What is Benchmarking?
Benchmarking: A continuous, systematic process of evaluating and comparing the capability of one organization with others normally recognized as industry leaders, in order to gain insights for optimizing the organization's processes.
Posted by Sudarshan at 1:28 AM, 0 comments
Buffer overflow: A buffer overflow happens when a program writes more data into a fixed-size buffer than the buffer can hold, so the excess overwrites adjacent memory. In testing terms, this is what you are probing for when you feed an input field far more data than it was designed to accept. Attackers use buffer overflows to crash the system, or to gain complete control over it by having it execute their malicious code.
Extraneous access to users: The application should restrict access to folders and files to authenticated users who are authorized for them; anonymous users should not be able to browse or download resources simply by guessing their paths.
Error Message Risk: Most applications return more information in error messages than the user needs (stack traces, database errors, file paths, software versions). Every extra detail handed to an attacker is a hint about how to break the application.
Extraneous ports/services: Attackers take the easiest and most convenient route, exploiting well-known flaws in exposed services. In most cases, the fewer ports and services you have open or enabled, the fewer avenues an attacker has to compromise your network.
SQL Injection: SQL injection is the act of supplying input that the application concatenates into a SQL statement, so that the input is interpreted as SQL code rather than as data. An attacker can use it to bypass logins, read or modify data and, depending on the database, do considerably more.
Authentication/Authorization: Improper validation of the user's authentication, or of what an authenticated user is permitted to do, leaves the application open to unauthorized access and login bypass.
Path Traversal Techniques:
a) Directory Enumeration: Directory enumeration is possible when directory names follow a predictable pattern. An example is a directory tree that groups data by time (days, weeks or months), so an attacker can guess the names of directories that were never linked from any page.
b) Reverse Directory Traversal: Reverse directory traversal is the process of editing the URL in the web browser to reach areas of the web server that were not secured. By inserting ../ sequences into existing URLs and adjusting the number of directories to climb, an attacker may gain access to system files outside the web root.
c) Truncating Paths - Data Leakage: Truncating paths (removing the file name or the last directory components from a URL) is a method of finding directories that were not intended for users to browse, and of gaining access through directory listings where no hyperlinks lead.
d) Renaming File Extensions: Network administrators and developers often leave backup files and scripts on the web server. These files commonly contain information (source code, credentials, configuration) that can be used to breach the site's security. Extension checking involves replacing or appending extensions on known file names (for example .bak, .old or a trailing ~) and then looking for older or backup versions stored on the site.
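An added Python example (not code from the original post) of the path-handling side of techniques (b) and (c): a naive resolver that glues the request onto the document root, a hardened one that decodes once and checks containment, and a tester's probe list. The document root /var/www/html and the probes are assumed for the demo, and nothing here touches the real disk:

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demo; no file is actually opened.
WEB_ROOT = "/var/www/html"

def escapes_root(root, path):
    """True when the normalised path lies outside root. Used both by the
    hardened resolver and as the tester's oracle."""
    root_norm = posixpath.normpath(root)
    p = posixpath.normpath(path)
    return p != root_norm and not p.startswith(root_norm + "/")

def resolve_naive(root, user_path):
    """What a careless handler does: glue the decoded request onto the root.
    '../' sequences survive and are honoured by the filesystem."""
    return root + "/" + unquote(user_path)

def resolve_under_root(root, user_path):
    """Hardened mapping from request path to filesystem path. Returns the
    absolute path, or None when the request must be rejected."""
    decoded = unquote(user_path)          # decode exactly once
    if "\x00" in decoded:                 # null byte: path-truncation tricks
        return None
    # Treat the request as relative even if it starts with '/', then
    # collapse '.', '..' and duplicate slashes before checking containment.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if escapes_root(root, candidate):
        return None
    return candidate

# Constructed probes a tester would send for technique (b); the last one
# checks that an absolute path cannot be used to bypass the root either.
TRAVERSAL_PROBES = [
    "../../../etc/passwd",
    "..%2F..%2F..%2Fetc%2Fpasswd",        # URL-encoded slashes
    "docs/../../../../etc/passwd",        # climbing out from a real directory
    "/etc/passwd",
]

def escaping_probes(resolver, root=WEB_ROOT):
    """Return the probes for which the resolver produced a path outside root."""
    hits = []
    for probe in TRAVERSAL_PROBES:
        path = resolver(root, probe)
        if path is not None and escapes_root(root, path):
            hits.append(probe)
    return hits
```

The containment check is done on the fully normalised path, after decoding, because that is the form the filesystem will see. Decode only once: a doubly encoded `%252e%252e` stays a literal directory name after one decode, but if some later layer decodes it again the check has been bypassed, so the check must sit at the last point before the path is used.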
Cross Site Scripting: This issue occurs when dynamically generated web pages display input that is not properly validated or encoded. It allows an attacker to embed malicious script in the generated page, which then executes in the browser of any user who views that page. To avoid cross site scripting, do all important validation on the server side rather than only on the client, and encode user-supplied data for the context it is written into (HTML entity encoding for page content) rather than relying on input filtering alone.
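An added Python example, not from the original post, of why validation alone is not enough: three renderers for a comment field, one reflecting input verbatim, one that only blacklists `<script` on the server, and one that HTML-encodes the output. The page template and the two payloads are constructed for the demo:

```python
import html
import re

TEMPLATE = '<p class="comment">{}</p>'

def render_vulnerable(comment):
    """Reflects the input verbatim into the page."""
    return TEMPLATE.format(comment)

def render_filtered(comment):
    """Server-side validation only: a blacklist that rejects '<script'.
    Raises ValueError for rejected input."""
    if re.search(r"<script", comment, re.IGNORECASE):
        raise ValueError("input rejected")
    return TEMPLATE.format(comment)

def render_encoded(comment):
    """Output encoding: HTML metacharacters become entities, so the browser
    shows the text and never parses it as markup. The encoding belongs to
    the output context; here that is HTML body text."""
    return TEMPLATE.format(html.escape(comment, quote=True))

# Constructed payloads: the obvious one, and one with no <script> tag at all.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
]

def injected_tags(page):
    """Crude oracle: unescaped tags from our payloads present in the page.
    Good enough for the demo; a real scanner parses the DOM."""
    return re.findall(r"<(script|img)\b", page, re.IGNORECASE)

def xss_findings(renderer):
    """Payloads the renderer passed through as live markup."""
    findings = []
    for payload in PAYLOADS:
        try:
            page = renderer(payload)
        except ValueError:
            continue            # blocked by validation
        if injected_tags(page):
            findings.append(payload)
    return findings
```

The blacklist stops the first payload and passes the second, which needs no `<script>` tag to run. Encoding the output neutralises both without having to predict every payload, which is why it is the primary defence; server-side validation remains useful for restricting what the field is allowed to contain.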
Mail Relay risk: When an e-mail server is not configured to restrict how mail is routed, it will process a message where neither the sender nor the recipient is a local user (an open relay). Spammers and attackers take advantage of this for mass mailing or to slow the server down. Leaving relaying open also gives an attacker another means of delivering trojans and viruses, or of launching a particularly nasty denial of service attack.
Hidden Fields: Hidden fields are form fields used to store state information as data passes back and forth between the client and the server. They are invisible in the rendered page but fully under the user's control: anything stored in them (prices, user IDs, role flags) can be edited before the form is submitted, so the server must not trust their contents.
Sequential Numbering: Sequential numbering is when an application increments the numbers used for any of its key fields (order numbers, user IDs, session identifiers). Such values are easily predicted: an attacker who sees order 1001 simply requests 1002, so a sequential key must never be the only thing standing between a user and someone else's data.
Cookie Manipulation/Encryption: Cookie manipulation is when a user changes the contents of a cookie on the client. If the application trusts the cookie's contents, such changes can give the user access to areas of the website that were previously prohibited. Cookies that carry state should be signed so the server can detect tampering, and encrypted as well if they hold values the user must not see.
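The three items above share one fix: never trust state that has been round-tripped through the client unless you can prove it came back unchanged, and never rely on guessable identifiers. The following added Python example (not code from the original post) signs hidden-field or cookie state with an HMAC, shows a tamper attempt failing verification, and includes a tester's check for sequential IDs; the server key is a constructed demo value:

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed server-side secret for the demo. In production it comes from a
# secrets store and is rotated, never embedded in code.
SERVER_KEY = b"constructed-demo-key"

def _encode(state):
    return base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()

def _mac(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def sign_state(state):
    """Serialise state destined for a cookie or hidden field and append an
    HMAC so the server can tell whether it came back unmodified."""
    payload = _encode(state)
    return payload + "." + _mac(payload)

def verify_state(token):
    """Return the state if the MAC matches, else None (tampered or garbage).
    compare_digest avoids leaking the MAC through timing differences."""
    payload, sep, mac = token.rpartition(".")
    if not sep:
        return None
    try:
        if not hmac.compare_digest(mac, _mac(payload)):
            return None
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, TypeError):
        return None

def tamper(token, new_state):
    """What the attacker does: rewrite the payload, keep the original MAC."""
    _, _, mac = token.rpartition(".")
    return _encode(new_state) + "." + mac

def new_order_id():
    """Unguessable identifier to use instead of a sequential counter."""
    return secrets.token_urlsafe(16)

def looks_sequential(ids):
    """Tester's check: do the observed identifiers form an arithmetic run?"""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    diffs = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 1 and len(diffs) == 1 and diffs != {0}
```

The MAC gives integrity, not confidentiality: the user can still read a signed cookie, so values that must stay hidden need encryption in addition to the signature. Signing also does not stop a user replaying an older token that was valid at the time, which is why the more robust design keeps the state on the server and hands the client only an opaque session identifier.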
Debug information: Identify modules that leave debug options enabled in the production environment; debug output typically exposes internal state and configuration that should never reach users.
Posted by Sudarshan at 4:59 AM, 2 comments
A bug tracking system is used to report all errors in one central place for easy access and retrieval by both developers and testers.
Since all bugs are filed centrally, it is easy to update their status.
Tracking can be done across multiple projects and, lastly, the recorded details can be used by a QA manager for metrics.
Posted by Sudarshan at 4:49 AM, 1 comment
A good test case should find as many defects as possible in the specified software. For example, if we have to test antivirus software, we load a large number of virus and trojan samples onto the system and then test the software against them...
Posted by Sudarshan at 4:47 AM, 0 comments
•Poor requirements - if requirements are unclear, incomplete, too general, or not testable, there will be problems.
•Unrealistic schedule - if too much work is crammed into too little time, problems are inevitable.
•Inadequate testing - no one will know whether or not the program is any good until the customer complains or systems crash.
•Featuritis - requests to pile on new features after development is underway; extremely common.
•Miscommunication - if developers don't know what's needed or customers have erroneous expectations, problems are guaranteed.
Posted by Sudarshan at 4:43 AM, 0 comments
Bug traceability can be followed in several ways:
•Mapping the functional requirement scenarios (FS Doc) - test cases (ID) - failed test cases (bugs)
•Mapping between requirements (RS Doc) - test case (ID) - failed test case
•Mapping between test plan (TP Doc) - test case (ID) - failed test case
•Mapping between business requirements (BR Doc) - test case (ID) - failed test case
•Mapping between high level design (Design Doc) - test case (ID) - failed test case
Usually the traceability matrix is a mapping between the requirements, client requirements, functional specification, test plan and test cases.
Typically, in test situations, traceability matrices are used to trace requirements to test cases in order to ensure that there are test cases for all the requirements. Commercial tools such as Rational Suite Enterprise help a test engineer or test lead trace requirements, and then trace from the use cases and/or requirements to test cases.
Of course, many other types of traceability matrix can be created simply by applying the same idea in reverse. For example, you may trace a bug to the test cases that found it and from there to the use cases, and vice versa. The default meaning of the term, though, is tracing requirements to test cases.
Posted by Sudarshan at 4:40 AM, 0 comments
AUT is "Application Under Test". After the design and coding phases of the development cycle, when the application (build) is handed over for testing, the application is in the under-test state; during that period the build is called the "Application Under Test".
Posted by Sudarshan at 4:36 AM, 0 comments
A show stopper is a condition (bug) where the tester cannot proceed with further testing until that bug is fixed. In this case, as testers, we send an urgent request to the development team to fix the bug.
Posted by Sudarshan at 4:34 AM, 0 comments