Tips

Tips

• Defining good performance requirements a joint effort

  When dealing with performance requirements you need to look at a bigger picture -- one that includes business, operations and development organizations -- as well as consider changes to the system over time. Doing so helps you produce systems that ...  Continue Reading

• The essentials of Web application threat modeling

  A critical part of Web application security is mapping out what's at risk -- or threat modeling. Kevin Beaver outlines the essential steps to get you started and help you identify where your application vulnerabilities may be.  Continue Reading

• The effectiveness of code coverage tools in software testing

  Coverage tools when run with the application under test will tell you how much code is covered by the executed test cases.  Continue Reading

• The six hats of project management

  Software project managers face many different kinds of challenges and should have different perspectives for handling them. PM expert Bas de Baar explains how to switch mindsets to tackle a problem.  Continue Reading

• Testing for performance, part 2: Build out the test assets

  In this second article of our three-part series on testing for performance Michael Kelly looks at how to build test assets and the work required to support that effort.  Continue Reading

• How to prevent XPath injection

  Parameterization and input validation are invaluable to application security. Which method is best for preventing XPath injection attacks? Chris Eng explains.  Continue Reading

• Test software with a user perspective

  When testing software you need to think beyond how users are intended to use software. Think also about how they could misuse it.  Continue Reading

• How to estimate for testing on a new software project

  What do you do if you have a new project and no historical data for reference, and you need to estimate for software testing? Test experts Karen N. Johnson and Mike Kelly explain.  Continue Reading

• Testers' involvement in requirements gathering important

  In this increasingly complex software development era, it is important to include testing as early in the project as possible. And that means starting with requirements gathering.  Continue Reading

• Web application hacking: Inside the mind of an attacker

  Want to prevent your Web application from being hacked? Then you need to think like an attacker. Kevin Beaver helps you change your mindset so you start to think about how people can misuse your application.  Continue Reading

• Software testers need to understand architecture, business domain

  If a software tester is to be successful, he must have expertise in the business domain and in the architecture on which the software is built.  Continue Reading

• How to define the scope of functional security testing

  With a many internal threats originating from applications, functional security testing is one of the most reliable ways to identify internal security vulnerabilities.  Continue Reading

• Cracking passwords the Web application way

  Don't make the mistake of thinking your Web site is secure just because it uses SSL. If you don't have proper login controls in place, attackers can crack passwords and get into the application.  Continue Reading

• Project management calls on a new set of skills

  Project management, Bas de Baar claims, is changing, and PMs will need a new set of skills. This new environment, he says, demands abilities traditionally associated with women.  Continue Reading

• Documenting your software test project

  Test documents are a good way to manage the details of a software test project and keep stakeholders informed of the project's progress. Learn what to include in test artifacts such as test strategy documents, test plan documents and test estimate ...  Continue Reading

• The A-B-C's of software testing models

  Testers can use various models when testing software, such as waterfall, iterative and agile styles. Scott Barber explains their differences to help you decide which is best for your software testing team.  Continue Reading

• Five steps for performing an effective software product review

  Review or inspection is an important activity in any project implementation. Performing a good review of the developed product, along with capturing metrics, helps in building a quality product. In this member-submitted article, Murugan Srinivasa ...  Continue Reading

• How to write an effective test report

  This member-submitted tip provides a guideline for essential information that should be included in a test report.  Continue Reading

• Don't mistake user acceptance testing for acceptance testing

  Despite the many references that concur on the definition of acceptance testing, people still get confused. Scott Barber clarifies things in this month's Peak Performance column.  Continue Reading

• How to get developers to buy into software security

  Getting developers' buy-in on security and secure coding practices can be like pulling teeth. But Kevin Beaver has some ideas to get developers thinking about software security and following security practices.  Continue Reading

• Automated software testing: The role of a test engineer

  A core role within the Testing Center of Excellence, the test automation engineer is responsible for automating as much of the testing effort as possible. The challenge is, however, determining what should be automated and in what sequence in order ...  Continue Reading

• Who does what in a Testing Center of Excellence?

  With a Testing Center of Excellence (TCE) an organization can improve its software testing. Learn how and what each TCE participant does in this article from David W. Johnson  Continue Reading

• Why Programs Fail: A Guide to Systematic Debugging -- Chapter 3, Making Programs Fail

  Debugging software is a crucial and complex process. This free chapter explains how to use testing, such as functional and unit testing, in your debugging program.  Continue Reading

• The benefits of testing software by project phase

  There's something to be said for including software testing in all phases of the SDLC. Here's a look at the advantages and how this approach could improve your software development.  Continue Reading

• Improved software testing via a Testing Center of Excellence

  With a Testing Center of Excellence (TCE) companies bring together testing specialists and components to ensure proper testing techniques are applied. Ultimately, the TCE enables testers to improve their software testing, as well as helps them to ...  Continue Reading

• Using workshops to define project scope

  Workshops can be an effective way to bring stakeholders to a consensus on the scope of a software project.  Continue Reading

• Performance and load/stress tests: Two types of capacity tests

  Both performance and load/stress tests help determine the capacity of a system. But for the tests to be successful, certain guidelines should be followed. David W. Johnson reviews those guidelines and offers advice for planning tests.  Continue Reading

• Don't overlook nonfunctional software requirements

  Nonfunctional software requirements describe how well the software does what it does. By exploring quality attributes during requirements elicitation, you can influence the function, design and architecture of the product and help give customers ...  Continue Reading

• How to test Web site login security

  Input validation is critical for the security of Web sites. Here's a techniques you can use to make sure your site isn't vulnerable to SQL injection.  Continue Reading

• Jumpstart CMM/CMMI Software Process Improvements: Using IEEE Software Engineering Standards -- Chapt

  Software project managers who are curious about CMM, CMMI and IEEE software engineering standards will find answers and explanations in this free chapter.  Continue Reading

• Essentials of Lean Six Sigma -- Chapters 1 and 4, Introduction and Improvement

  Software development projects may benefit from he introduction of lean Six Sigma management principles. To learn more about how lean Six Sigma might benefit you, read these two free chapters.  Continue Reading

• Ways to integrate security into the SDLC

  To successfully integrate security into the software development life cycle (SDLC) you need to make sure you factor time for security into the project plan.  Continue Reading

• Developing an approach to performance testing

  While there's no universal approach to testing application performance, there are some activities that are part of nearly every performance testing effort. Scott Barber reviews what those activities are in this month's Peak Performance column.  Continue Reading

• Software testing deliverables: From test plans to status reports

  Core sets of deliverable are required for any software testing phase. In many cases they include a test plan, test case, defect documentation and status report. Learn what is required for each in this tip from David W. Johnson.  Continue Reading

• Using SLOC to estimate software costs, schedules

  Poor cost and schedule estimates ruin projects more than technical, political or development team problems. But if you can determine the source lines of code (SLOC) in an application, you can better gauge the amount of time and effort needed to ...  Continue Reading

• SEI Checklist

  The SEI Checklist can help you define source lines of code (SLOC) values to enable people to carefully explain and define the SLOC measure used in a project.  Continue Reading

• How to document system, software requirements

  There are various formats you can use to document system and software requirements. However, no single one is sufficient to represent all requirements. You need to follow an integrated approach.  Continue Reading

• Software performance testing: You can't test everything

  It's nearly impossible to simulate all the ways an application will be used, so deciding which scenarios to include in a performance test plays a critical role in estimating performance in production. In this month's Peak Performance column, Scott ...  Continue Reading

• Create one text file that contains all the stored procedures and triggers in a database

  This script will send the contents of all the stored procedures, functions and triggers in a database to a text file, eliminating the need to go through every script to find what you're looking for.  Continue Reading

• How to verify the input of special characters

  Here's a quick tip to verify the input of special characters in text boxes on forms.  Continue Reading

• Web application vulnerabilities you don't want to overlook

  When testing Web applications for security flaws, chances are you will miss some weaknesses. Here's a look at 10 commonly overlooked Web application vulnerabilities you can't afford to miss.  Continue Reading

• The role of a software test manager

  Effective software test managers not only understand the discipline of testing, but they are also able to manage and implement a testing process in their organizations. That requires team leading skills, communication skills, and being able to ...  Continue Reading

• How to evaluate testing software and tools

  Selecting the right testing software that meet's the testing organization's long-term and short-term goals can be challenging. But by following a few simple guidelines and using common sense, you can successfully implement the appropriate tool and ...  Continue Reading

• Web application testing: The difference between black, gray and white box testing

  Security is critical when operating a Web application. Black, gray and white box tests are three tests you can conduct to ensure an attacker can't get to your application. Learn what the differences are in this tip from Denim Group's Dan Cornell.  Continue Reading

• Software requirements: Using models to understand users' needs

  Successful software projects involve users early and often to explore and reach closure on requirements. Using analysis models you can depict user needs with a combination of diagrams and structure text such as tables or templated text.  Continue Reading

• Using JMock in test-driven development

  In test-driven development (TDD), it's important to properly implement mock objects. Here is a detailed case study about the using mock object framework JMock in TDD. However, this case study can also be applied using other frameworks and tools.  Continue Reading

• Ambiguous software requirements lead to confusion, extra work

  Ambiguous requirements lead to confusion, wasted effort and rework. This article from software requirements expert Karl E. Wiegers, Ph.D. describes several common types of requirements ambiguity and suggests how to avoid them.  Continue Reading

• Software requirements analysis: Five use case traps to avoid

  Employing use cases during software requirements analysis helps you improve your chances of developing software that truly meets their needs. But there are traps you should avoid, says expert Karl E. Wiegers.  Continue Reading

• CSRF attack vector with Ajax serialization

  Web 2.0 applications are increasingly at risk to cross-site request forgery (CSRF) attacks. Shreeraj Shah explains what those risks are and how you can prevent such attacks.  Continue Reading

• Malicious code injection: It's not just for SQL anymore

  Injection attacks are ubiquitous, and SQL injection is only one version of the exploit. S.P.I. Dynamics' Bryan Sullivan describes these attacks and how to prevent them.  Continue Reading

• Shell script security: Protecting your code

  Shell scripts are vulnerable to bugs and exploits like any other programming language. Learn how to secure your script and protect your applications with these tips from James Turnbull.  Continue Reading

• Challenges of two-factor authentication

  Two-factor authentication offers many security benefits, but can be expensive and ineffective if not implemented carefully. In order to secure your apps, choose your authentication methods and tools wisely.  Continue Reading

• The importance of input validation

  Web applications are vulnerable if you don't practice input validation. Learn how to prevent application attacks such as buffer overflow, SQL injection and cross-site scripting.  Continue Reading

• Buffer overflow tools facilitate application testing

  Web applications are the conduit for buffer overflow attacks on the Web server. As such, it's imperative to make sure your applications cannot be exploited. These tools can help you out.  Continue Reading

• .NET Framework features security mechanism

  The .NET Framework includes a simple but very flexible identity-based security mechanism. The key to using it is a detailed understanding of the Principal and Identity objects.  Continue Reading

• Input Validation Attacks -- Chapter 6, Hacking Exposed Web Applications, Second Edition

  Input validation routines serve as a first line of defense for a Web application. Buffer overflow, directory traversal, cross-site scripting and SQL injection are just a few of the attacks that can result from improper data validation. This chapter ...  Continue Reading

• Understanding directory traversal attacks

  Directory traversal attacks are the very common, very dangerous HTTP exploits you never hear about. For the sake of your Web applications, it's time to start taking notice.  Continue Reading

• Ways to automate SQL injection testing

  Manual testing for SQL injection requires much effort with little guarantee that you'll find every vulnerability. CISSP Kevin Beaver offers a better way: automated SQL injection testing.  Continue Reading

• Threat modeling enhanced with misuse cases

  Misuse cases capture all the possible attacks on an application, as well as mitigation steps. Anurag Agarwal explains how they can help architects correct design flaws, help developers understand a hacker's approach and write more secure code, and ...  Continue Reading

• Secure SDLC: Integrating security into your software development life cycle

  Integrating security into the SDLC is essential for developing quality software. While there are no standard practices, these guidelines can help you develop a custom process for a secure software development life cycle.  Continue Reading

• Penetration testing best practices

  Penetration testing can help you find critical vulnerabilties in your Web applications. Here are some best practices for pen testing to achieve application security.  Continue Reading

• Myth-busting Web application buffer overflows

  If someone managed to exploit a buffer overflow in a Web application, it would result in a critical situation. But the chance of that happening to a custom Web application is slim. Focus instead on cross-site scripting and SQL injection ...  Continue Reading

• Defining and preventing buffer overflows

  Kurt Seifried describes buffer-over flow attacks and how you can guard against them.  Continue Reading

• SOA requires enterprise application security integration architecture

  Web application security in SOA-based systems can be very difficult to achieve. This tip explains how to use authentication and authorization methods, such as JAAS and SAML, will help secure your Web services.  Continue Reading

• How to Break Web Software: Functional and Security Testing of Web Applications and Web Services -- C

  Web application security is dependent on proper coding and session management, and Web application developers must take it upon themselves to code state information so they can enforce rules about page access and session management. This chapter ...  Continue Reading

• Penetration testing versus code review

  Penetration testing and code review both have their advantages. Which application security method is more effective at finding critical vulnerabilities?  Continue Reading

• An inside look at XML encryption

  At the core of Web services security is the ability to encrypt information sent out as XML documents, using XML encryption.  Continue Reading

• How to avoid authentication bypass attacks

  Strong authentication methods may not fully protect your applications. George Wrenn offers some tips for avoiding authentication bypass attacks.  Continue Reading