Archive for the ‘Books’ Category

A Quality Children’s Book?

Tuesday, November 4th, 2008 by The Director

An ASQ mailing I just received:

A children's book pitched by ASQ

It’s not a children’s book preparing a child for a life of quality assurance. It’s a children’s book about learning.

You know what makes a good children’s book for preparing children for a life in QA?  Grimm’s Fairy Tales, particularly the one where the children really do get eaten at the end of the story.  Or a good primer on Norse mythology, where the good guys lose in the end anyway.

What do you think would make a good children’s book for QAlings?

Book Report: How to Break Web Software by Mike Andrews and James A. Whittaker (2006)

Thursday, August 21st, 2008 by The Director

This is the third book in the trilogy (How to Break Software, How to Break Software Security, and this book).  This book, as you could guess by its title, focuses on applications written for the World Wide Web.

As with previous books, this one uses an enumerated list of “attacks” you can perform on the software you’re testing.  However, the “attacks” motif is a little misapplied, as the last chapters of the book are broadly constructed, including a chapter on “Privacy” and another broad overview of Web Services.

However, its focus on the differences between Web applications and regular applications (the stateless nature of the Web as well as the exposed underlying technologies in the Web server and database server) can help you transition to the Web if you’re used to working on desktop applications.  Heck, even if you’re already testing Web applications, you might find something in here to add to your repertoire.

However, read the book and apply the “attacks” in a triage fashion.  Sure, your pages’ source code might reveal something, but brothers and sisters, reviewing page code is the first attack (“Panning for Gold”) presented in the book.  It is not the first thing in my test plans.  As a matter of fact, given the projects I’ve worked on, reviewing source code has been spotty at best and falls in the test plan somewhere beyond spraying the Web server with a hose.  But if you have timeline enough and time, it is a good idea.
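As an added illustration of the “Panning for Gold” attack the paragraph above refers to (example code written for this page, not from the book or from the blog’s author), here is a small source-sifting pass over an HTML page. The sample page, the `ExampleCMS` generator string and the `/debug/dump` and `/admin/` paths are all constructed for the demo; the script only uses Python’s standard library and pulls out what view-source hands an attacker for free: HTML comments and any paths mentioned in them, hidden form fields (price and role fields are the classic tamperable ones), a “generator” meta tag that fingerprints the platform, and script/link/form targets whose names suggest administrative or debugging surface.

```python
"""Added example: a minimal "Panning for Gold" pass over HTML source.

Not code from the book or the blog. The page below is constructed for the
demo; the endpoints, product name and field names are made up.
"""
import re
from html.parser import HTMLParser

# Constructed sample page (not a real site).
SAMPLE_PAGE = """<!-- constructed sample page, not a real site -->
<html><head>
<meta name="generator" content="ExampleCMS 1.0">
<script src="/static/app.js"></script>
<!-- TODO: remove debug endpoint before launch: /debug/dump -->
</head><body>
<form action="/checkout" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="role" value="customer">
  <input type="text" name="qty">
</form>
<a href="/admin/">staff</a>
</body></html>"""

# Path-looking tokens inside comments (developers leave these behind).
PATH_RE = re.compile(r"/[A-Za-z0-9_./-]+")
# Link/script/form targets worth a second look.
INTERESTING_RE = re.compile(r"admin|debug|test|backup|old|internal", re.I)


class GoldPanner(HTMLParser):
    """Collects source-level leaks while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.comments = []       # raw HTML comment bodies
        self.hidden_fields = []  # (name, value) of <input type="hidden">
        self.targets = []        # src / href / action values
        self.generator = None    # <meta name="generator"> content, if any

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href", "action"):
            if a.get(key):
                self.targets.append(a[key])


def pan_for_gold(html):
    """Return the findings a first-pass source review would note down."""
    p = GoldPanner()
    p.feed(html)
    p.close()
    commented_paths = [m for c in p.comments for m in PATH_RE.findall(c)]
    interesting = [t for t in p.targets if INTERESTING_RE.search(t)]
    return {
        "comments": p.comments,
        "commented_paths": commented_paths,
        "hidden_fields": p.hidden_fields,
        "generator": p.generator,
        "interesting_targets": interesting,
    }


if __name__ == "__main__":
    for key, value in pan_for_gold(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Each hit is a lead, not a bug: a hidden `price` field tells you to try resubmitting the form with a different value, a commented-out `/debug/dump` path tells you to request it, and a generator string tells you which platform’s known weaknesses to check next. That is why it sits early in the book’s list but, as the review says, it belongs in triage rather than at the top of every plan.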

I bought these books for my team, so you can expect I’d recommend them to you.  Go forth, buy them, and learn from them.


Book Report: How to Break Software Security by James A. Whittaker and Herbert H. Thompson (2003)

Tuesday, July 10th, 2007 by The Director

After I read How to Break Software (which a quick Google check indicates I have not reviewed, gentle reader, but most of you wouldn’t have read it anyway), I bought the companion volumes. This book, which I bought off of Amazon.com at its retail price, disappointed me where How to Break Software did not.

Both books run off of a quick list of fault-model testing (a term I learned from the first book). I had a ball with the first book, laughing at seeing some of my favorite dirty tricks encapsulated in someone definitive’s book. This book, however, didn’t hold the same glee for me.

The first book dealt with a broad subject and offered some very concrete things to try to attack software. This second book deals with a similarly broad subject (security testing), but is more abstract. The attacks it discusses aren’t as narrow and easy to recreate; they’re more methods and abstract ideas to try rather than concrete shortcuts to finding issues. I know, there’s something to be said for a broad, ranging methodology, but the first book wasn’t that way, and I didn’t expect this one to be that way. Additionally, the book is sized similarly to the first, which doesn’t allow it to go into a lot of detail for each of the abstract things it talks about.

Finally, I don’t know that the book focuses enough on actual security attacks; rather, it focuses on attacks that could be construed as security breaches. However, in many cases, they’re not specifically security attacks, but rather regular tests that could, if applied to applications needing security, be security attacks.

Maybe that’s all security testing is, but this book wasn’t different enough from the first book to make me wonder if it wasn’t really a sequel given a better title.

On the other hand, it does come with a CD and a tool which looks to be pretty cool, if I could get some professional time to play with it.

So buy the first book, How to Break Software, and apply its attacks to secure software. Buy this book if you’re really into it or if the company is buying it for you.


(Originally posted on Musings from Brian J. Noggle)