Friday, 7 July 2017

On the Last Three Months - My Conference Talk, Free Learning Resources and Learning Security Testing

Dear All, apologies for the lack of recent blogs.

It has been a hectic three months, but also a most rewarding and interesting one. I have condensed some of the most interesting events and activities below.

Quality Software Australia 2017 Conference

I had a talk proposal accepted and was thus invited to speak at Quality Software Australia 2017 in Melbourne, Australia. The talk, which was well attended and received, was on "Generating Random and Fake Test Data for Functional and Fuzz Testing" - you can find the slides here. A precursor to the talk was done the previous year at the Sydney Testers Meetup Group and repeated a month before the conference as an Avocado Consulting (my employer) Brown Bag lunch event.

As part of the demo for the talk above I created an Excel 2013 and above add-in to automatically populate fake user name, address, phone number and other data. This is available freely and can be found here.

While I have done a few talks before at Sydney Testers, this was my first conference talk and only the second testing conference I had ever attended. I didn't quite know what to expect from the organisers, other speakers and attendees, especially since I don't have a high profile as a tester. I needn't have worried. The organisers, led by Rajesh Mathur, along with the other speakers were extremely friendly and approachable and knew their stuff. The speakers were treated very well by the organising committee and I made many new acquaintances. I took great pleasure from speaking with attendees and from the great talks presented by people passionate about their subject.

All were great, but the highlights for me included the first day's keynote speaker Mike Lyles, whose talk "The Drive-Thru Is Not Always Faster" was a masterclass in energy, poise and preparation (despite the fact that he had arrived from a delayed trans-Pacific flight only a few hours before the keynote!), Smita Mishra's thought-provoking discussion "Debugging Diversity", David Bell's talk "The continuum of certificates and skills" and my Sydney Testers colleague Sunil Kumar on "The no-man's land of microservices & its testing". Sadly, due to work commitments, I was not able to attend the further day of seminars, something I would probably have greatly enjoyed.

The Quality Software Australia team is conducting a conference in Sydney, Australian Testing Days 2017, on the 30th October. If it is anything like the above and you happen to be in Sydney at that time, I would fully recommend it.

Free Learning Resources for Testers

On the 20th April, frustrated by the lack of a centralised, unbiased source of testing resources, and with the idea of setting up a free curriculum for new and improving testers, I created a GitHub project holding a library of links covering a wide range of testing articles, videos, blogs and podcasts, along with associated computer science and programming resources. At least 300 links have been added so far.

This was promoted on Twitter, LinkedIn and in the Lightning Talks section of QSA2017 (see above) and has been well visited, having been starred by 72 people and forked by 20, with six external contributions in total. The resources are frequently updated and extended, and the project is worth a visit.

Security and Penetration Testing

The university where I am a student, the University of New South Wales (UNSW), started a new and innovative CS lecture and lab-based course module on web security and pentesting. This being an area I was quite ignorant of, I signed up for it and studied it part time for about three months.

The course, based largely on the 2013 OWASP Top 10, covered areas such as:

Threat Modelling
Cross Site Scripting (XSS)
Authentication Bypass and Privilege Escalation
Shell and SQL Injection attacks
Directory Traversal
Social Engineering
Third Party Vulnerabilities (e.g. flaws in WordPress)

The main lecturers for the course were practitioners of security testing at Commonwealth Bank of Australia, Norman Yue and Abhijeth Dugginapeddi. As teachers go, I found them amazing, passionate and knowledgeable. I found the course a real pleasure despite being very challenging and hard work in places.

As part of the community contribution for the above, I created a tool for the automated execution and display of HTTP requests and responses, driven by a list of URLs and parameters in an Excel spreadsheet. This is freely available and can be found on my GitHub.
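To show the shape of such a request-runner, here is an added example that is not the author's Excel add-in: it reads the same kind of table (method, URL, parameters) exported as CSV text, builds each request with the standard library, and records the status and body length of each response in a table a tester can review. The CSV rows, the localhost URLs and the `fetch` hook (so the runner can be exercised without a network) are all constructed for this example.

```python
"""Constructed example: run HTTP requests described in a spreadsheet-style table.

This is not the author's Excel tool. It consumes CSV text (what a spreadsheet
would export) and uses only the Python standard library.
"""
import csv
import io
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Constructed sample table: one request per row, params in query-string form.
SAMPLE_CSV = """method,url,params
GET,http://localhost:8000/search,q=hello+world
POST,http://localhost:8000/login,user=alice&remember=1
"""

Fetcher = Callable[[urllib.request.Request], Tuple[int, bytes]]


@dataclass
class RequestRow:
    method: str
    url: str
    params: dict = field(default_factory=dict)


@dataclass
class ResponseRecord:
    method: str
    final_url: str
    status: Optional[int]
    body_length: int
    error: str = ""


def parse_rows(csv_text: str) -> list:
    """Turn the CSV table into RequestRow objects; 'params' is decoded as a query string."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        raw = (rec.get("params") or "").strip()
        params = dict(urllib.parse.parse_qsl(raw, keep_blank_values=True)) if raw else {}
        rows.append(RequestRow(rec["method"].strip().upper(), rec["url"].strip(), params))
    return rows


def build_request(row: RequestRow) -> urllib.request.Request:
    """GET parameters go in the query string; other methods send them as a form body."""
    encoded = urllib.parse.urlencode(row.params)
    if row.method == "GET":
        sep = "&" if urllib.parse.urlparse(row.url).query else "?"
        url = row.url + (sep + encoded if encoded else "")
        return urllib.request.Request(url, method="GET")
    return urllib.request.Request(
        row.url,
        data=encoded.encode("utf-8"),
        method=row.method,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def default_fetch(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real network fetch; HTTP error codes (4xx/5xx) are returned rather than raised."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def run_table(csv_text: str, fetch: Fetcher = default_fetch) -> list:
    """Execute every row and return one ResponseRecord per row, never aborting the batch."""
    records = []
    for row in parse_rows(csv_text):
        req = build_request(row)
        try:
            status, body = fetch(req)
            records.append(ResponseRecord(row.method, req.full_url, status, len(body)))
        except (urllib.error.URLError, OSError) as exc:
            # Connection failures are recorded in the table instead of stopping the run.
            records.append(ResponseRecord(row.method, req.full_url, None, 0, str(exc)))
    return records


def format_table(records: list) -> str:
    """Render the results as fixed-width text for display."""
    lines = ["METHOD  STATUS  LENGTH  URL"]
    for r in records:
        status = "ERR" if r.status is None else str(r.status)
        lines.append(f"{r.method:<7} {status:<7} {r.body_length:<7} {r.final_url} {r.error}".rstrip())
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(run_table(SAMPLE_CSV)))
```

Running the file as a script issues the requests for real; the sample URLs point at localhost and will simply be recorded as connection errors unless something is listening there. The `fetch` parameter exists so the same runner can be driven from a test or replay harness without touching the network.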

Penetration testing and security are seen as a niche area almost separate from the wider testing community: treated as an afterthought and done by a separate team near the end of the development lifecycle. However, with the critical risk posed by data breaches and numerous cyber attacks by state and non-state entities in recent years, the testing community cannot afford to be ignorant about web security. I believe it should be given the same attention and respect as, say, functional and performance testing, with security standards and prevention built into the requirements and design phases of the project, and with all of us (while not necessarily having the knowledge to be pentesters) aware of the kinds of attacks listed above and how to mitigate them.

In view of the above, I arranged for Abhijeth Dugginapeddi and Norman Yue to speak about web security testing at the Sydney Testers meetup at ThoughtWorks on 5th July. Their lively and most informative talk "Security for Non-Security Engineers", very much along the lines of the course above, was recorded and can be seen here. It is well worth watching.