CODE 101808
ACADEMIC YEAR 2022/2023
CREDITS
SCIENTIFIC DISCIPLINARY SECTOR INF/01
LANGUAGE English
TEACHING LOCATION
  • GENOVA
SEMESTER 2° Semester
TEACHING MATERIALS AULAWEB

OVERVIEW

This course aims at providing the foundations behind functional and security testing. Testing is the key activity for ensuring software quality during software development. To be effective, testing must consider both functional and security aspects. Security testing is very different from functional testing, since its goal is not detecting software defects (i.e., unexpected behaviors) but revealing flaws in the security mechanisms of the application under test.

AIMS AND CONTENT

LEARNING OUTCOMES

Learning the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web and Mobile applications, and getting acquainted with automated tools used to practice testing techniques.

AIMS AND LEARNING OUTCOMES

Students will learn the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web and Mobile applications and using automated testing tools.

Students will see the many facets of the problem and will learn methodologies, approaches and techniques to check the quality of complex software systems.

After completing the course, participants will be able to:

  • Understand and apply the differences between functional and security testing
  • Understand fundamental concepts of software testing (e.g., manual vs. automated testing)
  • Use established techniques, approaches and tools for designing and executing functional tests
  • Understand how attackers succeed in breaking applications
  • Understand the attack surface of web apps (e.g., SQL injection)
  • Understand the ‘Top Ten’ vulnerabilities proposed by OWASP
  • Identify a security risk and determine its severity
  • Gain hands-on experience with Web and Mobile application testing techniques (both functional and security), using, e.g., the Selenium framework, Burp Suite and other automated testing tools
  • Incorporate software testing as a continuous process

PREREQUISITES

  • Object-oriented and procedural programming fundamentals (in particular, basic knowledge of Java, JavaScript, PHP and SQL)
  • Basic knowledge of Web and Mobile applications

TEACHING METHODS

The teaching combines the presentation of theoretical concepts with exercises and discussions. It is dialogue-oriented and follows a practical approach.

Mandatory assignments, which must be completed during the course, will be given to the students.

SYLLABUS/CONTENT

This course aims at providing the foundations behind functional and security testing. Current testing practices are quite effort intensive since they rely heavily on manual activities. Test automation aims at reducing the cost of testing by automating several of the involved activities.

The laboratory, which constitutes an integral part of the course, will give the students a hands-on opportunity to see the analysis and testing techniques (both functional and security) applied to real case studies.

Functional Testing:

  • Course introduction: fundamentals of functional and security testing
  • Manual vs automated testing
    • Software testing essential techniques
    • Introduction to continuous testing (DevOps)
      • Introduction to Jenkins
    • Data driven testing
    • Automation Tools for Unit testing (e.g., xUnit and TestNG)
  • Web app and Mobile testing
    • E2E testing approach
    • Difference between Web and Mobile testing
    • Approaches for generating E2E test cases
    • Cross-browser testing
    • Test automation best practices
      • Page Object Model
    • Testing tools
      • Capture/Replay vs. Programmable
      • DOM-based vs. Visual
  • API testing
    • Introduction to POSTMAN
  • Laboratory
    • Test suite development for selected Web apps
    • Selenium IDE, Selenium WebDriver, Appium, POSTMAN, Katalon, Jenkins (or other similar tools)

Security Testing:

  • Background on security vulnerabilities
    • ‘Top Ten’ vulnerabilities proposed by OWASP
  • Server side vulnerabilities
    • OS Command Injection
    • SQL injection
    • Remediation/sanitization
  • Client side security
    • Cross-Site scripting
    • Cross-Site scripting mitigations
    • Cross-Site Request Forgery
  • Risk rating
    • OWASP Risk Rating methodology
    • OWASP Risk calculator
  • Laboratory
    • Security testing using WebGoat (or similar deliberately insecure web application)
    • Burp suite (or other similar tools)

RECOMMENDED READING/BIBLIOGRAPHY

  • Web Application Security: Exploitation and Countermeasures for Modern Web Applications, by Andrew Hoffman
  • Web Security Academy - https://portswigger.net/web-security/learning-path
  • Test Automation using Selenium WebDriver with Java: Step by Step Guide, by Navneesh Garg

TEACHERS AND EXAM BOARD

Exam Board

FILIPPO RICCA (President)

MAURIZIO LEOTTA

MAURA CERIOLI (Substitute)

DARIO OLIANAS (Substitute)

LESSONS

Class schedule

The timetable for this course is available here: Portale EasyAcademy

EXAMS

EXAM DESCRIPTION

The exam is an oral discussion of the mandatory assignments. A mandatory assignment is a task which must be completed and approved before a student may sit the final examination of the course. The assignment itself is graded as passed or failed and is the starting point of the oral discussion.

ASSESSMENT METHODS

The oral examination verifies that the student has understood the issues concerning functional and security testing and the foundational ideas of the proposed methods and techniques. The practical laboratory assignments and their discussion assess the student’s ability to apply the presented techniques and methods effectively.

Exam schedule

Exam date    Time    Location    Degree type    Note
09/06/2023   09:00   GENOVA                     Exam by appointment
15/09/2023   09:00   GENOVA                     Exam by appointment
16/02/2024   09:00   GENOVA                     Exam by appointment