Introducing…Ticket Magpie

Solving a problem of learning

I’d like to introduce you to a little project that David Hatanian and I have been working on. David is a member of the fantastic team at Codurance, and we first started working together on this project in February 2016.

Following my experiences at European Testing Conference in Bucharest, I realised the time had come for me to create and build my own vulnerable application. This was so that I would be able to run my own workshops on security testing, coach my colleagues and other testers, as well as demonstrate vulnerabilities such as the OWASP Top 10.

My initial forays into learning security testing relied upon learning from a number of publicly available web applications. These include AltoroMutual, Gruyere from Google, and Supercar Showdown by Troy Hunt.

I also worked closely with Bill Matthews, initially shadowing him, but then helping him to deliver workshops at international conferences. For these workshops, he built his own web application, Ace Encounters, which is a travel and wild adventure website.

Of course, using a real-world application to practice these skills is highly illegal. So, students of security testing need a safe place to practice and learn. We aren’t hackers after all, we are testers. We aren’t there to steal, undermine or attack. We are there to explore and learn.

Pairing with David has been incredibly rewarding for us both. I’ve supported him with his understanding of security vulnerabilities, and he has supported me with my learning of object orientated programming (in this case Java).

A couple of months ago I ran a session using Ticket Magpie for the testers at NewVoiceMedia. The session was well received, and everyone appeared to have fun. The team there are really great at generating interesting test ideas, developing their skills, and following through with practical application of their learning. Taking this out into the wider community of testers was to be the next step, at Test Masters Academy.


Get Ticket Magpie

Ticket Magpie is easy to get, from David’s Github project. Check it out here and follow the instructions on the page. Here is some additional installation guidance.

Local Installation

  1. Install the components locally on your machine. You’ll need Maven, Java Development Kit and the Ticket Magpie project.
  2. Configure the JAVA_HOME and PATH environment variables, appropriate to your operating system. (Supports MacOS, Windows and Linux)
  3. Run the application from the command line.
  4. You may choose to set up your own database, or run it in memory whilst the application is running.

Virtual Machine Installation

  1. Install Oracle VirtualBox or your favourite virtualisation tool on your machine
  2. Create a virtual machine using your OS of choice.
    • I like to use Linux Mint for this. It’s lightweight and easy to configure.
    • Remember to give your VM enough space, or make it dynamic. 8 GB should more than suffice.
  3. Follow the steps above and on the Github page for the project and you can’t go wrong.

Docker (this is by far the quickest and easiest way of getting things running)

  1. Install Docker on your machine
  2. Run the application from the Docker Hub image, using the provided command line:
    docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie"

Running TicketMagpie

Once TicketMagpie is installed on your chosen environment, run the appropriate command line, then navigate your browser to:

http://localhost:8080

If you are successful, your browser should display the application, and it should look like this:

Ticket Magpie – the place to get all the tickets
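The workshop section later on this page mentions attendees’ laptops failing to get the application up. The script below is an added example, not part of the Ticket Magpie project: it wraps the docker run line above (detached, so the script can carry on) and then polls http://localhost:8080 until the application answers, which is a quick way to check a workshop machine before anyone arrives. The image name, profile and port are the ones given above; the 90-second wait is an assumption.

```python
"""Start Ticket Magpie in Docker and wait until it answers on port 8080.

Added example, not part of the Ticket Magpie project: it wraps the
docker run line from this post and polls http://localhost:8080 so a
workshop laptop can be checked before attendees arrive.
"""
import subprocess
import time
import urllib.request

IMAGE = "dhatanian/ticketmagpie"  # Docker Hub image named in the post


def docker_command(port=8080, profile="hsqldb", image=IMAGE):
    """The post's docker run line as an argv list, detached (-d) so the
    script can go on to poll; the host port is a parameter in case 8080
    is already taken on the workshop machine."""
    return ["docker", "run", "-d", "-e", "SPRING_PROFILES_ACTIVE=" + profile,
            "-p", "{}:8080".format(port), image]


def wait_for_http(url, timeout=90.0, interval=2.0,
                  fetch=urllib.request.urlopen, clock=time.monotonic, sleep=time.sleep):
    """Poll url until it returns a 2xx/3xx or the deadline passes.
    fetch/clock/sleep are injectable so the wait logic can be tested offline.
    The front page must answer with 2xx/3xx; a 4xx/5xx counts as not up yet."""
    deadline = clock() + timeout
    while True:
        try:
            with fetch(url, timeout=5) as resp:
                if 200 <= resp.status < 400:
                    return True
        except OSError:  # refused/reset while booting; URLError and HTTPError are OSErrors
            pass
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    container = subprocess.check_output(docker_command(), text=True).strip()
    print("started container", container)
    url = "http://localhost:8080"
    if wait_for_http(url):
        print("Ticket Magpie is up at", url)
    else:
        print("Ticket Magpie did not come up; check: docker logs", container)
        raise SystemExit(1)
```

Run it with Docker installed and the image pulled; a non-zero exit means the container started but never answered within the timeout, and `docker logs` on the printed container id shows why.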

Bug Hunt

I invite you to have a go at exploring Ticket Magpie. There are some fun features for you to take a look at. I’m not going to spoil things for you by listing everything here. You might also find some interesting problems.

Because the application runs on your local machine, in Docker or in a VM, you can use any technique, tool and gnarly hack you want, without harming anything or anyone else.

Take your time and let me know what you think. If you feel the need, you are welcome to use this form to provide feedback about the application: Ticket Magpie Survey. Alternatively, just message me on Twitter, or comment on this blog.

Good Luck, and Thanks!


Journeys – in time and space

We’re all on a continuum. Life will take you in all sorts of strange directions, be it professionally or personally. These are some reflections on some of the goings on I have experienced recently.

Goodbyeee


Going over the top… Blackadder: Goodbyeee Copyright BBC (1989)

Up until the end of September, I had been working at NewVoiceMedia for nearly three years, initially as a contractor, and then latterly as a permanent member of the development team.

It was an incredible time. The opportunities that working at NVM afforded me were huge. Learning new skills, particularly in security testing, and working within strong, fast paced, agile (Agile) teams.

I thank everyone that I worked with at that time, especially Rob Lambert for giving me that chance, and enabling great testing and work in general.

I want to be a part of it…

New York. My first visit to this incredible city afforded me many great opportunities for learning, as much about being a citizen of the world (which Theresa May insists that I am not) as about anything else. Whilst the traffic, noise and hubbub are all consuming and sometimes overwhelming, especially in Manhattan, there is a sense of energy that I have felt that is unlike any other city.

I was there for Test Masters Academy, which was organised by Anna Royzman. Whilst I have presented workshops and talks on the subject of security testing before, this was my first time presenting in the United States. Also, this was the first time presenting using a tool that I had helped to build myself.

I came to a conclusion earlier in the year, following European Testing Conference in Bucharest. I needed to step up my game. The best workshops I had been to had been well planned, with great resources and learning opportunities. The course teacher had often created or supplied applications for the attendees to explore and test. I needed to do the same.

At ETC I met Franziska Sauerwien, of Codurance, who put me in touch with the Software Craftsmanship Slack group. There I paired up with Java developer David Hatanian, also of Codurance. Together, we created Ticket Magpie, a vulnerable web application written in Java. (More on Ticket Magpie in a future blog post)

Ticket Magpie – the place to get all the tickets

During the workshop, a few technical issues were to be had regarding deployment and hosting of the application on the attendees laptops. I wasn’t to be deterred, and adapted using a couple of publicly available web based vulnerable applications.

However, I quickly found that basing the content solely upon a list of well known application vulnerabilities was a mistake. It’s more important to understand the concepts of security testing than the vulnerabilities themselves; a list of vulnerabilities is of little use without a framework in which to understand them, and the skills to explore them. This realisation became clearer to me after discussing it with Maaret Pyhäjärvi, and having a post mortem discussion with Jess Ingrassellino at the conference.

Future workshops will be supported by Ticket Magpie being deployable via a stable Docker Hub image, rather than relying on VirtualBox images, or attendees setting up the system themselves. Also there will be more of a focus on the techniques and skills of security testing, rather than just vulnerabilities.

New Pastures

This is now the beginning of my second week at Medidata. This is a new way forward for me in a number of ways. It’s my first time working in the medical and life sciences sector. Medidata build cloud platforms for their clients to manage clinical trials on new drugs and treatments. There is a lot of new domain knowledge to learn, people to meet and company culture to become a part of. It’s exciting.

Next, and this is often the tricky part…adapting to a new role. I have come from a role where I focussed predominantly on the security testing needs of the business. The objectives were to support the team with my security knowledge, plan and execute penetration testing against our services, as well as provide coaching and mentoring to my peers on the topic.

My new role has a somewhat broader remit. It’s not focussed solely on security for a start, which means I’ll get to re-explore other aspects of the testing craft. This is exciting to me. I’ll be working at a more strategic level, supporting the testers, test managers, senior management and other team members across the entire business, globally. There’ll be opportunities for training, coaching and mentoring too! I can’t wait to get my teeth stuck in to it!

Another great aspect of this is my new commute. Now, I could complain about the cost of the British rail network. It’s one of the oldest in the world, but it does run, and usually gets me to London on time. My commute is usually between 90-120 mins each way, which affords me a great deal of time for reading, learning, and maybe catching up on some work. (Sure, I’ll probably sneak in an episode or two of my favourite TV show, or have a nap if I need one).

Time is a great resource. We shouldn’t waste it. If I’m going to spend up to four hours a day in a tin can, I’m not going to squander it.

MEWT5 – Reflections on moving from generalist to specialist testing

A change in focus

I was lucky enough to be invited to MEWT (Midlands Exploratory Workshop in Testing) last weekend (9/4/2016). The theme was professionalism, or professional testing. Unfortunately I was unable to give my presentation, due to a lack of votes and time. Fortunately however, many of the themes and issues I wanted to share did get exposed during the subsequent session discussions. Whilst I won’t reel through a list of the talks, the content and the discussion, I do want to present my thinking on my role, which has been changing from what could be termed a testing generalist towards more specialised testing.

At NewVoiceMedia we have recently formed a security team, of which I am the application security testing lead. This move has taken some time, as the corporate focus on security has matured and developed over the last few years. Whilst previously I was part of a feature team, creating products, testing features and functionality; I am now leading the charge on application security across this business.

Not only will I continue testing to a certain capacity, but also work alongside my colleagues to ensure that their features also have appropriate levels of discussion, learning and testing around the security of our products. I also need to work with the CTO, Security Officer and the other engineers on my team to raise the awareness of security matters, tailoring the content to each of the departments at NewVoiceMedia.

Professional or professional testing?

During the discussions at MEWT, we talked about what it meant to be professional testers, both with a small and big P. The focus shifted and flowed around roles and responsibilities, ethics, certification, communication, learning, models and skills. It was a challenging discussion with some deep thinking and debate throughout.

One aspect though stuck particularly with me. Abby Bangser led a discussion on what it meant for her to be a “Full Stack Tester”. This, and I am happy to stand corrected if my interpretation is inaccurate, is Abby’s view on what it means to be a tester that is able to see and operate across not only the technical stack, but also across the business. Essentially being able to approach, think and help solve any problem that a tester might encounter. Abby herself aims to be “the world’s best rubber ducky”. (A reference to the technique by which a programmer explains their code line by line to another person, maybe a tester or programmer, or even an inanimate object: Wikipedia: Rubber Duck Debugging, Book: The Pragmatic Programmer: From Journeyman to Master; Andrew Hunt, David Thomas)

During this discussion, amongst many others, we hit upon what skills testers need to do their job.  The exploration and development of skills beyond that of testing appear to be essential for us to maintain our ability to be professional testers in a rapidly changing business and technical landscape.

It is also clear that whilst technical skills are, and should be, important, they aren’t the whole story. Testers, of whatever flavour, cannot work in isolation of their business context. We need skills that go beyond our technical knowledge and delve deeply into our business domains.

Bill Matthews reflected on Iain McCowatt’s statement that he prefers testing as an activity, rather than testers as a role or profession, as he sees a problem with some of the dogma surfacing in the testing community.

Is there a problem with my T-Shape?


Which takes me to the issue I wanted to share with you here. You can find specialists in almost all walks of life, any profession, vocation, workplace and context. As I’ve previously mentioned, my main focus at work is both security testing and corporate security awareness.

Outside work I am a Scout Leader, but I specialise in running activities for the Cub Scout section – children who are ages eight to ten and a half. I occasionally help out in other areas of Scouting also. I’ve planned and led multi activity sessions, camps and Scouting ceremonies for many children and other adult leaders.

My great-grandfather, who was a Church of Ireland and Church of England minister was also a head teacher at a school in Bath. One could argue that being a clergyman is both vocation and profession. Some might argue that teaching could be thought of in the same way.


My maternal great-grandfather, Reverend John Willis Kearns. Headmaster of Monkton Combe School, Bath, 1900-1925

My maternal grandfather was also a clergyman, but also a community builder. One of his first parish assignments was in Lewisham, South East London, in 1943. This was of course during World War Two, and the Blitz, one of the darkest times in the history of the United Kingdom. Alongside my grandmother, he helped keep his community together during a terribly difficult time.


My maternal grand-parents getting married – Reverend James Hugh Jelly and Mrs Edith Mary Joyce Jelly in 1943

The T-shaped people in my family don’t stop there. My mother, Jocelyn, is not only a nurse, but is also an acute cancer care specialist. She is trained and practices specifically in caring for patients with urological cancers, as well as palliative care.


Jocelyn Jaun – specialist cancer care nurse, and my Mum!

So, what’s the problem here? Well, as I have deepened my skills in security testing and other matters around security, I have found that my career has shifted to focus on security almost entirely. That has presented some issues. Here is a summary of them:

The Positives:

  • Learn from great people
  • Deep skill development
  • Seen as an SME
  • Leader in the security space
  • Championing security across the business
  • Coaching other testers
  • More value to the community

The Negatives:

  • Bus factor of one – can create bottlenecks and issues around dependencies
  • Potential stagnation
  • Less time for learning as there are large demands on my time
  • Competing priorities – security isn’t at the top of everyone’s list
  • Concerned that I’m not developing other valuable skills
  • Worried that my t-shape is becoming unbalanced, or doesn’t always fit

All of these issues above are within my control to exploit, or challenge and manage. Let me focus on the specifics of this change in focus.

Firstly, It means that I’m no longer working with my previous feature team. I had developed a good working relationship with that team, and it was really difficult to transition from a close knit team who were co-located, to a more loosely formed team, who aren’t co-located, and where I’m almost autonomous. It means being more reliant on myself to get things done, rather than feeling able to support others or get support for myself when I need it. I know this isn’t strictly true, my colleagues are great and always willing to help a fellow team mate solve a problem. (Danny Dainton is a great example of this)

Secondly, becoming a bottleneck can be a problem. I’m still responsible for managing, planning and executing security testing across the whole business. People come to me if they need some security testing done, but what we are working towards is each feature team taking responsibility for the security testing they need to do. Ultimately I am only one person. I can’t do everything, and sometimes I need a holiday. So to help with this I consult with each team, share ideas and knowledge, organise training, and pair with developers and testers to solve problems.

I’m one of many test engineers and development engineers, but I’m the only one of my team who has developed a deep focus in this area of testing. Many of my other colleagues have other interests and responsibilities – management and coaching, UX and design, automation, scrum-mastery, release co-ordination and regression testing, building tools and other useful things…the list goes on. It means that my t-shape can fit in with other peoples t-shape. If I don’t have the skills needed to complete a task, someone else will, and I can learn from them.

Take a look at what some folks have said about T-Shaped people, and specifically T-shaped testers.

Jurgen Appelo – T-Shaped People

Rob Lambert: T-shaped testers and their role in a team

Adam Knight – guest writer on Robert Lambert’s blog – T-Shaped Tester, Square Shaped Team

Lisa Crispin – What skills should we learn & teach to build quality in?

Solving the problem

This last week has been Hackathon time at NewVoiceMedia. We get a good slice of time every few months to work on projects that are outside of our roadmaps, but that will add value to our teams, our processes and our business. It also helps with broadening and deepening your skills in all sorts of areas.

This week I’ve been involved in a coding workshop led by three of my development colleagues. Some of us were developing our C# skills, others were developing their Python or Ruby skills. I chose Python myself as it integrates well with one of the tools I use for security testing: Zed Attack Proxy from OWASP.

In the end I was able to run a ZAP scan, generate an XML report from ZAP, parse that report into JSON and then push it to a static HTML page. This is part of my aim to get security testing into our CI processes. I’ll write in more detail about this in a future post.
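The pipeline described above (ZAP scan, XML report, JSON, static HTML) is sketched below as an added example; it is not the author’s hackathon script. It assumes the ZAP 2.x XML report layout (OWASPZAPReport / site / alerts / alertitem, with riskcode 0 to 3 for Informational to High) and uses a constructed two-alert report rather than real scanner output. Two things the paragraph does not spell out are worth seeing in code: the report page must HTML-escape every field, because attack strings and evidence come from scanner payloads and target responses and would otherwise make the CI dashboard itself an XSS sink; and the JSON stage is a natural place to put a risk threshold that fails the build.

```python
"""Turn an OWASP ZAP XML report into JSON and a static HTML page.

Added example, not the author's hackathon script. Assumes the ZAP 2.x XML
report layout (OWASPZAPReport / site / alerts / alertitem, riskcode 0-3).
The report below is constructed, not real scanner output.
"""
import html
import json
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample: one High and one Low alert against a local Ticket Magpie.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.5.0" generated="Sat, 16 Apr 2016 10:00:00">
  <site name="http://localhost:8080" host="localhost" port="8080" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40012</pluginid>
        <alert>Cross Site Scripting (Reflected)</alert>
        <riskcode>3</riskcode>
        <instances>
          <instance>
            <uri>http://localhost:8080/concerts?q=rock</uri>
            <method>GET</method>
            <param>q</param>
            <attack>&lt;script&gt;alert(1)&lt;/script&gt;</attack>
          </instance>
        </instances>
        <cweid>79</cweid>
      </alertitem>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <instances>
          <instance>
            <uri>http://localhost:8080/</uri>
            <method>GET</method>
            <param>X-Content-Type-Options</param>
          </instance>
        </instances>
        <cweid>16</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def _text(node, tag):
    child = node.find(tag)
    return (child.text or "") if child is not None else ""


def parse_zap_report(xml_text):
    """Return JSON-serialisable alert dicts, highest risk first."""
    alerts = []
    for site in ET.fromstring(xml_text).findall("site"):
        for item in site.findall("alerts/alertitem"):
            risk = int(_text(item, "riskcode") or "0")
            alerts.append({
                "site": site.get("name", ""),
                "plugin_id": _text(item, "pluginid"),
                "name": _text(item, "alert"),
                "risk_code": risk,
                "risk": RISK_NAMES.get(risk, "Unknown"),
                "cwe_id": _text(item, "cweid"),
                "solution": _text(item, "solution"),
                "instances": [{k: _text(i, k) for k in ("uri", "method", "param", "attack", "evidence")}
                              for i in item.findall("instances/instance")],
            })
    alerts.sort(key=lambda a: (-a["risk_code"], a["name"]))
    return alerts


def to_json(alerts):
    return json.dumps(alerts, indent=2)


def summarise(alerts):
    """Alert count per risk level; every level is listed, even when zero."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def exceeds_threshold(alerts, fail_on="Medium"):
    """CI gate: True when any alert is at or above fail_on."""
    limit = {v: k for k, v in RISK_NAMES.items()}[fail_on]
    return any(a["risk_code"] >= limit for a in alerts)


def render_html(alerts):
    """Static HTML page. Every cell is escaped: attack and evidence strings
    come from scanner payloads and target responses, so an unescaped report
    page would itself be an XSS sink."""
    e = html.escape
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            e(a["risk"]), e(a["name"]), e(i["method"]), e(i["uri"]),
            e(i["attack"] or i["evidence"]))
        for a in alerts for i in a["instances"])
    totals = ", ".join("{}: {}".format(e(k), v) for k, v in summarise(alerts).items())
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"><title>ZAP results'
            "</title></head><body><h1>ZAP results</h1><p>{}</p><table>"
            "<tr><th>Risk</th><th>Alert</th><th>Method</th><th>URI</th>"
            "<th>Attack / evidence</th></tr>{}</table></body></html>").format(totals, rows)


if __name__ == "__main__":
    found = parse_zap_report(SAMPLE_REPORT)
    print(to_json(found))
    with open("zap-report.html", "w") as fh:
        fh.write(render_html(found))
    # Non-zero exit fails the CI job when a Medium or worse finding is present.
    raise SystemExit(1 if exceeds_threshold(found) else 0)
```

In a real pipeline the XML would come from ZAP itself (for example the `-last_scan_report` / API export rather than the embedded sample), and the threshold would be tuned per project; the escaping and the exit code are the parts to keep regardless.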

So whilst I might be doing less testing in future, I am still a tester. Whilst I am deepening existing skills, or adding new skills that can and will be useful, I will still have that broad range of skills that might identify me as a tester. It’s up to me to embrace the change that is happening and work with it, rather than focusing on the negative. That way I can remain relevant, valuable to my team, business and customers, and ultimately fulfil myself in my work.

I want to thank the MEWT 5 team and attendees for a great day of discussion and learning. Signing off!


MEWT5: Organisers: Bill Matthews, Simon Knight, Vernon Richards. Attendees: James Thomas, Mohinder Khosla, Adam Knight, Danny Dainton, Dan Billing, Iain McCowatt, Christopher Chant, Dan Caseley, Tony Bruce, Doug Buck, Abby Bangser