Indu Selvam

Greenhorn
since Jun 24, 2009

Recent posts by Indu Selvam

Hi,

I explained a little about penetration testing. I hope it will be useful to you.

Introduction
Penetration testing is an often confused term. Through this guide Corsaire, a world leader in information security, provides a broad overview of what it means, why you would want it, and how to get the most out of the process.

What is a penetration test?
Why conduct penetration testing?
What can be tested?
What should be tested?
What do you get for the money?
What to do to ensure the project is a success
What is a penetration test?
Much of the confusion surrounding penetration testing stems from the fact it is a relatively recent and rapidly evolving field. Additionally, many organisations will have their own internal terminology (one man's penetration test is another's vulnerability audit or technical risk assessment).

At its simplest, a penetration-test (actually, we prefer the term security assessment) is the process of actively evaluating your information security measures. Note the emphasis on 'active' assessment; the information systems will be tested to find any security issues, as opposed to a solely theoretical or paper-based audit.

The results of the assessment will then be documented in a report, which should be presented at a debriefing session, where questions can be answered and corrective strategies can be freely discussed.

Why conduct a penetration test?
From a business perspective, penetration testing helps safeguard your organisation against failure, through:

Preventing financial loss through fraud (hackers, extortionists and disgruntled employees) or through lost revenue due to unreliable business systems and processes.
Proving due diligence and compliance with your industry regulators, customers and shareholders. Non-compliance can result in your organisation losing business, receiving heavy fines, gathering bad PR or ultimately failing. At a personal level it can also mean the loss of your job, prosecution and sometimes even imprisonment.
Protecting your brand by avoiding loss of consumer confidence and business reputation.
From an operational perspective, penetration testing helps shape information security strategy through:

Identifying vulnerabilities and quantifying their impact and likelihood so that they can be managed proactively; budget can be allocated and corrective measures implemented.

What can be tested?

All parts of the way that your organisation captures, stores and processes information can be assessed; the systems that the information is stored in, the transmission channels that transport it, and the processes and personnel that manage it. Examples of areas that are commonly tested are:

Off-the-shelf products (operating systems, applications, databases, networking equipment etc.)
Bespoke development (dynamic web sites, in-house applications etc.)
Telephony (war-dialling, remote access etc.)
Wireless (WIFI, Bluetooth, IR, GSM, RFID etc.)
Personnel (screening process, social engineering etc.)
Physical (access controls, dumpster diving etc.)
What should be tested?
Ideally, your organisation should have already conducted a risk assessment, so will be aware of the main threats (such as communications failure, e-commerce failure, loss of confidential information etc.), and can now use a security assessment to identify any vulnerabilities that are related to these threats. If you haven't conducted a risk assessment, then it is common to start with the areas of greatest exposure, such as the public facing systems; web sites, email gateways, remote access platforms etc.

Sometimes the 'what' of the process may be dictated by the standards that your organisation is required to comply with. For example, a credit-card handling standard (like PCI) may require that all the components that store or process card-holder data are assessed.

What do you get for the money?
While a great deal of technical effort is applied during the testing and analysis, the real value of a penetration test is in the report and debriefing that you receive at the end. If they are not clear and easy to understand, then the whole exercise is of little worth.

Ideally the report and debriefing should be broken into sections that are specifically targeted at their intended audience. Executives need the business risks and possible solutions clearly described in layman's terms, managers need a broad overview of the situation without getting lost in detail, and technical personnel need a list of vulnerabilities to address, with recommended solutions.

What to do to ensure the project is a success
Defining the scope

The scope should be clearly defined, not only in the context of the components to be (or not to be) assessed and the constraints under which testing should be conducted, but also the business and technical objectives. For example, penetration testing may be focussed purely on a single application on a single server, or may be more far reaching, including all hosts attached to a particular network.

Choosing a security partner

Another critical step to ensure that your project is a success is in choosing which supplier to use.

As an absolute fundamental when choosing a security partner, first eliminate the supplier who provided the systems that will be tested. To use them will create a conflict of interest (will they really tell you that they deployed the systems insecurely, or quietly ignore some issues?).

Detailed below are some questions that you might want to ask your potential security partner:

Is security assessment their core business?
How long have they been providing security assessment services?
Do they offer a range of services that can be tailored to your specific needs?
Are they vendor independent (do they have NDAs with vendors that prevent them passing information to you)?
Do they perform their own research, or are they dependent on out-of-date information that is placed in the public domain by others?
What are their consultants' credentials?
How experienced are the proposed testing team (how long have they been testing, and what is their background and age)?
Do they hold professional certifications, such as PCI, CISSP, CISA, and CHECK?
Are they recognised contributors within the security industry (white papers, advisories, public speakers etc.)?
Are the CVs available for the team that will be working on your project?
How would the supplier approach the project?
Do they have a standardised methodology that meets and exceeds the common ones, such as OSSTMM, CHECK and OWASP?
Can you get access to a sample report to assess the output (is it something you could give to your executives; do they communicate the business issues in a non-technical manner)?
What is their policy on confidentiality?
Do they outsource or use contractors?
Are references available from satisfied customers in the same industry sector?
Is there a legal agreement that will protect you from negligence on behalf of the supplier?
Does the supplier maintain sufficient insurance cover to protect your organisation?
Standards compliance
There are a number of good standards and guidelines in relation to information security in general, for penetration tests in particular, and for the storage of certain types of data. Any provider chosen should at least have a working knowledge of these standards and would ideally be exceeding their recommendations.

Notable organisations and standards include:

PCI
The Payment Card Industry (PCI) Data Security Requirements were established in December 2004, and apply to all Members, merchants, and service providers that store, process or transmit cardholder data. As well as a requirement to comply with this standard, there is a requirement to independently prove verification.

ISACA
ISACA was established in 1967 and has become a pace-setting global organization for information governance, control, security and audit professionals. Its IS Auditing and IS Control standards are followed by practitioners worldwide and its research pinpoints professional issues challenging its constituents. CISA, the Certified Information Systems Auditor is ISACA's cornerstone certification. Since 1978, the CISA exam has measured excellence in the area of IS auditing, control and security and has grown to be globally recognized and adopted worldwide as a symbol of achievement.

CHECK
The CESG IT Health Check scheme was instigated to ensure that sensitive government networks and those constituting the GSI (Government Secure Intranet) and CNI (Critical National Infrastructure) were secured and tested to a consistently high level. The methodology aims to identify known vulnerabilities in IT systems and networks which may compromise the confidentiality, integrity or availability of information held on that IT system. In the absence of other standards, CHECK has become the de facto standard for penetration testing in the UK. This is mainly on account of its rigorous certification process. Whilst good, it only concentrates on infrastructure testing and not applications. However, open source methodologies such as the following are providing viable and comprehensive alternatives, without UK Government association. It must also be noted that CHECK consultants are only required when the assessment is for HMG or related parties, and meets the requirements above. If you want a CHECK test you will need to surrender your penetration testing results to CESG.

OSSTMM
The aim of The Open Source Security Testing Methodology Manual (OSSTMM) is to set forth a standard for Internet security testing. It is intended to form a comprehensive baseline for testing that, if followed, ensures a thorough and comprehensive penetration test has been undertaken. This should enable a client to be certain of the level of technical assessment independently of other organisation concerns, such as the corporate profile of the penetration-testing provider.

OWASP
The Open Web Application Security Project (OWASP) is an Open Source community project developing software tools and knowledge based documentation that helps people secure web applications and web services. It is an open source reference point for system architects, developers, vendors, consumers and security professionals involved in designing, developing, deploying and testing the security of web applications and Web Services.

The key areas of relevance are the forthcoming Guide to Testing Security of Web Applications and Web Services and the testing tools under the development projects. The Guide to Building Secure Web Applications not only covers design principles, but is also a useful document for setting out criteria by which to assess vendors and test systems.


You can get more information about this from here.

Indu..
12 years ago
Hi

I think you can get clear information about the XMLUnit configuration here: Click Here


Indu...
12 years ago
Hi,

I think this will be useful to you....

Functional Testing with JMeter
JMeter is a 100% pure Java desktop application. JMeter is found to be very useful and convenient in support of functional testing. Although JMeter is known more as a performance testing tool, functional testing elements can be integrated within the Test Plan, which was originally designed to support load testing. Many other load-testing tools provide little or none of this feature, restricting themselves to performance-testing purposes. Besides integrating functional-testing elements along with load-testing elements in the Test Plan, you can also create a Test Plan that runs these exclusively. In other words, aside from creating a Load Test Plan, JMeter also allows you to create a Functional Test Plan. This flexibility is certainly resource-efficient for the testing project.

In this article by Emily H. Halili, we will give you a walkthrough on how to create a Test Plan as we incorporate and/or configure JMeter elements to support functional testing.

Preparing for Functional Testing
JMeter does not have a built-in browser, unlike many functional-test tools. It tests on the protocol layer, not the client layer (i.e. JavaScript, applets, and many more), and it does not render the page for viewing. Although, by default, embedded resources can be downloaded, rendering these in the Listener | View Results Tree may not yield a 100% browser-like rendering. In fact, it may not be able to render large HTML files at all. This makes it difficult to test the GUI of an application under test.

However, to compensate for these shortcomings, JMeter allows the tester to create assertions based on the tags and text of the page as the HTML file is received by the client. With some knowledge of HTML tags, you can test and verify any elements as you would expect them in the browser.

It is unnecessary to select a specific workload time to perform a functional test. In fact, the application you want to test may even reside locally, with your own machine acting as the "localhost" server for your web application. For this article, we will limit ourselves to selected functional aspects of the page that we seek to verify or assert.

Using JMeter Components
We will create a Test Plan in order to demonstrate how we can configure the Test Plan to include functional testing capabilities. The modified Test Plan will include these scenarios:

1. Create Account—New Visitor creating an Account
2. Login User—User logging in to an Account
Following these scenarios, we will simulate various entries and form submission as a request to a page is made, while checking the correct page response to these user entries. We will add assertions to the samples following these scenarios to verify the 'correctness' of a requested page. In this manner, we can see if the pages responded correctly to invalid data. For example, we would like to check that the page responded with the correct warning message when a user enters an invalid password, or whether a request returns the correct page.

You can get this article from HERE

All the best..

Indu...


12 years ago
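As an added illustration (not part of the article above and not code from the JMeter project), this is what the "Login User" scenario with an invalid password looks like as a JMX test plan with a Response Assertion on the returned HTML. The host and port (localhost:8080), the /login path, the form field names and the warning text are assumptions about the application under test.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: one functional sample plus an assertion on the response text. -->
<jmeterTestPlan version="1.2" properties="2.8" jmeter="2.13">
  <hashTree>
    <TestPlan guiclass="TestPlanGui" testclass="TestPlan" testname="Functional Test Plan" enabled="true">
      <!-- functional mode keeps full response data, so assertion failures show the page received -->
      <boolProp name="TestPlan.functional_mode">true</boolProp>
      <elementProp name="TestPlan.user_defined_variables" elementType="Arguments" guiclass="ArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
        <collectionProp name="Arguments.arguments"/>
      </elementProp>
    </TestPlan>
    <hashTree>
      <!-- one user, one iteration: a functional check, not a load test -->
      <ThreadGroup guiclass="ThreadGroupGui" testclass="ThreadGroup" testname="Login User" enabled="true">
        <stringProp name="ThreadGroup.on_sample_error">continue</stringProp>
        <elementProp name="ThreadGroup.main_controller" elementType="LoopController" guiclass="LoopControlPanel" testclass="LoopController" testname="Loop Controller" enabled="true">
          <boolProp name="LoopController.continue_forever">false</boolProp>
          <stringProp name="LoopController.loops">1</stringProp>
        </elementProp>
        <stringProp name="ThreadGroup.num_threads">1</stringProp>
        <stringProp name="ThreadGroup.ramp_time">1</stringProp>
      </ThreadGroup>
      <hashTree>
        <!-- form submission with a deliberately wrong password (assumed field names) -->
        <HTTPSamplerProxy guiclass="HttpTestSampleGui" testclass="HTTPSamplerProxy" testname="POST /login with invalid password" enabled="true">
          <elementProp name="HTTPsampler.Arguments" elementType="Arguments" guiclass="HTTPArgumentsPanel" testclass="Arguments" testname="User Defined Variables" enabled="true">
            <collectionProp name="Arguments.arguments">
              <elementProp name="username" elementType="HTTPArgument">
                <boolProp name="HTTPArgument.always_encode">true</boolProp>
                <stringProp name="Argument.name">username</stringProp>
                <stringProp name="Argument.value">testuser</stringProp>
                <stringProp name="Argument.metadata">=</stringProp>
              </elementProp>
              <elementProp name="password" elementType="HTTPArgument">
                <boolProp name="HTTPArgument.always_encode">true</boolProp>
                <stringProp name="Argument.name">password</stringProp>
                <stringProp name="Argument.value">wrong-password</stringProp>
                <stringProp name="Argument.metadata">=</stringProp>
              </elementProp>
            </collectionProp>
          </elementProp>
          <stringProp name="HTTPSampler.domain">localhost</stringProp>
          <stringProp name="HTTPSampler.port">8080</stringProp>
          <stringProp name="HTTPSampler.protocol">http</stringProp>
          <stringProp name="HTTPSampler.path">/login</stringProp>
          <stringProp name="HTTPSampler.method">POST</stringProp>
          <boolProp name="HTTPSampler.follow_redirects">true</boolProp>
        </HTTPSamplerProxy>
        <hashTree>
          <!-- the sample is marked failed unless the HTML body contains the expected warning -->
          <ResponseAssertion guiclass="AssertionGui" testclass="ResponseAssertion" testname="Expect invalid-password warning" enabled="true">
            <collectionProp name="Asserion.test_strings">
              <stringProp name="warning">Invalid username or password</stringProp>
            </collectionProp>
            <stringProp name="Assertion.test_field">Assertion.response_data</stringProp>
            <boolProp name="Assertion.assume_success">false</boolProp>
            <intProp name="Assertion.test_type">2</intProp> <!-- 2 = Contains -->
          </ResponseAssertion>
          <hashTree/>
        </hashTree>
      </hashTree>
    </hashTree>
  </hashTree>
</jmeterTestPlan>
```

A "Create Account" scenario is built the same way: a second sampler posting the registration form, with its own Response Assertion on the confirmation text (or on the validation warning when invalid data is submitted). Run it with jmeter -n -t plan.jmx -l results.jtl and check the assertion results in the View Results Tree listener.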
Hi,

ISTQB Software Testing Certification:
The global standard for certification of software testers.

ISTQB software testing certification offers your company advantages no other software testing certification can match:

ISTQB software testing certification is practical, so it complements the way you work. Theory is important, but we recognize that you have real-world software testing problems. That’s why ISTQB software testing certification is designed to demonstrate that you have the knowledge and skills needed for your everyday software testing challenges.

ISTQB software testing certification is global, so it can grow with you. Developed by more than 100 global software testing experts, offered in more than 30 countries, and with more than 110,000 certified software testers worldwide, ISTQB software testing certification is the most widely recognized and fastest-growing software tester certification in the world.

ISTQB software testing certification is credible, so others will respect your choice. We freely offer the ISTQB certification syllabi and software testing glossary, and let you choose your own education: a course from an accredited provider, in-house study groups or software testing seminars, or even self-study via software testing books and Web sites. ISTQB gives you the freedom and credibility of choice.

ISTQB software testing certification is trusted, so you’ll feel good about your choice both now and in the future. ISTQB is the world’s only not-for-profit organization dedicated solely to providing practical, globally-accepted software testing certification in more than 30 countries. You can trust ISTQB to give you and your company the latest, most practical, broadly accepted software testing certification in the world.

QAI:

QAI is the home of CSQA, CSTE and other certifications.

CSQA
The approach to CSQA is simple: make sure you understand all the topics given in the CBOK very clearly. First decide when you are going to write the exam.
Then set goals for yourself depending on the time available, like completing each Skill category in 10 days.
Get a copy of the CBOK as soon as possible, if you do not have it.
Prepare questions for yourself; make sure you are well versed with the quality vocabulary.
Also try to correlate the quality principles/concepts which you are studying to what you are doing/have to do in your current and future roles as a QA Professional.
If these steps are followed, getting CSQA certified should not be a problem.

I wish you all the best.

You can get more articles from Here.

Indu..




12 years ago
Hi,

Here is some explanation about the integration of QTP with Cruise.

There are different ways to integrate QTP and Cruise, but this is the one I first used with WinRunner. It does require another Mercury product, being Quality Center (or Test Director), and a little-publicized tool called TDTestSetRun, which you can get from Mercury's support site. This little executable allows you to call a test set from within Quality Center. Therefore you add all of the QTP tests you want to run into a test set in Quality Center (or you could do multiple and make multiple calls), then use TDTestSetRun to remotely invoke the test set. The trick is how to report back to Cruise that the tests failed (they will pass by default). To do this I used Ant to check for the existence of a file, and on each test in the Test Set created an on-error (via preferences) task to create the file, which it will do only if the test fails.

There are of course drawbacks to this approach (apart from the cost of the tools!), for example the test results are not communicated back to Cruise (only a pass/fail result). By using Quality Center's API you could get more information out if you wanted to. It will only run from a Windows PC and the TDTestSetRun application is very buggy. It gives very little and poor feedback if you make a mistake and seems to be very sensitive about the names of the folders and test sets. One tip, if you are having problems, is to make the test set appear at the top, so call it "automated tests", for example. Also I have found that using a space in the test set name and not in the folder name works.

Below is a sample build.xml file which demonstrates a call to TDTestSetRun and fails if a file exists.

<project name="Example" default="runtest" basedir=".">
<description>
simple example build file for calling QTP or Winrunner tests in Quality Center
</description>
<!-- set global properties for this build -->
<property name="TDRunTestDir" location="C:\TDTestSetRun"/>

<!-- remove any marker left by a previous run, otherwise an old failure would be reported again -->
<target name="init">
<delete file="${TDRunTestDir}\TestFailed.txt"/>
</target>

<target name="runtest" depends="init"
description="Run test set from Quality Center" >
<!-- invoke the Quality Center test set; the tool itself reports success regardless of test outcome -->
<!-- each switch is passed with value= so that names containing spaces stay a single argument -->
<exec executable="${TDRunTestDir}\TDRunTestSet.exe" output="${TDRunTestDir}\Result.txt">
<arg value="/s:http://qualitycenterserver/qcbin"/>
<arg value="/n:Domain"/>
<arg value="/d:Project Name"/>
<arg value="/u:username"/>
<arg value="/p:password"/>
<arg value="/t:Automated Tests"/>
<arg value="/f:Root\Folder\"/>
<arg value="/l"/> <!-- This option is to run the QTP tests locally. -->
</exec>
<!-- the on-error task inside each QTP test creates TestFailed.txt; its presence fails the build -->
<fail message="Tests Failed, see Quality Center for more information">
<condition>
<available file="${TDRunTestDir}\TestFailed.txt"/>
</condition>
</fail>
</target>

</project>

You can get more articles like this from Macrotesting Articles

Indu..

12 years ago
Hi,

Here are some of the applications to test GUIs.

Tuitest 0.1

Application Name : Tuitest 0.1
Description : tuitest is a tool to create and run automated tests of text user interfaces. It is meant as a complement to the widespread use of unit tests, and uses concepts known from GUI testing tools, with the difference that it applies them specifically to text- and terminal-based user interfaces. It consists of a recorder that records the interaction with an application under test and generates a Ruby script that replays the same interaction, optionally with the same timing. Ruby replaying is supported through a native Ruby module.

Open HMI Tester

Application Name : Open HMI Tester
Description : "Open HMI Tester" is a GUI Testing tool following an open architecture that describes a non-intrusive capture/replay tool based on GUI Events. It may be adapted to support different windowing systems and operating systems used in the testing environment.

You can get these applications from Macrotesting Applications. I think it will be very useful to you.


Indu

12 years ago