CODE 101808
ACADEMIC YEAR 2024/2025
CREDITS
SCIENTIFIC DISCIPLINARY SECTOR INF/01
LANGUAGE English
TEACHING LOCATION
  • GENOVA
SEMESTER 2° Semester
TEACHING MATERIALS AULAWEB

OVERVIEW

This course aims at providing the foundations behind functional and security testing. Testing is the key activity for ensuring software quality during software development.

To be effective, both functional and security aspects should be considered. Security testing is very different from functional testing: the goal is not detecting software defects (i.e., unexpected behaviors) but revealing flaws in the security mechanisms of the application under test.

AIMS AND CONTENT

LEARNING OUTCOMES

Learning the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web and Mobile applications, and getting acquainted with automated tools used to practice testing techniques.

AIMS AND LEARNING OUTCOMES

Students will learn the fundamentals in functional and security testing of software systems, with special emphasis on challenges posed by Web applications and using automated testing tools.

Students will see the many facets of the problem and will learn methodologies, approaches and techniques to check the quality of complex software systems.

At the end of the course, students will be able to:

  • Understand and apply the differences between functionality and security testing
  • Understand fundamental concepts of software testing (e.g., manual vs automated testing)
  • Use established techniques/approaches/tools for designing and executing functional tests
  • Learn how attackers succeed in breaking applications
  • Learn how to protect a web application from known threats
  • Understand the attack target possibilities of web apps
  • Understand the ‘Top Ten’ vulnerabilities proposed by OWASP
  • Understand network protocols functioning and related security aspects
  • Get hands-on experience with Web application testing techniques (both functional and security), using, e.g., Selenium, Burp Suite, WPScan, sqlmap and other automated tools
  • Incorporate software testing as a continuous process

PREREQUISITES

The course has the following prerequisites:

  • Object-oriented and procedural/imperative programming fundamentals (in particular, basic knowledge of Java, JavaScript, PHP, Node.js, and SQL)
  • Basic knowledge of Web applications
  • Basic knowledge of Bash
  • Basic knowledge of Docker and containerized environments

TEACHING METHODS

The teaching combines the presentation of theoretical concepts with exercises and discussions. It is dialogue-oriented and follows a practical approach. The course includes laboratory activities that can also be carried out in groups.

Mandatory assignments which must be completed during the course will be provided to the students.

SYLLABUS/CONTENT

This course aims at providing the foundations behind functional and security testing. Current testing practices are quite effort intensive since they rely heavily on manual activities. Test automation aims at reducing the cost of testing by automating several of the involved activities.

The laboratory, which constitutes an integral part of the course, will give the students a hands-on opportunity to see the analysis and testing techniques (both functional and security) applied to real case studies.

Functional Testing:

  • Course introduction: fundamentals of functional and security testing
  • Manual vs automated testing
    • Software testing essential techniques
    • Introduction to continuous testing (DevOps)
      • Introduction to a continuous integration and continuous delivery (CI/CD) platform (e.g., GitHub Actions)
    • Data driven testing
    • Automation Tools for Unit testing (e.g., xUnit or TestNG)
  • Web application testing
    • E2E testing approach
    • Approaches for generating E2E test cases
    • Introduction to Selenium IDE and Selenium WebDriver
    • Cross-browser testing
    • Test automation best practices
      • Page Object Model
    • Testing tools
      • Capture/Replay vs. Programmable
      • DOM-based vs. Visual

Security Testing:

  • Introduction to cybersecurity
  • Automated security tools
    • Burp Suite, WPScan, sqlmap
  • The HTTP protocol
  • Command injection
  • Client-side vulnerabilities
  • Denial of Service attacks

RECOMMENDED READING/BIBLIOGRAPHY

  • Web Application Security: Exploitation and Countermeasures for Modern Web Applications
    by Andrew Hoffman
  • Web Security Academy - https://portswigger.net/web-security/learning-path
  • Hands-On Selenium WebDriver with Java by Boni Garcia

TEACHERS AND EXAM BOARD

Exam Board

FILIPPO RICCA (President)

MAURIZIO LEOTTA (President Substitute)

ENRICO CAMBIASO (Substitute)

LESSONS

LESSONS START

In agreement with the calendar approved by the Degree Program Board of Computer Science.

Class schedule

The timetable for this course is available here: Portale EasyAcademy

EXAMS

EXAM DESCRIPTION

The objective of the verification procedure is to quantify, for each student, the level of achievement of the educational objectives. The verification procedure consists of evaluating certain guided laboratories and a written test.

EXAMINATION

The exam consists of the following activities:

  • Laboratory activities
  • Written test

Laboratory activities

The course includes laboratory activities to be carried out. For some of these activities, the submission of the work done will be required. For others, students' participation will simply be monitored. Alternative activities to be submitted via AulaWeb will be proposed for those (e.g., working students) who are unable to attend laboratory activities.

Written test

The written test will consist of multiple-choice questions. The questions will be both theoretical and practical and will focus on the topics/tools covered in class. During the lessons, some examples of possible questions and exercises for each topic will be discussed so that the type of test is clear at the end of the course.

Students with certification of Specific Learning Disabilities (SLD), disabilities, or other special educational needs must contact the instructor at the beginning of the course to agree on teaching and examination methods that, while respecting the course objectives, take into account individual learning styles and provide appropriate compensatory tools. Students are reminded that the request for compensatory/dispensatory measures for exams must be sent to the course instructor, the School representative, and the “Settore servizi per l'inclusione degli studenti con disabilità e con DSA”.

ASSESSMENT METHODS

The laboratory activities aim to assess the understanding of the proposed tools and techniques. The written test has the dual objective of verifying the knowledge of the fundamental aspects of the discipline and assessing the students' participation in the guided laboratories.

Exam schedule

Exam date    Time    Location    Degree type    Notes
14/02/2025   09:00   GENOVA                     Exam by appointment
06/06/2025   09:00   GENOVA                     Exam by appointment
12/09/2025   09:00   GENOVA                     Exam by appointment

Agenda 2030 - Sustainable Development Goals

Quality education