QA Design Gurus: August 2015

Aug 31, 2015

Applying Emotional Intelligence to Testing

Did you face the following situations in your career?

In the regression (last round of) testing stage, you logged a defect and the developer did not consider it for this release. The same defect was raised by the customer after the product/project was released. Higher management asks you, "Why did you not communicate with us regarding this defect before release?" How do you answer this question?

Another situation: your manager asked you to test/automate a feature. You analysed the feature and came up with a three-week schedule. Your manager accepts it, and after one day he changes the time from three weeks to one week. How do you handle this situation?

In both cases what actually upsets you? How do you actually communicate back in the right way?

You need to understand where the other person is coming from so that you communicate well. If you keep talking about test cases, they don't care.

Emotional intelligence is understanding what triggers you in terms of emotions, and then how you handle those emotions.


A lot of testers focus on their technical skills and learn a lot of tools and techniques, but they don't concentrate on communication skills.

 “Information and communication are two words that are interchangeably used, but mean very different things—information is giving out and communication is getting through,” - a quote by Sidney Harris 

We provide information for people to make those decisions, but it's the communication aspect that actually determines how successful we are.



We're distracted. We should listen with our eyes.


There was a young boy with father at the breakfast table and he says, “Daddy, I want to read to you,” and the father is there with the newspaper and he says, “Yes, I'm listening, dear” and he says, “No, no, Daddy, Daddy. I want to read to you, please listen to me.” Father says, with the newspaper, “I'm listening.” The child gets up from the table, pulls the newspaper down and says, “Silly daddy, you need to listen with your eyes.”

We're very distracted, and we're not always actively listening because we're inside our phone or we're thinking about what we have to do next. We get so caught up in all of the things in our heads that we aren't present all the time.





Testing SSL certificate validity – client and server

When accessing a web application via the https protocol, a secure channel is established between the client (usually the browser) and the server. The identity of one (the server) or both parties (client and server) is then established by means of digital certificates. In order for the communication to be set up, a number of checks on the certificates must be passed: a) checking that the Certificate Authority (CA) is a known one (meaning one considered trusted), b) checking that the certificate is currently valid, and c) checking that the name of the site and the name reported in the certificate match. Remember to keep your browser up to date: CA certificates expire too, and each browser release renews its bundled CA certificates. Updating also matters because more web sites require ciphers stronger than 40 or 56 bits.
Let’s examine each check more in detail.
a) Each browser comes with a preloaded list of trusted CAs, against which the certificate signing CA is compared (this list can be customized and expanded at will). During the initial negotiations with an https server, if the server certificate relates to a CA unknown to the browser, a warning is usually raised. This happens most often because a web application relies on a certificate signed by a self-established CA. Whether this is to be considered a concern depends on several factors. For example, this may be fine for an Intranet environment (think of corporate web email being provided via https; here, obviously all users recognize the internal CA as a trusted CA). When a service is provided to the general public via the Internet, however (i.e. when it is important to positively verify the identity of the server we are talking to), it is usually imperative to rely on a trusted CA, one which is recognized by all the user base (and here we stop with our considerations; we won’t delve deeper in the implications of the trust model being used by digital certificates).
b) Certificates have an associated period of validity, therefore they may expire. Again, we are warned by the browser about this. A public service needs a temporally valid certificate; otherwise, it means we are talking with a server whose certificate was issued by someone we trust, but has expired without being renewed.
c) What if the name on the certificate and the name of the server do not match? If this happens, it might sound suspicious. For a number of reasons, this is not so rare to see. A system may host a number of name-based virtual hosts, which share the same IP address and are identified by means of the HTTP 1.1 Host: header information. In this case, since the SSL handshake checks the server certificate before the HTTP request is processed, it is not possible to assign different certificates to each virtual server. Therefore, if the name of the site and the name reported in the certificate do not match, we have a condition which is typically signalled by the browser. To avoid this, one of two techniques should be used: Server Name Indication (SNI), which is a TLS extension from RFC 3546, or IP-based virtual servers. [2] and [3] describe techniques to deal with this problem and allow name-based virtual hosts to be correctly referenced.
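
Checks a), b) and c) can be exercised from the command line with openssl; the script below is an added example (not part of the original post) that runs them against throwaway self-signed certificates it creates itself. The host names, file names and function names are constructed for the example, and an OpenSSL 1.1.1 or later command line is assumed.

```shell
#!/bin/sh
# Added example: certificate checks a), b) and c) with the openssl CLI.
# Every certificate and host name below is constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build two unrelated self-signed certificates, each valid for one day:
#   site.crt  - the server certificate under test (name: www.example.test)
#   other.crt - stands in for a trust list that does NOT contain the signer
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.test" \
        -addext "subjectAltName=DNS:www.example.test" \
        -keyout "$WORK/site.key" -out "$WORK/site.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Test CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

# a) Is the certificate signed by a CA in the given trust list?
#    $1 = certificate, $2 = PEM file holding the trusted CA certificates
check_trusted_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

# b) Will the certificate still be valid $2 seconds from now? (0 = right now)
check_validity() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
    then echo valid; else echo expires; fi
}

# c) Does the certificate cover host name $2?
#    -checkhost reports its verdict as text, so the output is inspected.
check_name() {
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
    then echo match; else echo mismatch; fi
}

make_test_certs || { echo "openssl could not create the test certificates" >&2; exit 1; }

printf 'a) signer in trust list:        %s\n' "$(check_trusted_ca "$WORK/site.crt" "$WORK/site.crt")"
printf 'a) signer missing from list:    %s\n' "$(check_trusted_ca "$WORK/site.crt" "$WORK/other.crt")"
printf 'b) valid right now:             %s\n' "$(check_validity "$WORK/site.crt" 0)"
printf 'b) still valid in two days:     %s\n' "$(check_validity "$WORK/site.crt" 172800)"
printf 'c) www.example.test:            %s\n' "$(check_name "$WORK/site.crt" www.example.test)"
printf 'c) second virtual host name:    %s\n' "$(check_name "$WORK/site.crt" shop.example.test)"
```

The last line is the name-based virtual host case from c): a second host name served from the same address fails the name check when the certificate only carries the first name.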

Metrics needed to measure the quality of the product in Agile

One of the most important things in software projects is measuring the quality of the software. Here are a few metrics that we follow in our company and that play an important role in measuring our software's quality.

Stories committed vs Stories delivered
The ability of teams to meet their commitments on schedule and with the highest standards. Failing to deliver at the right time causes delays and rework.

Quality across sprints
QA doesn't have the time and resources to test each and every build in a sprint. So, one of the major metrics is automation within the sprint. The feature/story delivered in a sprint should be automated in the same sprint.

Defect Age (Bug cycle time)
It is a known fact that fixing code in one place affects another. Also, we have a famous saying: "A stitch in time saves nine". Fixing a bug in time saves many regressions.

Defect Density
A straightforward metric to measure the defects that were introduced vs the new lines of code written. All kinds of defect metrics can be used to calculate the defect rate of the product. A good defect rate target should lead to a release-to-release reduction in the total number of defects.

Customer Satisfaction
It is a good practice to consider the customer's perspective. While fixing, there might be a few defects which are not valid or major from our perspective, like documentation and usability bugs. These increase customer problems.

Code Coverage
A good code coverage metric is also a measure of the quality of the product.


Validate Styling of Web Application using Telerik Test Studio


Apart from functional and user interface layout verifications, Test Studio can be used for validating the styles of a web page under test.

I came across this feature while evaluating an approach to test a web application which has multiple themes. Your automated tests should still run when the styling of your web page has changed, to ensure that the styling change did not impact any user interface layout or cause functionality issues.

Let's see how to do it.

1. Start recording your web page.
2. Highlight the element that you want to validate for CSS.
3. In the DOM explorer, select the element and click on Style in Verifications.


There are two primary style types to choose from, depending on the web page under test. Basically, you should know whether the styling of your application under test comes from a CSS file or from the web page itself.
a. Computed Style - inherited or cascading styles
b. Inline Style

Mostly, modern web applications take their styles from a CSS file.

There are many options in Style, which let you validate almost all variations of a web page's styling.





You could also use regular expressions in case the web page styling changes dynamically, e.g. with themes.

4. Once you have selected a specific criterion, select Add step. This will create a step in the test.

In this way you can test the styles of a web application.


OE DataServer testing with Oracle db with required privileges

You need to have below permissions for your oracle user to use all the functionality of OpenEdge DataServer for Oracle-


You may face permission issues or unexpected results while testing the OE DataServer with Oracle if you miss any of the privileges mentioned above.

Points to consider while developing or running your test using Cygwin



  • Cygwin is free software, but for MKS you need to buy a license.
  • Cygwin uses /dev/null and MKS uses nul.
  • Cygwin follows Unix convention including line endings.
  • UNAME returns Windows_NT in the case of MKS, but Cygwin returns CYGWIN_NT-6.1-WOW.
  • UMASK: MKS seems to have problems with file/directory permissions, usually leaving permissions wide open or ill-defined. In case of CYGWIN it is much better.
  • Administrator: MKS has had some problems being used by anyone other than the one who installed it, I'm not sure what this problem is. CYGWIN may or may not have this problem.
  • Cygwin follows the POSIX standards. This means that paths are /cygdrive/c/. MKS PATH is the same as Windows PATH, using the ';' path separator character, and must be quoted if it has any embedded spaces. It can contain a mix of \\ and / file separator characters apparently.
  • ENVIRONMENT VARIABLES: It appears that CYGWIN inherits Windows system variables with their names mapped to all uppercase, so things like windir, SystemDrive, SystemRoot, and MSDEVDIR, turn into WINDIR, SYSTEMDRIVE, SYSTEMROOT. The MKS shells don't have this behavior.

Aug 23, 2015

Short regression cycles in sprint

In an agile process, each new piece of functionality is tested in the sprint, which helps the engineering team get feedback at the earliest. To make the process go smoothly, it is crucial for the development team to provide a successful build to the testing team.

QA will test the feature or functionality implemented in the sprint and log defects and the DEV team triages and fixes the defects. This all looks fine.

The problem or the challenge is:
The feature or the functionality would have been tested thoroughly; however, integration points might not be covered. The integration points might be between products, components or features.
Some organisations have a different team for testing integration points between products, though that testing is not done in every sprint. Still, component and feature level integration is the responsibility of the sprint team.
In general, testing of these integration points is only performed once or twice at the end of a release cycle, and a lot of defects are filed and fixed. The result is a stressed end of the release cycle for the engineering team.

Typically, a quick regression cycle at the end of the sprint would make things easier for the engineering team. However, it is difficult to achieve in sprints shorter than 3 weeks.

To make things simple, you could adopt the following:
1. A build verification and acceptance tests for daily builds.
2. Practice code commit reports efficiently.
3. Run the automated regression tests.
4. Produce tests which cover component and feature level integration.

Have a short regression cycle at least after every two sprints, covering manual and automated testing.

Code Coverage – Measure the quality of your testing

Many of you (testing guys) may have already heard of code coverage and related tools. However, let's talk about why we need code coverage, how it helps and when we need to do code coverage analysis.

Code coverage analysis helps find more bugs in our application code by finding the areas which are not being covered by our testing. It measures how many lines/blocks/arcs of our code are executed while the automated tests are running. The coverage is collected by using specialized tools to instrument the binaries with tracing calls and then running a full set of automated tests against the instrumented product. A good tool will give us not only the percentage of the code that is executed, but will also allow us to drill into the data and see exactly which lines of code were executed or not executed during a particular test, which in turn shows us the missing test cases.

There are many tools available in the market that can be used to indicate which code is being executed when running through test cases. For example, in our company we use Clover for all our Java based applications and Pure Coverage for C/C++ based applications. Code coverage is a white box testing technique which can be executed mostly in testing phases like regression or integration testing.



Aug 20, 2015

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.
In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be "I have a DER encoded certificate" not "I have a DER certificate".
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN …" line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
  • .CER = alternate form of .crt (Microsoft convention). You can use MS to convert .crt to .cer (both DER encoded .cer, or base64 [PEM] encoded .cer). The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type is identical (i.e. PEM encoded CRT = PEM encoded CER).

Common OpenSSL Certificate Manipulations

There are four basic types of certificate manipulations: View, Transform, Combination, and Extraction.

View

Even though PEM encoded certificates are ASCII they are not human readable. Here are some commands that will let you output the contents of a certificate in human readable form:

View PEM encoded certificate

Use the command that has the extension of your certificate, replacing cert.xxx with the name of your certificate:
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in "View DER encoded Certificate" below:
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE

View DER encoded Certificate

openssl x509 -in certificate.der -inform der -text -noout
If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in "View PEM encoded certificate" above:
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Transform

Transforms can take one type of encoded certificate to another. (ie. PEM To DER conversion)

PEM to DER

openssl x509 -in cert.crt -outform der -out cert.der

DER to PEM

openssl x509 -in cert.crt -inform der -outform pem -out cert.pem

Combination

In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file.  One common example would be to combine both the private key and public key into the same certificate.
The easiest way to combine certs, keys and chains is to convert each to a PEM encoded certificate, then simply copy the contents of each file into a new file. This is suitable for combining files to use in applications like Apache.

Extraction

Some certs will come in a combined form, where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.
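
The script below is an added example (not from the referenced article) that ties the four manipulations together: it identifies a certificate's encoding from its content rather than its extension, transforms it to PEM, combines it with its key, and extracts both again. File names, function names and the test certificate are constructed for the example.

```shell
#!/bin/sh
# Added example: detect encoding, transform, combine and extract with openssl.
# The key and certificate are throwaway test data created below.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077    # the key and the combined bundle hold private key material

# Report how a certificate file is encoded, whatever its extension says.
cert_encoding() {
    if grep -q -- '-----BEGIN .*CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif openssl x509 -in "$1" -inform der -noout 2>/dev/null; then
        echo der
    else
        echo unknown
    fi
}

# Transform: write the certificate in $1 to $2 as PEM, whatever $1's encoding.
to_pem() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "not a certificate: $1" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform "$enc" -outform pem -out "$2"
}

# View: SHA-256 fingerprint, which is the same for every encoding of one cert.
cert_fingerprint() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then return 1; fi
    openssl x509 -in "$1" -inform "$enc" -noout -fingerprint -sha256
}

# Constructed test material: a key and a PEM certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=convert.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/cert.pem" 2>/dev/null || exit 1

# A DER encoded certificate that carries a .crt extension.
openssl x509 -in "$WORK/cert.pem" -outform der -out "$WORK/mislabelled.crt"

# Transform it back to PEM without being told the encoding.
to_pem "$WORK/mislabelled.crt" "$WORK/roundtrip.pem" || exit 1

# Combination: key and certificate in one PEM file.
cat "$WORK/server.key" "$WORK/roundtrip.pem" > "$WORK/bundle.pem"

# Extraction: pull the certificate and the private key back out of the bundle.
openssl x509 -in "$WORK/bundle.pem" -out "$WORK/extracted.crt.pem"
openssl pkey -in "$WORK/bundle.pem" -out "$WORK/extracted.key.pem"

echo "cert.pem        is $(cert_encoding "$WORK/cert.pem")"
echo "mislabelled.crt is $(cert_encoding "$WORK/mislabelled.crt")"
echo "server.key      is $(cert_encoding "$WORK/server.key")"
echo "original:  $(cert_fingerprint "$WORK/cert.pem")"
echo "extracted: $(cert_fingerprint "$WORK/extracted.crt.pem")"
```

Matching fingerprints show that the same certificate survived the DER round trip, the combination and the extraction.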

Ref: https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

Aug 17, 2015

How to create a self-signed SSL Certificate

Overview
The following is an extremely simplified view of how SSL is implemented and what part the certificate plays in the entire process.
Normal web traffic is sent unencrypted over the Internet. That is, anyone with access to the right tools can snoop all of that traffic. Obviously, this can lead to problems, especially where security and privacy is necessary, such as in credit card data and bank transactions. The Secure Socket Layer is used to encrypt the data stream between the web server and the web client (the browser).
SSL makes use of what is known as asymmetric cryptography, commonly referred to as public key cryptography (PKI). With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key. Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data only could have come from the server.
If SSL utilizes public key cryptography to encrypt the data stream traveling over the Internet, why is a certificate necessary? The technical answer to that question is that a certificate is not really necessary - the data is secure and cannot easily be decrypted by a third party. However, certificates do serve a crucial role in the communication process. The certificate, signed by a trusted Certificate Authority (CA), ensures that the certificate holder is really who he claims to be. Without a trusted signed certificate, your data may be encrypted, however, the party you are communicating with may not be whom you think. Without certificates, impersonation attacks would be much more common.
Step 1: Generate a Private Key
The openssl toolkit is used to generate an RSA Private Key and CSR (Certificate Signing Request). It can also be used to generate self-signed certificates which can be used for testing purposes or internal usage.
The first step is to create your RSA Private Key. This key is a 1024 bit RSA key which is encrypted using Triple-DES and stored in a PEM format so that it is readable as ASCII text.
openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Step 2: Generate a CSR (Certificate Signing Request)
Once the private key is generated a Certificate Signing Request can be generated. The CSR is then used in one of two ways. Ideally, the CSR will be sent to a Certificate Authority, such as Thawte or Verisign who will verify the identity of the requestor and issue a signed certificate. The second option is to self-sign the CSR, which will be demonstrated in the next section.
During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL. If the website to be protected will be https://public.akadia.com, then enter public.akadia.com at this prompt. The command to generate the CSR is as follows:
openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:CH
State or Province Name (full name) [Berkshire]:Bern
Locality Name (eg, city) [Newbury]:Oberdiessbach
Organization Name (eg, company) [My Company Ltd]:Akadia AG
Organizational Unit Name (eg, section) []:Information Technology
Common Name (eg, your name or your server's hostname) []:public.akadia.com
Email Address []:martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 3: Remove Passphrase from Key
One unfortunate side-effect of the pass-phrased private key is that Apache will ask for the pass-phrase each time the web server is started. Obviously this is not necessarily convenient as someone will not always be around to type in the pass-phrase, such as after a reboot or crash. mod_ssl includes the ability to use an external program in place of the built-in pass-phrase dialog, however, this is not necessarily the most secure option either. It is possible to remove the Triple-DES encryption from the key, thereby no longer needing to type in a pass-phrase. If the private key is no longer encrypted, it is critical that this file only be readable by the root user! If your system is ever compromised and a third party obtains your unencrypted private key, the corresponding certificate will need to be revoked. With that being said, use the following command to remove the pass-phrase from the key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
The newly created server.key file has no more passphrase in it.
-rw-r--r-- 1 root root 745 Jun 29 12:19 server.csr
-rw-r--r-- 1 root root 891 Jun 29 13:22 server.key
-rw-r--r-- 1 root root 963 Jun 29 13:22 server.key.org
Step 4: Generating a Self-Signed Certificate
At this point you will need to generate a self-signed certificate because you either don't plan on having your certificate signed by a CA, or you wish to test your new SSL implementation while the CA is signing your certificate. This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted.
To generate a temporary certificate which is good for 365 days, issue the following command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CH/ST=Bern/L=Oberdiessbach/O=Akadia AG/OU=Information
Technology/CN=public.akadia.com/Email=martin dot zahn at akadia dot ch
Getting Private key
Step 5: Installing the Private Key and Certificate
When Apache with mod_ssl is installed, it creates several directories in the Apache config directory. The location of this directory will differ depending on how Apache was compiled.
cp server.crt /usr/local/apache/conf/ssl.crt
cp server.key /usr/local/apache/conf/ssl.key
Step 6: Configuring SSL Enabled Virtual Hosts
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Step 7: Restart Apache and Test
/etc/init.d/httpd stop
/etc/init.d/httpd start

https://public.akadia.com
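
Steps 1 to 4 can be run without prompts and the result checked before it is installed; the script below is an added example (not part of the referenced procedure) that does so and audits the two points Step 3 raises: an unencrypted key must not be readable by other users, and the key must belong to the certificate. It assumes a 2048-bit key instead of the 1024-bit key shown above, and the subject, file names and function names are constructed for the example.

```shell
#!/bin/sh
# Added example: non-interactive version of Steps 1-4 plus post-generation checks.
# Subject and file names are constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077    # files created below are readable by their owner only

# Steps 1, 2 and 4: key without pass-phrase, CSR, self-signed certificate.
#   $1 = output directory, $2 = subject (replaces the interactive prompts)
make_self_signed() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "$2" -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Step 3 audit: an unencrypted key that group or others can read is exposed.
audit_key() {
    if grep -q ENCRYPTED "$1"; then echo encrypted; return 0; fi
    perms=$(ls -l "$1" | cut -c5-10)      # group and other permission bits
    if [ "$perms" = "------" ]; then echo owner-only; else echo exposed; fi
}

# Does private key $1 belong to certificate $2? Compare their public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Subject and issuer carry the same name, as in a self-signed certificate.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash)
    i=$(openssl x509 -in "$1" -noout -issuer_hash)
    if [ -n "$s" ] && [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

SUBJ="/C=CH/O=Example Test/CN=www.example.test"    # constructed subject
make_self_signed "$WORK" "$SUBJ" || exit 1

# Reproduce the -rw-r--r-- key permissions from the listing in Step 3.
cp "$WORK/server.key" "$WORK/loose.key" && chmod 644 "$WORK/loose.key"
# An unrelated key, to show what a failed match looks like.
openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null

echo "server.key permissions: $(audit_key "$WORK/server.key")"
echo "loose.key permissions:  $(audit_key "$WORK/loose.key")"
echo "server.key vs cert:     $(key_matches_cert "$WORK/server.key" "$WORK/server.crt")"
echo "wrong.key vs cert:      $(key_matches_cert "$WORK/wrong.key" "$WORK/server.crt")"
echo "self-signed:            $(is_self_signed "$WORK/server.crt")"
```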

Ref:  http://www.akadia.com/services/ssh_test_certificate.html

Test your code without being disturbed by other users by putting a message on the login screen of your test machine

If you want to perform some testing without anybody's interference on a test machine which has multiple user access, you can configure the machine to show a user-defined message on its login screen.
We can do it easily by doing some registry changes.
Editing the registry
It is important to keep in mind that the registry is vital to the operating system and changing it can be dangerous if you inadvertently make a mistake. Do it if you really need it.
To launch the Registry Editor, click the Start button, type regedit in the Start Search box, and press [Enter]. When the UAC dialog box appears, respond appropriately.

Aug 15, 2015

Exploratory testing in Agile

Development cycles are short, features often evolve or change quickly, and feature requirements are incomplete or bound to change. QAing the features in such short cycles needs effective planning.

Sanity testing or smoke testing would make things better in such situations. However, other aspects like feature integrations, performance, non-functional testing, test plan updates, etc. are left at risk.

To a certain extent, automated regression tests would make a difference. Running these tests on every nightly build will boost the confidence of the engineering team. However, these tests produce the desired results only when the features under test do not change drastically.

To keep up the pace in such situations, exploratory testing should be considered an important activity.

Exploratory testing focuses on new features which have been developed and on complex or new scenarios that have not been covered in manual or automated testing. It is process oriented while adapting techniques and is limited to scope.

It is very similar to adhoc testing; however, some key differences should be noted:

Adhoc Testing | Exploratory Testing
--- | ---
Doesn't have any process/test case/test scenario defined or preplanned. | It involves simultaneous test design and test execution.
Simultaneous learning, test design and test execution. | It is a type of adhoc testing, but here the tester does not have much idea about the application; the tester explores the system in an attempt to learn the application and simultaneously test it.
Advisable that adhoc testing is conducted by the same test engineer who has basically completed formal testing. | Exploratory testing comes under experience based testing; the people having a better idea about the application should be given this responsibility.

Exploratory testing produces quick feedback on a functionality or the system. It helps testers get familiar with the features and enhances their understanding of the system, and hence tester efficiency is increased.



Good user experience

Two words are often used synonymously while describing a good user experience using an application.

The Usability and The User Experience(UX).

Both usability and user experience are essential to the success of an application.

Usability focuses on goal achievement when using an application, while user experience focuses on design, human factors, accessibility, marketing as well as usability.

User experience (UX) focuses on having a deep understanding of users, what they need, what they value, their abilities, and also their limitations. Business goals and objectives of the application are also taken into account.

Some of the common misperceptions
1. Thinking that because something is easy to use, it's a good user experience.
2. Thinking a beautiful design will magically make an application easy or intuitive to use.

When do we say that an application is usable?
An application which enables users to achieve their goals quickly, with minimum fuss or frustration and without error, while being intuitive, simple or extremely learnable.

When do we say that the user experience is good using the application?
A usable application which emphasizes presentation, interactive behaviour, functionality, assistive capabilities and system performance.

Some factors to be considered to see if the application is usable and gives a good user experience
1. Adoptability
2. Learnability
3. Efficiency
4. Transparency
5. Desirability

These factors will be detailed soon...

Difference among performance, load, stress and volume tests

Many people often confuse performance testing with load, stress or volume testing. Here is the simple difference as far as I know. For this, let's take the example of a shopping cart application.

In the case of performance testing, the application should be tested under normal load, say, testing the response time taken to list the items when an item is searched.

In the case of load testing, the application should be tested with high load, like triggering the same search operation by multiple users until it slows down. Volume testing is also similar to load testing.

In the case of stress testing, the application should be tested with high load until the application crashes. A few other cases include testing the application when the system is out of resources.

Aug 13, 2015

Telerik Test Studio Tip: Less-expensive alternatives to SimulateRealTyping and SimulateRealClick

In test cases, we often encounter actions that do not work as expected, such as a normal click (Pages.MyDashboardDataDirect.LogOutLink.Click();) or setting a value on a text box (Pages.LoginPage.UserNameTextBox.Text = "User123";).

For example, take a simple login scenario. Assume we have a login page where Submit is enabled only after the user enters the User Name through the keyboard, because the developers validate and enable the Submit button based on the keyup event. In such a case, setting the value of the User Name text box will not enable the Submit button. To handle such keyboard or mouse actions, Telerik Test Studio provides an option to simulate these actions with real actions (SimulateRealTyping, SimulateRealClick).

The main concern here is that such simulated actions demand an active session to run. It is expensive for an organization to provide physical machines for running test cases on a daily basis or in 24 x 7 mode. Best practice is to avoid such actions and search for an alternative. One way of avoiding such actions is using JavaScript to trigger events like keyup, keydown, click etc. Telerik Test Studio provides a method to invoke JavaScript. An example is given below to explain how to use this method.

Problem definition

1. The Submit button in the login page will be enabled based on validation of the User Name text box.
2. Validation will be called based on a keyboard event (keyup).

Solution 1 (Not recommended):

Use the SimulateRealTyping feature to enter text in the textbox.
Here, the test step demands an active session to run.

Solution 2 (Recommended):

Set the value of the textbox and trigger the keyup event using the InvokeScript function.

// Set the value directly; this alone does not fire the page's keyup handler
Pages.LoginPage.UserNameTextBox.Text = "User123";
// Fire keyup through jQuery ($), which the page under test must have loaded
String JS = "$('[id=name]').trigger('keyup')";
ActiveBrowser.Actions.InvokeScript(JS);


Here, the test step will run without an active session.

Aug 11, 2015

What is SSLyze?

SSLyze

Fast and full-featured SSL scanner.

Description

SSLyze is a Python tool that can analyze the SSL configuration of a server by
connecting to it. It is designed to be fast and comprehensive, and should help
organizations and testers identify misconfigurations affecting their SSL
servers.

Key features include:
* Multi-processed and multi-threaded scanning (it's fast)
* SSL 2.0/3.0 and TLS 1.0/1.1/1.2 compatibility
* Performance testing: session resumption and TLS tickets support
* Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more
* Server certificate validation and revocation checking through OCSP stapling
* Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP and FTP
* Support for client certificates when scanning servers that perform mutual authentication
* XML output to further process the scan results
* And much more !

Installation

SSLyze requires Python 2.7; the supported platforms are Windows 7 32/64 bits,
Linux 32/64 bits and OS X 64 bits.

SSLyze is statically linked with OpenSSL. For this reason, the easiest
way to run SSLyze is to download one of the pre-compiled packages available in
the GitHub releases section for this project, at
https://github.com/iSECPartners/sslyze/releases.

Usage


### Command line options

The following command will provide the list of available command line options:
    $ python sslyze.py -h


### Sample command line:

    $ python sslyze.py --regular www.isecpartners.com:443 www.google.com

See the test folder for additional examples.


Build / nassl

SSLyze is all Python code but since version 0.7, it uses a custom OpenSSL
wrapper written in C called nassl. The pre-compiled packages for SSLyze
contain a compiled version of this wrapper in sslyze/nassl. If you want to
clone the SSLyze repo, you will have to get a compiled version of nassl from
one of the SSLyze packages and copy it to sslyze-master/nassl, in order to get
SSLyze to run.

The source code for nassl is hosted at https://github.com/nabla-c0d3/nassl.


Py2exe Build

SSLyze can be packaged as a Windows executable by running the following command:

    $ python.exe setup_py2exe.py py2exe

License

GPLv2 - See LICENSE.txt.




Ref: https://github.com/iSECPartners/sslyze

Aug 10, 2015

Overview on Telerik Test Framework



What is Telerik Test Framework?

Telerik’s Test Studio is a tool with record/replay capability for automation. The Test Studio’s underlying Testing Framework also provides the ability for QA / developers to write UI tests with most of the common unit testing frameworks like NUnit, MSTest etc.

This framework lets you write code-only tests and exercise the full functionality of the testing platform.



Background:

WebAii is a web automation testing framework, originally developed by ArtOfTest, now provided as a free framework by Telerik. This is very similar to other existing browser automation tools such as Selenium (even QTP). However, unlike Selenium, it is not an open source tool – it is developed and supported by Telerik. The tool is completely free to use (with a paid support option) – and a paid for version of this product is the “Test Studio”, which provides rich UI to record and playback test cases.



Features:

  • As Telerik Testing Framework is fully integrated within Visual Studio Team System, it leverages functionalities such as test case management and execution, source control, execution, and reporting by using Microsoft TFS.
  • Testing Framework exposes numerous properties and methods to easily build non-brittle, maintainable functional tests 
  • Set implicit and explicit waits, test drag-n-drop and hovers, dynamic page elements, complex animations, generic and custom UI controls, and more. 
  • Expand your browser compatibility testing to all the latest major browsers: IE, Chrome, Firefox and Safari without ever changing your test case code. 
  • The Framework is a pure .NET stack that requires only one DLL with no dependencies on any third party tools.

TestStudio Vs TestFramework

Telerik Testing Framework is the foundation. It provides all the base functionality used by Test Studio. Test Studio is the GUI.