How to Setup an Automated Reminder in Tick Spot

Misplaced my timesheet

Timesheet is a mandatory implementation in every organization and implementation of timesheets definitely helps in reducing the frequency of disputes between employees and supervisors/employers. It is also a very effective way to track cost, making business accounting more accurate and error free.

Incomplete timesheets slow down our business. Employees spend longer trying to recall their jobs and hours, managers spend time chasing down incomplete timesheets, and accounting gets delayed. I understand your problems, and that is why I came up with this technique for setting up the automatic reminder feature in Tick Spot to complete timesheets on time. Follow some simple steps to set it up on your PC/Laptops.In one of my projects at Zen Test Labs, I implemented the automated timesheet reminder in Tick Spot. This helped not only the individuals working on the project, but also helped business in making correct effort calculations.

Setting up an Automated Reminder in Tick Spot:  

Every evening (you can specify your EOD), your browser opens up with the Tick Spot login screen.

Step 1

  • Create “timesheet.bat”
  • Open Notepad and type the following:
    • echo off
    • start /max iexplore.exe
  • Save the file as “timesheet.bat”

Step 2

Copy the file “timesheet.bat” to your preferred location

Step 3

Open the Run window and type “Task Scheduler”

Task Scheduler

Step 4: Add Batch Action

Select the Action tab, Click on “New”

Add Batch Action

Step 5: Add Batch File

To add the batch file, click “Browse” and select “timesheet.bat” from the stored location

Add Batch File

Step 6: Setup Trigger

To add Trigger tab and follow 5, 6, 7 & 8 actions

Click “New” –> Add the “Daily” radio button –> Add time –>Check “Enable” Check Box –> Click “OK”

Setup Trigger

Your automated reminder has been setup! The great thing about this feature is that it does not require any manual intervention and causes no overhead on system resources. You can extend this technique to other reminders too.

Mukund Wangikar | Zen Test Labs

OpenSTC, a CSR Initiative

OpenSTC..! What a memorable learning experience it was..! OpenSTC (Open Software Testing Course) is a CSR initiative by Zentest to train students in Software Testing regardless of their IT / Non-IT background. The course which is conducted free of cost is open to everyone who wishes to learn software testing. This three month course consists of a lot more than just theoretical training.

At OpenSTC, emphasis is placed on practical knowledge, which a candidate would require, not only to secure a good job, but throughout his/her career in the field of software testing.

The key technical areas covered in the course are:

  • Software Testing Life Cycle
  • Software Development Life Cycle Models
  • Principles of Software Testing
  • Test Case Design Techniques with a case study for designing Test Cases
  • How to Write Precise Test Cases (with ample case studies and examples to practice)
  • Writing End-to-End Scenarios
  • Decision Tables and Classification Tree
  • Defect Life Cycle and Defect Reporting

Trainers encourage students to extensively practice test case writing for multiple test scenarios, after which the team is introduced to the concept of Test Case Optimization. Identifying and logging defects is what excites testers most during the initial phase of learning. Defect Reporting and Writing End to End Scenarios are taught in such a manner that beginners would easily be able to write precise scenarios when they start working as software testers

The course teaches testers to be tactful explorers and to exercise good judgement. Memory and creativity based exercises are taught to improve thinking and analytical skills. After completion of the course, participants are offered a chance to work on live projects wherein they get to play the roles of Team Lead, Tester etc. and get an opportunity to apply their knowledge. The course also includes:

  • Seminars by senior members of the testing fraternity
  • Interview sessions with tips and mock interviews conducted by industry experts with feedback to participants
  • Improvement of communication skills
  • Self motivation exercises wherein participants learn about the deeper science of the mind, laws of attraction and how our thoughts shape our future. Participants are encouraged to channelize their thoughts, guided with ways to handle stress and live life with a positive attitude.

A crowd testing event was also hosted by Zentest which provided participants a chance to work on a real application in the testing environment. This day long activity was initiated by the team testing the application at Zentest and it comprised of understanding the application, exploring the application, testing and logging defects.

After completion of the course students can volunteer to be a part of the OpenSTC team. Volunteering at OpenSTC is another memorable experience wherein you can manage course activities and guide participants during live projects. Taking an initiative, communicating with the people at OpenSTC, co-ordinating and solving their queries helps one grow as a person and evolve as a leader.

Sonali Edake | Zen Test Labs

Test Automation is Not the Only Answer

I have worked on several test automation projects over the past few years. I also conduct test automation trainings as a part of our company’s CSR initiative and actively participate in online discussions about testing.  Since my work is centered on test automation, a lot of people frequently come to me with questions, some of which I would like to address in this blog post.

Question: “I recently graduated with a Bachelor’s in Computer Science. I am interested in pursuing software testing as a career. Can you recommend an automation tool that I can take up?”

Question: I am interested in software testing and have 3 years of experience in the BPO industry. I also underwent a 3 month QTP and Selenium training. Will this help me get a job as a tester?”

Question: “I have been working as a tester for the last 6 months. I want some growth in my career, so I am planning to move towards test automation. Which tools do you recommend I should learn?”

Question: “I have been working in manual software testing for over 4 years now. I think this has been a great mistake as far as my career is concerned. Most of my colleagues and friends are in test automation and it drives me up the wall .I also want to shift to automated testing; can you guide me as to how I should start?”

These and many similar questions have been asked frequently. All of these questions have a common line of thought: Test Automation. It makes me wonder if automated testing really is more important than manual testing!

Most testers I spoke to wanted to learn test automation only for the following reasons:

  • Knowledge of test automation tools can help their testing career and get them better job opportunities.
  • Some of them wanted to learn test automation just because their colleague was learning it!
  • Adding an extra point in their resume to make it stronger.
  • Highlight the fact that they learned automated testing in their performance appraisal meeting! :)

I am not against these testers but want them to realize that automated testing is not the only choice they can make to advance their testing career. Manual testing also offers a lot of growth. Knowledge of automated testing is definitely beneficial, but manual testing is also a very lucrative career path to pursue.

What I’m trying to say is that each of these roles – Manual Testing and Automated Testing have their own very unique challenges. Someone well versed with one role might not necessarily be well-acquainted with another. Treat yourself as a tester; not a manual or automation tester. Think of yourself as a tester with a set of skills, specialties, abilities and domain expertise.

Assuming that automated testing can replace manual testing and using automation tools without understanding testing & the underlying application can be very dangerous. Manual testing is not simple. It’s an art and requires high intelligence, creativity, judgment and skill with domain knowledge.

Finally, remember that human brains cannot be replaced by automated robots. :)

Any comments and suggestions are welcome.

Hemant Jadhav | Zen Test Labs

OWASP Testing 101 (Part 2)

In my previous post, I wrote about Broken Authentication, Session Management and Cross Site Scripting.  Today, I will continue talking about some more checkpoints to be kept in mind while performing OWASP testing.

Insecure Direct Object References
This involves modifying the URL parameter values and using them directly to retrieve a database record belonging to other users. If an ID or parameter in the URL is modified and refreshed, the application should not fetch a new record belonging to another user.This is the script we followed to test the vulnerability:

  1. Log into an application
  2. Navigate to the page where the value of a parameter is used directly to retrieve a database record, e.g. an invoice page with URL http://foo.bar/somepage?invoice=12345
  3. Modify the URL with a different invoice no. belonging to another user http://foo.bar/somepage?invoice=7985 and hit enter

Security Misconfiguration
Security Misconfiguration occurs due to poor configuration of an application (server or application level) which makes it vulnerable to malicious attacks. The application might be vulnerable to changes in website settings, unauthorized access or any other unintended actions on the application that divulge informative data or user details.This is how we tested the application for security misconfiguration:

Verify 404 Error message:

  1. Launch an application
  2. Manipulate the URL by deleting the directory structure and directly entering the page name
  3. Verify that “Server Error in ‘/’ Application” message displayed.The application should not return extra information related to the page or directory listings.

Intentionally crash the application using any of the following options where applicable and verify HTTP 404 Error:

  1. Change the DB configuration by providing invalid credentials OR
  2. Type only the domain name in the URL and hit enter
  3. Verify that error message is displayed

Sensitive Data Exposure
Even if an application is password protected, sensitive data such as credit card details, TAX ids and financial details etc should be encrypted or hashed in the database and masked while displaying at the front end. TLS/SSL should be used for transactions involving this type of data.This is how we tested the application for sensitive data exposure:

  1. Log into the application
  2. Navigate to My Profile / Password Reset page / My Account page
  3. Check the password field, Credit Card Number, SSN Number
  4. Launch the application with HTTP in the URL
  5. Check if the application is redirected to HTTPS
  6. The web application should be SSL Enabled and the URL should redirect to HTTPS

Make the following checks for sensitive data:

  • It should be masked in the application
  • It should not be cached
  • Auto complete should be disabled for forms containing sensitive data
  • CC/Account Number, Expiry/CVV Number etc., shouldn’t be exposed as clear text. Only the last four digits should be visible E.g. – **********1234
  • Account information (Account No., Routing No.) should be masked and stored in the database.  Account details should be masked on the receipt screen. E.g. – **********1234

Missing Function Level and Access Control
This is to verify user level access control of an application. Non-admin users should not be able to access screens that can only be accessed by admin users.

  1. Create two users, one with an admin role and another with a non-admin role
  2. Login as admin and verify that the application provides  functional and access privilege to  the admin user
  3. Login as a  non-admin user and verify if the restricted module is accessible

This project helped me experience a different flavor of testing and made me aware of the fact that applications are very vulnerable to malicious attacks and fraudulent users. If applications are not tested for security, then important user data and information is in danger of being compromised. Earlier, I used to test applications believing that functionality was the most important aspect, but now I have realized that for a robust and secure application, both functional as well as OWASP (security) testing are important.

Vasim Khan | Zen Test Labs

 

Automating the Business Analyst

Business Analysts (BA’s) play a pivotal role in the success of technology projects. BA’s are expected to assume roles that go well beyond just defining and tracking requirements. Some of these roles include Business Planners, Systems Analysts, Project Managers, Subject Matter Experts, Data Analysts, Application Analysts, Testers…well this list can go on! The biggest issue with these ever changing roles that BA’s play is that the attributes and dispositions of a Business Analyst are so wide that it doesn’t feel like roles that are being carried out by the same person

Given this dynamic, our experience has been that BA’s play a critical role in ensuring end quality of a product. However, the role of BA’s does not end here. Invariably they are the ones involved in ensuring that products work the way they should post implementation; i.e., in Business as Usual modes. Thus BA’s play a crucial role in designing test programs and managing them in the long run to ensure defects are caught in time and addressed.

At Zen Test Labs, we have long been an advocate of easing the lives of BA’s when it comes to their roles in testing. It is not desirable to have BA’s test but given that it inevitable, it makes sense to automate large parts of the process in a way that BA’s can seamlessly create and execute tests. We have put together a whitepaper that talks about marrying a Business Process Model Based Test approach to Scriptless Test Automation thus ensuring that testing is synchronized across business and technology operations.

Download the whitepaper today to learn more about how you can automate the business analyst!

How Big is Big Data?

There has been a lot of buzz around big data lately. The volume of data we’re handling is growing exponentially with the popularity of social media, digital pictures, videos, and data from sources like sensors, legacy documents, weather and traffic systems to name a few. Every day, we create 2.5 quintillion bytes of data — so much that 90% of the data in the world today has been created in the last two years alone, states a report from IBM. According to a report by analyst firm IDG, 70% of enterprises have either deployed or are planning to deploy big data projects and programs this year due to the increase in the amount of data they need to manage.

I’d like to ask you, what is the maximum database size you have seen so far? A professional in database and related subjects may be able to answer this question. But if you do not know anything about databases, it might not be possible for you to answer this.

Let us take the example of Aadhar Card. UIDIA (Unique Identification Authority of India) has issued about 25 Crore Aadhar Cards in India so far.  The size of each card is around 5MB (it includes photo, finger prints, scanning), so the existing database size could be

5*25, 00, 00,000 MB = 1250 TB = 1PB (1000 TB ~ 1Peta Byte)

On an average, UIDIA issues 1M Aadhar Cards each day. So the size of the database increases by 1 Tera Byte per day. The current population of India in 2014 is 1,270,272,105 (1.27 billion), so the minimum size of the database required to store Aadhar Card data would be around 5 Peta Bytes.  Is this database big enough? Probably not.

Facebook has 680 Million active users on a monthly basis. Is this big?

Google receives 6000 million searches per day.Is this big? May be.

Storing 6000 Million records is not a big thing; you can use conventional databases like Oracle to store these many records.  But it can be more interesting that. What if I ask you to store 6000 million search phrases that are searched in Google everyday for two years and at the end of it create a report on the 25 most searched keywords related to “cricket”? This might sound insane. 6000M * 365 * 2 = 4380 Billion Records! Even if you are able to store these many records, how can you perform analysis on this data and create reports?

That is where big data technologies will help you.  Big data does not use RDBMS, SQL queries or conventional databases. Instead, it uses tools like Hadoop, Hive, Map Reduce etc. Map Reduce is a programming paradigm that allows massive job execution scalability against thousands of servers or clusters of servers. Hadoop is by far the most popular implementation of MapReduce. It aggregates multiple sources of data in order to do large scale processing and also reads data from a database in order to run processor-intensive machine learning jobs. Hive is a SQL like bridge that lets conventional BI applications run queries against a Hadoop cluster. It has increased Hadoop’s reach by making it more familiar for BI users.

While Big Data represents all kinds of opportunities for businesses, collecting, cleaning and storing it can be a nightmare. Not only is it difficult to know whether the data is being transmitted properly, but also that the best possible data is being used. Here are some key points to keep in mind while testing big data:

  • Test every entry point in the system (feeds, database, internal messaging, and front end transactions) to provide rapid localization of data issues between entry points.
  • Compare source data with the data landed on Hadoop system to ensure they match.
  • Verify the right data is extracted and loaded into the correct HDFS location.
  • Verification of output data. Validate that processed data remains the same even when executed on a distributed environment.
  • Verify the batch processes designed for data transformation.
  • Verify more data faster.
  • Verification of output data. Validate that processed data remains the same even when executed on a distributed environment.
  • Verify the batch processes designed for data transformation.
  • Automate testing efforts.
  • You should be able to test across different platforms
  • Test data management is the key to effective testing.

The list above is not static and will keep growing as big data keeps getting bigger by the day. Big data amplifies testing concerns intrinsic to databases of any size as well as poses some new challenges. Therefore, a testing strategy is critical for success with big data. Companies that get this right will be able to realize the power of big data for business expansion and growth.

Manoj Pandey | Zen Test Labs

OWASP Testing 101 (Part 1)

I recently performed OWASP testing on an application and wanted to share my experience. The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.

Before I talk about my project, here’s a brief description of security testing: It is a process intended to reveal flaws in the security mechanisms of an application that protect data and maintain functionality as intended. It is a type of non-functional testing.The main requirements for security testing are:

  • Confidentiality
  • Integrity
  • Authentication
  • Availability
  • Authorization
  • Non-repudiation

In our project, we used the following checkpoints while performing OWASP testing:

Broken Authentication
User Authentication confirms the identity of the user. But the authentication mechanism may be vulnerable due to flawed credential management functions such as password change, forgot password etc. We used the following checkpoints to safeguard against this:

  • Password Strength: Passwords should have restrictions including minimum size and use of minimum combinations of letters, numbers, alpha numeric characters etc.  E.g.  Abcd@#12
  • Password Use: No. of login attempts and no. of failed login attempts should be logged. E.g.  Users can enter invalid credentials for a maximum of 5 times before the account is locked
  • Password Storage: Passwords should be hashed while entering and stored in an encrypted format. E.g.  Passwords should be displayed as ‘*********’ , ‘#########’ , ‘adas^*da432%324fsdf#’

Session Management
Session IDs should not be exposed in the URL. They should be long, complicated and not easily guessable. The application URL may contain session IDs when a user is logged into the application. Other users should not be able to use these session IDs to log into the application. Also, other users should not able to copy and paste the URL in another browser and access the application without logging in.

A new session ID should always be created for every authentication. Logging out or clicking on the back button should not navigate the user to the application’s internal page which requires user authentication. The application can also be tested using session timeouts and session expiry details after closing the browser.

Cross-Site Scripting
Cross-Site scripting includes malicious scripts which are included in code or trusted websites. Once the end user executes the script by accessing the application, the malicious code can access user’s sensitive data, cookies or session ids.

Cross-Site Scripting (XSS) has three types:

  • Reflected Cross-Site Scripting: The user is tricked into clicking a malicious link, submitting a crafted form or browsing to a malicious site. This is by far the most common type of vulnerability.
  • Stored Cross-Site Scripting: This is a permanent type of attack since the malicious script is stored in the database. The script is retrieved when the user fetches the record from the database.
  • DOM based Cross-Site Scripting: In this attack, malicious code is based in the DOM environment. When the script executes, the client side code runs in an unexpected manner.

Here’s how we tested XSS for our project:

  1. Log into the application
  2. Navigate to a page with an input field that accepts a large number of characters e.g. Fields accepting custom messages
  3. Enter the following script and click on the save/submit button
    Ex.1 : <script>alert (“hacked”) </script>
    Ex.2 :< html> <body text=”green”>
    <script>alert (‘You just found an XSS vulnerability’) </script>
    </body>
    </html>
  4. The application should not display a pop up message. It should display a valid error message like “Enter valid string” etc.

I have more to say about the basic concepts of security testing. I will talk about Insecure Direct Object References , Security Misconfiguration, Sensitive Data Exposure, Missing Function Level and Access Control in my next blog.

Vasim Khan | Zen Test labs