COURSE CONTENT:
Web Basics Internet and Web History, Basic Internet Architecture, Network Protocols, IP Addresses, URLs and DNS, Intranets, Extranets.
Code Quality Assurance Quality Control and Quality Assurance, Unit Testing, Mark-Up Languages, Hypertext Markup Language (HTML), HTML Validation, Images, Fonts, Cascading Style Sheets (CSS), Client-side Scripting, Extensible Markup Language (XML), Document Type Definitions (DTD), XML Namespaces, XML Schema, Displaying XML with CSS, Extensible Stylesheet Language (XSL).
Compatibility Client Hardware, Client Software, Different Browsers, Server Software, Choosing the Test Environment, Market Research, Tiers of Support, Software Combinations, Software Configuration Tools, Installability and Serviceability.
Navigation Links, Static and Dynamic Links, Framesets, Inline Frames, Navigational Aids, Internal Search Engines, Site Maps, Navigational Efficiency, Link Checking Tools.
Risk Based Testing Test Identification, Non-Functional Attributes, Business Impact, Failure Likelihood, Test Prioritisation.
Client-side Functionality Forms, Client-side and Server-side Validation, Dynamic HTML, Scripting, Document Object Model, AJAX, Client-side Pop-ups, Client-side Objects, Java and the Java Virtual Machine.
Server-side Functionality Server-Side Includes, Dynamic Page Generation (ASP, PHP, Python, Ruby, etc.), Common Gateway Interface (CGI), Database Interaction, Database Middleware, Interfacing to Back-Office Systems, Personalisation, RSS.
Sessions Maintaining a Session, Cookies, Shopping Carts, Multi-Page Transactions, State Transition Diagrams.
Usability and Accessibility Importance of User Interface, Workflows, Usability Testing, Colours, Screen Size and Resolution, Readability, Printer Friendly Pages, Help Systems, Usability Guidelines, Performing Usability Tests, Accessibility, Guidelines, Globalisation, International Environment, Legal Considerations.
Web Architecture and Communications Client Internet Access (fixed), Wired Local Area Networks, Ethernet, Wireless Local Area Networks, Client Internet Access (mobile).
Performance Test Specification Performance Degradation, Prerequisites to Performance Testing, the General Process, When to Start Performance Testing, Categories of Performance Tests, Single-Shot/Smoke Testing, Load and Scalability Testing, Stress and Hot Spot Testing, Spike and Bounce Testing, Integrity Testing, Defining and Selecting Test Objectives, Response Time Requirements, Defining the Workload, Think Times, Site Arrival and Abandonment, Usage Patterns, Client Platforms, Client Internet Access Speeds – Fixed and Mobile, ISP Tiers, User Geographic Locations, Background Load.
Preparation Acquiring the Test Scripts and Data, Identifying Data Requirements, Identifying the Sources of Data, Specifying the Test Environment, Selecting the Loads to Run, Sampling Errors, Concurrency, Load Generation Options, Manual Load Testing, Home-grown Load Testing Software, Open Source Tools, Integrated Development Environments, Web-only Load Testing Tools, Hosted Load Testing Services, Enterprise-class Load Testing Solutions, Network Considerations, Load Generator Calibration.
Execution Running the Tests, Specifying the Number of Runs, Measuring the Load, White-Box and Black-Box Measurements, Full-Blown and Focused Testing, Phased Load Testing, Component Level Stress Tests, Infrastructure Load Tests, Architectural Load Tests, End to End Load Tests.
Analysis Statistics Available from Testing Tools, Response Time Graphs, Margins of Error, Diagnosing Performance Problems, Troubleshooting Strategies, Improving Performance.
Scalability Scalability Factors, Scalability Testing Objectives, Server Scalability, Web Server Scalability, Application Server Scalability, Database Server Scalability, Server Farms and Load Balancing, Web Site Mirroring, Web Site Caching.
Reliability and Availability Testing Objectives, Categories Of Tests, Low Resource Testing, Endurance Testing, Volume Testing, Peak Loading, Network Quality Of Service, Web Site Failover Testing, Server Failover Testing, Parallel and Serial Dependencies.
Testing Security How Big is the Problem, Where is the Problem, Security Policies, Building a Policy, BS7799, ITSEC, Common Criteria, Hackers and Crackers, Security Testing Techniques, Manual Inspections & Reviews - Gap Analysis, Threat Modelling - Attack Trees, A Framework for Testing.
Security Architecture IP v4 and v6, Transmission Control Protocol, Three-Way Handshake, IP Spoofing, Secure Sockets Layer, Encryption, Public Key Infrastructure, SSL Sessions, Wireless Encryption.
Firewalls What Firewalls Can and Can’t Do, Packet Filtering, Screening Routers, Proxy Servers, Network Address Translation, Virtual Private Networks, Sacrificial Lamb Configuration, Dual-homed Host, Screened Host Firewall System, Screened Subnet Firewall System.
Information Gathering Mapping Out the Network Topology, Scope of the Testing Effort, IP Address Inventory, Ping Sweeps, Service/Socket Inventory, Port Scanning, Hardening the System Software, Web Application Fingerprinting, Testing for Error Code, Testing for Weak Cipher Levels, Testing SSL Certificate Validity, Application Code, Server Logs, Evaluating Intruder Detection, Intruder Detection Systems.
Authentication Testing Default or Guessable User Accounts, Brute Force, Direct Page Requests, Parameter Modification, Session ID Prediction, File and Directory Privileges, Password Remember and Reset, Social Engineering and Insiders, Logout Testing, Cached Pages.
Session Management Analysis of Session Management, Cookie Reverse Engineering, Cookie Manipulation by Guessing, Cookie Manipulation using Brute Force, Overflow, Exposed Session Tokens.
Data Validation Testing Cross Site Scripting, HTTP Methods and Cross Site Tracing, SQL Injection, Relational Databases, Structured Query Language, Testing for SQL Injection, Testing for Authorisation Bypass Attacks, Testing for SELECT Statement Attacks, Testing for INSERT Statement Attacks, SSI Injection, XPath Injection, Dynamic Code, Buffer Overflows.
Appendices Testing Tools.
JJ07/01