Monday, December 31, 2012

Common Security Terms - More terms

In the past, I have written about some important system security terms here. Below is the enhanced list which you may find useful. See my video, Cyber Security Basic Terms and Concepts or read on...
 
1. Allowed IP address list
It is a list of specific external IP addresses that are allowed to connect to and use the system. Generally speaking, the use of this list is more restrictive than allowing users from only specific time zones or only specific geographic locations.
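As an added illustration of how such a list is enforced in code (this is example code written for this page, not code from the original post), the function below checks a connecting address against an allow list made up of single hosts and CIDR ranges, using Python's standard ipaddress module. The addresses in ALLOWED are constructed documentation ranges, not real values from the post. Anything that is not on the list, including malformed input, is denied.

```python
import ipaddress

# Constructed allow list (documentation addresses, not from the post):
# single hosts and CIDR ranges, IPv4 and IPv6 mixed.
ALLOWED = ["203.0.113.10", "198.51.100.0/24", "2001:db8::/32"]


def parse_allow_list(entries):
    """Parse each entry once at start-up. A bare address becomes a /32 or /128
    network, so hosts and ranges are handled by the same membership test."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_allowed(client_ip, networks):
    """Deny by default: True only if client_ip parses and falls inside one of the
    allowed networks. Address-family mismatches (IPv4 vs IPv6) simply return False."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Garbage input must never be treated as allowed.
        return False
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_allow_list(ALLOWED)
    for ip in ["203.0.113.10", "203.0.113.11", "198.51.100.77", "2001:db8:1::5", "bogus"]:
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```

The address checked must be the one the server actually sees on the connection. A value copied from a request header is supplied by the client and, as item 15 below notes for proxies, may not describe the real source system at all.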

2. Anti-spyware software
It is the software that searches for and removes spyware. Spyware is software that collects information from a system and transmits it to its server(s). Spyware generally works silently without harming the resources of the host system. Anti-spyware software needs the latest engine and anti-spyware definitions to provide up-to-date protection to the system.

3. Anti-virus software
It is the software that detects and removes viruses. Viruses are software that restricts, harms or renders the host system's resources unusable. Anti-virus software needs the latest engine and virus definitions to provide up-to-date protection to the system.

4. Authentication
It is the process of confirming the genuineness of an entity or data. For example, when a user logs into a website, the website tries to confirm that the user is genuine, that is, that he is using a login name and password which are active in the site database. Other user data can be involved in authentication, e.g. a security token, a Personal Identification Number (PIN) or fingerprints/ a retina print.

5. Authorization
It is the grant of permissions to do certain actions. For example on a website, a general user may view their transactions and modify their profile. But, if the general user is inactive, he may only activate his account and not even view his own profile. An admin user may view and modify the settings of the website, but may not view any user's data.

6. Cryptography
It is the use of techniques to assure secure communication. Such techniques include using encryption algorithms and digital signatures. For example, a website may require encrypted data sent from the server to the client browser. This data is decrypted in the client and then rendered to the user.

7. Environmental security
It is the provision of an optimum working environment to the system. Examples of environmental security include providing to the system the correct temperature range, a stable working platform and a dust-free and dehumidified environment.

8. Exploit
An exploit can be a wide range of items e.g. a set of commands, a set of data or even a particular system. It is possible to use an exploit against an insecure information system with the purpose of generating undesirable behavior in the system. Exploits always target a vulnerability (see below) in the system. For example, an attacker places exploit code on a trusted website. A user accesses the site from an insecure client machine which results in the user's browser executing the exploit code. The attacker then runs some attack using the user's machine with user credentials.

9. Firewall
A firewall is a software-based or hardware-based device that can be configured to allow genuine network traffic to go through and stop malicious traffic. For example, a firewall may intercept all network packets sent to an application, such as a browser. If the traffic originates from a known dangerous source, it may drop all the packets preventing harm to the client machine.

10. Identity
It is the set of data that is unique to a person. The digital identity of a person is the identity that is used on-line. For example, the identity of an employee may comprise attributes such as Employee number, Date of joining, First name and Last name. The employee is then required to use this identity within the organization throughout their stay.

11. Internet security suite
It is the collection of various system security products (like anti-virus, anti-spyware, email spam protector, firewall and backup) all from the same software vendor.

12. Login name
This is the name by which the system identifies a user internally. It may or may not be the same as the user name which is the name displayed by the system and communicated to other users. For example, isingh followed by 30 is my Gmail login name but my user name is Inder P Singh which is displayed in my inbox and in my emails to others.

13. Penetration test
It is a test to check the security of a network while pretending to be an external attacker. It is also called a pentest. The goal of a pentest is to gain access and some level of control over a device within the network. Valuable information is discovered by a pentest e.g. vulnerabilities present in the network and the effectiveness of automatic network scanning software.

14. Physical security
It is the presence of physical barriers to the information resources of an organization. Examples include gated access manned by security guards, access card swipes required to enter the premises and logged access to restricted areas within the premises. Physical security works in conjunction with operational security. For example, gated access needs someone to dutifully log the persons entering the restricted area.

15. (Web) Proxy server
It is a server through which a user may connect to a web site. The web site gets the user information (e.g. IP address, geographic location, operating system, browser) of the proxy server and not of the user system. Therefore, a proxy server makes the user anonymous to the web site. But, the proxy server may or may not itself log the user system information.

16. Site advisor
It is the software that works within the browser to ensure that the user visits only safe web sites. It warns the user whenever the user clicks on a link pointing to a suspect website (one that may contain viruses, malware or spyware).

17. Threat
It is a danger to the information resources of an organization. It can be intentional e.g. an external attacker or accidental e.g. an earthquake. There are usually numerous threats to the information resources e.g. natural catastrophes, power outages, hardware/ software failures and malicious individuals/ organizations. Information resources of different organizations may face the same threats.

18. Updates
These are the new program versions, engine versions, definitions, databases and bug fixes etc. released by software vendors from time to time. Updates are available for software like operating systems, applications, anti-virus software and anti-spyware software. In order to keep a system secure, it is important to keep all software updated.

19. User name
This is the name which is displayed to the user and communicated to other users. See the example in Login name above.

20. Vulnerability
It is a weakness within the information system of an organization. Examples include a software vulnerability arising from insufficient testing, a hardware vulnerability arising from insecure storage and a physical site vulnerability arising from a location within a natural disaster prone area.

Tuesday, September 18, 2012

Rapid Risk Identification

If you have read my earlier post on Risk Management in Software Testing , you would know that the risk management process includes Risk Identification, Risk Prioritization (or Risk Assessment) and Risk Treatment. You will now see how you can identify the relevant risks in your software testing project quickly. See my short video, How to Identify Risks? Risk Management Video or read on...

You may have seen some rapid risk identification in action already, during management reviews of projects. During my career, I have been positively surprised many times when the management was able to identify potential problems (risks) after just listening to the project progress. In fact, risk management is a critical management skill, other critical management skills being strategic planning, organizing and communication. If you are not management but want to identify risks in your project fast, here is what you can do.

Thursday, September 6, 2012

Data Quality and Data Quality Assurance

This post is on data quality and how to go about assuring high data quality. View my video on Data Quality (I have explained multiple examples in detail in it) or read on...

First, let us understand data quality. Put simply, data are of high quality if they do not suffer from data issues. There are many potential issues with data (see examples below). Now, data are used for a number of organizational functions such as on-going operations, dealing with customers, marketing and analysis and decision making. If the data are not of high quality, there are a number of problems. Users get incorrect reports. Time and money is wasted in miscommunication. Bad data can lead to poor decisions. It can frustrate employees and most importantly, it can frustrate customers.

Although data quality assurance is particularly useful for production databases, it can very well be used in software testing as software testers need to ensure high data quality in gold test databases. Now, let us see examples of data issues that bring down data quality. 

Thursday, August 30, 2012

Database Normalization: What to test for Third Normal Form?

In the last post, you saw the tests (based on the candidate key) that should be executed to check the second normal form (2NF). In this post, let us understand the third normal form (3NF) and the tests that should be executed to check it. View my video on Third Normal Form explained with examples or read on...

First, what is the 3NF? Just to recall, the purpose of normalization is to eliminate insertion, update and deletion anomalies. The tables in a normalized database are intuitive in design. They do not require extra query logic or application logic to query or filter the required data. Now, a table that is in 3NF is already in 2NF. Also, each non-key column depends on the candidate key and nothing else.
Now, let us understand why the following examples are not in 3NF and how to convert them to 3NF.

a. TokenAllocation (Token, Date, CustomerName, CustomerAddress)
This table stores data for tokens given out to customers after they walk into a place with a queue (e.g. bank branch, hospital OPD, ISP customer care center) and wait for their turn to be seen. The tokens always start from 1 each morning. The candidate key in this table is {Token, Date} because this pair is unique in each row. A specific token allocated on a particular date is associated with exactly one customer. So, CustomerName depends on the key. Likewise, a specific token on a particular date is associated with exactly one customer address. But, CustomerAddress also depends on CustomerName (which is not the key). Therefore, this table is not in 3NF.

To convert the TokenAllocation table to 3NF, it needs to be broken into two tables:
TokenAllocation (Token, Date, CustomerID)
{Token, Date} is the only candidate key of this table. 
Customer (CustomerID, CustomerName, CustomerAddress)
CustomerID is the candidate key of this table. CustomerName and CustomerAddress depend on the CustomerID. Also, addition of CustomerID column ensures that customers with duplicate names can live in the same table.
Once TokenAllocation is taken to 3NF, the CustomerAddress values need not be updated in multiple rows in the TokenAllocation table. This is because CustomerAddress now lives only in the Customer table.

b. OrderDetails (OrderNumber, ProductNumber, Quantity, Total)
This table stores data of each line item of each order. The order information is stored in the Orders table. The product information, including unit price, is stored in the Products table. The candidate key in the OrderDetails table is {OrderNumber, ProductNumber}. Quantity depends on the specific order and the specific product. But the Total column contains a calculated value obtained by multiplying the unit price of the specific product by the quantity. So, Total does not depend on the key but on something else. Therefore, this table is not in 3NF. To convert it to 3NF, the Total column needs to be dropped:
OrderDetails (OrderNumber, ProductNumber, Quantity)

Based on the understanding above, here are the tests that should be applied to check 3NF on every table in the database:
1. Is each criterion of 1NF and 2NF satisfied?
2. What are the candidate keys in each table? For each candidate key, which columns are not a part of it? Does each such column depend on the candidate key and nothing else?
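The two tests above can be run mechanically against sample data. The code below is an added example written for this page (it is not from the original post or its video) and uses constructed rows for the TokenAllocation table; only the column names come from the post. It confirms that {Token, Date} is a candidate key (unique and minimal), then looks for a non-key column that is determined by other non-key columns, which is exactly the CustomerName to CustomerAddress dependency described in example (a). Finally it performs the split into TokenAllocation and Customer with a surrogate CustomerID, as the post does, and re-runs the test on the result.

```python
import itertools

# Constructed sample rows for the post's TokenAllocation example.
# The values are made up for this example; the column names come from the post.
TOKEN_ALLOCATION = [
    {"Token": 1, "Date": "2012-08-30", "CustomerName": "Asha", "CustomerAddress": "12 Park Rd"},
    {"Token": 2, "Date": "2012-08-30", "CustomerName": "Ravi", "CustomerAddress": "7 Lake St"},
    {"Token": 1, "Date": "2012-08-31", "CustomerName": "Asha", "CustomerAddress": "12 Park Rd"},
    {"Token": 2, "Date": "2012-08-31", "CustomerName": "Meena", "CustomerAddress": "3 Hill Ave"},
    {"Token": 3, "Date": "2012-08-31", "CustomerName": "Ravi", "CustomerAddress": "7 Lake St"},
]


def determines(rows, lhs, rhs):
    """True if the columns in lhs functionally determine column rhs in these rows:
    every distinct lhs value is paired with exactly one rhs value."""
    seen = {}
    for row in rows:
        key = tuple(row[c] for c in lhs)
        if seen.setdefault(key, row[rhs]) != row[rhs]:
            return False
    return True


def is_unique(rows, cols):
    """True if the column combination has no duplicate values in the data."""
    values = [tuple(row[c] for c in cols) for row in rows]
    return len(values) == len(set(values))


def is_candidate_key(rows, key):
    """A candidate key is unique and minimal: no proper subset is itself unique.
    Sample data can only refute a key, so confirm the result against the design."""
    if not is_unique(rows, key):
        return False
    for n in range(1, len(key)):
        for subset in itertools.combinations(key, n):
            if is_unique(rows, subset):
                return False
    return True


def find_3nf_violations(rows, key):
    """Test 2 from the post: return (determinant, column) pairs where a non-key
    column is determined by non-key columns that are not themselves unique,
    i.e. a transitive dependency. A dependency seen in a sample must still be
    confirmed as a business rule; one that fails in the sample is definitely absent."""
    non_key = [c for c in rows[0] if c not in key]
    violations = []
    for col in non_key:
        others = [c for c in non_key if c != col]
        for n in range(1, len(others) + 1):
            for det in itertools.combinations(others, n):
                if determines(rows, det, col) and not is_unique(rows, det):
                    violations.append((det, col))
    return violations


def split_transitive(rows, determinant, dependents, id_col):
    """Move determinant + dependents into a lookup table keyed by a surrogate id
    (the post's CustomerID) and replace them in the main table with that id."""
    moved = list(determinant) + list(dependents)
    ids, lookup, main = {}, [], []
    for row in rows:
        natural = tuple(row[c] for c in determinant)
        if natural not in ids:
            ids[natural] = len(ids) + 1
            lookup.append({id_col: ids[natural], **{c: row[c] for c in moved}})
        main.append({**{c: v for c, v in row.items() if c not in moved}, id_col: ids[natural]})
    return main, lookup


if __name__ == "__main__":
    key = ("Token", "Date")
    print("{Token, Date} is a candidate key:", is_candidate_key(TOKEN_ALLOCATION, key))
    for det, col in find_3nf_violations(TOKEN_ALLOCATION, key):
        print(f"{col} depends on non-key column(s) {det}: table is not in 3NF")
    allocation, customers = split_transitive(
        TOKEN_ALLOCATION, ["CustomerName"], ["CustomerAddress"], "CustomerID")
    print("violations after split:", find_3nf_violations(allocation, key))
    print("Customer table:", customers)
```

The check on the split table comes back empty: once CustomerAddress lives only in the Customer table, there is no non-key column in TokenAllocation left to depend on anything but the key. Example (b) needs the Products table as well, because Total is derived from Quantity and a unit price stored elsewhere, so that check is a join against Products rather than a dependency test inside OrderDetails.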

Want to learn more? See more explanation with example data in my video on Third Normal Form.