CODE 101808
ACADEMIC YEAR 2022/2023
CREDITS 6 CFU, year 1, COMPUTER SCIENCE 10852 (LM-18) - GENOVA
SCIENTIFIC DISCIPLINARY SECTOR INF/01
LANGUAGE English
TEACHING LOCATION GENOVA
SEMESTER 2nd Semester
TEACHING MATERIALS AULAWEB

OVERVIEW
This course provides the foundations of functional and security testing. Testing is the key activity for ensuring software quality during development, and to be effective it must cover both functional and security aspects. Security testing differs substantially from functional testing: its goal is not to detect software defects (i.e., unexpected behaviors) but to reveal flaws in the security mechanisms of the application under test.

AIMS AND CONTENT

LEARNING OUTCOMES
Learning the fundamentals of functional and security testing of software systems, with special emphasis on the challenges posed by Web and Mobile applications, and getting acquainted with the automated tools used to practice testing techniques.

AIMS AND LEARNING OUTCOMES
Students will learn the fundamentals of functional and security testing of software systems, with special emphasis on the challenges posed by Web and Mobile applications, using automated testing tools. Students will see the many facets of the problem and will learn methodologies, approaches and techniques to check the quality of complex software systems.

After completing the course, participants will be able to:
- understand and apply the differences between functional and security testing
- understand fundamental concepts of software testing (e.g., manual vs automated testing)
- use established techniques, approaches and tools for designing and executing functional tests
- explain how attackers succeed in breaking applications
- understand the attack surface of web apps (e.g., SQL injection)
- understand the OWASP 'Top Ten' vulnerabilities
- identify a security risk and determine its severity
- get hands-on experience with Web and Mobile application testing techniques (both functional and security), using, e.g., the Selenium framework, Burp Suite and other automated testing tools
- incorporate software testing as a continuous process

PREREQUISITES
- fundamentals of object-oriented and procedural programming (in particular, basic knowledge of Java, JavaScript, PHP and SQL)
- basic knowledge of Web and Mobile applications

TEACHING METHODS
Teaching combines the presentation of theoretical concepts with exercises and discussion. It is dialogue-oriented and practical. Mandatory assignments, to be completed during the course, will be given to the students.

SYLLABUS/CONTENT
This course provides the foundations of functional and security testing. Current testing practice is effort intensive because it relies heavily on manual activities; test automation aims at reducing the cost of testing by automating several of the activities involved. The laboratory, an integral part of the course, gives students a hands-on opportunity to see analysis and testing techniques (both functional and security) applied to real case studies.
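The distinction the overview draws between functional and security testing, made concrete on one login routine. This is an added example, not material from the course or its teaching staff: the SQLite schema, the single account, the two `login_*` functions and the injection payloads are all constructed here for illustration. The functional tests pass against both versions of the routine, because the code does what the specification says for well-formed input; only the security tests tell the string-concatenated version from the parameterized remediation.

```python
"""Functional vs. security tests on the same login routine (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory fixture: one legitimate account.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately vulnerable: user input is concatenated into the SQL text,
    # so quotes and comment markers in the input become SQL syntax.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Remediation: a parameterized query. The driver binds the values, so
    # they can never change the structure of the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def functional_tests(login) -> dict:
    # Specification-driven checks: correct credentials in, wrong ones out.
    conn = make_db()
    return {
        "valid_credentials_accepted": login(conn, "alice", "s3cret") is True,
        "wrong_password_rejected": login(conn, "alice", "wrong") is False,
        "unknown_user_rejected": login(conn, "bob", "s3cret") is False,
    }


def security_tests(login) -> dict:
    # Attacker-driven checks: does malformed input defeat the authentication
    # mechanism? Each entry is True when the mechanism holds.
    conn = make_db()
    # Tautology payload: closes the password literal and ORs in a true clause,
    # so WHERE matches every row regardless of the real password.
    tautology = login(conn, "alice", "' OR '1'='1")
    # Comment payload: terminates the username literal and comments out the
    # rest of the statement, removing the password check entirely.
    comment = login(conn, "alice'--", "anything")
    return {
        "tautology_rejected": tautology is False,
        "comment_truncation_rejected": comment is False,
    }


def leaks_syntax_error(login) -> bool:
    # Probe used in manual testing: a lone quote breaks concatenated SQL
    # (a visible error) but is an ordinary character when bound as a parameter.
    conn = make_db()
    try:
        login(conn, "alice", "'")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("fixed", login_fixed)):
        print(name, "functional:", functional_tests(login))
        print(name, "security:  ", security_tests(login))
        print(name, "quote probe raises SQL error:", leaks_syntax_error(login))
```

The point for the laboratory: a green functional suite says nothing about the security mechanism. The security suite has to be written from the attacker's perspective, and the same payloads that expose the concatenated version are the regression tests that prove the parameterized remediation holds.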
Functional Testing:
- Course introduction: fundamentals of functional and security testing
- Manual vs automated testing
- Essential software testing techniques
- Introduction to continuous testing (DevOps); introduction to Jenkins
- Data-driven testing
- Automation tools for unit testing (e.g., xUnit and TestNG)
- Web app and Mobile testing: E2E testing approach; differences between Web and Mobile testing; approaches for generating E2E test cases; cross-browser testing
- Test automation best practices: Page Object Model
- Testing tools: Capture/Replay vs. programmable; DOM-based vs. visual
- API testing: introduction to POSTMAN
- Laboratory: test suite development for selected Web apps with Selenium IDE, Selenium WebDriver, Appium, POSTMAN, Katalon, Jenkins (or other similar tools)

Security Testing:
- Background on security vulnerabilities: the OWASP 'Top Ten'
- Server-side vulnerabilities: OS command injection; SQL injection; remediation/sanitization
- Client-side security: cross-site scripting (XSS) and its mitigations; cross-site request forgery (CSRF)
- Risk rating: OWASP Risk Rating methodology; OWASP risk calculator
- Laboratory: security testing using WebGoat (or a similar deliberately insecure web application) and Burp Suite (or other similar tools)

RECOMMENDED READING/BIBLIOGRAPHY
- Andrew Hoffman, Web Application Security: Exploitation and Countermeasures for Modern Web Applications
- PortSwigger Web Security Academy, https://portswigger.net/web-security/learning-path
- Navneesh Garg, Test Automation using Selenium WebDriver with Java: Step by Step Guide

TEACHERS AND EXAM BOARD
FILIPPO RICCA (office hours: appointment by email)
ANDREA VALENZA

Exam Board: FILIPPO RICCA (President), MAURIZIO LEOTTA, MAURA CERIOLI (Substitute), DARIO OLIANAS (Substitute)

LESSONS
Class schedule: the timetable for this course is available on the Portale EasyAcademy.

EXAMS

EXAM DESCRIPTION
The exam is an oral discussion of the mandatory assignments.
A mandatory assignment is a task that must be completed and approved before a student may sit the final examination of a course. The assignment itself is graded as passed or failed and is the starting point of the oral exam.

ASSESSMENT METHODS
The oral examination verifies that the student has understood the issues concerning functional and security testing and the foundational ideas of the proposed methods and techniques. The practical laboratory assignments and their discussion assess the student's ability to apply the presented techniques and methods appropriately.

Exam schedule
Date        Time   Location  Degree type  Note
09/06/2023  09:00  GENOVA                 Exam by appointment
15/09/2023  09:00  GENOVA                 Exam by appointment
16/02/2024  09:00  GENOVA                 Exam by appointment