QA Design Gurus: May 2016

May 16, 2016

Test Driven Development

Testing is the process of evaluating a system or piece of software to find out whether it satisfies the specified requirements without gaps or errors. As most of you know, testers do manual as well as automated testing to check the software's functionality. Can we do something to build more quality into the product while the software is still in development? Yes, we can, using TDD.
What is TDD? TDD stands for Test Driven Development. Test-driven development (TDD) is a development technique in which we write a test before we write the functional code, and then use that same test at different stages of the development process.
Test-driven development is not about pure development; it is about developing the tests before developing the code, and about building in quality in such a way that there are no critical issues in the product or software before it is handed to the QA team for testing. These unit tests are extremely useful for the product.

TDD life-cycle.

1. Write the test
2. Run the test (the test does not pass, as there is no implementation code yet)
3. Write the implementation code to make the test pass
4. Run all tests; if all tests pass, the developer can say that the code has met all requirements
5. Change the code to remove duplication and improve the design
6. Repeat the cycle
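A walk through the cycle above on one small unit, as an added example that is not the post's own code: the test is written first, fails against a stub (step 2), then passes against the implementation (step 3), which is then tidied (step 5). The function name and the filename rule it enforces are assumptions for the illustration.

```python
import re
import unittest

# Step 1: the test is written first, before any implementation exists.
# It pins down the requirement: a user-supplied filename may only be a
# plain name (no directory separators, no ".." segments), because it
# will later be joined to a server-side upload directory.
class SafeFilenameTest(unittest.TestCase):
    def test_accepts_plain_names(self):
        self.assertTrue(is_safe_filename("report.pdf"))
        self.assertTrue(is_safe_filename("photo_2016-05.jpg"))

    def test_rejects_traversal_and_separators(self):
        for bad in ("../etc/passwd", "a/b.txt", "a\\b.txt", "..", ""):
            self.assertFalse(is_safe_filename(bad), bad)


# Step 2: with only this stub in place the suite runs and fails ("red").
# def is_safe_filename(name):
#     raise NotImplementedError

# Step 3: the implementation that makes the test pass ("green").
# Step 5 (refactor): one anchored pattern replaces several ad-hoc checks.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")

def is_safe_filename(name: str) -> bool:
    """Return True only for a single, plain filename component."""
    # Reject empty names and bare "." / ".." before pattern matching.
    if not name or name in (".", ".."):
        return False
    return bool(_SAFE_NAME.match(name))

if __name__ == "__main__":
    unittest.main()
```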




Outcome/Result of TDD:
1. Testers and developers can work more collaboratively.
2. Test engineers gain in-depth knowledge of the software's functionality.
3. There will be no critical issues in the product.
4. Improves the software quality.
5. TDD provides assurance that the code works as designed/intended.


May 15, 2016

Practical Experience: Taking Stance On Test Automation

It was a year and a half ago that I was a bystander to an argument that has repeated itself a dozen times since. Which combination of programming language and supporting tool was better for an automation system across the board: Java with Sahi or C# with Telerik Test Studio? Each side blew up weighty arguments: what is easier to do in each language, which language has better libraries, which tool has more flexibility, etc.
Who is right?
It is difficult to settle the argument purely on technology characteristics, because each language/tool has a few aspects where it is better than the other. It is equally hard to judge which attribute is more important in order to make a decision.
It is an Organizational Decision!
Working in a language the engineer does not prefer requires context-switching, where some time is lost recalling and adapting to the details of that language. It is very important to realize and scope the time that the engineer's transition requires and the time that maintaining the existing automation requires. When the code is not written in the language the engineer prefers, development and maintenance become hit-or-miss.
How to strategize for test automation in new Language?
Plan to achieve small successes and grow. It is not possible to automate the whole regression suite at once. Instead, try things, make mistakes and design even better approaches. This process never ends, but at a certain point in time you reach a reasonably strong point of view on the capabilities of the language or the tool. That helps in drafting the next generation of frameworks, which should sustain (as they should) over the lifetime of the product under test.
Automation is a full-time effort, not a side-line. Sometimes automation is extremely underestimated. Again, by starting small and growing, the work can be estimated more accurately.

What if, even after evaluating the new tool, there isn't any clear choice? At this point the choice does not matter. The important thing is that we do choose one, because delaying may prove costlier than making the wrong decision. Get the team to back whatever the outcome is, and follow through with support for that language.

Security Testing

Internet usage has increased and has become more important in our daily lives. Many web applications are hosted and accessed via the internet or an intranet, and because they are important and heavily used, their security is a concern for many enterprises and individuals.

When a product or web application is handed to the QA team, in most organizations only the functionality of the product/application is tested. Often the security aspects of the product are neglected or given less importance by QA. QA should take the lead on, or responsibility for, testing the security aspects of the product too, as QA knows the product very well. Even if developers follow good coding standards, flaws can be introduced, knowingly or unknowingly, at any time in the development lifecycle. Undetected flaws can turn into security vulnerabilities at runtime, so it is always good practice to do security testing, as no web application is totally secure.


If, as a QA engineer, you already do security testing, well and good; if you do not, you need not worry: there are quite a few automated tools that can find security bugs in the product/application. Even so, it is always good to have knowledge of the different kinds of security issues.

Top Vulnerabilities
OWASP, a free and open software security community, has published a top 10 list of vulnerabilities, which can be found here (https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet), and SANS has its list over here (https://www.sans.org/top25-software-errors/archive/2010)
There are two techniques/types of analysis:
  • Static Analysis
  • Dynamic Analysis


Static Analysis
Static analysis is a technique that lets us find bugs without executing the program. A static code analysis tool automatically checks the source code for compliance with a predefined set of rules or best practices. Static analysis tools are fast and efficient at finding code defects and inconsistencies. This technique is programming-language dependent, so the tool must support the programming language your product/application is built in.
A static code analysis tool can help your code review process by
  • detecting areas in the code that need to be refactored and simplified
  • finding areas of the code that may need more testing or deeper review
  • identifying design issues such as high cyclomatic complexity, and helping reduce code complexity to improve maintainability
  • identifying potential software quality issues before the code moves to production
  • finding memory leaks, buffer overflows, and even concurrency issues

(http://www.codeexcellence.com/2012/05/what-is-static-analysis-and-why-is-it-important-to-software-testing/)

Here is a list of tools available for applications built in different languages

Language or framework    Static tools
C or C++                 Splint, VisualCodeGrepper
Java™ technology         FindBugs, LAPSE+, VisualCodeGrepper
JavaScript               JSLint, JSHint
Python                   pylint, PyChecker
PHP                      RIPS
Ruby on Rails            Brakeman, codesake_dawn

Dynamic Analysis
Dynamic analysis is a technique that lets us find bugs while the application is running. For dynamic analysis to be effective, the application must be exercised with a variety of tests that cover every part of the application. Dynamic analysis does not have access to the source code; it detects vulnerabilities by sending attack inputs and observing the application's responses, and it is independent of the programming language.
Dynamic analysis is more useful for finding runtime errors, memory leaks, SQL injection, cross-site scripting, etc.

Both kinds of analysis should be performed as part of security testing.
A few of the web vulnerability scanners available are IBM AppScan, Burp Suite, Zed Attack Proxy, etc.


May 13, 2016

Usability testing is important for a successful application



Usability is the measure of a product's potential to accomplish the goals of the user. In information technology, the term is often used in relation to software applications and Web sites, but it can be used in relation to any product that is employed to accomplish a task (for example, a toaster, a car dashboard, or an alarm clock). Some factors used in determining product usability are ease-of-use, visual consistency, and a clear, defined process for evolution.

Usability testing is a method by which users of a product are asked to perform certain tasks in an effort to measure the product's ease-of-use, task time, and the user's perception of the experience.




Outcome of usability testing:

  • Improves the usability of the product.
  • Helps to identify the different user personas.
  • Helps to deliver the best user experience.
  • Early identification of issues in the product, which minimizes the risk of the product failing.
  • Direct user feedback.
  • Changes people's attitude about the users.
  • Changes the design and development process.






How To Test SAML Authentication


Authentication plays a vital role in cloud-based applications. Nowadays users are not interested in memorising a separate password for each cloud application, and nobody wants to store their password on the application platform. To overcome this, any application that implements support for SAML-based authentication can be configured with any SAML-based IDP (Identity Provider).
There are many cloud IDPs (Salesforce, PingOne, OneLogin, etc.) and hosted IDPs (OpenAM, Open Select, Shibboleth, etc.).

Applications authenticate with the above IDPs using SAML. SAML authentication involves the following three entities.
  • Service Provider
  • Client
  • Identity Provider

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content. There are three major components in SAML authentication.

a) Client (Users)

This is the user who can log in to any cloud application.

b) Identity Provider (IDP)

The Identity Provider is responsible for
  I.   Providing identifiers for users looking to interact with a system
  II.  Asserting to such a system that an identifier presented by a user is known to the provider
  III. Possibly providing other information about the user that is known to the provider
  IV.  An identity provider is a trusted provider that lets you use single sign-on to access other websites

c) Service Provider (SP)

In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision; in other words, it can decide whether to perform some service for the connected principal.
To configure SAML authentication we need to set things up on both the Identity Provider and the Service Provider:
1) Obtain the Service Provider metadata, i.e. our application's data, to register in the Identity Provider.
2) Register the SP in the Identity Provider; the registration steps are described in the Identity Provider's documentation. Then obtain the IDP metadata in order to register the IDP in our application (SP).
3) In our application, register the IDP using the IDP metadata.

After configuring SAML authentication, verify the following test cases.

  • Login
Users should be able to log in to the application using the configured IDP's credentials (for example, Salesforce credentials).
  • Logout
Users should be navigated to the configured logout page or the IDP's logout page.
  • Change password
Users should be able to change their IDP password from the SP, and the change should take effect in the IDP system, and vice versa.
  • Session Management
Login session management should respect both the IDP's and the SP's session timeouts.
  • SSO support
If the user already has a session with the IDP, or with another SP that uses the same IDP, they should not be asked for credentials again to log in to the application.
  • Forgot Password
The forgot-password page is maintained by the IDP only.
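Behind the Login and Session Management cases above sits the SP's check of the assertion it receives from the IDP; the following is an added example of that check, not code from the post or from any IDP product. The entity IDs, the sample assertion and the function name are constructed; the IDP entity ID and SP entity ID correspond to the values exchanged through the metadata in the configuration steps. Only the presence of a signature is checked here, because cryptographic XML-DSig verification against the IDP's certificate needs a dedicated library and must precede trusting any of the other fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, unsigned sample assertion from a fictitious IDP; all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0"
    IssueInstant="2016-05-13T10:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-05-13T09:59:00Z" NotOnOrAfter="2016-05-13T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2016-05-13T10:00:00Z" SessionNotOnOrAfter="2016-05-13T18:00:00Z"/>
</saml:Assertion>"""

def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, idp_entity_id, sp_entity_id, now):
    """Return the list of failed checks; an empty list means the assertion is acceptable.
    Only the presence of a Signature is checked here: cryptographic verification against
    the certificate from the IDP metadata must be done with an XML-DSig library first."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:   # must be the registered IDP
        problems.append("issuer is not the registered IDP")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):       # expired or not yet valid
            problems.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:                             # meant for a different SP
            problems.append("assertion not addressed to this SP")
    authn = root.find("saml:AuthnStatement", NS)
    if authn is not None and authn.get("SessionNotOnOrAfter") and now >= _ts(authn.get("SessionNotOnOrAfter")):
        problems.append("IDP session already expired")               # SP must honour the IDP timeout
    return problems
```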