Thursday, December 11, 2014

Back in business: Software testing, information security and computer forensics

For the last two months I was very busy with a lot of things except blogging on this site:
I founded a new social network about the behaviour of birds and, together with SocialQuant, a company founded by my friend Dr. Morten Middelfart, we increased the online social Twitter traffic for TestingSaaS and BirdBehaviour. Lots of fun, and a lot tested and learned.

But, it started to itch again and after following an event organized by Testnet yesterday I was in the blogging mood again.
Well, the event was about information security and privacy.
Although the things said were not new to me I realized information security (infosec) and computer forensics depend on each other.
With infosec you want to defend information from wrongful behaviour by a third party.
This can be criminal behaviour, for which the evidence can be obtained by computer forensics specialists for use in a court of law.
Yesterday, the first speaker, from EMCS IT Services, was saying government organizations were exploring the internet for criminal cyber behaviour, but he did not say the evidence found for this has to be secured for forensic investigation. Finding the evidence is one thing; securing it and reporting it is something else.
To learn more about this, just have a look at Eforensics Magazine.
It's the same with software testing: bugs in the code and flaws in the documentation can be found, but this work is not effective without a sound description and report.
That's why I like software testing, information security and computer forensics.
It's all about interdisciplinary (functional, technical and legal) analysis and the way to visualize it in a report.
You can say that you found a bug, breach or forensic proof, but without a good report (with argumentation to back it) do not expect a pat on the back.

Tuesday, July 29, 2014

Using forensics for mobile testing

In May 2014 I started a new job as the QA engineer at Onegini.
It is a software company which develops access management solutions for online services for insurance companies, webshops and financial businesses.

Whoever is familiar with my social network TestingSaaS will not be surprised hearing this, because of my fascination with online authentication.

One of the many challenges I now have is to develop a testing approach for their mobile solution. That involves developing a test strategy, knowledge training, test automation and tool/device training. The hardest part here is the knowledge and tool training.

Mind you, the company uses the agile methodology and that means every two weeks a delivery of workable software. No time for on-the-job reading. Fortunately, another hobby of mine (yeah, I see software testing as a paid hobby :) ), computer forensics (not paid yet :) ), provides me the knowledge necessary to be able to test the mobile application.
Both for software testing and computer forensics (read: mobile forensics) you need analytical skills to know what you have to analyse. For software testing this is identifying, analysing and documenting bugs, and for computer forensics it is identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information. Both disciplines require a sound understanding of the object under analysis.

For a couple of years now I have been writing for the online magazine Eforensics Magazine, where I use my testing skills to study forensics software. A great way to learn forensics and practise my software testing skills.

Eforensics Magazine also has special issues on Mobile Forensics, with a load of reading material on forensics and mobile operating systems. I am not a die-hard programmer, but a forensics enthusiast.
So Eforensics Magazine is my prime supplier of enough material to enhance my knowledge of mobile operating systems to test the Onegini solutions optimally.

Android, Blackberry, Apple, Windows Phone, it's a jungle out there, but I am ready to explore!

Thursday, February 13, 2014

Made in Japan: Homomorphic encryption biometrics style!

The last few weeks I have been blogging, writing articles and social networking about homomorphic encryption.
This all started when reading the news that Fujitsu Labs Ltd. wants to implement a DNA reading and processing technology using homomorphic encryption, where encrypted genetic data can be read without decrypting it.
Great news for a software tester with a bioinformatics background and privacy at heart!

Fujitsu Labs claims it can ensure privacy by encrypting the query, the data and the search results, so a possible third party (read: pharmaceutical company etc.) can't see to which person the DNA data belongs.
But homomorphic encryption is a slow process; how does Fujitsu cope with this?
They have two solutions:
The first is that the searches are in batch mode (16K per second) and the second is that the search already starts when encrypting the data.
Cool stuff, but still questions pop up in my mind: is the encryption undecryptable for hackers, is the performance really 16K strings per second (performance tes(t!)), are the search results correct and can the data be tampered with, for instance with Man in the Middle attacks?
Questions I would like to see answered; I will wait until more news emerges.
Implementation is set for 2015. Let's see what happens and how the competition will deal with this.

Feedback is very welcome by responding to this blog, through Tweeting to @TestingSaaS or through the TestingSaaS Facebook-page.

Tuesday, February 4, 2014

2014, year of encryption?

According to Unisys, 2014 will be the year of encryption.
Quite logical, regarding the protection of personal data needed after all those hacks of the past years. Encrypting this data is not a bad option, but it has its drawbacks.
How can I search in encrypted data?
Is decrypting the data not necessary then? But this costs computer power and time, diminishing the search efficiency. Is there a solution?
A possibility is homomorphic encryption, a problem being tackled at different universities and companies such as MIT, IBM, Fujitsu and Microsoft. What is it then? In cryptography, encryption is the process of encoding messages (or information) in such a way that only authorized parties can read it. With homomorphic encryption, encrypted data can be processed without decrypting it first. This makes it ideal for cloud applications, enabling vendors to process encrypted personal data without decryption, ensuring the privacy of the data owner. This would be great in the financial and medical sector. One disadvantage: homomorphic encryption is a slow process. Fully homomorphic encryption is still practically impossible, but partially homomorphic schemes offer possibilities.
Which ones are part of the next blog posts. This tester's adventure in encryption continues!
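To make the "processing without decrypting" idea concrete, here is an added example (not code from the original post, and not Fujitsu's or anyone else's production scheme) of the textbook Paillier cryptosystem, which is partially homomorphic: multiplying two ciphertexts yields an encryption of the sum of the plaintexts, and raising a ciphertext to a power yields an encryption of a scalar multiple. A cloud service holding only the public key can therefore add up encrypted values (constructed sample "salaries" below) and return an encrypted total that only the key owner can read. The primes used for the key are tiny, chosen only so the example runs instantly; a real deployment needs primes of 1024 bits or more.

```python
import secrets
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p, q):
    """Textbook Paillier key generation from two distinct primes p and q.
    Uses the common simplification g = n + 1, for which
    L(g^lambda mod n^2) = lambda mod n, so mu = lambda^-1 mod n."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    g = n + 1
    mu = pow(lam, -1, n)          # requires gcd(lam, n) == 1, true for proper primes
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with a fresh random r in Z_n^*.
    The random r makes every encryption of the same m look different."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    l_value = (pow(c, lam, n2) - 1) // n
    return (l_value * mu) % n


def add_encrypted(pub, c1, c2):
    """Homomorphic addition: E(m1) * E(m2) mod n^2 == E(m1 + m2).
    Needs only the public key, so a cloud service can do it."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Homomorphic scalar multiplication: E(m)^k mod n^2 == E(k * m)."""
    n, _ = pub
    return pow(c, k, n * n)


def sum_encrypted(pub, ciphertexts):
    """Fold a list of ciphertexts into one ciphertext of their plaintext sum.
    E(0) is the neutral element, so start from a fresh encryption of zero."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total


def cloud_payroll_demo():
    """Key owner encrypts constructed sample salaries; the 'cloud' (public key only)
    sums them; the key owner decrypts the total. Returns (total, all_distinct)."""
    pub, priv = keygen(104729, 104723)            # small demo primes, NOT secure
    salaries = [3100, 2750, 4120]                  # constructed sample data
    ciphertexts = [encrypt(pub, s) for s in salaries]
    encrypted_total = sum_encrypted(pub, ciphertexts)   # done without the private key
    total = decrypt(pub, priv, encrypted_total)
    # Randomised encryption: equal plaintexts still give different ciphertexts.
    all_distinct = encrypt(pub, 3100) != encrypt(pub, 3100)
    return total, all_distinct


if __name__ == "__main__":
    print(cloud_payroll_demo())   # (9970, True)
```

Two practical points follow directly from the code. First, only addition and scaling by a known constant are available; multiplying two ciphertexts together gives the sum, not the product, which is exactly the "partially homomorphic" limitation the post mentions. Second, because anyone with the public key can transform a ciphertext into a valid encryption of a different value, the scheme offers no integrity by itself; the tampering question raised in the Fujitsu post has to be answered by an additional authentication mechanism (a MAC or signature over the ciphertexts), not by the encryption.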

This blogpost is also posted in the Dutch online magazine for IT-professionals Computable:

Versleutelde data-verwerking in de cloud

Tuesday, January 7, 2014

New year, new softwaretesting adventures

It’s 2014, a new year!
What is it going to be?
Well, its predecessor, 2013, was awesome.
A new job at Eyefreight, a new journal to write for (eForensics Magazine) and expanding the TestingSaaS network through a conference in Denmark (Thank you Targit and Dr. Morton ). Not to mention the personal things that happened, which deeply broadened my life.
Strangely enough, this was all NOT planned, I just went with the flow.
And that’s exactly what I am going to continue in the coming year.

Believing the expectations of different visionaries, it will be the year of the Internet of Things, mobile, big data, privacy and consumerization.
Regarding my blogs, tweets and articles this could be a continuation of 2013, but 2013 also gave me inspiration for testing computer forensics applications, which could be very well combined with big data and privacy. This will certainly continue in 2014.
Next to this, I should also make some time for helping the UMA-WG with their interoperability tests, maybe even with some implementors?
By the way, these possible future efforts will be done in my free time.
My daily job will still be software testing at Eyefreight, where every day is a new fun(!) day with lots of challenges ranging from testing new applications, reviewing new documentation (it is promised) or devising new test strategies for regression (test automation), load and security testing. And maybe some international adventures, you never know.

Who dares wins!