How PENETRATION TESTING
techniques CAN HELP YOU IMPROVE
your QA skills
Marian HackMan Marinov
<mm@siteground.com>
Who am I?
❖ Chief System Architect of Siteground.com
❖ Sysadmin since 1996
❖ Organizer of OpenFest, BG Perl Workshops,
LUG-BG and similar :)
❖ Teaching Network Security and Linux System
Administration at Sofia University
☹☹☹☹☹☹
The QA position is underrated and heavily
undermined by the web industry
I really admire the work that QA people do!
Let's clear some stuff
❖ Black box testing
❖ Gray box testing
❖ White box testing
Pentesting what?
❖ Pentesting is actually QA testing :)
❖ The plans that pentesters prepare for
attacks are similar to the plans QA devise to
test the same software.
❖ The difference is the way the testing is
performed and what is evaluated.
The first part of the presentation
is about Black/Grey box testing,
simply because it shows some
very important differences
Pentester vs. QA
Pentesters start by gathering information
about the infrastructure and the software
QA people usually rely on
Devs, Documentation and
Requirements for the same info
Pentesters define the expected successful
result by running one real-life test and
writing down its result. Then every other
response is considered a failure
Every time a QA sees an error in the
logs of the app or the server,
she considers it a failure
Pentesters try to find the places that are
most likely to be vulnerable
(common flaws and bugs)
QAs try to test the whole application
Pentesters always look for a chain of events
that, if triggered, will give them access
(Design vulnerabilities)
QAs usually focus on the current layer
of the application and rely on the tests
of the next level to cover the whole
Pentesters try to use and abuse
unspecified behavior in functions, and for
that they try to generate all impossible inputs
QAs usually limit their tests to
a predefined set of inputs or
limited number of generated inputs
Every time a test fails,
pentesters expand the search
With QAs, every time a test fails,
they return the code to the Dev team
Pentesters have more time and they
are working on the LIVE environment
QAs do their tests on
mockup/staging environments
Pentesters use tools for
generating wordlists and dictionaries
QAs should start doing the same...
Sometimes pentesters get their hands on
binaries and they do try to reverse them,
to understand and break them
I'm yet to see a QA do some reversing...
❖ Decision table testing
❖ All-pairs testing
❖ Equivalence partitioning
❖ Boundary value analysis
❖ Cause–effect graph
❖ Error guessing
❖ State transition testing
❖ Use case testing
❖ User story testing
❖ Domain analysis
❖ Combining technique
Black/Gray box testing
Generally pentesters use more tools for
a single test than QAs.
They try to combine more than one
completely valid use case to construct
one test that will break the system.
And here is something from the book
Exploiting Software:
An attacker starts with breaking the
rules and undermining assumptions.
One of the key assumptions to test is
the "implicit trust" assumption.
Attackers will always break any rule
relating to when, where, and what is
"allowed"
Black/Gray box testing
If you want to broaden
your test case horizons...
I advise you to read
the specific techniques
outlined in "Exploiting Software"
❖ shell command injection
* argument injection
* command delimiters
* multiple parsers and double escapes
❖ Plumbing pipes, ports and permissions
❖ Exploiting the filesystem
* user-supplied variable passed to the filesystem calls
* postfix null terminator
* postfix null terminator and backslash
* relative path traversal
❖ Manipulating environment variables
❖ Leveraging poor session authentication
* Session ID, Resource ID and Blind trust
* Bruteforcing session IDs
* Multiple paths of authentication
* Failure to check error codes
Specific techniques
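The "Exploiting the filesystem" items above (a user-supplied variable passed to filesystem calls, a postfix null terminator, a null terminator plus backslash, relative path traversal) are exactly the "impossible inputs" from the earlier slide that a QA suite usually leaves out. The following added example, which is not part of the slides, generates those inputs and runs them through a naive path resolver and a hardened one; `DOC_ROOT`, the function names and the file names are constructed assumptions, and a POSIX host is assumed.

```python
import os

# Constructed document root for the example; a real test would use a temp dir fixture.
DOC_ROOT = "/srv/app/public"


class RejectedPath(ValueError):
    """Raised by the hardened resolver when a client-supplied path is not acceptable."""


def naive_resolve(user_path: str) -> str:
    """The "implicit trust" version: the client string goes straight into the
    filesystem call. os.path.join() even discards DOC_ROOT when user_path is absolute."""
    return os.path.join(DOC_ROOT, user_path)


def hardened_resolve(user_path: str) -> str:
    """Reject NUL and backslash, refuse absolute paths, normalise the result and
    require it to stay underneath DOC_ROOT."""
    if "\x00" in user_path:
        raise RejectedPath("embedded NUL byte")
    if "\\" in user_path:
        raise RejectedPath("backslash in path")
    if user_path.startswith("/"):
        raise RejectedPath("absolute path")
    full = os.path.normpath(os.path.join(DOC_ROOT, user_path))
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        raise RejectedPath("escapes document root: " + full)
    return full


def impossible_inputs(valid_name: str = "logo.png"):
    """Yield the one expected-success input first (the pentester's recorded
    baseline), then variants built from the filesystem techniques on the slide.
    Every file name here is constructed for the example."""
    yield valid_name
    for depth in range(1, 5):                      # relative path traversal
        up = "../" * depth
        yield up + "secrets/config.ini"
        yield up + valid_name
    for tail in ("\x00", "\x00.png", "\x00\\"):    # postfix NUL, NUL + backslash
        yield valid_name + tail
        yield "../config.ini" + tail
    for sep in ("\\", "..\\", "\\..\\"):           # backslash as a second separator
        yield sep + valid_name
    yield "/secrets/config.ini"                    # absolute path replaces the root
    yield "/" + valid_name


def classify(resolved: str):
    """Return a short description of what is wrong with a resolved path, or None."""
    if "\x00" in resolved:
        return "NUL survives: a C-level open() would truncate the name there"
    if "\\" in resolved:
        return "backslash survives: another parser may treat it as a separator"
    norm = os.path.normpath(resolved)
    if norm != DOC_ROOT and not norm.startswith(DOC_ROOT + "/"):
        return "escapes document root: " + norm
    return None


def audit(resolver) -> dict:
    """Run every generated input through `resolver`. Anything the resolver
    accepts is checked; the QA report is the list of (input, problem) pairs."""
    report = {"accepted": 0, "rejected": 0, "findings": []}
    for user_path in impossible_inputs():
        try:
            resolved = resolver(user_path)
        except RejectedPath:
            report["rejected"] += 1
            continue
        report["accepted"] += 1
        problem = classify(resolved)
        if problem is not None:
            report["findings"].append((user_path, problem))
    return report


if __name__ == "__main__":
    for name, resolver in (("naive", naive_resolve), ("hardened", hardened_resolve)):
        r = audit(resolver)
        print(f"{name}: accepted={r['accepted']} rejected={r['rejected']} "
              f"findings={len(r['findings'])}")
        for user_path, problem in r["findings"]:
            print("   ", repr(user_path), "->", problem)
```

Run against the naive resolver every generated input except the baseline becomes a finding; the hardened resolver rejects all of them and accepts only the baseline.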
❖ Every QA is doing exactly this
❖ But let's look at the differences
White box testing
❖ Pentesters do whitebox testing
* when they are testing opensource apps
* if they were given the code
❖ Pentesters usually try to find bugs in the
integration between the app they have the
source to and the app whose source they don't
❖ Pentesters check whether the software complies
with all the security guidelines for the specific
language or system
White box testing
❖ Pentesters use debuggers
* to inject code
* change memory
* even change the flow of the application
❖ Injecting code or otherwise influencing the
application is considered by many not possible.
* This is now a reality!
❖ Pentesters consider a bug in one layer as an
open door for your whole app
White box testing
❖ Code coverage
* Control flow testing
* Data flow testing
* Branch testing
* Statement coverage
* Decision coverage
* Modified condition/decision coverage
* Prime path testing
* Path testing
White box testing
QA
❖ Code static analysis
❖ Analysis of
* memory states, finding possible entry
points for malicious code
* interaction between different parts of
the software (exchanging data between
APIs and Frameworks)
❖ Forcing race conditions, filling buffers
and then examining the performance of
the app and its memory structures
White box testing
QA
❖ In order to be able to build more
extensive tests, you have to be aware of
the possible issues that may happen
with:
- your software
- the language(s) that you are using
- the infrastructure that is hosting your
applications
Finally!
We are hiring!
THANK YOU
Marian HackMan Marinov
<mm@siteground.com>
Related books

 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
Challenges with high density networks
Challenges with high density networksChallenges with high density networks
Challenges with high density networks
 
SiteGround building automation
SiteGround building automationSiteGround building automation
SiteGround building automation
 
Preventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel trackingPreventing cpu side channel attacks with kernel tracking
Preventing cpu side channel attacks with kernel tracking
 
Managing a lot of servers
Managing a lot of serversManaging a lot of servers
Managing a lot of servers
 
Let's Encrypt failures
Let's Encrypt failuresLet's Encrypt failures
Let's Encrypt failures
 

Kürzlich hochgeladen

ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxAreebaZafar22
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxVishalSingh1417
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxDenish Jangid
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701bronxfugly43
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...Nguyen Thanh Tu Collection
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.MaryamAhmad92
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.christianmathematics
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxNikitaBankoti2
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxheathfieldcps1
 

Kürzlich hochgeladen (20)

ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701ComPTIA Overview | Comptia Security+ Book SY0-701
ComPTIA Overview | Comptia Security+ Book SY0-701
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
The basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptxThe basics of sentences session 3pptx.pptx
The basics of sentences session 3pptx.pptx
 

How penetration testing techniques can help you improve your QA skills

  • 1. How PENETRATION TESTING techniques CAN HELP YOU IMPROVE your QA skills. Marian HackMan Marinov <mm@siteground.com>
  • 2. Who am I?
    ❖ Chief System Architect of Siteground.com
    ❖ Sysadmin since 1996
    ❖ Organizer of OpenFest, BG Perl Workshops, LUG-BG and similar :)
    ❖ Teaching Network Security and Linux System Administration at Sofia University
  • 3. ☹☹☹☹☹☹ The QA position is underrated and heavily undermined by the web industry.
  • 4. ☹☹☹☹☹☹ The QA position is underrated and heavily undermined by the web industry. I really admire the work that QA people do!
  • 5. Let's clear some stuff
    ❖ Black box testing
    ❖ Gray box testing
    ❖ White box testing
  • 6. Pentesting what?
    ❖ Pentesting is actually QA testing :)
    ❖ The plans that pentesters prepare for attacks are similar to the plans QA devise to test the same software.
    ❖ The difference is the way the testing is performed and what is evaluated during testing.
  • 7. The first part of the presentation will be about Black/Grey box testing, simply because it shows some very important differences.
  • 9. Pentesters start by gathering information about the infrastructure and the software. QA guys usually rely on Devs, Documentation and Requirements for the same info.
  • 10. Pentesters define the expected successful result by running one real-life test and writing down its result. Then every other response is considered a failure. Every time a QA sees an error in the logs of the app or the server, she considers it a failure.
  • 11. Pentesters try to find the places that are most likely to be vulnerable (common flaws and bugs). QAs try to test the whole application.
  • 12. Pentesters always look for a chain of events that, if triggered, will give them access (design vulnerabilities). QAs usually focus on the current layer of the application and rely on the tests of the next level to cover the whole.
  • 13. Pentesters try to use and abuse unspecified behavior in functions, and for that they try to generate all impossible inputs. QAs usually limit their tests to a predefined set of inputs or a limited number of generated inputs.
  • 14. Every time a test fails, pentesters expand the search. With QAs, every time a test fails, they return the code to the Dev team.
  • 15. Pentesters have more time and they are working on the LIVE environment. QAs do their tests on mockup/staging environments.
  • 16. Pentesters use tools for generating wordlists and dictionaries. QAs should start doing the same...
  • 17. Sometimes pentesters get their hands on binaries and they do try to reverse them, to understand and break them. I'm yet to see a QA do some reversing...
  • 18. Black/Gray box testing
    ❖ Decision table testing
    ❖ All-pairs testing
    ❖ Equivalence partitioning
    ❖ Boundary value analysis
    ❖ Cause–effect graph
    ❖ Error guessing
    ❖ State transition testing
    ❖ Use case testing
    ❖ User story testing
    ❖ Domain analysis
    ❖ Combining techniques
  • 19. Generally pentesters use more tools for a single test than QAs. They try to combine more than one completely valid use case to construct one test that will break the system.
  • 20. Black/Gray box testing. And here is something from the book Exploiting Software: An attacker starts with breaking the rules and undermining assumptions. One of the key assumptions to test is the "implicit trust" assumption. Attackers will always break any rule relating to when, where, and what is "allowed".
  • 21. If you want to broaden your test case horizons... I advise you to read the specific techniques outlined in "Exploiting Software".
  • 22. Specific techniques
    ❖ Shell command injection
      * argument injection
      * command delimiters
      * multiple parsers and double escapes
    ❖ Plumbing pipes, ports and permissions
    ❖ Exploiting the filesystem
      * user-supplied variable passed to the filesystem calls
      * postfix null terminator
      * postfix null terminator and backslash
      * relative path traversal
    ❖ Manipulating environment variables
    ❖ Leveraging poor session authentication
      * Session ID, Resource ID and blind trust
      * Bruteforcing session IDs
      * Multiple paths of authentication
      * Failure to check error codes
  • 23. White box testing
    ❖ Every QA is doing exactly this
  • 24. White box testing
    ❖ Every QA is doing exactly this
    ❖ But let's look at the differences
  • 25. White box testing
    ❖ Pentesters do whitebox testing
      * when they are testing opensource apps
      * if they were given the code
    ❖ Pentesters usually try to find bugs in the integration between the app they have the source to and the app whose source they don't
    ❖ Pentesters check whether the software complies with all the security guidelines for the specific language or system
  • 26. White box testing
    ❖ Pentesters use debuggers
      * to inject code
      * change memory
      * even change the flow of the application
    ❖ Injecting code or otherwise influencing the application is considered by many not possible.
      * This is now a reality!
    ❖ Pentesters consider a bug in one layer as an open door for your whole app
  • 27. White box testing (QA)
    ❖ Code coverage
      * Control flow testing
      * Data flow testing
      * Branch testing
      * Statement coverage
      * Decision coverage
      * Modified condition/decision coverage
      * Prime path testing
      * Path testing
  • 28. White box testing (QA)
    ❖ Code static analysis
    ❖ Analysis of
      * memory states, finding possible entry points for malicious code
      * interaction between different parts of the software (exchanging data between APIs and frameworks)
    ❖ Forcing race conditions, filling buffers and then examining the performance of the app and its memory structures
  • 29. Finally!
    ❖ In order to be able to build more extensive tests, you have to be aware of the possible issues that may happen with:
      - your software
      - the language(s) that you are using
      - the infrastructure that is hosting your applications
  • 30. We are hiring! THANK YOU. Marian HackMan Marinov <mm@siteground.com>
  • 31. Related books. Marian HackMan Marinov <mm@siteground.com>
  • 32. We are hiring! THANK YOU. Marian HackMan Marinov <mm@siteground.com>