No notes

I had no notes
No music came into my mind. Silence.
It was my turn.

I had no notes.
No melody, no bass line, and even no chords came into my mind.
The people in the room expected me to do something.

I had no notes. After I had looked in my subdirectories: no database scripts. No relevant test charters. Actually I was supposed to test, not to make music. Mind you.

Getting back on track

It was time for my first flashback. A week earlier I had to test the same application. The import function had not been implemented yet. So I used some code from the unit tests.

I told myself to write a short note in the knowledge management system. This hunt for the code should not be repeated every test session.

The first step was to open my IDE or Integrated Development Environment. This tool helps me to program, build, and use version control among other things.

It was simple to find the right repository: it was still in view as I left it.

Another flashback came in. I could not use the code and one of the devops replied that I had not used the latest version.

So after the flashback I did a pull request and got the latest version of the code.

My purpose was to find code to fill the database. I went to the unit test. A unit test has several phases. First I focused on the setup and breakdown. I could easily copy the code to make a table and the code to throw the table away. There were more commands for the breakdown than expected, so I had a small chat with one of the devops.

The second step was to find a way to fill the table. No other database commands could be found in the file. I saw a method to put a record into a table, clicked on it and saw the code of the wanted database stuff.

Then I reformatted the code. Now I could make, fill, and destroy the table at my own convenience.

During the test session I opened a test charter for notetaking.

End of the track

Did I put my steps in the knowledge management system?
Nope.

Last flashback. I promise.
I was talking to a team member. He explained that he never bothered to make notes for these cases. Things changed continuously. His Best Friend was the IDE.

Tweaking My Website Security

WordPress is frequently used for websites and therefore attractive to some unfriendly people. So I reconfigured my WordPress security plugin.
And the mails of failed logins started coming in. It was not me, so someone else wanted to use this web site.

A short history about my tooling

For me web site security is something to review on a regular basis. It all started with an article in a magazine. I put some elementary stuff in place: a limited number of logins and the removal of the login from the web site.

Over the months I added extra stuff like SSL. It encrypts the traffic between the browser and my web site. In other words my user name and password are unreadable for interested bad guys.
Troy Hunt mentioned SSL in his free web course with the haunting name: Hack Yourself First. Cheers mate.
In case you missed it SSL can be obtained for free at Let’s Encrypt.

On a regular basis I updated the software for my web site. I thought I was quite good until I changed the settings.

A short note about security

Some people might complain about the default security settings of their web site. Believe me, things can be improved. If you do not set the WordPress settings right, then the user name is shown instead of your writer’s name on the blog post. Luckily there are plugins. (As a Dutchman I could not ignore the free ones.)

I thought about default security and will try to explain it to you. If I buy a house, it has standard locks. If I want to keep the baddies out, I have to use the keys.
There are no special keys and locks involved. In case I need them I have to change them.
My new house has no vault or armed guards. If I need them, then I have to change something.

Shorten my list of security mails

So I had changed something and security mails came into my mail box. I noticed that there were mails with wrong user names and passwords. Not good.

After a few days I expected them to stop. You know: “Oops wrong web site. Sorry for that.” But the flow of failed login attempts did not stop. So I had to change something. Again.

I remembered a firewall in one of my WordPress plugins, so I had my first taste of a firewall. Dry, not shaken.
I had IP addresses of the sources of attack. Courtesy service of one of my WordPress plugins.
An IP address consists of 4 numbers separated by a dot (.) like the invalid 345.345.345.345.

So I put the most offending IP addresses on the black list.

Three strikes and you are out.

The brute force attacks continued. The following combinations were used:

table with failed login attempts

The user name is in the heading and the password is shown in the first column. More details about this teaser will be added in the appendix.

My action did not change the flow. I used the asterisk: 345.345.345.*. All people coming from IP addresses starting with 345.345.345 got blocked.
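The blocklist logic described above, as an added example that is not code from the original post or from any WordPress plugin: failed logins are counted per source address, "three strikes" marks an address as an offender, and a wildcard entry such as 203.0.113.* blocks a whole range. The notification lines and addresses are constructed (RFC 5737 documentation ranges), and the address check shows why the post's 345.345.345.345 is not a valid IPv4 address.

```python
from collections import Counter
import ipaddress
import re

STRIKES = 3  # three strikes and you are out
LOG_LINE = re.compile(r"failed login from (\S+) user=(\S+)")  # constructed format

def is_valid_ipv4(addr):
    """True only for a well-formed dotted quad (each octet 0-255),
    so '345.345.345.345' from the post is rejected."""
    try:
        ipaddress.IPv4Address(addr)
        return True
    except ValueError:
        return False

def matches_blocklist(addr, blocklist):
    """Exact entries must match the whole address; an entry ending in '.*'
    matches every address with the same leading octets. Octets are compared
    one by one, so '203.0.11.*' does not catch 203.0.113.5."""
    if not is_valid_ipv4(addr):
        return False
    octets = addr.split(".")
    for entry in blocklist:
        parts = entry.split(".")
        if parts[-1] == "*":
            if octets[: len(parts) - 1] == parts[:-1]:
                return True
        elif entry == addr:
            return True
    return False

def parse_failed_logins(lines):
    """Yield (source address, attempted user name) from notification lines."""
    for line in lines:
        m = LOG_LINE.search(line)
        if m and is_valid_ipv4(m.group(1)):
            yield m.group(1), m.group(2)

def offenders(lines, strikes=STRIKES):
    """Addresses with at least `strikes` failed logins, sorted."""
    counts = Counter(ip for ip, _ in parse_failed_logins(lines))
    return sorted(ip for ip, n in counts.items() if n >= strikes)

# Constructed notification lines, modelled on the security mails above.
SAMPLE_MAILS = [
    "failed login from 203.0.113.7 user=admin",
    "failed login from 203.0.113.7 user=admin",
    "failed login from 203.0.113.7 user=test",
    "failed login from 203.0.113.9 user=admin",
    "failed login from 198.51.100.4 user=admin",
]

if __name__ == "__main__":
    blocked = offenders(SAMPLE_MAILS)                      # ['203.0.113.7']
    widened = [ip.rsplit(".", 1)[0] + ".*" for ip in blocked]  # ['203.0.113.*']
    for ip, _ in parse_failed_logins(SAMPLE_MAILS):
        print(ip, "blocked" if matches_blocklist(ip, widened) else "allowed")
```

Widening an address to its `.*` form is the step the post describes; note that it also blocks 203.0.113.9 and every other neighbour in that range.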

Wrong zone. Offsite. Stop the game.

It looked like I had put oil on fire. My normal mails were somewhere between the security mails.

I also noticed that blacklisted IP addresses still passed through. So there were apparently some smart guys picking the lock of the door of my web site. I’ll add some words to this assumption at the end.

It was time for harsh measures. I was so focused on the mails that I skipped my notetaking. In my logs other URLs were mentioned. I clicked on one containing wp-admin and noticed that I saw my login page.
I changed a name somewhere and the security mails did not come in any more. Phew.

Brief briefing about red teaming

My list of WordPress plugins would be quite interesting for the people who really want to block out the intruders. The main reason I do not list them is red teaming. This military term means something like: give my plan to the red team, who will misuse this knowledge to my full disadvantage. Did you notice that “full” sounds like “fool”?

My steps for red teaming of my web site:

  1. Install the web site with all plugins.
  2. Configure the web site and the plugins.
  3. Look at www.cvedetails.com for any bugs.
  4. Misuse the listed CVE or Common Vulnerabilities and Exposures.
  5. Go to the subdirectories and look for strange files.
  6. Look whether those files are accessible from the outside.

This reads like the plot of a bad B movie. But it works.


Had a short glance

The days after the intentional reduction of my mail I had another look at my log files. My login page was requested several thousand times in a month. And I can assure you that I was not blogging that much.

There were other pages or URLs which led to my login page. So a check on the hits on my login page would give me the wrong impression of safety. There are people who do not like to use numbers or metrics. Some numbers can be really useful when pondered upon.

Somehow I had not paid attention. Too much focus on blogging. Obviously.

An article of Santosh Tuppad was quite helpful to increase the security. Thanks mate.

I even noticed that wp-content was open. So any pictures of draft blog posts could be viewed before publication. I even discovered a CSS file of a WordPress security plugin, which I could access without logging in. It was like finding a business card of a security team at the doorstep.

Wait a moment.

Let’s turn this into a multiple choice question.
What is the reaction of thieves on the business card?
A. Let’s skip this house.
B. I know how these guys operate. Piece of cake.
C. Look at the big bird and the shield of armor. That is pretty neat. We need 500 of those cards.

Definitely something for an action movie.

Some tips:

  • Read the reviews of the WordPress plugins.
  • Install WordPress plugins from the official site.
  • Write down, what works.
    Some plugins do not mix. This might be the cause of the strange behaviour of my firewall.
  • Make an offline copy of the website before tweaking.
  • Tweak the website security several times a year.
  • Go to your web site on a regular basis and install the updates.
  • Keep an eye on Social Media.
    Troy and Santosh are great sources.
  • Basically, explore your web site security.

Appendix A bit of data crunching

For my first real life forensic investigation I wanted to use the gathered data. As in Data the Gathering. In order to process my e-mails I used baregrep, vim, Javascript, CSS, HTML.

People had attempted to break in my web site. I expected a concentrated set of failed attempts like
expected heat map

When I looked to the patterns I noticed this:
observed heat map
This is an example of a Blink Test. Lots of info processed in milliseconds and still getting useful info.

Facts:

  • Combinations were entered once.
  • Combinations where user name was the same as the password were frequently used.
  • The same for combinations with user name equal to admin.

Conclusions:

  • There is a high chance that a group tried to break in. There is a moderate chance that there were more groups which used different lists.
  • A popular user name is admin. See the first column.
  • Single words are favourite, followed by words and numbers.
  • Some user names and passwords were linked to my blog.
  • My blog posts are read.

Q & A Bits of performance testing

“Why are you writing this Q & A?”
“Because people have questions, which are unanswered, about ‘Bits of performance testing’.”
“Like?”
“The use of drawings and the performance test itself.”
“So I can send in questions?”
“Sure on this page. Why not?”

“Hey, I am the one who is supposed to ask questions.”

Plan

“You used a lot of pictures. Is this not a waste of time?”
“In my blog post I drew a picture about the customer journey. This led to the conclusion that the Wifi network should be split in a private and public ones. This is not a waste of time.”
“I agree. But there were other pictures, which did not have that big impact.”
“That is right. But the drawing of picture takes minutes. Implementing the wrong performance scripts takes days.”

“You used SFDIPOT instead of another heuristic, FIBLOTS.”
“I am aware that this heuristic exists. I also know that a performance tester made it. And I just forgot it.
The reason I chose to pick SFDIPOT is to use this heuristic in another context. I learn by taking small detours. What if I do it in another way? My main reason was that I wanted to write about performance test in another way.
This kept my spirit high and extended my Circle of Comfort. That is a comfortable thought.”

“Your story about the performance test is sometimes difficult to follow. Why did you write a nonlinear story?”
“Testing is an activity which is unpredictable. I can find bugs on the strangest moments. This can trigger other ideas.
In this blog post I tried to describe what is going on in my head.”
“How can you sell this to your boss?”
“Just ask her or him, whether business cases are also written in a linear way?”

“I miss disk storage That is an important resource to watch.”
“You are right. I missed that one.”
“How do you know that this is a good load profile?”
“Some data have to be gathered. Think about log files and analytic stuff. The challenge is not to confuse frequency with resource usage.”
“Would you please explain that?”
“If 1000 users look at a simple web page, then almost no resources are used. If 1 user asks for all articles in stock, then a lot will happen. The database is being queried and much data is moved over the network. So look for resource usage.”

“So I only have to focus on user actions with heavy resource usage?”
“That is only possible with a very simple web site. Sometimes web sites or programs on the backend do not remove their garbage.”
“What do you mean with garbage?”

“Suppose you have a cinema web site. The purchasing department wants to know what kind of drinks and snacks are ordered in advance. Suppose all the results of the queries are stored. It might be interesting for their department and it should be stored on one of their systems. But not in a module of the web site.

Another thing is to simulate the customer. Use the customer journey. A customer does not only buy cards, snacks and drinks. She or he will also collect them. This leads to click paths, how the user maneuvers through the system: which screens will be visited and which options are used?”

“So if you have a lot of data, what do you do?”
“The challenge is to find patterns. Joe Common is more like this:”
customer journey Joe Common
“Why did you not draw the payment page?”
“It is important. I left it out because of the page size. My plan was to sketch out a rough journey. Just wait a few pics.”

“I suppose you left snacks out for the same reason. Smart.”
“Cheers”

“Why does he go one screen back?”
“That is hard to say. You can make some assumptions or hypotheses: the price was too high. Or the wrong movie was selected. You can always ask some questions to validate the assumptions.”

customer journey no deal

“Hey there is no deal. What’s wrong?”
“Most of the yearly cinema visitors are looking around or scouting. Were there any changes in the web site? Which movies can I see?”

child birthday party
“What is going on here?”
“A children birthday party.”
“That looks like a lot of fun.”

noted bar graph

“What are you showing me?”
“This is the number of screens and locations which were visited, and their corresponding numbers.”
“The bars in the graph are getting lower. Is this not frustrating for marketing?”
“Actually this is normal. This is a sales funnel.”

extended sales funnel

“It is like commercials: not everyone buys what they see on the television. They do not buy everything they see in the shop. You actually want people to do things which bring profit. The Call To Action or CTA for this web site is buy tickets, drinks, and snacks.”

“Okay Mr. Monologue. I’ve got a few questions.
How did you make that funnel?”
“Like this.”

bar graph to funnel

“Why do you call this an extended sales funnel? Your CTA is buying tickets, drinks and snacks.”
“But there are two moments to buy drinks and snacks: in advance and on location.”

extended sales funnels with CTAs

“If I had put the CTA in the first funnel picture, it would be cut off right under. By delaying this action I got a better view on the situation.

The second CTA is successful, if the first CTA is good. John Common is not willing to buy extra drinks and snacks after a slow performance of the web site.”

“Are you writing that models can confuse people?”
“Yes, they do. Let me give another example.”
“Be my writer.”
“If you go twice to a cinema, you go twice through the sales funnel.”

two funnels in a row
“So you should take repeat customers into account.

For some businesses good customer contact is vital. In ‘Delivering Happiness: A Path to Profits, Passion, and Purpose’ it is called creating a moment of Wow.”

“And if things go wrong?”
“Just watch social media. Several companies have web care teams who actively look on the internet and engage with grumpy customers.”

“I would be interested in the numbers. So how would it look like?”

draft breakdown numbers

“Wait. This concept looks better than the draft one.”

concept break down numbers

“Are these estimated numbers for all visitors?”
“That is a good question. It is only for the website visitors who also ordered drinks or snacks in advance. So I have to add another set of numbers for the website visitors who did not order drinks or snacks in advance, and the visitors who pass the web site.”

“What is no showup?”
“That is a situation, when a customer does not get, what she or he paid for. He or she is ill. She or he found another group of friends and skipped the cinema.”

“This is strange: there are people who go to the shop without the ticket.”
“This is a common group mistake. A group of people at the cinema asking each other: “Who bought the tickets?””

“Why did you show the draft version?”
“I do not jump to solutions. I want to share my way of thinking. My thoughts and my pictures.”

“But those reversed trees with numbers are not a good starting point for scripting, I assume.”

“You are completely right. All that number crunching can take the attention away. If we have 3525 visitors coming in, then this must be translated in scripts somehow. We have to look at the chances.”
“But this is a cinema web site. It is not a casino.”

“Just have a look.”

click paths

“What does 70 % at Movie mean?”
“This means that there is a chance of 70 % that a visitor goes from the Select Movie Window to Select Ticket Movie. You can call them parts of click paths.”

“You are basically stating that the software has to roll a dice to determine the next step.”
“Yes. There is no single ideal path through the system. I already showed pictures of customer journeys.”
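The dice-rolling click-path model from the answer above, as an added example that is not part of the original post: each screen has a list of possible next screens with probabilities, and one random roll per step picks the next one. Only the 70 % step from Select Movie to Select Ticket comes from the post; the other screens and probabilities are constructed.

```python
import random
from collections import Counter

# Constructed transition table: screen -> [(next screen, probability), ...].
# A screen that is not a key is terminal: the visitor leaves there.
TRANSITIONS = {
    "Home": [("Select Movie", 0.9), ("Leave", 0.1)],
    "Select Movie": [("Select Ticket", 0.7), ("Home", 0.1), ("Leave", 0.2)],
    "Select Ticket": [("Snacks", 0.5), ("Payment", 0.4), ("Select Movie", 0.1)],
    "Snacks": [("Payment", 0.8), ("Leave", 0.2)],
    "Payment": [("Confirmation", 0.95), ("Leave", 0.05)],
}

def check_table(table):
    """Every screen's probabilities must add up to 1, or the dice is loaded."""
    for screen, options in table.items():
        total = sum(p for _, p in options)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"{screen}: probabilities sum to {total}, not 1")

def next_screen(rng, options):
    """Roll once in [0, 1) and walk the cumulative probabilities."""
    roll = rng.random()
    cumulative = 0.0
    for screen, p in options:
        cumulative += p
        if roll < cumulative:
            return screen
    return options[-1][0]  # guard against floating-point rounding at 1.0

def simulate_path(rng, table=TRANSITIONS, start="Home", max_steps=50):
    """One visitor's click path, from start until a terminal screen."""
    path = [start]
    while path[-1] in table and len(path) < max_steps:
        path.append(next_screen(rng, table[path[-1]]))
    return path

def one_path(seed=5):
    return simulate_path(random.Random(seed))

def simulate_load(n_visitors, seed=1, table=TRANSITIONS):
    """Screen hit counts for n visitors plus the observed fraction of
    Select Movie -> Select Ticket transitions (should approach 0.7)."""
    check_table(table)
    rng = random.Random(seed)  # fixed seed keeps the load profile reproducible
    hits, movie, ticket = Counter(), 0, 0
    for _ in range(n_visitors):
        path = simulate_path(rng, table)
        hits.update(path)
        for here, there in zip(path, path[1:]):
            if here == "Select Movie":
                movie += 1
                ticket += there == "Select Ticket"
    return hits, (ticket / movie if movie else 0.0)

if __name__ == "__main__":
    counts, fraction = simulate_load(3000)
    for screen, n in counts.most_common():
        print(f"{screen:15s} {n:6d}")   # the sales funnel, in numbers
    print(f"Movie -> Ticket observed: {fraction:.2f}")
```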

“Wait a sec.”
“Waiting.”
“The web site can easily be tested using a standard performance test, but a shop with real people is difficult. Do we need to test them? ”
“What is the system under test?”
“The web site and the shop.”
“Can you explain it to me?”
“The software supporting the web site and the shop are connected.”

“What does hold you back?”
“How can you test it?”
“I have not much experience with this particular situation. My suggestions would be: make a special interface for the shop just for performance test, mock the users in the shop, or use actual human beings. The latter option I call hybrid testing.”

“Do you have experience with hybrid testing?”
“Yes, I have. For a web site we had to do a performance test. The visitors were simulated by the software. The web masters were real people including your interviewee. The actions of the web masters were too complicated to script, so we did testing manually. For more info there is a Dutch presentation, A performance test with a tail.”

“What is a good way to determine whether the performance is good enough?”
“A lot of people want a fixed number like a certain response time. Like the application will respond within 6 seconds. I’ve got an example.
In a performance test a percentile is used: at least 90 % of the users have a response time of 6 seconds or less, if they do a specific action. This reduces discussions like:
“40 % has a response time of 5.3 seconds. That is quite good.”
“The 50th percentile has a response time of 6 seconds and the limit is the 80th percentile.”

Another thing to consider is to determine the worst realistic conditions for the system under test.”
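A percentile criterion of the kind described in the answer above, as an added example that is not part of the original post: the nearest-rank percentile of a set of response times is compared with the limit, so the verdict is a plain yes or no rather than a discussion about averages. The response times are constructed.

```python
import math
from statistics import mean

def percentile(values, p):
    """Nearest-rank percentile: the smallest sample such that at least
    p % of all samples are less than or equal to it."""
    if not values or not 0 < p <= 100:
        raise ValueError("need samples and 0 < p <= 100")
    ordered = sorted(values)
    rank = math.ceil(p / 100 * len(ordered))  # 1-based rank
    return ordered[rank - 1]

def fraction_within(values, limit):
    """Share of samples that finished within the limit."""
    return sum(v <= limit for v in values) / len(values)

def meets_criterion(values, p=90, limit=6.0):
    """True when the p-th percentile is within the limit, i.e. at least
    p % of the users get a response in `limit` seconds or less."""
    return percentile(values, p) <= limit

# Constructed response times in seconds for one user action.
# The mean passes a 6 s limit; the 90th percentile does not.
RESPONSE_TIMES = [1.0, 2.0, 2.0, 3.0, 3.0, 4.0, 5.0, 6.0, 8.0, 12.0]

if __name__ == "__main__":
    print(f"mean           : {mean(RESPONSE_TIMES):.1f} s")
    print(f"50th percentile: {percentile(RESPONSE_TIMES, 50):.1f} s")
    print(f"90th percentile: {percentile(RESPONSE_TIMES, 90):.1f} s")
    print(f"within 6 s     : {fraction_within(RESPONSE_TIMES, 6.0):.0%}")
    print("90 % within 6 s:", meets_criterion(RESPONSE_TIMES))
```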

Preparation

“Can automated tests be used with performance tests?”
“I assume you are talking about automated functional tests.”
“Yes.”
“I once got this request and it does not solve the problem. Is your manager writing a business case, a roadmap, and items for the back log for the same release at the same moment? I guess not. Every artefact has his own purpose.
But I wrote a blog post about the combination of automated tests and performance test.”

“When can the scripting start?”
“It is good to have a testable version before the final one.”
“But performance issues might still be in there. Also the interface can still change.”
“Change is always a companion of a tester. What I mean is that a tester should focus on things which will not change on long term. The technical basic components will probably not change. Test data is always needed. Data about the usage of the system is quite stable. Etc. ”

“There are always discussions about the test environment:
“We just put a part of the database in the test environment.””
“Yes, a copy of the production environment is very expensive.
And yes, a performance test on a reduced environment can give a false impression.
I have a blog post about a huge test environment: Do you really need it?”

Execution or performance

“What would you advise during a performance test?”
“Have a hot line. If things go out of control, make sure everyone knows who to call or mail. Or your favourite communication style.”

Report

“So what should a test report contain?”
“In the report it should be described whether the performance criteria have been met. Percentile graphs are really cool. It is all about a special point in the graph:”

special point

“I would like to see some real life graphs.”
“Sure, be my guest. They are on slides 14 and 15 of the presentation, A performance test with a tail.”

“What about the resources?”
“That is a good question. This should be covered. A nice pic would be great, but that is something for another time.”

“Thanks for answering.”
“Thanks for questioning. And thanks for reading.”
