Thursday, 5 March 2015

An Approach to Test Reporting

Dear Readers,
Formulated and shared here is a *template which can be used to prepare a Test Report.
*template - modifiable based on the context it is put to use in.

A sample Test Report created using the above template is shared below.

My thoughts on this approach to test reporting:
  • It brought clarity to what I performed during the test preparation and test execution phase.
  • Helped me capture the testing activities, inclusive of test environment, testing scope and out of scope, test deliverables, the risks and mitigation, tools used, systems tested and teams involved.
  • In the context of its first use, found it to be hassle-free when compared to a standard template introduced earlier.
  • Values the effort rather than providing a count of the test ideas and the reported bugs.
--------------------------------------------------------------------------------------------------------------
Readers,
With an intent to learn from you all, I have prepared this questionnaire. Please do take the time to answer it.
  • Would this approach to test reporting appeal to you, your client, the business and everyone involved?
  • Would you use this approach to test reporting to address any (one) of its consumers?
  • Would you personally detest or embrace this approach to test reporting?
  • Would you change anything in this template if you learn that this report will be audited?
  • Does adding any missing elements and removing an existing element from this template help?
Mention the context when phrasing your answers to the above questions. Do share your thoughts once you have actually tried and implemented it for a domain / system you are working on.

Wednesday, 4 March 2015

InfoSec Workshop @hasgeek

Venue - HasGeek
Date - 17th January 2015


Apoorva Giri and Shruthi Kamath, two information security enthusiasts, conducted a workshop on Web Application Security and Network Security at the HasGeek house recently.

It was a women-only event held as an initiative to introduce more women to the InfoSec arena. This event was held in association with HasGeek, at the HasGeek house, Bengaluru.

The workshop covered the basics of Web App Security and Network Security. The participants worked through the hands-on session alongside the instructors, Apoorva and Shruthi.

Normally the webinars and talks that I had attended earlier dived right into hacking: ransacking a web app and putting the network team to shame in public by showcasing the vulnerabilities. The experience at this workshop was refreshingly different.
And how?
The organizers guided the participants in the following activities:
→ downloading and installing Kali Linux and Metasploitable on Oracle VM VirtualBox
→ troubleshooting issues encountered when installing the above software on different operating systems.

This in itself was an enriching experience for the participants, who had come from different backgrounds. The participants ranged from newbies and learners with a technical background to software engineers, managers, hackers and a few business owners with no technical background.

The participants were introduced to a plethora of topics in a day's workshop. The presentation covered the topics listed below:
  1. OWASP top ten project
  2. Nmap Network Scanning Tool
  3. Metasploit Framework
  4. Hacking challenges for the participants at the end of the workshop

Other topics which were spoken about at this workshop were:
  • Getting started in InfoSec, the educational qualifications required for a career and the different career options.
  • The importance of having such women-centric events and the need for them.
  • The need to be safe online.
  • Short descriptions of the different job roles - Computer Forensics Investigator, Malware Analyst, Security Researcher, Security Auditor, Exploit Developer, Secure Developer, CISO.


Statistics on Women in InfoSec - It was interesting to learn first hand from both presenters about the growth curve we have seen in the recent past of women entering the InfoSec arena, and the audience attendance at the HasGeek event was a reflection of this slow but steady growth.

In the technical session, the participants were introduced to important concepts of Network Security using Nmap as a tool. This learning session was followed by a practical demo of the Metasploit Framework to exploit a vulnerable system.

The second half of the workshop covered the OWASP Top Ten web vulnerabilities.
The participants used a vulnerable test application for hands-on practice.

The workshop ended with the participants putting their web app security knowledge to use by solving small hacking challenges. The participants enthusiastically went on to solve the exercises presented to them. Solving each challenge, and being cheered for every solution, helped the participants to proceed with vigour.
Acknowledgements to the host and co-founder of HasGeek, Zainab Bawa, for hosting us all with good cheer, and to the InfoSec girls Apoorva and Shruthi for conducting the workshop, which helped the participants take a step forward in the direction of learning about software security.

HasGeek Hasjob
HasGeek has a job board of its own, Hasjob - look out for openings that suit your requirements and match those of the recruiter's here.


HasGeek house provides space for hackathon events, hosts presenters and creates discussion spaces for geeks. To know more about HasGeek, follow them on Twitter.

Their Twitter handle is @HasGeek.
Tweets by @jackerhack, @zainabbawa and the crew.

Links to the photos taken at the event

About the presenters

Apoorva Giri

Apoorva works as a Security Analyst with iViZ Security (a Cigital company). She has presented a workshop on "Cyber Security and Ethical Hacking for Women" at c0c0n 2014 at Kochi, Kerala. Her interests lie in Web Application Security and Mobile Security. She's an active member of the null/OWASP Bangalore Chapter. She has been listed on the Barracuda Hall of Fame for finding vulnerabilities in their application. During her free time, she likes to catch up on her reading and travel to new places.

Shruthi Kamath

Shruthi works as a Security Analyst at Infosys. She is a Certified Ethical Hacker from EC-Council. She has presented a workshop on "Cyber Security and Ethical Hacking for Women" at c0c0n 2014. She has conducted a one-day workshop on "OWASP TOP 10" at the null Bangalore chapter. She has presented a paper titled "Secure SDLC" at c0c0n 2013. She has participated in Jailbreak at NULLCON 2014. She presented a talk on "Cyber Crimes in India and its Mitigation" at the National Conference for Women Police held at Trivandrum. She's an active member of the null/OWASP Bangalore Chapter. Her area of interest is Web Application Security.
Contact the InfoSec girls for a workshop
Apoorva Giri is @cedricfanapoo on Twitter
Shruthi Kamath is @ShruthiKamath30 on Twitter
You can also visit their website https://infosecgirls.in

Sunday, 1 March 2015

Enriching Employee Experience

In the recent past, I was in a conversation with a colleague whose work in progress is building a portal for employee experience. I lost sleep over the ideas which were gushing to me, and over personal experiences of how modern employee experience solutions had failed me and my colleagues in the earlier assignments that we were a part of.
Here, I have penned down a few pointers which can enrich employee experience - if implemented.


ENGAGE - your audience actively.

  • Having a portal is one thing. Getting the employees to actively engage and utilize it is what makes all the effort worth it.
  • Having a banner posted on every wall can attract the users. But does it also engage all the users?
Here's what we can do:

a) Build a survey to learn to build a survey! Yes.
  • Encourage teams across the organization to build surveys. Gather ideas for organization-level surveys using the surveys conducted at the team level as a base.
  • Actual concerns and applauded areas can come out during the team-level survey. Use this and build upon it.
  • Keep it confidential, for the right reasons.
  • Mull over the thoughts of your employees and then generate a survey which can really help the organization gather ideas to enrich their experience.

b) Have a Q and A session arranged between the employer and the employee.

  • Regularly.
  • Read this Q and A.
  • Review the systemic errors and build upon them.
c) Have a discussion forum.
  • Embed elements into the system to engage the employee. A simple and effective way of engaging the employee could be: "Was this helpful? Would you like to add to this?" with a comment / message box to gather inputs and feedback from the employee.
  • Provide opportunities for them to express joy, gratitude and concern about the pressing issues faced by employees at all levels.
d) Appoint leaders
  • Who will actually read these surveys, make sense of them and work on the concerns expressed.
  • Dear Leaders (within the closed doors) - Your employees witness the closed room being aired once in a while when the appointed chief 'visits' it. Come out yourself and talk; that's one way to engage your employees. If you are later going to evaluate them, then start by gathering the points on which you will base your praise and critique. Use these engagements to make room for ideas and opportunities, and to fill the empty talks with as much sense as possible.


TRANSPARENCY - in true sense


Organizations that consist of a permanent and a contract workforce need to reach both categories. Being a witness to and a victim of step-motherly treatment at such organizations had turned me into a rebel in that context. Personally, I refuse to attend meetings which reserve seats based on such discrimination.

Plus - Organizations pay and provide additional benefits to the contract workforce.
Minus - But they keep them away from meetings which celebrate and critique the work done.
What is it that we are trying to achieve by using this strategy?

It is wise to:
  • Not disclose confidential matters specific to the organization during such meetings.
  • Invite all of your workforce who have contributed to the project, without bias, to: i) gather inputs and feedback from the team as a whole and ii) applaud and accommodate the changes suggested.
Management which fails to be transparent can lose the trust of the employees, and vice versa. Despite the consequences, I personally would skip meetings which are not impartial to all the contributors.


REACH - everyone

  • Having engaged with and been transparent to the employees is what meets the requirements.
  • If the aim is to exceed the expectations of the employees, then the policies and the standards set by and within the organization need to reach the true audience.
Any organization which has every role filled and responsibilities assigned but lacks lustre in its outreach is agonizing to the workforce.
Case - A parent who wishes to go on parental leave, or an employee who wishes to report discomfort, but has no access to the benefits because they worked away from the office during that period or were on a contract mode of employment with no access to the links, can cripple the system.
Solved - Base the solution on the context - Open the ports when and wherever it is required. Block if there is suspicious activity.

Concluding thoughts

  • Workplaces with policies for the benefit of employees are just not enough. When the time comes for actual implementation - it has to perform.
  • Having a strict policy and an impartial, transparent system but lacking in outreach can fail all those who are involved. Rather than fail the employee during a performance review - try not to fail yourself as an organization.
  • Don't yet try to sign off a product / template built to serve the employee. For example: a template created in 2009 has little bearing in 2015.
  • Having a purpose to what we do is what helps simplify the (software) solution. Without a purpose and vision, try not to start new projects simply to fill in roles without effective responsibilities assigned to them.

'Be kinetic and have a kaizen mindset when building solutions'