« November 2006 | Main | February 2007 »

January 26, 2007

Software testing Part 2

Classic Testing Misconceptions and Mistakes:

  1. Assumption that all defects in the software product have been detected
  2. The assumption that he or she is  capable of testing the program completely
  3. The opinion that testing team is responsible for assuring quality
  4. The opinion that the goal of testing is to find bugs only
  5. Careless approach to the detection of major bugs
  6. Negligence in reporting usability problems
  7. Starting the testing phase too late (bugs detection, not bugs reduction)
  8. Putting stress and load testing off to the last minute
  9. Incomplete evaluation of the related project’s documentation
  10. Ignore testing of installation procedures
  11. Failure in correctly identifying risk areas
  12. Paying more attention to running tests than to designing them.
  13. Not reviewing test designs.
  14. Checking that the product does what it’s supposed to do, but not that it doesn’t do what it isn’t supposed to do
  15. Poor bug reporting
  16. Attempting to automate all tests
  17. Expecting to re-run all manual tests

Typical Tester’s Mistakes:

  1. Assuming that the program works correctly.
  2. Unwillingness to document each and every error.
  3. Ignoring or even hiding the problem.
  4. Falling under influence of developers which pressurize the tester not to submit detected defects or to ignore existing intelligence about defects without adequate reasons.
  5. Attempting to have a “not escalate” attitude towards the developer.
  6. Insufficient attention to test planning.
  7. Writing defect reports about non existing problems.

An ideal tester should:

  1. Possess software engineering skills (understanding the rules of software engineering, knowing computer programming and having operating system level knowledge). Often a tester needs to be an expert in a number of areas.
  2. Possess a good knowledge of the application being tested.
  3. Possess a considerable intelligence.
  4. Possess a hyper-sensitivity to little things.
  5. Be steady to chaos and pressure of development, management, as well as pressure of different circumstances.
  6. Possess organizational skills.
  7. Be skeptical, but not take hostile attitude.
  8. Be capable of breaking the software without feeling any remorse.
  9. Be self-sufficient and tough.      
  10. Be a technology hungry.
  11. Be honest.
  12. Be capable to bring the bad news to developers and management.
  13. Be patient – be ready to perform monotonous work during a long time.
  14. Possess a flexible thinking.
  15. Be capable of viewing the project from a global point of view.
  16. Possess detective skills.
  17. Possess strong communication skills which include.
    • People skills
    • Tenacity
    • Capability to criticize and interpret the criticism correctly
     
    The Author Abdul Quddus is a Test Engineer at Binary Spectrum

Posted by Prakash at 10:59 AM | | Comments (2) | TrackBacks (0)

Software Testing Part 1

Software testing

The other day a friend asked me what a tester does. In other words what is software testing? What’s a bug? What are the key terms associated with testing? This is a humble attempt to address these questions and initiate the uninitiated to the world of testing.

Software Testing is a process of software analysis and defect detecting. It’s the art (pun intended) of identifying as many defects as possible in order that they can be fixed. A Defect (bug) is the nonconformance to requirements or functional specification. It is something that does not correspond to valid Customer’s expectations that are assumed but may be not described in product requirements.

The Test Manager in conjunction with the Project Manager develops a Test Plan which describes what, when, how and who will be involved in the testing process. This basic document also describes a list of tested components, quality criteria and risks of testing, resources and graphs of testing, testing strategy and testing types test budget etc.

The test lead/ senior test Engineer develops Test cases which is basically a set of test inputs, execution conditions, and expected results developed for a particular objective, such as to exercise a particular program path or to verify compliance with a specific requirement.

Classification of Testing Types:

Static Testing is a process, which is used for verifying any work product in terms of code, requirements, functional specification, architecture and design documents, etc. Static testing is one of the most effective ways of defects detecting in the early stages of a product process.

Dynamic Testing Dynamic testing consists of launching the program, running all functional modules and comparing the product’s behavior with expected one using user interface.

Black box testing. Testing software based on functional and business requirements at launching and operating it without knowledge of the internal structure or program source code. A tester tests a product so as an end-user would work with it at the time of its launch and operation. This method checks the proper working of all functions and whether they conform to functional requirements.

White box testing (glass box testing). The Tester uses his or her understanding of source code and accesses the code to develop and execute test cases. This method tests the architecture of the system. It tests the design and programming that goes into building system. White box testing is usually applied when application is not entirely assembled, but it’s necessary to check each of the components, modules, procedures and sub-functions.

Unit Testing. This level of testing is usually carried out by the software developer to perform the testing of a separate module of the system. It may be a testing even of any particular part of the code (class).

Integration Testing. Is the testing of various components of an application (in their integrated form) to determine if they function well together. Also, interactions between applications of big system can be checked with this type of testing. In this case this testing is known as Cross-product testing. Usually it is performed after unit and functional testing has been carried out.

System Testing refers to that type of testing which checks the operation of the system as a whole. It is usually associated with the testing of the functional as well as non-functional requirements of the system. 

Functional testing is the process of attempting to find discrepancies between the program and its functional requirements or specifications. Its goals are

  1. Defining defects in software product and its documenting
  2. Determine if software meets its requirements as defined in the Software requirements Specification (SRS) and other relevant documents.
  3. Take an objective decision about possibility of software product delivery to customer; the decision should be documented in test result report.
Smoke Test It is the first and the shortest test, which checks the basic functionality of software product. This test takes approximately 1-4 hours depending on program complexity, A smoke test helps the Test lead to take a decision as to whether to continue further testing or not.
 

The Author Abdul Quddus is a Test Engineer at Binary Spectrum

 

Posted by Prakash at 10:16 AM | | Comments (0) | TrackBacks (0)

January 25, 2007

Bluesnarfing

Introduction

Bluetooth a short range wireless communication technology developed for use at home, office and Personal Area Networks. Over the years Bluetooth integration has been achieved in mobile phones, Personal Digital Assistants (PDAs) and other consumer devices. When blue tooth was conceived, an essential element of the technology was its requirement for a low expectation of end user technical ability and minimum levels of user setup and configuration for ease of use. This was adopted to ensure that widespread adoption and utilization of Bluetooth technology by the general public could be achieved

A direct consequence of this requirement some users are not aware of the functionality Bluetooth offers and its potential for exploitation and in many cases leave the default settings on their devices unchanged. Bluetooth enabled devices are vulnerable to exploitation using a range of methods including Bluesnarf, Backdoor and Bluebug.

Bluetooth vulnerabilities

The use of Bluetooth technology to access restricted areas of a users’ device without their knowledge or approval for the purpose of capturing data e.g. contacts, images, lists of called missed, received or dialed, calendars, business cards and the device’s International Mobile Equipment Identity (IMEI) is known as Bluesnarf. Bluesnarfing works by using the push profile of the Object Exchange protocol (OBEX) which is a built-in Bluetooth functionality for exchanging electronic business cards.

Instead of pushing a business card the Bluesnarf attack pulls using a “get” request looking for files with known names e.g. phonebook file (telecom/pb.vcf) or calendar file (telecom/cal.vcs). This vulnerability exists due to the manner in which the OBEX push profile was implemented in some of the early Bluetooth enabled phones, which did not require authentication from other Bluetooth devices attempting to communicate with it. Accessing information by Bluesnarfing was thought to only be possible if the users device is in "discoverable" or "visible" mode, but Bluesnarf attacks have being carried out on devices set to “non-discoverable” mode.

To achieve this the Bluesnarfing software needs to address the device by its unique 48-bit Bluetooth device name. For example, uncovering the device name is possible using software applications such as RedFang. This application uses a brute-force approach to discover device addresses by systematically generating every possible combination of characters and recording those combinations which get a response. Fortunately this approach is time consuming, potentially taking hours of computation.

Current scenario

The subsequent release of the Bluetooth specification 1.2 has addressed this problem by adding an anonymity mode that masks a device’s Bluetooth physical address. In addition a major privacy concern related to this type of attack is the possibility of obtaining the IMEI of a device which can then be utilized to uniquely identify a phone on a mobile network and could also be used in illegal phone cloning. This could give someone the ability to use a cloned subscriber identity module (SIM) card to track a mobile device and by inference the user carrier without their knowledge. Recent firmware upgrades have corrected this problem but many phone owners have not installed them

Nokia the World leading Mobile phone manufacturer recently made this announcement “Nokia is aware of claims that there are security issues relating to malicious attempts by hackers to access another user’s mobile device featuring Bluetooth technology, an act currently referred to as “Bluesnarfing”. Affected models include the Nokia 6310, 6310i, 8910, 8910i mobile phones. “

Nokia recommends the following in order to prevent “Bluesnarfing”. In public places, where phones with Bluetooth technology might theoretically be targets of malicious attacks, reliable ways to foil potential hackers are:

 

  • To set the device to "hidden" mode using the Bluetooth menu. Personal devices like headsets can still connect to the phone, but intrusion is much more difficult since the hacker will have to know or guess the Bluetooth address before establishing a connection.

 

  • If a user wants absolute security, they can simply “switch off” the Bluetooth functionality of their mobile phone. This will not affect other functionalities of the phone.

 

Vivek GD is Software developer with the Bluetooth software development team at Binary spectrum.

 

 

 

 

 

Posted by Prakash at 07:39 AM | | Comments (2) | TrackBacks (0)