Mind of Bigyellow

Injection:  在输入中加入代码，直接进入系统 Broken Authentication and Session Management: 利用Session  管理的问题，比如登出，密码管理，超时，remember me等等里面的漏洞来进入其他用户的账户。 Cross Site Scripting：将恶意代码发给多个用户，一旦有一个用户疏忽，就会被侵入。之后此用户和网页之间的数据交换，cookie等就有可能被暴露。  Haker --> Create Page Victim --> Visit page   Victim --> Get inject script Hacker --> Do bad thing on victim behalf Insecure Direct Object References：没有权限的用户可能访问某些需要权限才能访问的对象。特别是某些文件目录，侵入者可以猜测目录结构，然后进入一个应该保护但是没有被保护的目录 Application Security Misconfiguration：某些不必要也不安全的组件被放在网页上面，比如一些内部用的调试组件，侵入者可以通过这些组件绕过认证的过程。  Sensitive Data Exposure: 需要被加密的数据没有被加密储存或者传递，或者使用低级别的加密技术 Missing Function Level Access Control：某些函数或者控件只能被认证用户使用，但是因缺少保护，侵入者可以找到这些漏洞。 Cross-Site Request Forgery：用户访问网页的时候，现访问侵入者的主机，此主机在用户的请求后面注入恶意代码在发给用户真正要访问的服务器。  Using Components with known vulnerabilities: 开发的时候没有注意使用的库可能是已知的有问题的。使用这种库，就容易出现问题。 Unvalidated Redirects and Forwards: 网站经常会将用户重新定向。 如果定向设计的有缺陷，侵入者可以加入一些参数，引诱用户点击以后被重定向到他们希望的网页。 

Functional test for new development: Divide to two stage: i) Early test: test in each team's isolated dev env. those envs are regularly sync.ed. Release test: each test analyst will be responsible for several test plan, which covered one or more new feature/requirement. So test analyst is a role, plan the test, design the test, execute the test, and report the test. ii) Automation test for regression test:  A lot of automation test (UI and Unit) as gate checking. Other test: Performance. Performance test. Problem or challenge: 1. Each team/test analyst works alone, find error in their own domain. Cross domain error sometimes not caught. 2. The strict release date and predefine feature(most likely are promised to customer)somehow restrict the Agile development. 1. script failure, hardware failure, network failed, and the dependencies, database failure, or system crash due to ...... etc 1. I should not only test the CR, also think the theory behind it. 2. Figu

Q: More Asset Management team seeking nontraditional investment in nowadays, what is the opportunity to me A: Instrument Type added, and the infomation of Insrument type will be added. Q: How to deal with the support to different version. A: After 5.6, install the agent in testtemp folder, and no need to remove the agent from default folder. . Q: Also think about test as service, what I should change my behaviour. A: Test as service is mainly to know what you custemer needs. Interview the stakehold what they want, and design the test for them. No quite same as the work we do here. Q: How to perform release test and cr test, figure out a good way to do that. Get project information -> Write strategy -> Script the test. Relase test should not only test the CR, also test the requirement, not only the functional, should I consider the non functional, or higher level test. Use script is good for simplify the labor work, but also make the test to always use the predifine s