better software tester.

General

Bitnami provides simple installers (local install) for several well-known web applications such as Wordpress, Moodle and ExoPlatform. The installer automatically sets up a web server, database server and the application itself. This is a great sandboxed environment for you to play with and you have access to the application's code and database content allowing you to do pretty nifty stuff.

Since the applications available on Bitnami are fairly large systems you'll find opportunities to focus your testing on basically any quality characteristic or test technique no matter which one you choose. Why not try a full equivalence partitioning, value selection and variable combination testing table for the post thread as moderator form in phpBB or a usability analysis of PrestoShop?

The drawback with these big applications may be that they are a bit intimidating/take time to learn. In that case try the many software download sites like SoftPedia but be aware that some software you find this way might come with various malware.

Joining open source projects can also be a good way of practicing testing while also giving something back. Popular open source code management sites like GitHub and SourceForge are great places to look for applications in need of testers.

Database

Install XAMPP (fully preconfigured web server) and start running queries against the MySQL server. This also gives you the ability to practice writing (and running) simple scripts in e.g. PHP to manipulate/display the database content. Getting familiar with phpMyAdmin (preinstalled) is also a good idea for any web application tester.

If you want to practice online I recommend Head First Labs. You might need a MySQL reference (available online) though to solve all their exercises since they reference to pages in an O'Reilly book.

REST API

A great place to take your first few steps in API testing is predic8. They have an online REST-API available that you're free to play around with. I recommend fetching Postman and just start making simple GET requests. Use predic8's tutorial to help you progress.

Security

Tons of applications exist for the sole purpose of practicing security testing. These applications have dozens of vulnerabilities built in so that you can practice triggering and exploiting these vulnerabilities without risking to break anything. Also, many of these applications have active communities built around them where you can get help or documentation, explaining the various vulnerabilities.

WebGoat (web testing, local installation)
Have only briefly used this but from what I've understood this might be the best choice available. If you search for WebGoat on YouTube you'll find dozens of tutorials, demonstration and installation videos.

Google Gruyere (web testing, online)
I've played around in Google Gruyere quite a bit. It's a good place to start and convenient since no installation is required. Also, due to it's fame, several videos exist demonstrating vulnerabilities in Google Gruyere and explaining the thinking behind discovering them. One example is Alan Richardson's video.

bWAPP (web testing, local installation)
Only briefly used bWAPP but seemed like it had potential. bWAPP is more helpful than Google Gruyere in the sense that you're informed about what vulnerability each page has.

BodgeIt Store (web testing, local installation)
A web security practice application aimed towards beginners (if I interpreted the description correctly). Haven't tried this one myself.

Mutillidae (web testing, local installation)
One more I haven't tried myself. What I liked in the description though was it did claim to give hints which likely make it a good starting challenge to a new penetration tester.

GameOver (web testing, VirtualBox image)
I discovered GameOver as I was writing this blog post. Haven't tried it yet but it's a VirtualBox image with several penetration testing tools and web security practice applications preinstalled (such as WebGoat). Convinient!

There are also pages dedicated to learning web security by giving the visitor progressively harder challenges (puzzles) to solve. My personal favorite is HackThisSite as I think the challenges are progressing in a good pace and you can always get help if you're stuck. For a quite extensive list of practice pages, take at look at the top answer to this Stack Overflow question.

If you want to practice system level penetration testing I recommend the Metasploit Unleashed free course. Also look into Kali Linux, a Linux distribution centered around penetration testing.

Information gathering

Information gathering is a critical skill for testers. A course I've just started that seems to have great potential is the Google's Power Searching course. The course comes with challenges making it interactive enough to fit this blog post.

Improve your skills in other common tools

You can improve your skills in many common tools by using training videos released by vendors or users and either mimic what's done in the videos or perform the challenges given. One example of a training video collection I've found useful is Microsoft's Office course.

Operating systems

I learned a lot about operating systems in general when I started playing around with Linux. It's a fun way to start and the amount of help you can get when stuck is mind-boggling. If you have some previous experience; give Arch Linux a chance. If you're new something like Sabayon might be at the right level. Popular desktop releases such as Ubuntu may be a bit hard to get "under the hood" in but for a first timer just seeing a different operating system might be enough. In that case, go with OpenSuse or any of the Ubuntu derivatives (e.g. Ubuntu itself, Linux Mint or Elementary OS).

If you don't want to tinker with partitioning; use VirtualBox.

Networks and servers

Plenty of material is available online and practicing it is generally just about tinkering with your own home network, e.g. figuring out what various router configuration options do. You don't need an expensive lab to practice network administration and server setup; two devices (e.g. a computer and smartphone) and a basic network connecting them (e.g. a router with a built in wireless switch) is enough. If you feel like you don't know where to start, use for instance the course page linked to in this chapter and try the concepts described (like port forwarding, dhcp and file servers). I personally find network monitoring to be a particularly useful topic for testers.

Conclusion

The two most important messages I want you to remember:
  1. Do practice, it's important
  2. ... and not that hard
Good luck and if you have additional suggestions, just share them in the comment section below!

07 August 2015

CAST 2015 - A quick summary

Every conference creates some kind of special memory for me; Let's Test 2013 was meeting Helena Jeret-Mäe for the first time (the most important event so far for me as a tester) but also Richard Robinson and his Miagi Do challenge. CAST 2013 was my first talk which was special but also Dawn Haynes' magical keynote. Let's Test 2014 was barefoot introduction and NTD 2015 was the Pekka Marjamäki show. Also, as an important bonus both Let's Test 2014 and NTD this year, I had Helena; meeting her in person is always very special for me.

So what about CAST 2015? Well there were three people that stood out to me (in no particular order):

1) Ioana Serban caught my attention at Let's Test 2014 and at CAST she spoke for the first time... and she nailed it! The talk had high value content, the most awesome slide deck I've ever seen and she packaged all this as an entertaining and compelling story! I feel fortunate to be one of the people in the room that got to experience it live! On top of that she’s a smart, wonderful person I just enjoy being around!

2) Diana Wendruff has this lovely, sparkling personality that makes me happy just by being around. Her humble curiosity, charming humor and clever insights on top of a very empathic core is nothing but awesome. I so look forward to meeting her again! Oh, and she has the coolest business cards, ask for one when you meet her!

3) David Leach (referred to as Kiwi-David in my tweets) was one of those who just made the whole conference better for everyone. He was a first timer but gave a great lightning talk (the guy can present!) and even more importantly: He's incredibly skilled at asking good questions during open season, that created massive amounts of extra value for both speakers and attendees (probably the most active participant during open season throughout the whole conference). On top of that he's smart and curious. Thank you Dee Ann for help bringing him there and thank you David for making a great conference even greater!

Oh, one more... I want to highlight the Speak Easy initiative. I happened to go to three of the Speak Easy presenters and I sincerely think that was the three best talks I attended, which is absolutely crazy considering the little experience these speakers have. I've already talked about Ioana, the other two were Kate Falanga (talking about understanding the brand you create for yourself) and Jessica Ingrassellino (taking about the art of asking questions). I also heard great reviews about Carol Brands’ talk (which I missed). I was amazed!

I could keep name dropping forever (Perze, Taylor, Pete, Liz, Mark, Jessica, Roxanne, Dawn of course...) but instead I'll stop and just say: THANK YOU everyone who made this conference amazing! And an extra thank you to the people who not only attended my talk, but made it better by adding to it during open season and after. Oh, and to all the organizers (including facilitators and the staff in the reception), I’m so impressed by the effort you put in, thank you!

To finish off with something more useful; here are my top three takeaways from CAST 2015:

1) You can turn a "boring" (but important/valuable) topic into an entertaining story! Probably my number one takeaway and something I'll definitely use, thank you Ioana!

2) Nicholas Bolton (please correct my spelling Niclas, Nicolas...) shared this wonderful analogy with me: When trying to decide what solution to go for you sometimes have to look at it as being in a maze; if you run around like a headless chicken you'll (likely) not find your way out in time and die. On the other hand; if you stand still and only debate where to go, you’ll starve to death having accomplished nothing. At some point you have to stop arguing about which solution to go with and actually try one.

3) Helena introduced me to an interesting problem prior to CAST: She, and I, are both getting to a level where we can sort of look down at everything in an organization and actually have the authority to deal with problems we see at various levels. However, we can easily identify problems that would occupy 5000% of our time for the rest of our lives as well as impact people in extremely complex ways. So how do we choose where to put our effort?
...
Roxanne (congratulations to becoming a board member!) commented that maybe that problem partly comes from the fact that we're new to this position/perspective; we probably felt the same way once upon a time, with the "lower level stuff" (but experience have thought us how to navigate that). My take on her comment is; maybe we should worry less about "figuring out what is right" cause we don't have the necessary experience and understanding yet, instead we should head out and explore with learning being the main objective. Aiming to solve "the right thing" currently just makes us stall and feel inadequate (ties back to takeaway two) which isn't helpful.

So, once again, THANK YOU! I hope to see all of you soon again! CAST 2015 was awesome!