
FUNCTIONAL AND SECURITY TESTING TECHNIQUES

CODE 101808
ACADEMIC YEAR 2022/2023
CREDITS
  • 6 cfu during the 1st year of 10852 COMPUTER SCIENCE (LM-18) - GENOVA
  • SCIENTIFIC DISCIPLINARY SECTOR INF/01
    LANGUAGE English
    TEACHING LOCATION
  • GENOVA
  • SEMESTER 2° Semester
    TEACHING MATERIALS AULAWEB

    OVERVIEW

    This course aims at providing the foundations behind functional and security testing. Testing is the key activity for ensuring software quality during software development. To be effective, both functional and security aspects must be considered. Security testing is very different from functional testing: its goal is not detecting software defects (i.e., unexpected behaviors) but revealing flaws in the security mechanisms of the application under test.


    AIMS AND CONTENT

    LEARNING OUTCOMES

    Learning the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web and Mobile applications, and getting acquainted with automated tools used to practice testing techniques.

    AIMS AND LEARNING OUTCOMES

    Students will learn the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web and Mobile applications and using automated testing tools.

    Students will see the many facets of the problem and will learn methodologies, approaches and techniques to check the quality of complex software systems.

    After the completion of the course, the participants would be able to:

    • Understand and apply the differences between functional and security testing
    • Understand the fundamental concepts of software testing (e.g., manual vs. automated testing)
    • Use established techniques, approaches and tools for designing and executing functional tests
    • Learn how attackers succeed in breaking applications
    • Understand the attack surface of web apps (e.g., SQL injection)
    • Understand the ‘Top Ten’ vulnerabilities proposed by OWASP
    • Identify a security risk and determine its severity
    • Gain hands-on experience with Web and Mobile application testing techniques (both functional and security), using, e.g., the Selenium framework, Burp Suite and other automated testing tools
    • Incorporate software testing as a continuous process

    PREREQUISITES

    • Object-oriented and procedural programming fundamentals (in particular, basic knowledge of the Java, JavaScript, PHP and SQL languages)
    • Basic knowledge of Web and Mobile applications

    TEACHING METHODS

    The teaching is a combination of presentation of theoretical concepts, exercises and discussions. It is dialogue-oriented and takes a practical approach.

    Mandatory assignments, which must be completed during the course, will be given to the students.

    SYLLABUS/CONTENT

    This course aims at providing the foundations behind functional and security testing. Current testing practices are quite effort-intensive since they rely heavily on manual activities. Test automation aims at reducing the cost of testing by automating several of the involved activities.

    The laboratory, which constitutes an integral part of the course, will give the students a hands-on opportunity to see the analysis and testing techniques (both functional and security) applied to real case studies.

    Functional Testing:

    • Course introduction: fundamentals of functional and security testing
    • Manual vs automated testing
      • Software testing essential techniques
      • Introduction to continuous testing (DevOps)
        • Introduction to Jenkins
      • Data driven testing
      • Automation Tools for Unit testing (e.g., xUnit and TestNG)
    • Web app and Mobile testing
      • E2E testing approach
      • Difference between Web and Mobile testing
      • Approaches for generating E2E test cases
      • Cross-browser testing
      • Test automation best practices
        • Page Object Model
      • Testing tools
        • Capture/Replay vs. Programmable
        • DOM-based vs. Visual
    • API testing
      • Introduction to POSTMAN
    • Laboratory
      • Test suite development for selected Web apps
      • Selenium IDE, Selenium WebDriver, Appium, POSTMAN, Katalon, Jenkins (or other similar tools)

    Security Testing:

    • Background on security vulnerabilities
      • ‘Top Ten’ vulnerabilities proposed by OWASP
    • Server side vulnerabilities
      • OS Command Injection
      • SQL injection
      • Remediation/sanitization
    • Client side security
      • Cross-Site scripting
      • Cross-Site scripting mitigations
      • Cross-Site Request Forgery
    • Risk rating
      • OWASP Risk Rating methodology
      • OWASP Risk calculator
    • Laboratory
      • Security testing using WebGoat (or similar deliberately insecure web application)
      • Burp suite (or other similar tools)

    RECOMMENDED READING/BIBLIOGRAPHY

    • Web Application Security: Exploitation and Countermeasures for Modern Web Applications
      by Andrew Hoffman
    • Web Security Academy - https://portswigger.net/web-security/learning-path
    • Test Automation using Selenium WebDriver with Java: Step by Step Guide by Mr Navneesh Garg

    TEACHERS AND EXAM BOARD

    Exam Board

    FILIPPO RICCA (President)

    MAURIZIO LEOTTA

    MAURA CERIOLI (Substitute)

    DARIO OLIANAS (Substitute)

    LESSONS

    Class schedule

    All class schedules are posted on the EasyAcademy portal.

    EXAMS

    EXAM DESCRIPTION

    The exam is an oral discussion of the mandatory assignments. A mandatory assignment is a task which must be completed and approved before a student may sit the final examination of the course. The assignment itself is graded as passed or failed and is the starting point of the oral exam.

    ASSESSMENT METHODS

    An oral examination will verify that the student has understood the issues concerning functional and security testing, and the foundational ideas of the proposed methods and techniques. The practical laboratory assignments and their discussion will assess the student’s ability to apply the presented techniques and methods in the best way.

    Exam schedule

    Date        Time   Location  Type                 Notes
    09/06/2023  09:00  GENOVA    Exam by appointment
    15/09/2023  09:00  GENOVA    Exam by appointment
    12/01/2024  09:00  GENOVA    Exam by appointment