Archive for category 'Links'

Read that: Web Application Security Guidelines

Wednesday, 7. December 2011 12:44

This is a nice summary of web application security related technologies, processes, and development patterns: Design Guidelines for Secure Web Applications. A little .NET heavy, but most stuff is generally applicable.

If you read and like the above information, you should not miss the OWASP web security guidelines. This is a must-read for every tester and developer. OWASP Guide Project:

Web application security is an essential component of any successful project, whether open source PHP applications, web services such as straight through processing, or proprietary business web sites. Hosters (rightly) shun insecure code, and users shun insecure services that lead to fraud. The aim of this Development Guide is to allow businesses, developers, designers and solution architects to produce secure web applications. If done from the earliest stages, secure applications cost about the same to develop as insecure applications, but are far more cost effective in the long run.

Unlike other forms of security (such as firewalls and secure lockdowns), web applications have the ability to make a skilled attacker rich, or make the life of a victim a complete misery. At this highest level of the OSI software map, traditional firewalls and other controls simply do not help. The application itself must be self-defending. The Development Guide can help you get there. The Development Guide has been written to cover all forms of web application security issues, from old hoary chestnuts such as SQL Injection, through modern concerns such as AJAX, phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues…

Category: Links, Security | Comments (0) | Author: Rene

Review Of Cross-Browser Testing Tools

Sunday, 7. August 2011 17:37

Smashing Magazine lists a couple of free and commercial tools to cover cross-browser testing:

Good news: very powerful free testing tools are available for Web designers today. Some are more user-friendly than others, and some have significantly better user interfaces. Don’t expect much (if any) support with these tools. But if you’d rather not spend extra money on testing, some great options are here as well.

Read the full article…

By the way, our own tool Xceptance LoadTest (XLT) offers a way to run cross-browser functional tests. XLT leverages WebDriver, a multi-browser API for automation. WebDriver does not support all browsers and does not support all browsers equally well, but we tried to iron out as much as possible. On top of it, you can use the XLT Script Developer to easily create automation scripts and run them either using our own scripting language or export them to Java to run them directly on the WebDriver API.

You can download Xceptance LoadTest for free with no strings attached from our web site: www.xceptance-loadtest.com.

Category: Java, Links, Testing, XLT | Comments (0) | Author: Rene

Nice reading: CSS3 vs. CSS

Thursday, 21. April 2011 16:06

Nice article about the advantages of CSS3 in terms of coding as well as download speed: CSS3 vs. CSS: A Speed Benchmark.

I believe in the power, speed and “update-ability” of CSS3. Not having to load background images as structural enhancements (such as PNGs for rounded corners and gradients) can save time in production (i.e. billable hours) and loading (i.e. page speed). At our company, we’ve happily been using CSS3 on client websites for over a year now, and I find that implementing many of these properties right now is the most sensible way to build websites.

Until today, all of that was based on an assumption: that I can produce a pixel-perfect Web page with CSS3 quicker than I can with older image-based CSS methods, and that the CSS3 page will load faster, with a smaller overall file size and fewer HTTP requests. As a single use case experiment, I decided to design and code a Web page and add visual enhancements twice: once with CSS3, and a second time using background images sliced directly from the PSD. I timed myself each round that I added the enhancements, and when finished, I used Pingdom to measure the loading times.

More…

Enjoy reading.

Category: Links, Performance | Comments (0) | Author: Rene

How does Garbage Collection work?

Monday, 11. April 2011 13:46

Just found two nice blog entries by Chaotic Java which explain nicely how Java Garbage Collection works. Might be still too much if you have never dealt with the topic before, but good reading for the others.

Enjoy reading.

Category: Java, Links | Comments (0) | Author: Rene

The Argument about the Curly Brackets

Thursday, 3. March 2011 8:00

When you talk about code styleguides, you often talk about basic formatting. This means you probably already fought the holy war over the curly brackets {} and where to put them.

Of course, the next line is the only right place. A curly bracket is a hermit and does not like to be put next to any other character…  :)

What is your opinion?

Cartoon courtesy of Geek and Poke under CC-BY-ND-2.0

Category: Java, Links, Quotations, Software Development | Comments (0) | Author: Rene

Free Money in Australia

Wednesday, 2. March 2011 17:11

A database error caused several ATMs of the Commonwealth Bank to give away money for free in Australia. Read more at ZDNet. There is another short article about that failure in this news.

Up to 40 Commonwealth Bank Automatic Teller Machines are spewing cash across NSW just hours after suffering a computer error this morning.

Category: Links, Things went wrong | Comments (0) | Author: Rene

QA Blog Collection

Monday, 7. February 2011 2:17

Steve collected a very nice list of QA and testing blogs. 100 + 4 different blogs to take a look at. Check it out: Top 100 Software Testing Blogs.

Category: Links, Testing | Comments (0) | Author: Rene

XLT 4.0 Developer Screencasts

Monday, 24. January 2011 18:14

We just published four brand-new screencasts about XLT 4.0, its features, and how to work with them. This is our first attempt to use screencasts as a way of documenting our software. They do not replace the written documentation, of course, but they do provide a quick and easy way to become familiar with XLT.

You might be especially interested in the new Script Developer, our main feature of XLT 4.0.

The Script Developer is our approach to writing and executing scripts efficiently within Firefox. It is a tool to quickly automate web applications and share scripts without the hassle of complicated installations, while maintaining full control over possible other ways to execute scripts. The Script Developer lays the foundation to run tests within the browser, execute scripts during builds, create and run test-driven tests, and, if required, export scripts into Java to unleash the power of a modern programming language.

Enjoy the screencasts and of course feedback is always welcome.

Category: Links, Testing, XLT | Comments (0) | Author: Rene

Browser Cache Usage Study by Yahoo

Wednesday, 3. November 2010 20:05

Today, I rediscovered this nice article about browser cache usage: Performance Research, Part 2: Browser Cache Usage – Exposed!. It gives you a pretty good idea about the average cache usage. Bottom line: Optimize your site for no cache hits at all and you are good.

40-60% of Yahoo!’s users have an empty cache experience and ~20% of all page views are done with an empty cache. … It says that even if your assets are optimized for maximum caching, there are a significant number of users that will always have an empty cache. …reducing the number of HTTP requests has the biggest impact on reducing response time. The percentage of users with an empty cache for different web pages may vary, especially for pages with a high number of active (daily) users. However, we found in our study that regardless of usage patterns, the percentage of page views with an empty cache is always ~20%.

Category: Links, Performance, Quotations | Comments (0) | Author: Rene

Why Test Automation Costs Too Much

Tuesday, 20. July 2010 17:27

I got a pretty nice link today. Check out that short article about the usual obstacles when trying or applying test automation: Why Test Automation Costs Too Much. Elisabeth covers the aspects of disconnected teams and the often practiced sharp distinction between programmers and testers pretty well.

Bottom line: the reason test automation costs so much is that it’s done in a silo far removed from the development effort.

Buffered from the consequences of design decisions that decrease testability, the developers continue to create software that’s nigh onto impossible to automate.

And isolated from the technical expertise of how the software was constructed, the test automation specialists are in a situation where they cannot help but be both inefficient and ineffective.

Enjoy reading!

Category: Links, Quotations, Testing | Comments (0) | Author: Rene