JsTestDriver Another Testing Framework
Did you notice that there are a lot of JavaScript testing frameworks out there? Why has the JavaScript community not consolidated on a single JavaScript framework the way Java has on JUnit? My feeling is that all of these frameworks are good at something, but none of them solve the complete package. Here is what I want out of a JavaScript unit-test framework: I want to edit my JavaScript code in my favorite IDE, and when I hit Ctrl-S, I want all of the tests to execute across all browsers and return the results immediately.
I don’t know of any JavaScript framework out there which will let me do what I want. In order to achieve my goal I need a JavaScript framework with these three features:
Command Line Control
Most JavaScript test runners consist of a JavaScript application which runs completely in the browser. What this means in practice is that I have to go to the browser and refresh the page to get my results. But browsers need an HTML file to display, which means that I have to write an HTML file which loads all of my production code and my tests before I can run my tests. And since browsers are sandboxes, the JavaScript test runner can only report the result of the test run inside the browser window, for human consumption only. This implies that 1) I cannot trigger running of the tests by hitting Ctrl-S in my IDE; I have to Alt-tab to the browser, hit refresh and Alt-tab back to the IDE, and 2) I cannot display my test results in my IDE; the results are in the browser in human-readable form only.
On my continuous build machine I need to be able to run the same tests and somehow get the failures out of the browser and on to the status page. Most JavaScript test runners have a very poor story here, which makes integrating them into a continuous build very difficult.
What we need is the ability to control test execution from the command line so that I can trigger it from my IDE or my continuous build machine. And I need test failures to be reported on the command line (not inside the browser, where they are unreachable) so that I can display them in the IDE or on the continuous build status page.
Parallel Execution
Since most JavaScript test runners run fully in the browser, I can only run my tests on one browser at a time during my development process. In practice this means that you don’t find out about failures in other browsers until you have checked in the code to your continuous build machine (if you were able to set it up) and your code executes on all browsers. By that point you have completely forgotten what you have written, and debugging becomes a pain. When I run my tests I want to run them on all browser platforms in parallel.
Instant Feedback in IDE
After I hit Ctrl-S in my IDE, my patience for test results is about two seconds before I start to get annoyed. What this means in practice is that you cannot wait until the browser launches and runs the tests. The browser needs to be already running. Hitting refresh in your browser manually is very expensive, since the browser needs to reload all of the JavaScript code and re-parse it. If you have one HTML file for each TestCase and you have hundreds of these TestCases, the browser may be busy for several minutes while it reloads and re-parses the exact same production code once for each TestCase. There is no way you can fit that into the patience of the average developer after hitting Ctrl-S.
Introducing JsTestDriver
Jeremie Lenfant-engelmann and I have set out to build a JavaScript test runner which solves exactly these issues, so that Ctrl-S causes all of my JavaScript tests to execute in under a second on all browsers. Here is how Jeremie has made this seemingly impossible dream a reality. On startup JsTestDriver captures any number of browsers from any number of platforms and turns them into slaves. As a slave, the browser has your production code loaded along with all of your test code. As you edit your code and hit Ctrl-S, JsTestDriver reloads only the files which you have modified into the captured browser slaves; this greatly reduces the amount of network traffic and the amount of JavaScript re-parsing which the browser has to do, and therefore greatly improves the test execution time. JsTestDriver then runs all of your tests in parallel on all captured browsers. Because JavaScript APIs are non-blocking, it is almost impossible for your tests to run slowly, since there is nothing to block on: no network traffic and no re-parsing of the JavaScript code. As a result JsTestDriver can easily run hundreds of TestCases per second. Once the tests execute, the results are sent over the network to the command which executed the tests, either on the command line ready to be shown in your IDE or in your continuous build.
Video demo: http://www.youtube.com/v/V4wYrR6t5gE
SQL server query performance testing tool
SQLQueryStress is a free tool for SQL Server programmers. It is designed to assist with performance stress testing of T-SQL queries and routines. The tool automatically collects metrics to help you determine whether your queries will perform under load, and what kind of resource strain they put on your server. Many of the most commonly-discussed performance testing techniques focus on full-system testing using commercial tools. But sometimes it’s important to be able to run a quick performance test against a single query, in order to test ideas or validate changes.
SQLQueryStress is a simple, lightweight performance testing tool, designed to load test individual queries. It includes support for randomization of input parameters in order to test cache repeatability, and includes basic capabilities for reporting on consumed server resources.
You can download a free copy of the tool at DataManipulation.net; a quick tutorial is also available.
Mykonos touts security in AJAX
A new AJAX company is implementing built-in security measures on the server, the transport layer and the client for every application created. Executives of startup Mykonos said that every component within the company’s AJAX framework is built to filter user data in order to make AJAX development more secure. This is done, they said, by validating cross-site requests using encrypted tokens, and by using proprietary CAPTCHA codes and authentication screening techniques to prevent automated log-ins.
Mykonos is a framework for building enterprise-class Web applications, and it includes a feature called Visual Builder that allows developers to create screens and workflows. There is a set of components for data transfer that are already encrypted to protect against SQL injection and other attacks.
The name Mykonos was adopted when company executives were sitting in their Rochester, N.Y. office on a cold, wintry day.
Protected only by office walls from the blistering, snowy weather, one employee looked at a framed picture of the Greek island Mykonos, a landmass known for its sandy beaches and exquisite nightlife. The employee proclaimed he’d much rather be there instead of Rochester. Hence, the idea came about for the company name.
The company is a subsidiary of BlueTie, a software-as-a-service e-mail and collaboration company. Mykonos was split off from BlueTie and launched as a separate unit in late April. It has offices in Rochester and Palo Alto, Calif. It currently has 15 employees.
CEO David Koretz called Mykonos a “framework coupled with a security service.”
He continued: “You’ve got a layer of secure components, you’ve got code around your RPC layer, and then you’ve got code around your logging and auditing engine and other things that exist on the client. Mykonos can actually use all this security to upgrade the code itself.”
For instance, if there is a security issue around Firefox, Mykonos can update its components in real time to defend against that, Koretz said.
Mykonos hired developers who didn’t have expertise in browser compatibility and Web application security, Koretz said. This helped create a framework that allows any developer with object-oriented development experience to create Web apps.
“We dramatically reduce the need for people to become JavaScript experts,” Koretz claimed. “Not all developers will become experts in JavaScript, and not all of them will become experts in browser compatibility, and certainly the vast majority of them won’t be experts in security. So we take those big issues off the table.”
Vi Labs uses Google Maps to keep an eye on piracy
Security provider Vi Labs is putting piracy on the map by mashing its database up with Google Maps. The company today released a new version of its CodeArmor Intelligence software anti-piracy platform. CodeArmor Intelligence can now report piracy by collecting data at a gateway server, according to company executives. Geographic information is then added to the platform, and users can view the location of the infringing party through Google Maps.
Users can see how many infringements are being reported from a regional perspective. Web services then add business profile information and an organization’s latitude and longitude, derived from its IP address. Users can zoom in all the way down to a street-level view of the area reporting pirated software, Vi Labs executives said.
“We present to the client an interface that says, ‘Click here to see where this falls within Google Maps,’ ” said Victor DeMarines, vice president of products for Vi Labs. “So all the data is coming from the infringements that we’re detecting in the field, and then we can augment that data with other Web services, and in the end, you’re going to see this non-compliant organization through a screenshot.”
US military shows off hack-by-numbers battlefield gadget
As the US military strives to boost its ability to wage cyber warfare, it’s looking for ways to make it easier for non-expert soldiers on the front lines to wreak havoc on enemy networks. Enter a new generation of attack devices that are packaged to be brought into the battlefield and used by non-specialists to penetrate satellites, voice over internet networks, and supervisory control and data acquisition systems. Aviation Week recently got a peek at one device and provided a rich description of its features.
The device is designed to allow US forces to test enemy networks for a wide range of vulnerabilities and then synthesize the results so they can be acted on quickly. It offers touch-screen dashboards and sliders to make enumeration and penetration more intuitive. One display shows a schematic of an enemy network and identifies its nodes. A sliding lever can be moved to increase an attack or dial it down to reduce collateral damage.
The device is designed to take a slew of algorithms for monitoring and penetrating networks and put them into an easy-to-use package. Think of it as a hack-by-numbers gadget for combat forces.
“Right now, all that information is in the head of a few guys that do computer network operations and there is no training system,” one researcher told Aviation Week.
There’s much more here.
Hacks and IT workers boozing themselves silly
It’s official: Media professionals are the UK’s heaviest boozers, followed by IT workers and “service-sector” operatives. That’s according to a Department of Health survey which found that hacks and the like are working their way through roughly 44 units a week, resolutely ignoring NHS recommended limits of 21 to 28 units for chaps and 14 to 21 for chapesses.
Google News stumbles again
Google’s news aggregation and search site had another little lie down yesterday, for the second time this week. On Monday afternoon the news page was briefly unavailable from the UK and it went down for another 15 minutes yesterday. Google UK did not comment on Monday’s problems.
But Computerworld had more luck - Google said a small percentage of users got a 503 server error and apologised.
Last week Google suffered a far more serious outage, which meant users around the world lost access to most of Google’s applications, including Gmail, maps, Google Docs and AdSense.
Some services were still available but were unbearably slow. Google said a traffic routing problem caused the blip.
The annoyance caused to the average user shows how far the search company has inveigled its way into our working lives. For companies dependent on Google Apps, the outage was more than just annoying, of course.
Source TheRegister
Cybersecurity groups band together in malware fight
Three cybersecurity groups said Tuesday they plan to band together to combat the growing scourge of malware. The Anti-Spyware Coalition, National Cyber Security Alliance, and StopBadware.org said the Chain of Trust Initiative will link together vendors, researchers, government agencies, network providers, and other groups involved in internet security. The members said they want to establish a united front against malware suppliers in much the way groups coalesced to successfully fight providers of adware several years ago.
OWASP sheds light on its security standard
The mission of the Open Web Application Security Project (OWASP) is to make security more “visible,” but over the last few months the organization itself has been raising its profile. OWASP this year has spawned different committees that work on conferences, project and tool development, and industry outreach. The not-for-profit organization now has approximately 150 chapters around the world, producing software, documentation and videos, and several conferences to educate professionals on how to be more secure.
“Currently, when you buy a piece of software or use a website that’s driven by software that’s out in the cloud, you have no way of knowing if that software is secure,” said Jeff Williams, board member and chair of OWASP. “When you buy a car, you or your mechanic can open up the hood, look at it and figure out if it’s a decent car. But with software, it’s really almost impossible; they say software is a black box, and unless you have incredible software skills, it’s very difficult to open up that black box and figure out if that’s a piece of software that you want to trust your business to.”
There are several documentation projects taking place in OWASP, including the Application Security Verification Standard, the organization’s first attempt to create a specification, Williams said. The Application Security Verification Standard identifies four levels of application security verification: manual review, manual design review, manual test and review, and the use of defect trackers. The standard was first published in December 2008, with ongoing improvements discussed through workshops, mailing lists and input from outside developers.
“We saw a lot of people doing all kinds of testing of applications—[penetration] tests, automated scans, static analysis, code reviews—all sorts of different attempts to verify the security of an application,” Williams said. “So we thought there should be a standard around that. Frankly, there’s a lot of folks out there doing good application security work, and folks that aren’t doing such good work, and we want to have a way to tell the difference.”
OWASP is also creating the Application Security Desk Reference, a reference book with approximately 1,000 pages on common threats, vulnerabilities and risk factors.
Another notable project in OWASP is the Enterprise Security API (ESAPI), which focuses on giving developers the proper steps and metrics they’d need to build secure applications. Some of those steps include encrypting data, authenticating users and rotating session identifiers. Instead of developers having to implement these functions themselves, the ESAPI project hopes to provide all developers in all programming environments with a simple set of security methods.
Williams estimated that OWASP has about 100 projects currently taking place to create software to help developers be more secure. Some of those are essentially a “testing ground” for software that has the potential to be commercialized.
“Some of the projects are pushing the envelope on new things that we’re experimenting with,” Williams said. “We try to experiment with things that might be effective; someone has to.”
Facebook users warned over renewed phishing assault
Facebook users are facing a new wave of phishing attacks following a previous barrage in April. Fraudulent messages from already compromised accounts on the social networking website attempt to trick users into handing over their login details to one of a series of fake sites. The assault follows the pattern of a previous similarly-focused attack last month.
The sites associated with the attack this time around include www.151.im, www.121.im and www.123.im.
Staff at the social networking website are removing messages that link to dangerous sites as well as helping to turn over control of compromised accounts to their rightful owners. Facebook’s FAQ on security can be found here.
Security watchers speculate that cybercrooks are interested in getting their hands on Facebook login details because many consumers share the same password across multiple sites. The theory runs that access to a profile on a medium-sensitivity site, such as Facebook, could be a stepping stone on the way to owning a more sensitive online banking account or similar tasty miscreant treat.
In other social networking security attack news, the Twitter profile of the New York Times fashion blog (The Moment) was briefly taken over on Thursday to punt links to a webcam smut site to its 510,000 followers. Control of the profile was quickly restored to its rightful owners, who have since apologised for the cock-up.
