Posts Tagged ‘security’

Testing real users and groups

Friday, February 15th, 2013

We all know security is important, so it’s no surprise many middleware products have some sort of hook into a user repository – e.g., LDAP – for user-based authentication and authorisation. I’m currently at the critical point for testing this in a new product: that is, moving from function-level testing in an isolated repository (thrown together with maybe 100 fake users) to IBM’s live internal LDAP-based repository “Bluepages”. The advantage of the latter is that it comes prepopulated with hundreds of thousands of users and is excellent proof that our products integrate well with existing infrastructures: ideal for customer demos. I just need to tread carefully, as these are real systems I’m working with… so I will be paying very close attention to the behaviour of my product.


Persistent Postcode

Tuesday, April 27th, 2010

How does a website hosting a search for used cars already know my postcode?

I was a little confused about this, but the answer is obvious – yes, I had used this search service before. In fact the basic search criteria could be easily pre-populated from data already persisted to my machine. The website in question utilizes Adobe Flash Player technology, and a quick trip to their Settings Manager helped me understand what was going on. In my case the feature was quite convenient, but certainly behaviour to be aware of if you are using a shared machine.


My new best friend: netstat -b

Thursday, April 15th, 2010

A few days ago, the network interface on my system ground to a halt. The arp and netstat commands suggested something strange might be going on, but I really needed to correlate the network connections with the system processes. I then discovered the -b flag for netstat (on Windows XP) which does exactly this, and helped me to isolate the problem.

More information on netstat and the -b flag is available here: http://commandwindows.com/netstat.htm
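As an added example (not code from the original post), the script below does offline the correlation the post describes: it parses the text that `netstat -b -o` prints on Windows, groups each connection under the executable shown in square brackets beneath it, and flags executables that hold many half-open (SYN_SENT) connections or talk to many distinct remote hosts, the pattern that typically saturates an interface. The embedded sample output, the process names in it (`updsvc.exe` and friends) and the thresholds are constructed assumptions; on a real machine you would pipe `netstat -b -o` output into `parse_netstat` instead.

```python
"""Correlate `netstat -b -o` connections with their owning executable.

Added example, not the original post's code. SAMPLE is a constructed
imitation of Windows netstat output so the script runs offline.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: each connection line is followed by the owning
# executable in square brackets; netstat -b may print DLL names first.
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  [System]
  TCP    192.168.1.20:1059      192.168.1.1:445        ESTABLISHED     4
  [System]
  TCP    192.168.1.20:1062      10.0.0.5:80            ESTABLISHED     1880
  [firefox.exe]
  TCP    192.168.1.20:1063      10.0.0.5:80            ESTABLISHED     1880
  [firefox.exe]
  TCP    192.168.1.20:1064      10.0.0.6:443           ESTABLISHED     1880
  [firefox.exe]
  TCP    192.168.1.20:1101      203.0.113.7:445        SYN_SENT        2412
  [updsvc.exe]
  TCP    192.168.1.20:1102      203.0.113.8:445        SYN_SENT        2412
  [updsvc.exe]
  TCP    192.168.1.20:1103      203.0.113.9:445        SYN_SENT        2412
  [updsvc.exe]
  TCP    192.168.1.20:1104      203.0.113.10:445       SYN_SENT        2412
  [updsvc.exe]
  TCP    192.168.1.20:1105      203.0.113.11:445       SYN_SENT        2412
  [updsvc.exe]
  UDP    0.0.0.0:500            *:*                                    912
  c:\windows\system32\WS2_32.dll
  [lsass.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(.*)$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return a list of connection dicts; 'exe' is filled in from the
    bracketed line that follows each connection (None if netstat could
    not obtain ownership information)."""
    conns, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, rest = m.groups()
            tail = rest.split()
            # UDP lines have no State column, so the PID may be the only token
            pid = int(tail.pop()) if tail and tail[-1].isdigit() else None
            state = tail[0] if tail else ""
            pending = {"proto": proto, "local": local, "remote": remote,
                       "state": state, "pid": pid, "exe": None}
            conns.append(pending)
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:
            pending["exe"] = m.group(1)
            pending = None
    return conns


def remote_host(addr):
    """Strip the port from 'host:port' (works for bracketed IPv6 too)."""
    return addr.rsplit(":", 1)[0]


def owner(conn):
    return conn["exe"] or f"pid {conn['pid']}"


def remote_hosts_by_exe(conns):
    """Map executable -> set of distinct remote hosts, skipping listeners
    and unbound UDP endpoints, which have no real peer."""
    hosts = defaultdict(set)
    for c in conns:
        if c["state"] == "LISTENING" or c["remote"] in ("0.0.0.0:0", "*:*"):
            continue
        hosts[owner(c)].add(remote_host(c["remote"]))
    return hosts


def half_open_by_exe(conns):
    """Count SYN_SENT connections per executable (scan / worm signature)."""
    return Counter(owner(c) for c in conns if c["state"] == "SYN_SENT")


def flag_busy_processes(conns, max_hosts=3):
    """(exe, distinct host count) for executables above the threshold."""
    busy = [(exe, len(h)) for exe, h in remote_hosts_by_exe(conns).items()
            if len(h) > max_hosts]
    return sorted(busy, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for exe, n in flag_busy_processes(parsed):
        print(f"{exe}: {n} distinct remote hosts")
    for exe, n in half_open_by_exe(parsed).most_common():
        print(f"{exe}: {n} half-open connections")
```

The two signals are deliberately separate: a browser will legitimately reach many hosts but almost never accumulates SYN_SENT entries, whereas a process sweeping port 445 across a subnet shows both, and the bracketed executable name is what lets you go straight from the symptom to the process to kill.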


Identity theft in web applications

Tuesday, January 19th, 2010

I found this article in a BCS security newsletter that I received in my inbox this morning.

It provides an interesting angle on the testing (checking) of web applications, as even a seemingly trivial deployment may be exploited as part of a system attack.



Dangerous coding errors revealed

Friday, January 23rd, 2009

I was sent this link this week by fellow Test Architect, Alasdair Paton.

Dangerous coding errors revealed

25 of the most dangerous bugs in software as defined by the US National Security Agency (NSA). The question Alasdair posed was how many of these had I found? I also wondered how many we actually go looking for?
I could see about 6 or 7 that we see regularly and actively look for.

Thoughts?
