Security testing questions

Questions from UK testing team:

Hi, yep, we talked about this a while ago and I forgot to respond.

And we’ve been wondering how many different device/platform combinations we need to test. But you may have done a good range of this in your testing to date.

As many as you can. We do what we can, but a lot of the testing is me, and then we get device/platform feedback from users! The more you can do the better.

We are also interested to know what security testing has been done already (for example on checking data visibility for ordinary and privileged user accounts, and against HTML and SQL injection attacks).

Again, we do what we can, but we’re extremely under-resourced in this area, so the more you can do the better. We keep Rails/Spree security patches pretty up to date, so that should be the bulk of the protection against injection attacks.

Data visibility for ordinary and privileged user accounts is a high priority for you to look out for. We keep a pretty close eye on this and it should be OK, but as we’re doing lots of work on permissions etc. things are changing, and the more eyes the better! That said, a lot of the way we’re working and building starts from “OK, we’re dealing with this user: what are they doing / what do they need to do, and what should they see?”, so it’s pretty embedded in the way things are built and very top of mind. The place I’d like you to keep the biggest lookout for it is in the reports.

To save us unnecessary work, could you let us have a copy of your relevant test scenarios?

I’m afraid they’re mostly in my head, so your work to write them up will be very useful. I did try to write out detailed cases a while ago, but no one else ever used them, so it was more work for me to try to write and maintain them than just to test as much as I can.

NB. This should also become clearer as the new information system gets settled and into play - because we should be aiming for clear specs on features here before they’re built, so that by the time it comes to testing there is already a very clear description of what should be happening!
@nick @lin_d_hop
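The reply above asks the testers to watch data visibility most closely in the reports. The following is an added illustration (not OFN's own code, and not the reply's author's) of what such a privilege-check scenario looks like when written down: a report that reads every order regardless of who is asking, next to one that is scoped by the "what should this user see" rule, and a check that flags any report entry the user should not have been shown. It is plain Ruby so it runs without Rails; the roles (admin, manager, customer), the fields, and the sample orders and users are constructed assumptions for this example only.

```ruby
# Added example, not OFN or Spree code. Roles, fields and sample rows are
# assumptions constructed for this illustration.

User  = Struct.new(:name, :role, :enterprise_ids, keyword_init: true)
Order = Struct.new(:id, :customer, :enterprise_id, :total, keyword_init: true)

# Constructed sample data standing in for the rows a sales report reads.
ORDERS = [
  Order.new(id: 1, customer: "alice", enterprise_id: 10, total: 25.0),
  Order.new(id: 2, customer: "bob",   enterprise_id: 10, total: 40.0),
  Order.new(id: 3, customer: "alice", enterprise_id: 20, total: 15.0),
  Order.new(id: 4, customer: "carol", enterprise_id: 30, total: 60.0),
].freeze

# Constructed accounts: a platform admin, a manager of enterprises 10 and 20,
# and an ordinary customer (alice) who only has orders of her own.
USERS = {
  admin:    User.new(name: "admin", role: :admin,    enterprise_ids: []),
  manager:  User.new(name: "mandy", role: :manager,  enterprise_ids: [10, 20]),
  customer: User.new(name: "alice", role: :customer, enterprise_ids: []),
}.freeze

# The "what should they see" decision, answered once and reused by every
# report. Unknown roles get nothing (deny by default).
def visible_orders(user, orders = ORDERS)
  case user.role
  when :admin    then orders
  when :manager  then orders.select { |o| user.enterprise_ids.include?(o.enterprise_id) }
  when :customer then orders.select { |o| o.customer == user.name }
  else []
  end
end

# Per-enterprise sales totals from a set of orders.
def totals_by_enterprise(orders)
  orders.group_by(&:enterprise_id).transform_values { |os| os.sum(&:total) }
end

# The defect a tester is looking for: the report ignores the requesting user
# and aggregates every order on the platform.
def unscoped_sales_report(_user)
  totals_by_enterprise(ORDERS)
end

# The corrected form: the report only ever sees rows the user may view.
def scoped_sales_report(user)
  totals_by_enterprise(visible_orders(user))
end

# The written test scenario's assertion: every entry in a report the user
# received must match what their visibility rule allows. Returns the entries
# that leaked (wrong enterprise, or a total inflated by other people's orders),
# so an empty hash means the report passed.
def leaked_entries(user, report)
  expected = scoped_sales_report(user)
  report.reject { |enterprise_id, total| expected[enterprise_id] == total }
end

if __FILE__ == $PROGRAM_NAME
  USERS.each do |label, user|
    puts "#{label}: leaked from unscoped report -> " \
         "#{leaked_entries(user, unscoped_sales_report(user)).inspect}"
  end
end
```

Run as a script it prints, for each constructed user, which entries the unscoped report leaked; the admin sees nothing leak (everything is theirs to see), the manager sees enterprise 30, and the customer sees enterprise 30 plus an inflated total for enterprise 10 that includes another customer's order. The last case is the one worth noting when writing report scenarios: a leak is not only a row from the wrong enterprise, it is also an aggregate that silently includes rows the user could not have listed individually.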

If we go with the proposed Stroudco testing approach of Order Cycles 1,2,3, I think we can incorporate the device/browser/platform combo coverage in OC 3. And the security/privilege checking (especially reports) in OCs 2 & 3.

Point taken about the written test cases. They’re hard work and it’s a killer if no one uses them after all that. I think they’re helpful for us in Stroudco though, because the writing of them, and of the expected results, is really good for getting us to dig into the detail of OFN. That’s the plan anyway. We’ll see how it goes as the pace hots up!