Thursday 13 February 2014

Made in Japan: Homomorphic encryption biometrics style!

For the last few weeks I have been blogging, writing articles and social networking about homomorphic encryption.
It all started when I read the news that Fujitsu Labs Ltd. wants to implement a DNA read and processing technology using homomorphic encryption, where encrypted genetic data can be read without decrypting it.
Great news for a software tester with a bioinformatics background and privacy at heart!

Fujitsu Labs claims it can ensure privacy by encrypting the query, the data and the search results, so a possible third party (read: pharmaceutical company etc.) can't see to which person the DNA data belongs.
But homomorphic encryption is a slow process, so how does Fujitsu cope with this?
They have two solutions:
The first is that the searches run in batch mode (16K per second) and the second is that the search already starts while the data is being encrypted.
Cool stuff, but questions still pop up in my mind: is the encryption undecryptable for hackers, is the performance really 16K strings per second (performance tes(t!)), are the search results correct and can the data be tampered with, for instance via Man in the Middle attacks?
Questions I would like to see answered, and I'll wait until more news emerges.
Implementation is set for 2015. Let's see what happens and how the competition will deal with this.

Feedback is very welcome by responding to this blog, through Tweeting to @TestingSaaS or through the TestingSaaS Facebook-page.

Tuesday 4 February 2014

2014, year of encryption?



According to Unisys, 2014 will be the year of encryption.
Quite logical, regarding the protection of personal data needed after all those hacks of the past years. Encrypting this data is not a bad option, but it has its drawbacks.
How can I search in encrypted data?
Isn't decrypting the data necessary then? But that costs computing power and time, diminishing the search efficiency. Is there a solution?
A possibility is homomorphic encryption, an encryption problem being tackled at different universities and companies like MIT, IBM, Fujitsu and Microsoft. What is it then? In cryptography, encryption is the process of encoding messages (or information) in such a way that only authorized parties can read them. With homomorphic encryption, encrypted data can be processed without decrypting it first. This makes it ideal for cloud applications, enabling vendors to process encrypted personal data without decryption, ensuring the privacy of the data owner. This would be great in the financial and medical sector. One disadvantage: homomorphic encryption is a slow process. Fully homomorphic encryption is still practically impossible, but partially homomorphic schemes are possible.
Which ones, is the subject of the next blogposts. This tester's adventure in encryption continues!
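As an added example (not from the original post), here is one such partially homomorphic scheme, Paillier, in Python: it is additively homomorphic, so a server holding only the public key can sum encrypted values, for instance counting how many encrypted records carry a variant, without decrypting any of them. The primes and sample values are constructed toy parameters.

```python
import math
import secrets

# Paillier: an additively homomorphic public-key scheme. Anyone holding only the
# public key can add ciphertexts (and scale them by a known constant) without
# ever seeing the plaintexts. Toy key size for readability; not secure as-is.

def keygen(p=10007, q=10009):
    # Constructed small primes; real keys use primes of 1024 bits or more.
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael's lambda(n)
    g = n + 1                      # the usual simple generator choice
    mu = pow(lam, -1, n)           # with g = n + 1, mu is just lam^-1 mod n
    return (n, g), (lam, mu)

def encrypt(pub, m):
    n, g = pub
    r = secrets.randbelow(n - 1) + 1   # fresh blinding factor, 1 <= r < n
    return (pow(g, m, n * n) * pow(r, n, n * n)) % (n * n)

def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    l = (pow(c, lam, n * n) - 1) // n   # L(x) = (x - 1) / n
    return (l * mu) % n

def add_encrypted(pub, c1, c2):
    # Multiplying ciphertexts adds plaintexts: E(m1) * E(m2) = E(m1 + m2).
    n, _ = pub
    return (c1 * c2) % (n * n)

def scale_encrypted(pub, c, k):
    # Raising a ciphertext to a known constant scales the plaintext: E(m)^k = E(k * m).
    n, _ = pub
    return pow(c, k, n * n)

def encrypted_sum(pub, ciphertexts):
    # Server side: total of encrypted values (e.g. 0/1 "carries variant" flags
    # from many records) computed with the public key only.
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total
```

Only the key holder can turn the returned total back into a number; the server that computed it learns nothing about the individual flags.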


PS:
This blogpost is also posted in the Dutch online magazine for IT professionals Computable:

Versleutelde data-verwerking in de cloud


Tuesday 7 January 2014

New year, new software testing adventures



It’s 2014, a new year!
What is it going to be?
Well, its predecessor, 2013, was awesome.
A new job at Eyefreight, a new journal to write for (eForensics Magazine) and expanding the TestingSaaS network through a conference in Denmark (thank you Targit and Dr. Morten). Not to mention the personal things that happened, which deeply broadened my life.
Strangely enough, this was all NOT planned; I just went with the flow.
And that's exactly what I am going to continue doing in the coming year.

Believing the expectations of different visionaries, it will be the year of the Internet of Things, mobile, big data, privacy and consumerization.
Regarding my blogs, tweets and articles this could be a continuation of 2013, but 2013 also gave me inspiration for testing computer forensics applications, which could be combined very well with big data and privacy. This will certainly continue in 2014.
Next to this, I should also make some time for helping the UMA-WG with their interoperability tests, maybe even with some implementors?
By the way, these possible future efforts will be done in my free time.
My daily job will still be software testing at Eyefreight, where every day is a new fun(!) day with lots of challenges ranging from testing new applications, reviewing new documentation (it is promised) or devising new test strategies for regression (test automation), load and security testing. And maybe some international adventures, you never know.

Who dares wins!
Thursday 3 October 2013

Roaring with the Vikings


I plan to go on an adventure combined with an IT conference every year.
In 2010 I went to Belgium for EEMA and to Colorado for the Cloud Identity Summit.
2011 was the time for the Internet Identity Workshop in San Francisco and Silicon Valley.
2012 was a year without conferences, but my trip to the Panama Canal got me interested in logistics.
And voila, where do I work in 2013: Eyefreight, a kick-ass transport management software company with big multinational customers.
But that does not mean 2013 is only logistics for me.
Nope, this year Big Data caught my attention. And when looking for other enthusiasts I got in contact with a Danish daredevil named Morten Middelfart.
He is CTO of Targit, also a kick-ass company, specialized in business intelligence solutions.

And when I heard they were giving a conference in Copenhagen in September I knew it was time again to pack my bags: four days Copenhagen, three days sightseeing and one day conference, mixing business with pleasure, Viking style!

And it did not disappoint me: Copenhagen is a vibrant capital, with great history and amazing buildings.
The conference was a combination of showing the new Targit product, the Targit 2013 Decision Suite, and the new trends in IT like big data and analytics.
In the morning it started with some great keynotes (guarded by Lenny the Lion) and in the afternoon it was time for the parallel sessions, where visitors could listen to speakers of their interest.
Oh, and did I tell you the King of KPIs, David Parmenter, was invited as a keynote speaker?
By demystifying KPIs he taught me valuable lessons in business performance, and all in just a few hours. Well, his books and recommendations are now on my wishlist and I am eager to see if I can use them in my daily work.
The other parallel presentations taught me a lot about social analytics, airport logistics and the Targit products. Valuable insights!

Then a few hours off (except for a lucky lady who went for a skydive with Morten).
At seven o'clock it was time for drinks and a good dinner buffet, where the King of KPIs entertained us with a story about Shackleton, who did not succeed in reaching his goal but still taught us an important leadership lesson.
The evening ended with Katy Perry 'roaring' her latest song, a recording of the skydive and a breathtaking show by the Copenhagen Drummers.

And then, when I thought it was all over, my friend Morten came to me and said he had to do something he had promised me some time ago: drinking a beer together.
So, it was a good day. Dr. Morten and I met new friends, and new opportunities are on the horizon.
Thanks for giving me the opportunity to roar with the Vikings: AWESOME!!!
Saturday 25 May 2013

When exploring the cloud brings you to a new employer

In the beginning of 2013 it became clear to me that I needed a change.
For almost five years I was in the contract business, doing challenging projects for my employer.
But something nagged.
I noticed most projects were in finance and I knew there was more to test, especially in the cloud.
And I wanted to work for a company that was developing for interesting clients in the cloud.
So, I started to go walkabout.
My goal was to find a suitable project in 3 months or less.
Man, if only I had known what I was getting myself into.
In 3 months' time I saw more companies and organisations than in all of my testing career.
Names I won't tell, but let me say this: every big player in finance, e-commerce, navigation, government, insurance etc. got a call or letter from me.
A lot of telephone calls, emails and invites followed.
At the end of April I struck gold, and in an area which was known to me, but which I never imagined I would start working in, in the cloud: a company in transport management software (see my personal details for more :) ).
Well, and it's completely out of my comfort zone, finance.
I need all my knowledge of software testing, test automation, ERP, cloud and review techniques.
And not for only 1 client like I had in my previous projects. Nope, for more than 5, and still counting. I love it.
It's gonna be a hot summer with new stuff to see and learn.
New areas to spread the software testing word, all in the name of quality.

Stay tuned for updates, they certainly will come...

Tuesday 26 February 2013

Transparency at a SaaS company



For me, transparency is one of the most important characteristics a SaaS company or other cloud company (IaaS, PaaS) must have to survive in the current world.
A customer relies 24/7 on the SaaS solution, and when something goes wrong (server down, security breach etc.) the customer should be informed immediately so he can adapt to it and hopefully doesn't lose too much time and money while the SaaS solution is down.

So when I read the tweet by AFAS Software CEO Bas van der Veldt that transparency is great when you have nothing to hide and that AFAS likes transparency, I made a bold move.
I tweeted back that I wanted to test that. Promptly I got a tweet back with an invitation to do just that.
But as a SaaS software tester I was really interested in how AFAS deals with traceability, which was also interesting for Mr van der Veldt, so he invited me to come over.
Within a few days arrangements were made and I was invited on Friday 15 February to see how Testing & Development was done at AFAS in a transparent way.

After a nice drive through the Dutch 'hills' (Utrechtse Heuvelrug) I arrived at AFAS.
On arrival at the reception it became clear to me that automation was a key process here.
The AFAS reception welcomed me and guided me to a registration unit where I could register myself. Pretty fancy stuff, with an automated camera to take mugshots (not so fancy :-) ) and an SMS service telling my host I had arrived.
Within minutes my host arrived: Martijn Wouter, team lead test.
After a brief introduction I was given an elaborate tour through the AFAS building, seeing the different departments (development, test and support) and the in-house server room. A nice thing to see was the AFAS Usability Lab, where they explore through cameras and special software how customers use the software in real time and register the results for future use.
Martijn introduced me to his team and explained the different roles the team members have.
As a professionally educated tester it struck me that most testers came from other divisions of AFAS, ready to use their knowledge and also eager to learn testing by getting certified and visiting workshops.
I see it as a form of exploratory testing: using your skills as a domain tester to test new software, doing test specification and execution at the same time. At AFAS the two are not done simultaneously, which is no problem, as the software is rated highly by its clients.
Another thing intrigued me: most SaaS companies work via the agile methodology in small interdisciplinary teams. Martijn explained to me that AFAS still uses the waterfall method, but because of the short lines between development and testing, things still move at a fast pace, also with the documentation department. The same holds for the client, because of the direct incident system (including automated dashboards).
Next to this, in-house developed test automation tools speed up tests and ensure test coverage.
Clients are very important to AFAS, and AFAS sees to it that they are satisfied through the already mentioned Usability Lab, the AFAS Theater product and knowledge presentations (SEPA!), an online transparent annual report and special online client and partner dossiers. Traceability meets automation!
Employees are also important for AFAS: during breaks they can play table soccer, spend time in the gym or eat lunch/dinner at the company restaurant.

It was a great Friday afternoon at AFAS. I hereby want to thank AFAS for the opportunity they gave me to have a look into the kitchen of a successful SaaS company.


Wednesday 16 January 2013

Protocol of the Month


In my previous blogpost I said I was going to explore OAuth 2.0 in more detail.

Bluntly said, OAuth 2.0 is an open standard framework for online data sharing without handing over a username/password, but by means of access tokens.
This simplifies data sharing for a user and is also more secure, because you do not have to enter your password on a third-party site.
UMA, my pet identity protocol to test for the last two years, is built upon OAuth 2.0, making it an OAuth 2.0 profile.

To understand UMA, you have to understand OAuth 2.0 first.
This can quickly get technical, demotivating non-technical users from understanding OAuth.
This is a pity.
That's why I will discuss OAuth 2.0 and its different authorization flows in a series of blogposts.
Told in a functional way, illustrated with everyday examples like social networks.
If you want more technical details I recommend the IETF OAuth 2.0 draft.

First, let's have a look at OAuth 2.0 and its roles.
There are four roles:

resource owner
An entity capable of granting access to a protected resource.
When the resource owner is a person, it is referred to as an end-user.

resource server
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

client
An application making protected resource requests on behalf of the resource owner and with its authorization.
The term client does not imply any particular implementation characteristics (e.g. whether the application executes on a server, a desktop, or other devices).

authorization server
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

This can be visualized in the following diagram:

[Diagram: OAuth 2.0 roles as defined in the specification.]


Obtaining access tokens is an important part of the OAuth 2.0 protocol.
How it is done differs per interaction the OAuth 2.0 roles can undertake.
To obtain an access token the client presents an authorization grant: a credential which represents the resource owner's authorization (to access its protected resources) and which the client exchanges for an access token.
For granting authorization in OAuth 2.0 there are four grant types: authorization code, implicit, resource owner password credentials, and client credentials, as well as an extensibility mechanism for defining additional types.
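As an added example, not code from the original post or from any OAuth library, here is a minimal Python simulation of the four roles walking through the authorization code grant: the client never sees the resource owner's password, the authorization server exchanges each code exactly once for an access token, and the resource server only serves data for a token bound to the right owner and scope. The client id, secret, redirect URI and the data are constructed placeholders.

```python
import secrets

# Constructed in-memory stand-ins for the four OAuth 2.0 roles named above, walking
# through the authorization code grant. Illustration only, not a real library.

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, redirect_uri)
        self.codes = {}         # authorization code -> (client_id, owner, scope)
        self.tokens = {}        # access token -> (owner, scope)

    def authorize(self, client_id, redirect_uri, scope, owner, consent):
        # The resource owner consents here; the client never handles the owner's password.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri or not consent:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, owner, scope)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # The grant (the code) is exchanged once for an access token; a replayed
        # or wrongly-bound code yields nothing.
        entry = self.codes.pop(code, None)
        if entry is None:
            return None
        c_id, owner, scope = entry
        if c_id != client_id or self.clients[c_id] != (client_secret, redirect_uri):
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (owner, scope)
        return tok

class ResourceServer:
    def __init__(self, auth_server, data):
        self.auth_server, self.data = auth_server, data

    def get(self, tok, owner, scope):
        # Serve a protected resource only to a token bound to this owner and scope.
        if self.auth_server.tokens.get(tok) != (owner, scope):
            return None
        return self.data[owner][scope]

def run_flow(consent=True, replay=False):
    # Client "photo-app" requests alice's photos; returns (resource, token from replayed code).
    auth = AuthorizationServer({"photo-app": ("s3cret", "https://app.example/cb")})
    res = ResourceServer(auth, {"alice": {"photos": ["beach.jpg"]}})
    code = auth.authorize("photo-app", "https://app.example/cb", "photos", "alice", consent)
    tok = auth.token("photo-app", "s3cret", code, "https://app.example/cb")
    again = auth.token("photo-app", "s3cret", code, "https://app.example/cb") if replay else None
    return res.get(tok, "alice", "photos"), again
```

Withholding consent, replaying a used code, or registering a different redirect URI all leave the client without a usable token, which is the point of the grant exchange.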

The next blog series will discuss the OAuth grant types.

Stay tuned for my online adventures to unravel OAuth 2.0 and interact with me through my blog, Twitter and Facebook.