With the increasing use of agile methodology, shrinking budgets and ever-changing requirements, I personally reckon ET (exploratory testing) is now required more often than before.
We all do ET. Sometimes the deadlines are so tight that we go to the extent of doing all the testing but have no documentation available to prove what, or how much, was tested. SBTM helps to fix that problem.
In my earlier post I mentioned that we were trying to integrate SBTM (Session Based Test Management) with our existing infrastructure.
Well, finally we’ve done it, and we also managed to get sign-off from our PM (project manager) and the other team leads on fully implementing it on a high-profile 9 month project.
To give an idea here is how we have done it:
- The tester creates his/her session reports on the enterprise wiki, so that they are viewable by anyone and everyone.
- We have a Linux web server onto which we ported all the SBTM scripts provided by James Bach, with some modifications so that they read the wiki pages.
- Call the main script, which creates all the reports, and voilà, they’re ready to view and analyse further.
Screenshots for the above are also viewable here.
Thanks to James Bach for SBTM scripts and Brian Osman for further instigating the thought of implementing ET and SBTM.
Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. (Source: http://en.wikipedia.org/wiki/Clickjacking)
Here is a simple example where clicking anywhere on the screen (except the header and footer) takes the user to another website: http://www.collegehumor.com/video:1928558
Prevention
Currently it seems there is only one way of protecting against such attacks, and that is by using the ‘NoScript’ add-on for Firefox.
Just a couple of quick notes:
- We are looking at integrating the SBTM (Session Based Test Management) set of scripts with the Confluence wiki. One of our experts in the Enterprise Architecture team has already had some wins with it. If you have done some work around it, it would be good to hear from you.
- ANZTB Test Conference 2010 is just six weeks away and registrations have started. Click here to register. Hope to see you there.
I’ve been reading The 360-degree Leader by John Maxwell.
The book is about “Developing Your Influence from Anywhere in the Organization”.
In the first section the author presents 7 myths that every leader in the middle faces:
- The Position Myth: “I can’t lead if I am not at the top.”
- The Destination Myth: “When I get to the top, then I’ll learn to lead.”
- The Influence Myth: “If I were on top, then people would follow me.”
- The Inexperience Myth: “When I get to the top, I’ll be in control.”
- The Freedom Myth: “When I get to the top, I’ll no longer be limited.”
- The Potential Myth: “I can’t reach my potential if I’m not the top leader.”
- The All-or-Nothing Myth: “If I can’t get to the top, then I won’t try to lead.”
One more quick example of a phishing email.
As per the tip in my previous post, check the domain name.
Here the domain name is actually replaced by an IP address.

OWASP (Open Web Application Security Project) recently released OWASP Top 10 – 2010 rc1, their new Top Ten list of website vulnerabilities.
At number eight (8) there is a new entry: A8 – Unvalidated Redirects and Forwards (NEW). I thought I’d briefly talk about it, as it recently happened to me.
I received the following email from a friend on Facebook (FB). When a user on FB sends an email with a link, FB prefixes the link with its own URL: http://www.facebook.com/<sometext>/<original link>
Like any normal user, I clicked on the link wondering what it might be.
The link redirected me to the following page:
What this page was trying to do: it displayed the message “Content requires Adobe Flash Player 10.37…”.
If the user clicked on ‘Install’ it downloaded a “setup.exe” file.
Double-clicking it would have tried to infect your PC.
If you look at the page closely there are a number of issues that help the user identify it as a phishing page:
- The title of the page (on the top left) is spelt wrongly – YuoTube
- The hacker has used Facebook’s icon as the website icon
- The link/URL is neither facebook.com nor youtube.com; in fact it is just an IP address
- The message “…Content requires Flash Player…” is itself embedded inside a Flash video, i.e. Flash is already installed and running on the page.
The hacker has tried to make the page look as similar as possible to YouTube, but it fails big time. Above are some of the quickly noticeable items, but this page is actually nowhere close to a real YouTube page.
TIP: The best way to tell whether a site is a phishing site is to note the domain name of the website. If the domain name does not look like the site you were supposed to be at, then something is wrong.