06-09 Contents: Free Security resources, Test Automation, Model-Based testing, Excel Tests, Chart techniques
ISSN 1649-2374 This issue online at http://www.sysmod.com/praxis/prax0609.htm
Systems Modelling Ltd.: Managing reality in Information Systems - strategies for success
IN THIS ISSUE
1) Risk & Security
Controlled databases leak via spreadsheets
Free Security Engineering Textbook
BS 7799.2:2002 Audit Check List for SANS
Securing Microsoft Windows XP Home Edition
2) Software Quality Assurance
Mark Fewster on Test Automation
Harry Robinson on Model-Based Testing
Online MS Office tests - different styles
Excel Charts - old and new techniques
Bonus materials for owners of 'Spreadsheet Check and Control'
4) Off Topic
If Tech Companies Made Sudoku
O'Beirne's Cube and Its Origins
18 Web links in this newsletter
About this newsletter and Archives
Subscribe and Unsubscribe information
Al Mac forwarded me this story which he found on the Berkeley daily security news update at http://socrates.berkeley.edu:7077/it-security/
Spreadsheets Seen As Security Hole "September 01, 2006 (Computerworld) -- In the wake of multiple high-profile laptop thefts and data breaches, some IT shops are launching new initiatives to ensure that sensitive corporate data stored in spreadsheets and business intelligence tools remains secure.
Several recent incidents — including the inadvertent exposure of sensitive data for about 5,000 customers by Verizon Wireless that was disclosed last week, and the theft of a laptop from the U.S. Department of Veterans Affairs that contained personal information from some 26 million veterans — involved unsecured spreadsheets.
Bill Hostmann, an analyst at Gartner Inc., said that while many organizations go to great lengths to secure transactional systems and Web applications, many more 'do almost nothing, or a very limited amount,' to protect data housed in BI applications and spreadsheets."
Ross Anderson of Cambridge University has persuaded his publisher to let him put his book "Security Engineering" online for free download. It comprises 26 PDF files totalling 43MB.
He says "My book draws on a lot of the experience shared in this list, and has become a standard textbook in the field. The publishers thought for years that it was too risky to let authors put books online but they are gradually learning that this isn't so. Putting a book online often increases its sales; more people read it and those who find it useful often go buy a copy." The topics are:
"What is Security Engineering?, Protocols, Passwords, Access Control, Cryptography, Distributed Systems, Multilevel Security, Multilateral Security, Banking and Bookkeeping, Monitoring Systems, Nuclear Command and Control, Security Printing and Seals, Biometrics, Physical Tamper Resistance, Emission Security, Electronic and Information Warfare, Telecom System Security, Network Attack and Defense, Protecting E-Commerce Systems, Copyright and Privacy Protection, E-Policy, Management Issues, System Evaluation and Assurance, Conclusions, Bibliography."
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf 47 pages, 562K PDF
Author: Val Thiagarajan B.E., M.Comp, CCSE, MCSE, SPS (FW), IT Security Consultant.
Covers: Security Policy, Organisational Security, Asset classification and control, Personnel security, Physical and Environmental Security, Communications and Operations Management, Access Control, System development and maintenance, Business Continuity Management, Compliance.
The US National Institute of Standards and Technology (NIST) has published a draft Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist. "Home computers face many threats from people wanting to cause mischief and disruption, commit fraud, and perform identity theft. The publication explains the need to use a combination of security protections, such as antivirus software, antispyware software, a personal firewall, limited user accounts, and automatic software updates, to secure a computer against threats and maintain its security."
"CISSP All-in-One Certification Exam Guide, 3rd Ed.", Shon Harris, 2005, 1001 pages with CD-ROM.
http://www.SoftTest.ie Attendees gave very high ratings to these two talks to SoftTest Ireland on 5th Sept.
Mark Fewster, Grove Consultants, UK
Test automation has evolved in these stages:
1. Capture / replay
This is close to the metal. The keystrokes and mouse actions are recorded and played back exactly. Therefore it is tightly bound to the GUI of the application and the data is contained in the test script. Maintenance is a weakness because the structure is fragile and every script needs to be individually maintained with application changes, even superficial changes to the interface.
2. Structured scripting
Data is separate from the script, although still within the script tool environment. The tool uses components for commands to the software, in order to separate data from actions.
3. Data driven
This is the current de facto standard in practice. The data is kept in a database of test cases and is independent of the scripting tool.
4. Keyword driven
This is similar to data driven, but the scripts themselves are written in a higher-level test definition language which is interpreted for the specific automated test tool. The keywords (by which he means what I would call commands or macros) in this language encapsulate behaviour which can be cleanly updated in one place, so that the same high-level script can be used for different applications or components, and the intermediate layer translates what, e.g., 'AppClose NoSave' means in this specific case. This is similar to what a pre-processor or interpreter does in conventional programming development.
Mark described an Integrated Test Environment framework which provides control, commands, parsing, reporting and testing. He considers that a measure of the success of test automation is the ratio of test cases to test scripts. At early stages of evolution, this is 1:1. Keyword-driven test automation allows for much higher ratios.
There are organisational implications for introducing this technique, and Mark suggests dividing team responsibilities to get a correct balance between creating and maintaining automation and actually doing the testing.
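As an added illustration, not Fewster's code or any real test tool, the following Python sketch shows the intermediate layer described above: one keyword script, two constructed per-application translation tables that expand each keyword into that application's low-level commands, and a data table that lifts the test-cases-to-scripts ratio above 1:1. All application names, keywords and commands are made up for the example.

```python
# Constructed keyword-driven layer: the same high-level script is run against
# two different applications; a per-application translation table (the
# intermediate layer) expands each keyword into that application's low-level
# tool commands, and a data table turns one script into several test cases.

SCRIPT = ["AppOpen", "TypeText {text}", "AppClose NoSave"]

TRANSLATIONS = {
    "EditorA": {
        "AppOpen":  lambda args: ["run editorA.exe"],
        "TypeText": lambda args: ["keys " + " ".join(args)],
        "AppClose": lambda args: (["menu File>Exit"]
                                  + (["button Don't Save"] if "NoSave" in args
                                     else ["button Save"])),
    },
    "EditorB": {   # same keywords, different low-level steps behind them
        "AppOpen":  lambda args: ["run editorB"],
        "TypeText": lambda args: ["keys " + " ".join(args)],
        "AppClose": lambda args: (["keys Ctrl+Q", "button Discard"] if "NoSave" in args
                                  else ["keys Ctrl+S", "keys Ctrl+Q"]),
    },
}

def expand(script, app, row):
    """Fill one data row into the script and translate it, keyword by keyword,
    into the low-level command list for the named application."""
    table = TRANSLATIONS[app]
    commands = []
    for line in script:
        keyword, *args = line.format(**row).split()
        if keyword not in table:
            raise KeyError(f"no translation of keyword {keyword!r} for {app}")
        commands.extend(table[keyword](args))
    return commands

def run_table(script, app, rows):
    """One script driven by N data rows yields N test cases, so Fewster's
    test-cases-per-script ratio is N:1 rather than the 1:1 of capture/replay."""
    return [expand(script, app, row) for row in rows]

DATA = [{"text": "hello"}, {"text": "a b c"}, {"text": ""}]   # constructed data table
```

Changing what 'AppClose NoSave' means for one application is a one-line edit in its translation table; none of the scripts or data rows change.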
Mark Fewster offers an aptitude quiz for software testers with answers at:
Harry Robinson, Engineer in Test in Google, Washington.
Software has become too complicated and entwined. Hot-shot testers were useful in the days when bugs were easy to find by intuitive testing by people with inquiring minds. Now that processes are better and bugs are harder to find, employing more testers is an expensive way to find defects. Testers can't simply stumble over bugs by wandering around; they have to dig deeper into the functionality of the software, which takes a long time, and people are much more expensive than machines. The economics favour a few skilled testers managing arrays of inexpensive test computers.
What is Model-Based Testing?
'Model-based' is testing against the expected behaviour of the software expressed as a model using state transition diagrams (directed graphs), grammars, sets, or formal languages like Spec#.
Implications for managers
The management of testing teams will also have to go beyond simplistic metrics like bug count (rather than defect removal efficiency) and the number of test cases (which for automated systems can be millions). They will need to move to integrated or continuous testing along the entire life cycle. After all, it's better to prevent bugs than re-work till they're gone.
Implications for developers and testers
Future skill needs are more sophisticated than simple execution testing: testers will require script programming skills. Harry suggested studying Python, which is taking over from Perl. Developers should be trained to think along testability lines. An astonishing fact is that the average book ownership in the testing industry is less than one per tester. What would you think of a lawyer whose shelves had only one book? Harry recommended 'Testing Object Oriented Systems' by Robert Binder.
The shortest test that could possibly show a bug
With automated random testing using tools like 'monkeys' (random typing and clicking to probe for possible crashes), some failures may be found after thousands of steps. Using graph theory, an algorithm can be applied to repeat the failing test (assuming it is reproducible), snipping redundant loops out of the path until the shortest path to the bug is found.
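The loop-snipping idea, as an added Python example that is not from Robinson's talk or website: a constructed state-transition model of a small editor with an injected failing state, a random monkey that finds it, and a pass that cuts the detour after every revisited state out of the trace and replays the result to confirm it still reaches the failure. Snipping yields a loop-free path; in this model that is also the shortest one.

```python
import random

# Constructed model of a tiny document editor: (state, action) -> next state.
# "Crash" is the injected bug: printing a document with unsaved changes.
MODEL = {
    ("Closed", "open"): "Open",
    ("Open", "type"): "Dirty",
    ("Open", "print"): "Open",
    ("Open", "close"): "Closed",
    ("Dirty", "type"): "Dirty",
    ("Dirty", "save"): "Open",
    ("Dirty", "close"): "Closed",
    ("Dirty", "print"): "Crash",
}
START, FAIL = "Closed", "Crash"

def actions_from(state):
    return [a for (s, a) in MODEL if s == state]

def monkey(seed, max_steps=10_000):
    """Random walk over the model (a 'monkey') until the failing state is hit.
    Returns the action trace, or None if no failure was found in max_steps."""
    rng, state, trace = random.Random(seed), START, []
    for _ in range(max_steps):
        action = rng.choice(actions_from(state))
        trace.append(action)
        state = MODEL[(state, action)]
        if state == FAIL:
            return trace
    return None

def replay(actions):
    """Re-run an action sequence against the model and return the end state."""
    state = START
    for a in actions:
        state = MODEL[(state, a)]
    return state

def snip_loops(actions):
    """Cut every cycle out of the state path: when a state is visited again,
    everything since its first visit was a detour, so discard it. The result
    is a loop-free path that ends in the same state as the original trace."""
    path, kept, first_seen, state = [START], [], {START: 0}, START
    for a in actions:
        state = MODEL[(state, a)]
        if state in first_seen:            # back at a known state: drop the loop
            i = first_seen[state]
            for s in path[i + 1:]:
                del first_seen[s]
            path, kept = path[:i + 1], kept[:i]
        else:
            kept.append(a)
            path.append(state)
            first_seen[state] = len(path) - 1
    return kept
```

The replay step matters because snipping only relies on the model; if the real failure depends on state the model does not capture, the shortened sequence will not reproduce it and the model needs refining.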
Harry gave some amusing examples from testing Google Maps that reminded me of the Microsoft MapPoint detour bugs.
Harry Robinson's website is http://model-based-testing.org
http://www.sysmod.com/az.php?a=0201331403&b=Software+Test+Automation Software Test Automation by Mark Fewster and Dorothy Graham
http://www.sysmod.com/az.php?a=0201809389&b=Testing+Object+Oriented+Systems Testing Object-Oriented Systems: Models, Patterns, and Tools by Robert V. Binder, 1999, 1248 pages.
The IRM Data Management and Information Quality Conference will be held from 30th October to 2nd November 2006 in the Victoria Park Plaza Hotel in London. I am presenting on 1st November on 'Minimizing risks in IQ spreadsheets'. You can get in for £100 less than the advertised price by just citing me as the reference.
http://www.sysmod.com/az.php?a=0471253839&b=Data+Information+Quality Improving Data Warehouse and Business Information Quality: Methods for Reducing Costs and Increasing Profits, by Larry P. English
John Stokdyk's ExcelZone on the UK AccountingWeb site quotes from the Wise Owl site:
"Online tests by training organisation Wise Owl have revealed a worrying level of user ignorance about Microsoft Office applications such as Excel, Word and PowerPoint. More than 5,000 people have completed Microsoft IQ tests, with the most frequent result being six correct answers out of 15 multiple choice questions."
I checked it for Excel and found that their multiple-choice questions certainly picked on areas I never had to pay much attention to - page breaks in Print Preview, and chart legends, for example. The more subtle questions offer choices between menu items that do and do not exist. So unless you had Excel in front of you at the same time, you would need to know off by heart every submenu of every command to be able to get 100%. Advanced Excel users have pointed out that the tests also refer to the Chart Wizard tool which they of course never use.
This rote-learning approach is like the fragile testing tools that work by scripting mouse-clicks. MS are completely changing the interface for Excel 2007, so all these menus and options will have new positions. The ECDL tests on the other hand, test the ability to solve problems. Here are links to the Basic and Advanced modules:
http://www.ecdl.com/main/syllabus.php Under Related Materials, click on 'Sample Part Tests ECDL/ICDL Version 4.0'. Click on 'Sample Part Tests Version 4.0'. In the file 'sample part tests v4.pdf' the spreadsheet tests are on pages 32-34.
http://www.ecdl.com/main/adv_modules.php Click on 'Sample Papers ECDL/ICDL Advanced' Click on 'Test AM4 Sample Paper'. The file AM4S.doc contains a sample test for ECDL Module AM4, Spreadsheets – Advanced Level, with 20 questions.
The Juice Analytics weblog has a few posts on in-cell bar charts which are an updated version of the old VisiCalc method of displaying a row of asterisks in a column to make a "poor man's" bar chart. They also discuss a new charting technique of using a special font to place mini-charts inline with text, to convey information at the point where the data is. A tool to create these is available free for non-commercial use from Bissantz in Germany:
http://www.bissantz.de/columns/trashboard/ 'Dashboard or Trashboard: Can we drive companies like we do cars?' by Dr. Nicolas Bissantz
Some examples of badly designed charts with suggested improvements are listed at Stephen Few's website:
Most of the horrible examples look depressingly familiar. When the chart junk is taken out and more appropriate forms chosen, the meaning is much clearer. While you're there, check out his extensive library of articles on chart design and visual data analysis at:
Show Me the Numbers: Designing Tables and Graphs to Enlighten by Stephen Few
As the first anniversary of my book is this month, I am making available some expanded material in response to requests for more detail:
1) A 303K 11 page PDF: Understanding the recalculation mode, Lookup and Transition Formula Evaluation, Pie charts with negative data, Using Excel Scenarios for test cases, Comparing worksheets.
2) An expanded chapter on Data Validation, 16 pages, 468K PDF.
3) Bonus material outside the scope of the ECDL syllabus, mainly VBA examples, 16 pages, 320K PDF.
To download, please have the book to hand in order to enter a password from a page and then visit:
http://sysmod.buy.ie/catalog/product_info.php?products_id=188 Our offer - free shipping to EU in August 2006.
http://www.sysmod.com/az.php?a=190540400X&b=Spreadsheet+Check+Control Available worldwide from Amazon.
http://www.sysmod.com/scanxls.htm SCANXLS is my Excel utility to scan directories and create an inventory of spreadsheets. It also builds a cross-reference of their dependencies, and helps assess their quality. Many programs will show the links IN (ie TO) a spreadsheet; SCANXLS is one of the very few tools in the marketplace that inspect entire directories and construct a list of XLS files that are found to have links FROM other files.
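An added Python example, not SCANXLS itself, of the inverted cross-reference the paragraph describes: it reads the external-link relationship parts of the newer .xlsx package format (constructed stub files here, not real workbooks) and lists, for each workbook in a directory, the other files that link to it. The file names and link targets are made up for the example.

```python
import os, tempfile, zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# In the .xlsx package format, links to other workbooks are recorded in
# xl/externalLinks/_rels/externalLinkN.xml.rels as External relationships.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def write_stub_workbook(path, targets):
    """Write a constructed, minimal zip holding only the relationship parts
    that carry external links (enough to exercise the scanner, not a real file)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        for n, target in enumerate(targets, 1):
            rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                    f'Type="externalLinkPath" Target="{target}" TargetMode="External"/>'
                    "</Relationships>")
            z.writestr(f"xl/externalLinks/_rels/externalLink{n}.xml.rels", rels)

def links_out(path):
    """Files this workbook links TO: the view most tools give of one file."""
    found = []
    with zipfile.ZipFile(path) as z:
        for name in z.namelist():
            if name.startswith("xl/externalLinks/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        found.append(os.path.basename(rel.get("Target")))
    return found

def linked_from(directory):
    """Scan a whole directory and invert the link graph: for each workbook,
    which other files in the directory link to it (links FROM other files)."""
    inverse = defaultdict(list)
    for fn in sorted(os.listdir(directory)):
        if fn.lower().endswith(".xlsx"):
            for target in links_out(os.path.join(directory, fn)):
                inverse[target].append(fn)
    return dict(inverse)

def demo():
    """Build three constructed workbooks in a temp directory and cross-reference them."""
    with tempfile.TemporaryDirectory() as d:
        write_stub_workbook(os.path.join(d, "budget.xlsx"), ["rates.xlsx"])
        write_stub_workbook(os.path.join(d, "forecast.xlsx"), ["rates.xlsx", "budget.xlsx"])
        write_stub_workbook(os.path.join(d, "rates.xlsx"), [])
        return linked_from(d)
```

A workbook with a long list of dependants is the one whose change, move or deletion silently breaks the most other spreadsheets, which is why the inverse view is the one to review before touching it.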
Simply send your comments to FEEDBACK (at) SYSMOD (dot) COM
Thank you! Patrick O'Beirne, Editor
Kathy Sierra writes: "Sudoku is perfect. But I can't help imagine what would happen if someone like, say, Microsoft had designed it. Or rather, if some developers (leaf-nodes) at Microsoft designed it--perfectly--and then upper management stepped in..."
Brian E. Butler writes "The cube that O'Beirne describes is a classic box-packing problem. There are six pieces, quite irregularly shaped, which can be packed into a cube or five other rectangular solids." Regretfully, Thomas Hay O'Beirne is no relation to myself, as far as I know!
Copyright 2006 Systems Modelling Limited. Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.
We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to EuroIS-subscribe (at) yahoogroups (dot) com - it's free!
For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.
Patrick O'Beirne, Editor
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS/