So just last week there was another phenomenal Ministry of Testing event: TestBash 2016, and what a great event it was. Unfortunately I wasn’t able to attend the workshops day (next time Gadget; next time!) but the main conference day truly was spectacular.
I absolutely love that feeling of walking into the main bar area before the event starts and seeing wall-to-wall testers and people I’ve not seen for months wandering over to say hi and have a quick catch-up over a coffee. If there’s one thing I regret at this point it’s that our B&B only allow breakfast from 8am which means no Lean Coffee with people and not enough “catch up” time before the event.
So after a nice catch-up with people we’re ushered into the main auditorium for the festivities to begin. The main man TutuBoss Vern is in front of the stage fending off a bazillion hellos and psyching himself up to be the voice of TestBash 2016; our very own compère. A quick hello, hug and good luck to him and off to find seats we go.
Then we’re off!
So on with the show.
Talk 1 – Emma Armstrong & Lisa Crispin – “Building the right thing”
On the stage are Emma Armstrong and Lisa Crispin to talk about “Building the right thing”, and I have a sneaking suspicion that this talk might be the reason everyone has been given a piece of A4 paper. The talk starts with a challenge: “Build something that flies through the air within 2 minutes”, and my gut is to scrunch the paper up and throw it – Minimum Viable Product! My brain though has other ideas; my brain remembers a plane design I created in school that won a distance contest, and it’s definitely achievable within 2 minutes, so I build it with time to spare; accomplishment!
The talk is then about the fact that, across multiple facets of a team, there’s often a disconnect between what the business *say* they want, what they *really* want and what’s *actually* delivered, and as testers we’re ideally suited to help piece together all of the disparate parts of the project so that we ALL know what the plan should likely be. We can be information facilitators to create a shared understanding of the end product expected by the client.
The talk perfectly verbalised the reason why one of my recent projects went 100% smoothly from inception to delivery with minimal overspend and only a few days beyond the deadline (solely due to internal IT resource limitations). It’s definitely an approach I like to take where possible and something I’ll push for more often, especially now I can verbalise it.
Talk 2 – Dan Billing – “Testing or Hacking? Effective Security Testing Strategies”
This talk I’ve been looking forward to for ages. I’ve met Dan on several occasions, seen some short talks, and his knowledge of security testing is fantastic, so to listen to a solid talk on the subject is great for me.
Dan’s advice on getting to know your system under test (your “stack”) is logical but sadly not done enough in testing. From my perspective it’s about the length of the projects I work on: in reality I’d spend a good few days getting to know the environment and how to best use/abuse it, but when the total time on a project is a couple of weeks tops that’s far too much overhead. I think to a certain extent a “cookie cutter” approach would be the only viable option on such short contracts, *if* security testing was allowed and within the project scope.
Like systems, armadillos are armoured on the outside to fend off attacks. Predators though have become more savvy and understand that the only attack possible is on the soft underbelly, so predators (hackers) have adapted accordingly.
Dan goes on to describe his “Model” for security testing. Great stuff!
- SCAN – Use Zed Attack Proxy (ZAP), Burp Suite, etc.
- VERIFY or CHALLENGE your scan results. Do they warrant further investigation?
- EXPLORE the verified security holes to see how they can be exploited.
- GO TO 1
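As an added illustration of the VERIFY/CHALLENGE step in Dan’s loop (my own example, not code from the talk): a small triage script that takes a scanner report and turns it into an ordered queue of findings to reproduce by hand before anyone explores them further. The report is a constructed sample that assumes the shape of a ZAP JSON export (`site[]` → `alerts[]` with string `riskcode`/`confidence` values 0–3); the host and alert details are made up.

```python
import json

# Constructed sample in the shape of a ZAP JSON report (assumed layout:
# "site"[] -> "alerts"[], with "riskcode" and "confidence" as strings 0-3).
SAMPLE_REPORT = json.dumps({"site": [{"@name": "https://app.example.test", "alerts": [
    {"name": "SQL Injection", "riskcode": "3", "confidence": "2", "cweid": "89",
     "instances": [{"uri": "https://app.example.test/search", "method": "GET", "param": "q"}]},
    {"name": "Cross Site Scripting (Reflected)", "riskcode": "3", "confidence": "1", "cweid": "79",
     "instances": [{"uri": "https://app.example.test/profile", "method": "POST", "param": "name"}]},
    {"name": "X-Content-Type-Options Header Missing", "riskcode": "1", "confidence": "2", "cweid": "693",
     "instances": [{"uri": "https://app.example.test/", "method": "GET", "param": ""}]},
    {"name": "Timestamp Disclosure", "riskcode": "0", "confidence": "1", "cweid": "200",
     "instances": [{"uri": "https://app.example.test/js/app.js", "method": "GET", "param": ""}]},
]}]})

RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High"}


def triage(report_json: str, min_risk: int = 1) -> list:
    """VERIFY step: turn raw scanner alerts into an ordered verification queue.

    Alerts the scanner itself marked as false positives (confidence 0) and
    alerts below min_risk are dropped. The rest are ordered by risk, then by
    confidence, so the findings most likely to be both real and damaging get
    reproduced first; low-confidence hits are flagged to be challenged before
    anyone spends exploration time on them.
    """
    queue = []
    for site in json.loads(report_json)["site"]:
        for alert in site["alerts"]:
            risk, conf = int(alert["riskcode"]), int(alert["confidence"])
            if conf == 0 or risk < min_risk:
                continue
            queue.append({
                "name": alert["name"],
                "risk": RISK[risk], "risk_level": risk,
                "confidence": CONFIDENCE[conf], "confidence_level": conf,
                "cwe": alert.get("cweid", ""),
                "instances": len(alert["instances"]),
                "challenge": conf <= 1,  # likely noise: reproduce by hand first
            })
    queue.sort(key=lambda a: (-a["risk_level"], -a["confidence_level"]))
    return queue


if __name__ == "__main__":
    for item in triage(SAMPLE_REPORT):
        print(f'{item["risk"]:<13} {item["confidence"]:<6} challenge={item["challenge"]}  {item["name"]}')
```

Anything that survives the queue and is confirmed by hand is what goes into the bug report; anything that does not is noise the scanner generated, which is exactly the distinction the VERIFY step exists to make.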
Bug advocacy plays a HUGE role in security testing. Product sponsors often don’t pay attention to the impact a specific issue could have on a system, so it’s best to boil it down to specific, financially-related risks or consequences to get the message across.
Great stuff from Dan, and I’m itching to start investigating the capabilities of ZAP, Burp Suite and BugMagnet more now.
Coffee break time!
… Continued in TestBash 2016 (part 2)