Monday, April 18, 2011

I overcame my fears of Security Testing

Today I am very happy. What is so special about today?
I came 4th in the recently concluded security testing competition held at 99tests.

So, what? How does this make it special? You are not even in the top 3!
This competition is special for many reasons.

First Time - Security Testing
I have been testing software professionally for close to five years now. I have found a few bugs in every application based on different quality criteria - Functionality, Usability, Performance, Testability, Installability - but never based on SECURITY.
There were many excuses for that:
  • I don't know Security Testing.
  • I am not skilled in Security Testing and I will never be skilled at Security Testing.
  • I need to have strong programming skills. So, no security testing for me.
  • No one asks me to perform Security Testing on this application. Why should I test for this criterion if the customer has not asked for it?
  • The programmers will not fix the security bugs.
  • The books & resources on Security Testing are many & very costly.
Looking back, I feel I wasted a lot of time! 
As I believe in not taking guilt trips but learning from mistakes and moving forward, let us move on.

Date: 13th April 2011 Time: 05:44 AM IST
There was a security competition on 99tests website. 
Krishnaveni and I registered for the security competition.

Competition ends on 16th April - 3 days and 6hrs left

I registered to this competition as I wanted to learn about Security Testing.
How could I miss this wonderful opportunity where testers compete and log some cool bugs? Then a thought struck me: What is the fun in watching others log bugs? Why be a silent spectator?
I am aware that I can't run as fast as the security experts but I can crawl if not walk!
So, I decided that I will compete as an active competitor instead of being a silent spectator!
A plan was drafted right there!

  • Convert the .chm to pdf [Converted on April 13th - 07:00 AM IST]
  • Print the book [Printed on April 13th - 01:00 PM IST]
  • Read the book [April 13th - 11:00 PM IST for half an hour]
  • Apply leave for Friday [April 14th 05:30 PM IST]
  • Sleep well [ 4 hours]
  • Read the book [April 15th 11AM IST onwards]
  • Update the computer software [April 15th 03:15 PM IST]
  • Test & log bugs [April 16th 01:30 AM IST - 08:00 AM IST]
With the goal in sight, passion inside, silence outside, I started security testing.

The BIG day - Friday April 15th!
I had not slept on the night of the 14th, as the build was released to us and I was on leave the next day. When I woke up at 11 AM IST, my body was happy after a well-deserved rest of 4 continuous hours.
The book Web Security Testing Cookbook was easy to understand, to the point and very informative.

There were so many topics, each one teaching me something very interesting. As I had applied for leave from the office, I had the time and the resources. No disturbances. It was easy to make my family understand about the leave [they are used to my strange ways of working by now].

Lunch Time: 12:20 PM IST
After many days, I had the chance to feast on home food. I love my mother's cooking and it had its own sweet effect. I was feeling sleepy and I had two choices:
                     Sleep now when there is no disturbance, or sleep later when there is noise or a power cut
I did not want to waste time, so I motivated myself to concentrate and focused my energy on the goal!

I did not sleep. Slowly but steadily, I was getting confident about my chances in this competition. Time was ticking by, and I finished a major part of the book.

Break time: 06:00 PM IST
I took a break. I went for a bath and imagined finding bugs in the application and winning the competition.
Mind was fresh after the bath. I continued reading the book along with comparing notes from OWASP guide.
This continued till 11:00 PM IST. The only breaks were for lunch, drinking water or the toilet.

Trust in Alarm: 11:00 PM IST
I was tired. I wanted to sleep, but again the 'What if' question came to my mind. What if I overslept and, by the time I woke up, the competition had ended? As I had not logged even a single bug by now, I was nervous about sleeping. Should I stay awake or sleep for two hours?
I trusted the alarm, and the alarm info popped up: 2 hrs 20 mins remaining.
Alarm was set to 01:30 AM IST

Final Push! 01:30 AM IST to 08:00 AM IST
I logged seven bugs - read about a topic, tested, investigated, read, logged.
I was not sure if I had done enough. Should I log three more? Should I log 30 more? No answer, as my body was searching for the nearest bed!

To be frank, I was very tired and could not concentrate. I had to sleep. The battery charged for 2.5 hrs could last only 6.5 hrs. Though I would have loved to log more bugs, I was happy that I gave my best!

Results
I woke up at 12:30 PM IST and the first thing I did was browse to the competition page to check the results. This was the screen displayed:

I was so happy. I am still happy. This competition and the entire 4 days effort would motivate me to achieve my goals. And I want to dedicate this victory to one person who kept on encouraging me right from the moment I registered for this competition. Thanks Krishnaveni.

I have taken the first step - I have conquered my fears of Security Testing. What about you?


Wednesday, April 6, 2011

End of Q1 - Progress Report

I am Back!
Wish I could say that but I know that I am not at my best yet. My best is yet to come. 
Looking back at the three months in 2011, I am happy and disappointed with my progress so far.

First the 'not so good' news: 
  • I had a few books on my list to complete by March. I started reading all three books. There is quite a lot to read and learn from each of them, though.
  • I wanted to work on my programming skills but that is still a dream.
  • I could not fulfill a dream. I realized that I was not yet prepared for it.
  • Though I promised many people about many things, that remained as a promise. I did not keep the promise.
  • I started getting up late again. I missed the cab a few times. I did not practice writing enough.
So, what is the 'good news' after so much 'not so good news'?

The good news is that I have realized my mistakes early enough (hope so) and I have started working hard to get back on the right track.

Thanks to all my friends and well wishers - I am working hard towards my goals.

I will bounce back. As they say -
“It's not how many times you fall that matters, it's how many times you get back up.”

I will give 100% in the next nine months. The next progress report is due on July 1st, 2011.


Saturday, April 2, 2011

Thanks Arul...

Unedited Skype chat transcript of a conversation between two testers.
******************************************************************************

[11:41:54 AM] arulprasath: k
[11:42:21 AM] arulprasath: and then tell me or send me any article which explains
[11:42:30 AM] arulprasath: clearly abot
[11:42:39 AM] arulprasath: web application testing
[11:42:42 AM] arulprasath: for fresher
[11:42:47 AM] arulprasath: in software testing
[11:43:33 AM] Ajay Balamurugadas: Have you googled?
[11:43:37 AM] arulprasath: yes
[11:43:43 AM] Ajay Balamurugadas: and then?
[11:43:56 AM] arulprasath: but they  are not up to standards
[11:44:00 AM] arulprasath: ?
[11:44:17 AM] Ajay Balamurugadas: what do you mean by 'they are not up to standards'
[11:44:37 AM] arulprasath: since you are have exp any article which helps freshers
[11:44:43 AM] Ajay Balamurugadas: hmmm
[11:44:46 AM] arulprasath: thats why
[11:45:09 AM] arulprasath: i am asking
[11:45:26 AM] Ajay Balamurugadas: Agreed. Give me few mins plz
[11:45:39 AM] arulprasath: k
[11:46:51 AM] Ajay Balamurugadas: Arul, let me be frank with you
[11:46:59 AM] Ajay Balamurugadas: To help you, you must help me
[11:47:04 AM] arulprasath: k
[11:47:19 AM] Ajay Balamurugadas: 1. Please understand that what you are asking is a very vast subject
[11:47:55 AM] Ajay Balamurugadas: 2. People will respect you more and you will gain more credibility when you show them what efforts you have put
[11:48:07 AM] Ajay Balamurugadas: If you don't understand anything, Ask that.
[11:48:11 AM] Ajay Balamurugadas: Google that
[11:48:16 AM] Ajay Balamurugadas: Read books
[11:48:20 AM] Ajay Balamurugadas: Read articles
[11:48:23 AM] Ajay Balamurugadas: Blog about it
[11:48:32 AM] Ajay Balamurugadas: meet people who know or talk about it
[11:48:49 AM] Ajay Balamurugadas: and ask if your assumptions or understanding is right or wrong
[11:48:57 AM] Ajay Balamurugadas: Now tell me what should I do?
[11:49:21 AM] arulprasath: k i will do  that
[11:49:25 AM] Ajay Balamurugadas: Good!
[11:49:27 AM] arulprasath: :)
[11:49:37 AM | Edited 11:49:42 AM] Ajay Balamurugadas: I will wait for your results of your efforts
[11:50:04 AM] arulprasath: yes surely
[11:50:22 AM] arulprasath: monday i will send article regarding this
[11:50:29 AM] Ajay Balamurugadas: Very good!
[11:50:30 AM] arulprasath: thanks
[11:50:36 AM] arulprasath: :)
[11:50:36 AM] Ajay Balamurugadas: Can I publish this on my blog?
[11:50:56 AM] arulprasath: yes
[11:50:59 AM] Ajay Balamurugadas: :)
[11:51:03 AM] arulprasath: it your decision
[11:51:14 AM] Ajay Balamurugadas: its involving you
[11:51:15 AM] arulprasath: if you feel it is good u can do
[11:51:21 AM] Ajay Balamurugadas: so, I am asking you
[11:51:31 AM] arulprasath: :)
[11:51:45 AM] Ajay Balamurugadas: I will just copy paste the above conversation into a blog post
[11:52:07 AM] arulprasath: k np

******************************************************************************
I am confident that Arul will keep his promise...
