Ruby on Rails Security Vulnerability Throws Apps Off Track

Over the past several years, the web development community has been enthralled with Ruby on Rails. The combination of the Ruby language with the Rails framework has proven extremely powerful, and many of the web’s top sites are built using the two technologies. For example, sites like Twitter, 500px, Groupon and more were all built with Ruby on Rails as their framework. Both new and veteran developers have adopted the platform because of its ease of use, rich library of components, and outstanding tools.

Late last month, the gleam of Ruby on Rails dulled considerably as a new class of security attacks emerged targeting the framework. Like many security vulnerabilities, the attacks started out as academic exercises that were quickly spun into automated attack bots designed to knock over Rails servers en masse.

Today, anyone who runs a Ruby on Rails server who hasn’t applied an update is probably already compromised. Think that’s overstating things a bit? Patrick McKenzie sounds the alarm loudly in his blog post titled What The Rails Security Issue Means For Your Startup:

It is imperative that you understand that all Rails applications will eventually be targeted by this and similar attacks, and any vulnerable applications will be owned, regardless of absence of these risk factors.

Still think that’s overstating things?

Essential Guide to Mobile App Testing

8 Tips For Becoming a Dedicated Tester

Our old friend James Bach recently fielded a question on his blog from a new tester seeking advice on what her daily routine should include so that she can grow in her new field. James seems impressed by the new tester’s discipline (she did willingly ask for daily testing “homework,” after all) and dedication to the craft. He outlined five tasks he believes every tester should practice on a daily basis; here’s a quick summary of his tips:

Write every day
Whenever I find myself with a few moments, I make notes of my thoughts about testing and technical life.

Watch yourself think every day
While you are working, notice how you think. Notice where your ideas come from. Try to trace your thoughts.

Question something about how you work every day
Testers question things, of course. That’s what testing is. But too few testers question how they work. Too few testers question why testing is the way it is.

Explain testing every day
Even if no one makes you explain your methodology, you can explain it to yourself.

I like these tips because they aren’t the typical recommendations you run across, like “test whenever you can,” “read an array of testing books” and “be open-minded when it comes to techniques.” Those are great tips too, just nothing special. Of course, James didn’t just give one-sentence explanations for each of his pointers, so take a few minutes and read his complete blog post to get the full impact of these smart tips.

And as a little extra, here are a couple more tips James’ readers left in the comments section.


Why Security Testing Is So Important

You can do just about anything online these days, so much so that it feels like an inconvenience if you can’t complete a task online. But some things are just best left the old-fashioned way.

Take, for example, the act of voting. I’m not talking about voting for American Idol (which you actually can do online now); I’m talking about voting in a major, official election. While paper absentee ballots may seem outdated, voting has proved too fragile and tamper-tempting to be shifted online. We wouldn’t know that, though, without some good, solid security testing.

A few years ago an e-voting system was created for Washington, D.C., and in 2010 its developers reached out to security testing experts to put the system through its paces. It failed miserably. The story is surfacing again now because the processes and results of the testing were recently officially published. The testers didn’t find some exceptionally complicated flaw only detectable with a lot of out-of-the-box thinking; they were able to completely infiltrate and manipulate the program. Here’s The H with some details:

“Within 48 hours of the system going live, we had gained near complete control of the election server”, the researchers wrote in a paper that has now been released. “We successfully changed every vote and revealed almost every secret ballot.” The hack was only discovered after about two business days – and most likely only because the intruders left a visible trail on purpose. …

The security experts investigated common vulnerable points such as login fields, the virtual ballots’ content and file names, and session cookies – and found several exploitable weaknesses. Even the Linux kernel used in the project proved to have a well known vulnerability. They were also able to use the PDFs generated by the system to trick the encryption mechanism, while unsecured surveillance cameras provided additional insights into the infrastructure. While the open source nature of the code made their work somewhat easier, they believe that attackers would have been able to make quick headway even if the system had been proprietary.


7 Tips for Stellar Test Management

We all know what happens when you rush through testing and push a new product out to market too early (hint: crashing and burning comes to mind). In the spirit of not releasing software with major security flaws, functional defects or usability missteps, Traq Software has highlighted “7 Important Principles for Test Management.” Full disclosure: Traq Software sells QA management software, but the tips are good to keep in mind nonetheless. (Numbers 4 and 5 are my favorites!)

1. Make sure you have a repeatable process. A good process helps you see where you are and where you are going.

2. Don’t cut corners prior to a release. When the delivery date is getting closer there is, naturally, a tendency to want to skip some low priority test management tasks. In doing so you hope to get the product out on time. Resist this temptation.

3. Know the metrics. Defect find rates, cases executed and lines of code changed. All these metrics help you argue the case for why the product may, or may not, be ready for release.

4. Listen to the testers. Software testers are your project’s headlights. They light the road at night and help you read the map. They are trying to help you get to your destination in the shortest amount of time. Ignore their advice and you can be sure you’ll end up taking the longest route to your destination.

5. Employ a good QA manager. The QA manager is like the pilot of the plane guiding the product to touch down. … good QA manager has an eye for balancing the demands of time, quality and features. He or she is worth listening to carefully.

6. Get the customer involved. The sooner your customer starts giving you feedback the sooner you can correct issues.


Announcing the 2011 uTester of the Year Awards

Today, we’re thrilled to announce the results of our third annual uTester of the Year Awards. Every year, we recognize uTesters who have consistently gone above and beyond their call of duty in their participation with uTest projects. This year’s winners were selected by our community and project management teams, who have had the privilege of working closely with such an extremely talented community of professional testers. From test automation to test team lead, these winners are truly experts in a variety of testing domains. The level of talent continues to impress, with each year’s accolades becoming more and more difficult to attain (and judge). So without further ado, let’s meet our 2011 winners!

Top honor for the 2011 award goes to David Honeyball from the United Kingdom!

David joined uTest in June of 2009. Since joining us, David has become a Gold rated tester in Functional, Load and Localization testing, as well as having achieved the Silver rating in both Usability and Security testing. David also became our Top Test Team Lead in 2011, successfully leading nearly 200 projects alongside uTest project managers. David had this to say about his experience with uTest during the past year:

I joined uTest back in the summer of 2009 and have to say I have never looked back. What started out as something extra in my spare time has taken up more and more of my time in a good way and has increased my confidence as a tester to levels I never thought possible. I have been a tester for nearly 15 years but can safely say that every day with uTest is a new experience and a new challenge.

I have met so many wonderful people including other testers, CMs, PMs and customers who are all committed to achieving their goals and creating a wonderful service. They have guided me and helped me in the last year and increased my communication skills as well.

TTL (Test Team Lead) Experience:

2011 has been a big success for me personally, as it has for uTest in regards to growth and development, in many ways due to my journey from tester to TTL. I started out as a TTL early in the year and felt at the time that it was a great way forward and would be of huge assistance and help to customers. Since then I have been involved in something nearing 100 cycles as TTL, but that could be more now! I enjoy the TTL role immensely as I get to speak to the PMs and testers and help out others who are stuck. I hope if you have worked with me that you know that I take that side of things very seriously. One of the great rewards is helping someone who is stuck to complete a test case or test, for example. Above all, I believe that with my experience I am a very fair TTL and have the best interests of customers and testers close at heart.

As time goes on I hope to grow more and more into this role and improve further as there is still so much to learn.

Special Projects

Apart from testing and TTL work, which does take up some time as you can imagine, I also help with test case writing for certain PMs, which I enjoy and get value from. I was also heavily involved in the startup of the test case conversion to uTest, which is the new system we see today. This side of things, linked in with my testing and other roles, forms a vital component of what I do as well, and I hope it adds value to the company as a whole.

So, just want to say a huge thanks to everyone involved with uTest for the opportunity and long may we continue to grow together and become invaluable to customers across the globe…

The complete list of winners is shown below:
