Archive for June, 2010

Cleaning up my feeds

June 25, 2010

Over time, I’ve accumulated quite a lot of feeds in my Google Reader. Some feeds haven’t released anything new in ages; some release content that I only tend to mark as read, which makes me wonder why I subscribed to them in the first place; and of course, there are some that I still continue to be keen on.

Sometimes I feel this compulsive need to declutter, and so I went right ahead and unsubscribed from ALL of my feeds (I backed them up before unsubscribing), and have begun the process of adding stuff back in. So far, I’ve re-subscribed to the blogs of friends, to feeds of web comics I enjoy reading (Dilbert, xkcd, Savage Chickens, etc.), and to a couple of Google Alerts. (But, of course, I re-added only the ones I still want to follow, which is kind of the point of decluttering :p)

As for the testing-related feeds, it just so happens that the Software Testing Club had just revamped their testing feeds website. I was wondering why I couldn’t access the page early the other day and couldn’t retrieve any web clips from it through the RSS reader on my Google Desktop either. It was back up when I went online after work, and just in time for my decluttering thing.

I referred to the 20 or so most recent posts in their Bloggers feed and (re)subscribed to those that I particularly liked. I figure I’ll just subscribe to the rest as I find them in the Bloggers feed. My recent (re)additions were:

  • Agile Testing with Lisa Crispin (http://lisacrispin.com/wordpress/)
  • All Things Quality (http://strazzere.blogspot.com) – This one’s actually by one of the first testing bloggers I subscribed to.
  • Quick Testing Tips (http://www.quicktestingtips.com/tips/) – This reminded me of Daily Testing Tips, so I added that right away even though there wasn’t any feed from it yet, lest I forget.
  • Test Side Story (http://testsidestory.wordpress.com/) – I was lured in by his post on perverse incentives.
  • Testy Redhead (http://blog.testyredhead.com/)
  • Thoughts from the test eye (http://thetesteye.com/blog/)
Categories: reads

WTANZ04: Jarlsberg

June 14, 2010

Last Sunday afternoon, for the WTANZ session, we were asked to go through http://jarlsberg.appspot.com/part1 at our own pace and then trade notes afterwards. The site, through Jarlsberg (/yärlz’·bərg/), which is this cheesy app with known vulnerabilities, aims to show how to attack an app using common web vulnerabilities. In hindsight, part1 was only up to familiarizing yourself with Jarlsberg, but most of us (I think) went on to the XSS topics. I think one or two even made it up to the next part on elevation of privilege.

Back where I used to work, some workmates and I used to tinker and find some bugs in the internal apps. We used to find that the HTML we entered in some input field was rendered rather than escaped. And occasionally, there were alert messages and ruined layouts that were triggered. Previously, I thought they all fell under XSS. Through the Jarlsberg codelab, I found out some distinctions.

For instance, reflected XSS is when the hack is carried in the actual request, e.g., when you create a link that points to some URL with a malicious script (although not really malicious) like this. A stored XSS is when you store the hack where it would be retrieved when the page gets requested, e.g., when you post something like alert(1) in some input field, and the alert gets displayed when that post is retrieved. There’s also file upload XSS for apps that allow the upload and retrieval of file attachments. The uploaded file could contain some scripts that aren’t expected to be executed.
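Both the reflected and the stored case above come down to the same defect mentioned earlier: user input rendered as HTML instead of escaped. The following is an added illustration (not code from the original post or from the Jarlsberg codelab) with a minimal escaper and a page renderer that takes a query from the request URL (reflected path) and posts from storage (stored path); the probe string, query and posts are constructed samples.

```javascript
// Added example: escape-on-output as the fix for reflected and stored XSS.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. This is only correct for those two contexts;
// data placed inside <script> blocks or URLs needs context-specific encoding.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render a search page. `query` comes from the request (reflected path),
// `posts` come from storage (stored path). `escapeOutput` switches between
// the vulnerable behaviour (rendered as HTML) and the hardened one.
function renderPage(query, posts, escapeOutput) {
  const enc = escapeOutput ? escapeHtml : (s) => String(s);
  const items = posts.map((p) => `<li>${enc(p)}</li>`).join("");
  return `<h1>Results for "${enc(query)}"</h1><ul>${items}</ul>`;
}

// Harmless constructed probe: a bold tag. If it survives into the output as
// markup, any other tag from the same input would too.
const probe = "<b>probe</b>";
function inputMarkupSurvives(html) {
  return html.includes(probe);
}

// Constructed sample input: the reflected query and one stored post both
// carry markup that must come out as text, not as elements.
const sampleQuery = "cheese " + probe;
const samplePosts = ["first post", "comment with " + probe];
const unsafeHtml = renderPage(sampleQuery, samplePosts, false);
const safeHtml = renderPage(sampleQuery, samplePosts, true);
// inputMarkupSurvives(unsafeHtml) === true; inputMarkupSurvives(safeHtml) === false
```

The same probe doubles as a quick manual check in a test session: if it comes back bold, the field is rendered rather than escaped.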

As for elevation of privilege, I guess I had stumbled onto something that could be categorized as that in an internal system that we used in a previous company. It was a forum, and I was able to access a certain functionality that wasn’t supposed to be available to me. They may have hidden the button to access it, but that was all they did to keep me off of it. It was still possible to access the functionality by modifying the URLs, and there were no validations when I submitted the request.
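The forum bug above is the classic case of hiding the UI but not checking on the server. As an added example (not code from the original post or from the system described), here is a deny-by-default authorization gate placed in front of every privileged route, so a hand-edited URL hits the same check as a click on the button; the route names, roles and sessions are constructed for illustration.

```javascript
// Added example: server-side authorization check for a forum-style app.

// Every privileged route is listed with the roles allowed to call it.
// Anything not listed is denied, so a new endpoint cannot be reached by
// guessing its URL before someone remembers to protect it.
const ROUTE_ROLES = {
  "/thread/view": ["member", "moderator", "admin"],
  "/thread/post": ["member", "moderator", "admin"],
  "/thread/lock": ["moderator", "admin"],
  "/user/ban": ["admin"],
};

// Decide per request, on the server, from the session the server issued;
// never from a role field, hidden form input or flag supplied by the client.
function authorize(session, path) {
  const allowed = ROUTE_ROLES[path];
  if (!allowed) return { status: 404, reason: "unknown route" };
  if (!session || !session.role) return { status: 401, reason: "not logged in" };
  if (!allowed.includes(session.role)) return { status: 403, reason: "role not permitted" };
  return { status: 200, reason: "ok" };
}

// The handler runs the check before the action, so whether the request came
// from the visible button, a modified URL or a crafted form makes no difference.
function handleRequest(session, path, actions) {
  const decision = authorize(session, path);
  if (decision.status !== 200) return decision;
  return { status: 200, reason: actions[path](session) };
}

// Constructed sessions and actions for the demonstration.
const memberSession = { user: "alice", role: "member" };
const moderatorSession = { user: "bob", role: "moderator" };
const forumActions = {
  "/thread/view": () => "thread shown",
  "/thread/post": () => "post saved",
  "/thread/lock": () => "thread locked",
  "/user/ban": () => "user banned",
};
```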

Anyway, this weekend’s session tells me something I’m well aware of, and that is that I know so little about web security testing. The upside is there’s this codelab that I could explore further. Through the session, I also found out about a couple of interesting sites. One’s another site for learning about web app security — WebGoat — through which I came across an XSS cheat sheet. Another site was Cornify, which was suggested as a more colorful and humorous alternative (imagine unicorns and rainbows on load) to pesky alert messages.

Categories: exercise

On responsibility, integrity, contribution

June 12, 2010

My boss conducted a talk — jokingly dubbed a brainwashing session — for us new hires on the team principles. It wasn’t much of a brainwash for me though, since for the most part (if not all), I pretty much agreed with what he said. Either that, or I had been brainwashed. In this post I’ll just do a brain dump on three principles that were discussed: Responsibility, Integrity, and Contribution.

Responsibility - For me, this means taking ownership, doing what you’re supposed to do, and inversely, not doing what you aren’t supposed to do. A new phrase I picked up from the talk is “being cause in the matter”. I like how it goes against learned helplessness and the feeling of being victims of circumstances. Sure, you’re up to your knees in shit, you’ve cursed the world, you’ve vented. But don’t leave it at that. Do something about it. Don’t leave it all up to chance and wait till some deus ex machina gets you out of the mess that you’re in. You’re only as stressed (busy, troubled, etc) as you’d allow yourself to be.

During the talk, I was reminded of something my father told me when I got into a really bad situation in college. Pa advised: “Huwag ka magpadala sa problema. Dalhin mo yung problema.” Using Google Translate, that’s “Do you send the problem. Bring the problem.” which doesn’t quite capture it. :P Roughly it translates as you shouldn’t let your problems take control of you, and that you should take command of your problems or the situation instead.

Integrity - Two quotes always come to mind when this topic is brought up. First is say what you mean, mean what you say. Second is on how integrity is doing the right thing even when no one’s looking. With respect to being in a mess, this means no cover-ups and acknowledging your misses when you’re at fault.

Contribution - One of the bullet points listed was on helping vs. making a contribution. This then reminded me of a saying about a hungry man and some fish. I can’t remember the exact words but I thought that giving him fish was akin to helping whereas teaching him how to fish was the real contribution. Well, that wasn’t how it was discussed. It was more of instead of thinking of someone or something as flawed, regard it as “perfect” (this might be more challenging for a tester) and just think of how you could add more value to it.

Some related blog posts to these principles and on feedback (also discussed in the talk):

Categories: 2 cents

Dan Pink on Motivation

June 1, 2010

Here’s a video I stumbled upon a couple of weeks ago. It’s a talk by Dan Pink with awesome artwork and some interesting points. For one, it clarifies the notion that the carrot-and-stick approach only works for mechanical tasks. Include tasks that require even rudimentary cognitive skills and the rewards-and-punishment scheme just doesn’t work as well anymore. It also highlights what would be an effective use of money as a motivator: pay people enough to take the issue of money off the table. This way they won’t be thinking about the money, they’ll be thinking about the work. The talk then moves on to discussing the three factors that science shows lead to better performance and personal satisfaction: Autonomy, Mastery, and Purpose.

The same guy had a very, very similar TED talk (and it has an interactive transcript). A snippet from the said transcript (emphasis mine): “And the good news about all of this is that the scientists who’ve been studying motivation have given us this new approach. It’s an approach built much more around intrinsic motivation. Around the desire to do things because they matter, because we like it, because they’re interesting, because they are part of something important. And to my mind, that new operating system for our businesses revolves around three elements: autonomy, mastery and purpose. Autonomy, the urge to direct our own lives. Mastery, the desire to get better and better at something that matters. Purpose, the yearning to do what we do in the service of something larger than ourselves. These are the building blocks of an entirely new operating system for our businesses.”

Categories: miscellany