Thursday, February 09, 2017

Webinar Slides and Recording - Security Testing: The Missing Link in Information Security

Thanks to everyone who participated in today's webinar. I really enjoyed the time together, even if I did experience a complete system failure and restart in the latter part of the webinar. Just to let you know how the rest of today went, I was checking out this evening at Wal-mart (not self-checkout) and after I scanned my debit card, the pin pad displayed a message, "System shutdown in progress". I don't know what it is about me, but I swear, systems fail in my presence. It has been that way for over 20 years now! Oh, the joys of being a tester!

OK, here we go...

Here is the recording link. I have edited the video so that all slides are shown and discussed.

Here is a PDF with the slides in 2-up format.

Here is a PDF with the slides in full color format.

I hope you find the information helpful. Feel free to share it. I hope it can help you build the awareness of the need for security testing in your organization.

Thanks!

Randy

Monday, January 30, 2017

ISTQB Advanced Security Tester Certification Training - March 7 - 10, Irving, TX

I am excited to announce the first public course in the USA (and perhaps the world) for the ISTQB Advanced Security Tester Certification. This course will be held March 7 - 10, 2017 in Irving, Texas.

With cyber attacks occurring daily, most businesses and government agencies are under constant cyber attack. Unfortunately, many organizations are not doing enough to defend their physical and digital assets. Even more concerning is that while some organizations have firewalls, intrusion detection systems and other defenses, few of those organizations regularly test their defenses to determine their effectiveness.

In this course, you will learn a complete framework for testing security, regardless of the technology involved. This course and certification covers much more than just penetration testing. Certainly, penetration testing is an important part of security testing, but there are many other threats and vulnerabilities that require other security testing approaches.

Who Should Attend?

This course is for:
  • Software testers that hold the ISTQB Certified Tester, Foundation Level (CTFL) and want to expand their knowledge of security testing, 
  • Security testers who hold the CTFL and wish to obtain an advanced certification to solidify their knowledge, 
  • Security administrators who want to learn more about how to test the security defenses in their organization, and 
  • Anyone who wants to learn more about security testing but does not necessarily want to take the CTAL-SEC exam.

What You Need to Know:

1. This course follows the ISTQB Advanced Security Tester Syllabus and is written and presented by Randall W. Rice, chair of the ISTQB Advanced Security Tester Syllabus Working Group and holder of the CTAL-SEC, as well as all three ISTQB Core Advanced Certifications.

2. Anyone may attend this training, but to sit for the ISTQB Advanced Security Tester exam, you must hold the ISTQB Certified Tester, Foundation Level (CTFL) designation (or equivalent) and have 3+ years of software testing and related experience. Basic security and security testing concepts are assumed knowledge.

3. The course is four full days in length. No exam will be administered during the class, but attendees that meet pre-requisites will receive a voucher to take the exam at a Kryterion Exam Center. http://www.kryteriononline.com/Locate-Test-Center

4. This is an intense, advanced level course with 28 exercises that cover all K3 and K4 learning objectives.

5. The venue is the Holiday Inn Express in Irving, Texas. The hotel is very close to the DFW airport for those who plan to travel to the course. The address is 4235 W. Airport Freeway, Irving, TX 75062. It is your responsibility to book your own hotel room.

6. Light breakfast and lunches are included.

7. A remote attendee option is available.

8. The cost is $2,795 (exam included) for in-person attendees and $2,295 for remote attendees. There is a 10% discount for groups of 3 or more people.

9. The course program and details can be seen here: http://www.riceconsulting.com/home/index.php/ISTQB-Training-for-Software-Tester-Certification/istqb-advanced-security-tester-course.html

10. To register, please visit https://www.mysoftwaretesting.com/ISTQB_Adv_Security_Tester_Certification_Course_p/secdfw.htm

If you have any questions, please contact me at 405-691-8075 or from the contact form at http://www.riceconsulting.com.

I hope to see you at this event!

Thanks,

Randy

Tuesday, December 06, 2016

Ten Ways to Build Your Software Testing Skills

As a software testing and QA consultant over the past 27 years, I have worked with hundreds of organizations and tens of thousands of testers. Over that time, I have observed two types of people – those that see software testing as a job and those that see software testing as a career.

Those that see testing as a career typically advance in their jobs and have a higher level of self-esteem. Those that see testing only as a job often get bored and complain about the lack of opportunities. The “job only” perspective also indicates that someone is only in the testing role for a limited time. Therefore, there is little incentive to invest in personal improvement.

Of course, not everyone is cut out for software testing. The role can be frustrating at times, especially when the tester is blamed for the defects they report. I jokingly say that software testing conferences are like mass group therapy for software testers and test managers. It is interesting to see the realization of people when they see that they are not the only ones with unrealistic project managers, difficult end-users, technologies that are difficult to test, and oh, that automation stuff looks so easy but it can be so difficult to implement.

I know that I am around professional testers when vigorous (not vicious) debate breaks out over seemingly minor differences in test philosophies, approaches and techniques. It shows that people have thought a lot about the ideas they are defending or opposing.

If you see software testing as a profession instead of a job, then it’s up to you to grow. The greatest mistake you can make is to stop learning and growing. For those that see software testing and QA (yes, there is a difference) as a professional career choice, here are some ways to grow your career.

1. Set growth goals for the coming year. These don’t have to be huge goals, but without these goals it’s easy to lose focus. Goals also paint the target. You know when you have hit them. Here are some examples:

  • Learn how to apply a test technique that is unfamiliar to you
  • Develop a specialty area of security testing
  • Learn how to use a particular test tool
  • Read three books about testing or some related (or even unrelated) topic
  • Obtain a certification in testing or a related field
  • Speak at a conference
  • Write an article

2. Read one or more books on software testing or related topics. It is amazing to me how few people read books that relate to the testing and software development professions. You have more choices than ever before with hundreds of testing books on the market. Perhaps the greater challenge is to find the books that are worthy of your time. By the way, some of the best books are also the oldest books that are available for $5 - $10 from online used booksellers such as www.abebooks.com. Two of my top recommendations are “The Art of Software Testing, 1st Ed.” by Glenford Myers and “Software Testing Techniques, 2nd Ed.” by Boris Beizer. These are foundational books in software testing, written over 30 years ago. However, don’t dismiss them due to age. These books are good for any tester to read. The Beizer book has a technical focus that would serve any tester well in today’s world of testing.

3. Take a training course that aligns with your goals. Even an online course is an easy reach in terms of time and cost. It is amazing what a little training can do. While good training typically will cost money, there are free and inexpensive online courses available. I have over twenty-three e-Learning courses at www.mysoftwaretesting.com.

4. Create content. If you really want to learn and grow, then develop a small course, write a major article or start a blog. This not only stretches your abilities, but provides exposure as well. I never thought back in 1989 when I wrote my first testing course (unit testing) that one day I would be able to say I’ve personally written over 70 courses! I never thought I would write two books (and working on five others). And… I’m not saying that is where you will arrive. But the thing I can say is that I learn ten times more creating a class than attending a class. As the saying goes, “The best way to learn is to teach.”

5. Find a coach or mentor. Then, meet with them often enough to glean their wisdom. I know it’s hard sometimes to find the right person to mentor you, but they are out there. Look for people with lots of experience in what you want to do. Ask questions and listen. The trick on this one is that you must take the initiative to seek out the mentoring relationship.

6. Coach or mentor someone yourself. This is where you get to repay your coach or mentor. You learn by listening to the person you are mentoring. I have mentored many people and I learn by dealing with the tough questions they bring me. Admittedly, some people are difficult and are not worthy of your time. However, I have found it to be rare that a mentoring relationship has not been beneficial, both to me, and the person I am mentoring.

7. Test something totally different than you have ever tested before. Yes, this is on your own time and at your own effort, but you can learn a lot and come away with a new marketable skill. Interested in mobile testing? Find a mobile app you find interesting and challenging and test it. A way to make this profitable is to become a crowd tester. I can recommend www.mycrowd.com as a place to learn more about getting started as a crowdtester.

8. Read or watch something totally unrelated to software testing and find lessons in it for testing. Once you start looking for analogies of testing, they are everywhere. One of my favorite TV shows for testing lessons is Mythbusters, but I have also learned from Kitchen Nightmares, Hotel Impossible, Undercover Boss and many others. Novels such as Jurassic Park have some great testing lessons in them. Take notes, then write about what you learn.

9. Speak at a conference. The trends are in your favor. Smaller conferences are becoming more popular, as is finding speakers who are not well-known names in the field. Get a great topic, a case study and develop it into a conference presentation. No takers on your idea? Fine. Create a YouTube video and you will have more views in a few weeks than you would have at a physical conference! The skill you develop in speaking is that of oral communication - a skill that can really propel your success in any field.

10. Contribute to forum discussions. I’m not talking about short, one-sentence responses, but respectful, well-reasoned responses to people’s questions and/or opinions. LinkedIn groups are a great place to start. The growth comes in the articulation and sharing of your feedback and ideas. Especially on LinkedIn, group contributors gain a stronger profile and presence.

You will notice that most of the items I list are active in nature. You grow by doing.

Consider the idea that each of the above actions might have a 5% or more increase in your value to your team, your career or to your company. The combined effect of doing all of these would be phenomenal. The combined effect is not an addition function, but a multiplier function. Doing all ten items would not be a 50% value addition, but more like a 200% or more addition of value to your career and to your role in your company. I can attest to this in my own career.

This is important because in today’s marketplace, you are paid for the value you bring to a project. Low-value activities are often the first to go when companies decide to cut back. The same holds true for people. The people that are more likely to be retained are those that add value to a project and to a company.

It’s better to build skills today for tomorrow than to realize one day you need skills that will take time to acquire and build.

Friday, November 04, 2016

Online Study Group Forming for the ISTQB Advanced Security Tester Certification

I am forming an online virtual study group for people who wish to prepare for and take the new ISTQB Advanced Security Tester Certification. The exam has been in place since March of 2016, but the missing piece has been training courses.

I am working hard to finish my course in both live and e-learning formats. My plan is to have a beta version of the e-Learning course available in mid-November. This beta version will not be accredited because that process takes several weeks. However, the official release version will be accredited.

I know there are people that would like to start studying for this certification now. For that reason, I am forming this online virtual study group that also includes access to the e-Learning content as it is completed.

The cost of the exam ($200) is not included in the price of the course.


Also, please note there are two pre-requisites to sit for the exam:

1. You must hold the CTFL or equivalent
2. You must have 3 or more years of experience in software testing or a related field.

Security testing experience is not required.

Here’s How it Works:

We will meet weekly for one hour in a web meeting format. I will lead the meeting, but the purpose is to answer your questions and provide additional insights to the topics. We will cover sample exam questions. The exact day and time of the meetings may vary, but my plan is to hold the meetings on Wednesday around noon, Central time. There may be times when I either must reschedule or have a fill-in facilitator.

There are 11 sessions, including the kick-off session. Tentative start date is Thursday, Nov. 17th, with a goal end date of January 25th. That may sound like a long time, but with e-Learning courses, most people take several months to complete the advanced courses.

If you can’t attend a meeting, that’s fine. We will record each meeting so you will be able to watch and listen later if you like. You can also send me your questions and feedback by e-mail and I will be happy to respond. You also have phone access to me to ask questions.

If you join after the official start date, that’s fine too. Each chapter of the syllabus stands on its own. While it is optimal to start at Chapter 1, you can either catch up with the recorded modules, or “wrap around” in the next study group (provided there is enough interest in a second group).

You will have access to all the e-Learning content I have produced to date. This includes narrated slide shows, course notes, exercises and solutions, as well as the ISTQB sample exam questions.

As I continue to add new content, you will have first access to it. However, I expect that all the content will be in place by the second week of the study group.

Each week, we will focus on a chapter in the syllabus. In two chapters, there will be two weeks each, due to the amount of materials. The time required to view the pre-recorded lessons will be about 2 hours per week. The exercises will require another 1.5 to 2 hours.

You will have access to other attendees to get their thoughts as well. The group and course are housed in my e-Learning Management System with forums so you can freely post ideas and questions.

You will get personal attention and mentoring from me. I expect this group will be 12 – 15 people or fewer in size.

After the group ends, you still have access to the e-Learning course. This is helpful for review before you sit for the exam.

You have direct access to the person who chaired the development of the syllabus. I can provide context and input that is not in the syllabus or the course. And I can answer your “why” questions.

At any time you feel the group is too much for you to handle time-wise, you always have the option to continue on your own through the e-Learning modules. You still have access to me to ask any questions. In fact, you can still attend the weekly sessions. However, without doing the weekly preparation, you may feel a little disconnected.

Financial Details

The price for the full 11-week study group is $795. The cost of the exam ($200) is not included in the price of the study group.

Payment is in advance and can be made by major credit cards (Visa, MasterCard, Amex and Discover). We also accept PayPal and company checks.

How to Get Started

You can register and pay at https://www.mysoftwaretesting.com/ISTQB_Advanced_Security_Tester_Study_Group_p/advsecgrp.htm

Access instructions will be sent in advance of the first session.

Questions?

Just contact me here

Tentative Schedule and Topics


1. Thursday, Nov. 17, 12:00 p.m. - 1:00 CST - Kick-off
2. Wednesday, Nov. 23, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 1 (Basis of Security Testing)
3. Thursday, Dec 1, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 2 (Security Testing Purposes, Goals and Strategies)
4. Thursday, Dec 8, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 3 (Security Testing Processes)
5. Thursday, Dec 15, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 4 (Security Testing Through the Lifecycle, Part 1)
6. Thursday, Dec 22, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 4 (Security Testing Through the Lifecycle, Part 2)
7. Thursday, Dec 29, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 5 (Testing Security Mechanisms, Part 1)
8. Wednesday, Jan 4, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 5 (Testing Security Mechanisms, Part 2)
9. Thursday, Jan 12, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 6 (Human Factors in Security Testing)
10. Thursday, Jan 19, 12:00 p.m. - 1:00 CST - Review and Discussion of Modules 7 and 8 (Security Test Reporting, Security Test Tools)
11. Thursday, Dec 26, 12:00 p.m. - 1:00 CST - Review and Discussion of Module 9 (Standards and Industry Trends), Summary and Final Exam Tips

Thursday, November 03, 2016

ISTQB Advanced Security Tester Course Coming Soon!

A question I am asked often by people interested in the new ISTQB Advanced Security Tester certification is "When will courses be ready?"

I am excited to announce my course will be available soon in beta format - both live in-house and e-learning formats. I do not have an exact date at this time for the beta release, but I am looking at mid-November.

Since this is a beta version, the course will not be accredited initially. The plans are to have accreditation by the end of 2016. However, as chair of the ISTQB Advanced Security Tester Syllabus working party, I think I have a pretty good grip on the material.

The live course is 4 days in length and is a 50/50 mix of presentation and exercises. The e-learning course has the same content and exercises as the live course.

Here is the link to the course description: http://www.riceconsulting.com/home/index.php/Security-Testing/istqb-advanced-security-tester-course.html

If you are interested in the course or have any questions, either as an individual or as a company, please contact me through the contact form on my website: http://www.riceconsulting.com/home/index.php/component/com_formmaker/Itemid,453/id,1/view,formmaker/

I am taking course bookings for December and forward into 2017. I expect this to be a popular course, so act early to get your spot on my calendar. I will be the main instructor for the course.

Thursday, September 01, 2016

Happy Labor Day and The Software Quality Perspective

I hope you are having a great week. Me? I'm looking forward to a weekend Labor Day holiday with family and friends. To kick it off, I'm getting a cavity filled tomorrow!

For those of us in the USA, the Labor Day holiday is to commemorate the contributions of working people and labor unions. Since I have worked in IT most of my working years, I have never belonged to a union, so I'll just speak briefly here to the work ethic in software quality. However, I think much of this could apply to other fields as well.

Like you, perhaps, I have been on projects that required extreme effort and commitment to complete. Even then, some of the projects failed.

Over my 25+ years in software testing consulting, I have heard people complain about how difficult some tasks can become. My reply is something along the lines of, "Yes, that's why we call it work."

I have also worked for managers that were totally clueless when it came to how to treat people. These managers expected 100% availability, no allowance for sickness or family emergencies, provided no training or encouragement to the team, and generally created a work environment that was de-motivating in nature. That is the dark side of work, in my opinion.

If I had to capsulize what a person should bring to a project, they would include:
  • Motivation - Passion for the job
  • Skills - Knowing how to do the job, and continuously learning new skills
  • Creativity - Being able to do things differently and better
  • Problem solving - So that the team lead doesn't have to do everything
  • Integrity - Doing the right thing when no one is looking
  • Caring - For the quality of work performed, and for the welfare of others
  • Vision - To see the big picture of what they are doing
  • Calling - To know why they are doing what they are doing
  • Respect - For others, for other people's ideas, for leaders

You might have other things that would fit well on the list. By the way, my two favorite books on this topic are "Peopleware" by DeMarco and Lister, and "The Mythical Man-Month" by Fred Brooks.

So, relax this weekend and enjoy the fruit of your labor. Ironically, some people will not be able to do that. They will be working. This normally includes law enforcement, military, medical professionals, broadcasters, and people working tech support, food service and retail. I salute those fine people and wish them safety in what they do.

Thursday, August 11, 2016

Recording and Slides From Today's Webinar on Decision Tables

Thanks to everyone that attended today's webinar on decision tables. For those that could not get in due to capacity limits, I apologize.

However, here are the slides:
http://www.riceconsulting.com/public_pdf/Webinar_Decision_Tables.pdf

And here is the recording:
https://youtu.be/z5RlCBKxfF4

I am happy to answer any questions by e-mail, phone or Skype. If you want to arrange a session, my contact info is on the final slide.

Thanks again,

Randy