Tuesday, April 6, 2010

Black Box vs White Box Testing

Black Box Testing
Black box testing refers to testing of the application without taking into account the internal structure of the program. As long as the program returns correct results based on the input parameters, the testing is considered to be valid.

Advantages:-
1. It mimics end user behavior.
2. It can uncover missing specifications.
3. It allows testing of portions of the application that are not currently implemented
4. As the tester is independent of the developer, it allows for uncompromised testing
5. The tester need not have knowledge about the internal structure of the program
6. For large systems, it simplifies the testing by ensuring all the inputs and outputs are tested

Disadvantages:-
1. All possible scenarios may not be covered
2. It does not allow for structural testing of the system
3. Test cases need to be redesigned with change in input methods or user interface

Common Black Box testing methodologies:-
1. Decision table testing
2. Pairwise testing
3. State transition tables
4. Use case testing
5. Cross-functional testing


White Box Testing
White box testing refers to testing of the application taking into account the internal structure of the program. It is also referred to as structural, glass box or transparent box testing. It requires understanding of the coding language and underlying architecture of the program.

Advantages:-
1. It ensures that all possible execution paths are traversed at least once.
2. It offers greater stability and reusability if the basic components of the application do not change
3. It ensures complete testing of all possible input and output parameters

Disadvantages:-
1. It does not mimic end user behavior
2. The tester needs to know the workings of the code and language used in application design.
3. Test cases are more complex and more difficult to execute than in black box testing

Common white box testing methodologies:-
1. Control flow testing
2. Data flow testing
3. Branch testing
4. Path testing
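
The contrast between the two approaches, as an added example that is not part of the original post: a decision table written from an assumed specification (black box) passes in full yet never executes one branch, which a line-coverage check (white box) exposes. The function `access_decision`, its roles and the specification in the comments are hypothetical.

```python
import dis
import sys

def access_decision(role, is_owner, locked):
    """Hypothetical function under test: may this user edit the record?"""
    if role == "admin":
        return True
    if locked:
        return False
    if role == "editor" and is_owner:
        return True
    if role == "support" and not is_owner:  # path the spec never mentions
        return True
    return False

# Black box: ((role, is_owner, locked), expected) taken from the assumed spec only.
BLACK_BOX_TABLE = [
    (("admin", False, True), True),     # admins may always edit
    (("editor", True, False), True),    # editors may edit their own records
    (("editor", True, True), False),    # locked records are read-only
    (("editor", False, False), False),  # editors may not edit others' records
    (("viewer", True, False), False),   # every other role is denied
]
# White box: one extra case chosen by reading the code's branches.
WHITE_BOX_EXTRA = [(("support", False, False), True)]

def failures(func, table):
    """Return the cases whose actual result differs from the expected one."""
    return [(args, want) for args, want in table if func(*args) != want]

def missed_lines(func, table):
    """Return line offsets (from the def line) that no case in the table executed."""
    code, hit = func.__code__, set()
    def tracer(frame, event, arg):
        if frame.f_code is code:
            hit.add(frame.f_lineno)
            return tracer
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for args, _ in table:
            func(*args)
    finally:
        sys.settrace(previous)
    lines = {ln for _, ln in dis.findlinestarts(code) if ln is not None}
    return sorted(ln - code.co_firstlineno for ln in lines - hit)

if __name__ == "__main__":
    print(failures(access_decision, BLACK_BOX_TABLE), missed_lines(access_decision, BLACK_BOX_TABLE))
```

The black box table reports no failures, but the coverage check reports the `return True` of the support branch as never executed; only the white box case reaches it, which is the point at which a tester would ask whether that access path was ever specified.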

Sunday, April 4, 2010

Risk Control Strategies

The four basic strategies for controlling risk resulting from vulnerabilities are:-

1. Avoidance, which involves putting controls in place to prevent or reduce the occurrence of risk. This is the most preferred approach as it deals with avoiding the risk rather than methods to deal with it. This is accomplished using technology safeguards and controls that minimize risk to an acceptable level, use of sound policies to remove vulnerabilities in assets, and educating, training and creating awareness amongst employees on all aspects of information security.
This is adopted to reduce the risks to an acceptable level within the organization, and for vulnerabilities which, if exploited, threaten to impact the business continuity and day-to-day operations of the organization. It is very important to avoid those vulnerabilities that impact the culture and foundation of the organization, like the risk to personal and credit card data in online warehouses like Amazon.

2. Mitigation involves measures to reduce the impact of risk. This involves creating policies and procedures for responding to incidents, a plan for restoring operations of the company in case of disasters, and the action the company would take should an attack or breach occur. The three main mitigation plans are:
Incident response plan: This includes procedures for responding to any security incident. It includes the reporting structure and escalation procedures for critical incidents.
Business continuity plan: This includes a plan for restoring the business's normal modes of operation, incurring minimum costs and disruption to business activities following a disaster event.
Disaster recovery plan: This includes plans and procedures for locating lost data and restoring services lost due to attack or disruption.
These controls are adopted when an incident has already taken place. Mitigation involves controls that aim to reduce losses to a minimum level and steps to restore business operations in case of interruption and disaster.

3. Transference involves transferring or shifting risk to another entity, process or organization. The most common transference strategies involve outsourcing and purchasing controls. It may also include alternate deployment of controls, using different applications etc.
This is used where the cost of implementing or developing risk control within the organization exceeds the cost at which the benefits can be procured through outsourcing or insurance. It is used when the organization does not have enough in-house resources proficient in risk management, and is accomplished by hiring firms/individuals as third party contractors proficient in risk management implementation and control, and transferring management of complex systems to them.

4. Acceptance refers to making no attempt to protect the assets and accepting the loss if it occurs. It is the absence of any control in place to safeguard the business and the organization from the exploitation of vulnerabilities.
This should be resorted to only after a thorough feasibility analysis of risk level, probability of occurrence and potential impact on the assets shows that the cost of implementing a control far exceeds the benefit of putting it in place.

Thursday, April 1, 2010

Information Security Controls

The security of information has become the most prevalent problem on the Web today. The NIST publication “NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems” lists and defines these controls.

Management Controls deal with security project management and with the design and implementation of policies, procedures and standards throughout the organization. These include provisions for risk management, including assessing and identifying risk, evaluating risk controls, summarizing findings and then selecting a cost effective control and installing and implementing it within the organization. They also include periodic and systematic review and evaluation of security policy within the organization or with independent reviewers, and policies for revision and approval of any changes as a result of those reviews. Major Management Controls are:
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing
5. System Security Plan


Operational Controls cover planning for incident response, disaster recovery and business continuity. These include policies on reporting and escalating security incidents, preparing a proper line of response, incident classification, and evidence collection and reporting for knowledge sharing. They also include procedures to ensure continuity of operation and restoration of company operations in the event of interruption or failure. The recovery plans need to be constantly evaluated, updated and tested to keep up with the latest in business operations of the company. Provisions for physical security, including access cards, gates etc., securing server and office rooms and facilities, security of media information when in transit, equipment protection and maintenance, cable security, disposal of equipment and information, removal of equipment from premises and public access to the company’s information and assets, are included in operational controls. Another important area they cover is the security of company employees and the protection of production and input/output controls. Operational controls also ensure that all employees are trained and educated on information security and are aware of their responsibility in complying with, maintaining and reporting any security breaches or incidents.
Major Operational Controls are:
1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning
5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability

Technical controls involve researching and selecting the technology necessary to develop and implement security controls in an organization. These include technology for physical access (cards or password or a combination of both), technology for remote access, policy for third party software, and email and internet policies. These also include policy for remote monitoring, audit trails and automated audits for any information security incidents.
Major Technical Controls are:
1. Identification and Authentication
2. Logical Access Controls
3. Audit Trails

Saturday, March 27, 2010

Information Security Certification Programs

Three major information security certification programs are:-
1. (ISC)² International Information Systems Security Certification Consortium, Inc. certifications. These include
a. Certified Information Systems Security Professional (CISSP),
b. Systems Security Certified Practitioner (SSCP) and
c. Certification and Accreditation Professional (CAP)

2. Global Information Assurance Certification (GIAC), a series of technical security certifications offered by SANS. These certificates have three levels: silver, gold and platinum. Platinum certificates are combined certificates with an additional exam.

3. Information Systems Audit and Control Association certifications: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)

Similarities between SSCP, GIAC and CISA
1. All three are for auditing, networking and security professionals dealing with auditing and security planning and implementations.
2. All three are certifications that combine technical knowledge with understanding of vulnerabilities, risks and business best practices.
3. They are all widely accepted certifications in the IS industry, command respect and are widely recognized within organizations and businesses.
4. They all require successful completion of an exam to be awarded and adherence to code of ethics and security standards.
5. They all require recertification or Continuing Professional Education (CPE) to maintain the certification

Differences between SSCP, GIAC and CISA
1. Experience Level
a. SSCP: Must have at least 1 year of cumulative work experience in one or more of the seven test domains (CBK) in information systems security.
b. GIAC requires no verifiable work experience
c. CISA requires five years of verifiable experience in IS auditing, control or obtained in the 10 years preceding taking of the exam.

2. Recertification period and process
a. SSCP: Recertification required every 3 years by earning 60 CPE and an annual maintenance fee.
b. GIAC: Requires recertification every 2 to 4 years on interval determined by the certification.
c. CISA: No exam required, but to maintain certification one must pay an annual maintenance fee and complete 20 CPE annually.

3. Pattern of Examination
a. SSCP: 125 multiple choice questions in 3 hours covering seven test domains described below in common body of knowledge
i. Access Controls
ii. Administration
iii. Audit and Monitoring
iv. Risk, Response and Recovery
v. Cryptography
vi. Data Communications
vii. Malicious Code/Malware

b. GIAC: To obtain GIAC certification candidates must complete a practical, hands-on exam in addition to one or more technical exams.

c. CISA: Exam offered only twice a year and requires completion of 200 multiple choice questions in 4 hours.

Thursday, March 25, 2010

Component based development:

This development methodology helps improve the development process by reducing risk and shortening the time to market, thus reducing prices. However, use of predesigned components may lead to a compromise in requirements. Another disadvantage is the reliance on an external party for support. This may create an issue if immediate escalation is needed in case of time sensitive business requirements.

Advantages

1. Reduction in development time
2. Increased productivity
3. Reduced risk as pre-tested components are used
4. Conformance with standards
5. Improved product quality
6. Shorter time to market.
7. They can be used when no in-house expertise is available on a particular technology

Disadvantages
1. Compromise in requirements
2. Reliability of components and sensitivity to change
3. Problems customizing component to product use
4. Components may become obsolete. If the 3rd party decides to discontinue the product, no support remains in case some problem occurs in development.

Wednesday, March 24, 2010

Skill sets for an IT Executive

While leadership styles may vary, the following is a time-honored skill set for an IT Executive:
1. S/he should be knowledgeable about all aspects of business (logistics and operations, finance, cash flow and budgeting), which would enable him to take time sensitive decisions that would impact all sides of the business.
2. S/he should be a quick decision maker but at the same time should be flexible enough to take decisions with changing requirements and circumstances
3. S/he should be firm with deadlines but at the same time compassionate enough to account for any personal emergencies
4. S/he should be a good negotiator and should show strength and decisiveness in his dealings
5. S/he should have excellent oral and written communication skills
6. S/he should have long range vision and goal setting, requiring techniques of forecasting, anticipating and strategic decision making.
7. S/he should be a good leader and should have the potential of creating faith in himself and the organization.

Monday, March 22, 2010

UML Class Diagrams

UML class design techniques are an effective methodology when developing new release features. UML class diagrams are static diagrams that represent the entire structure of the new feature by showing the different classes used for developing it, the various class attributes and also the relationships that exist between the various classes. Thus you get a clear picture of the functionality of the new feature by representing it using class diagrams.

UML class diagrams prove to be an extremely effective methodology while developing new features as they provide the following information:
1. You get detailed information about all the class members, their visibility (whether they are public, private or protected) and also details about their attributes and methods
2. They help in finding logical relationships between objects and classes, which makes coding easier for the developer. The following relationships can be reflected by class diagrams:
a. Instance level relationships like external links, aggregation, association and composition
b. Class level relationships like generalization and realization
c. General relationships of dependency and multiplicity
3. During the technical analysis phase of new feature development these class diagrams can be used for creating a conceptualized model of the expected system

Hence class diagrams prove useful both for software developers, as they get a clear view of the system that needs to be developed, and for the business analyst, who can use class diagrams to create system models from the business viewpoint.