Comparison of Breach and Attack Simulation solutions - automation

I am currently looking for proprietary Breach and Attack Simulation (BAS) solutions or open-source threat simulators to automatically test a wide range of attacks and malicious activities, perform security audits and find security gaps in a company in order to strengthen its defense.
I planned to do market research on the existing breach and attack simulation solutions by comparing their features, to find out which one will best fit the requirements of the company.
I managed to make a comparison of open-source threat simulators because there are scientific articles on them (such as Zilberman P., Puzis R., Bruskin S., Shwarz S. and Elovici Y., "SoK: A Survey of Open-Source Threat Emulators", 3 March 2020). These articles make a useful comparison between the open-source threat simulators and explain the procedure and steps for making the right choice among the existing open-source threat simulators according to the company's environment, objectives, operations, etc.
However, when it comes to proprietary BAS solutions, it is more difficult to make a meaningful comparison, as they are highly expensive, closed source and do not provide detailed documentation. I have found a few websites that rank the best BAS platforms, such as the following:
https://roi4cio.com/catalog/en/products?categories=895
https://www.comparitech.com/net-admin/best-bas-tools/
https://www.esecurityplanet.com/products/breach-and-attack-simulation-bas-vendors/
https://www.peerspot.com/categories/breach-and-attack-simulation-bas
https://sourceforge.net/software/breach-and-attack-simulation-bas/
Based on these sites, I chose the following BAS vendors: SafeBreach, Picus Security, Cymulate, XM Cyber, AttackIQ, CyCognito. For each of them, I have requested a demo by entering user information such as an email address. I should receive the demos in the next few days. Based on the demos, I hope it will be possible to compare the features of the different proprietary BAS products.
Does anyone know of any useful papers, articles, websites, posts or books that provide a detailed comparison or explanation of existing proprietary BAS solutions? Can anyone help me or advise me on how to obtain and search for information about existing proprietary BAS solutions? In this way, it will be possible to choose the BAS solution that best suits the needs of the company.
Thank you very much,
Nicolas Gennart.

You can check the SANS whitepaper in the link: Advantages of Going Purple

Below is a link to an article from SafeBreach that may help. We have a wealth of resources on our website and I am more than glad to have a discussion with you about BAS solutions. Also, Gartner has invaluable resources that I can offer you. My email is ann.chesbrough#safebreach.com.
Four Pillars of BAS

Question about how to become a good software (a website) tester [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am going to look for a job as a software tester (an SDET maybe), especially for website testing. I have some vague impression of this area and have a couple of specific questions, as below:
Among so many documents, such as the functional spec and the design spec, which should I pay more attention to? How should I view them from a tester's point of view?
Any good suggestions about writing a test spec?
Is there anything in particular to pay attention to in website testing?
These are just some questions I have now; I'll update with more shortly.
I'd like to hear your voice very much. Many thanks.
Credentials: I'm an SDET with 5 years of experience, 2 of those years testing web applications.
1- I'd say testerab has a pretty good answer. There is no single document that you can invariably rely upon across companies or even teams within a single company. Pay attention to whichever document has information.
I'd augment that answer with this advice: Don't be surprised if the documentation is insufficient. Strike up strong relationships with people who help define the product (the dev, the business owner, the program manager, etc.). You will nearly always be relying on them for some of your specifications, since it is difficult to cover everything on paper (and, as you gain expertise as a tester, you will learn to see things that others don't notice). Try to write down any "verbal specs" as you hear them, and ideally get any requests for specification clarification in writing or email. Gathering them all in a public document is wise, and may help to uncover if two people have very different ideas about what the spec "ought" to be.
2- Testerab has a good answer to this question, also, here: How Do You Keep Automated Tests in Synch With Test Plans
"1) Who reads it? 2) Who should probably read it, but currently you suspect they don't bother? (Do you know why they don't bother?) 3) What information do they need to get from it? Does it give them that info? 4) How do you currently present that information? Does that work for your readers/non-readers? 5) What sort of feedback do you need to get from the readers of your test plan? 6) Do you have any regulatory requirements that you need to satisfy with your test planning? "
Test plans, like product specs, will vary greatly depending on the needs of your group. If you are in an Agile group you may spend very little time on your test plan, doing little more than outlining the areas you need to cover - or you might not even have a test plan at all, but just a conversation with the team about what will be sufficient testing for everyone to feel confident about making decisions about the product. Other companies will have very specific guidelines you will need to follow.
Cem Kaner's classic book "Testing Computer Software" is slightly outdated, but still a good place to start and discusses test planning. I'd recommend you buy a copy quite strongly, unless someone can recommend something as authoritative that is more current. Last I heard, this was still the software testing book.
3- I'm having a little trouble understanding this question, but will do my best. Do you mean, what specifically will you need to know to test websites? First, what do you mean by websites? Do you mean web applications? If so, you will probably need to understand server / client architecture, web services, databases and basic SQL, at least rudimentary security testing, integration testing, functional testing, and will benefit from an understanding or specialization in performance testing, load testing, more security testing, and familiarity with web GUI testing with Selenium or Watir.
Some helpful things for us to know to help you get started:
How much experience do you have, both as a developer and as a tester? If you are just getting started in your career, what is your educational background?
How much experience do you have working with web applications, and in what roles (dev, test, PM, etc.)?
And, you might want to try asking some of these questions over at http://www.softwaretestingclub.com - this is a site for software testers to build community. You will get a lot of good advice and support there, so long as you are active in the community, and many of the most influential software test writers hang out there. If you do stop by there, feel free to look me up!
Hope this helps!
Edit: Added some info to answer q. #2 and to mention Cem Kaner's book.
I'm a developer with 2 years .NET experience and 1.5 years previous testing experience and an ISTQB/ISEB Foundation qualification.
To answer your questions:
1: A test manager will (typically) have a test plan and awareness of the specification documents to be tested against. Using what a developer is using is a good start. If the development methodology is agile, this will probably be the "user story".
A good way to look at the documents is to go through them, look at where individual elements of functionality are specified, and create steps to exercise them (see some of the functional techniques below).
2: What do you mean by "test spec"?
You will need to prioritise the areas of the application that need testing and understand the coverage needed. A "test case spec" (or test script) fits into higher-level documents (like test plans and test strategies) and can be efficiently and effectively written using some black box (functional) techniques, including:
Equivalence Partitioning,
Boundary Value Analysis,
Decision Tables,
State Transition analysis,
Use Case analysis (which could be based on a user story)
to come up with scripts that contain test cases. These techniques can be looked up online.
White box (structural) testing involves an awareness of the code and includes:
Statement Coverage,
Decision coverage
If you are looking at a website, this may involve JavaScript; QUnit is a testing framework for automating JavaScript testing and would be useful to research. NUnit is a commonly used test framework for .NET applications (including web applications) - NUnit was ported from its Java equivalent JUnit and has been expanded (most probably owing to the popularity of .NET).
3: I don't understand what you mean by this. A web application will need to be tested in many different ways, and contains server and client functionality that will be tested using different techniques, so the testing needs will need to be analysed. It will depend on the project.
As mentioned in other answers there are also other types of testing:
Unit - modular testing of functions at the lowest possible levels
Integration - testing functionality between different functional areas
Regression - testing to ensure that previously working functionality hasn't been broken by changes
System testing (Functional) - ensuring that the code/system under test is working as specified
System testing (Non-functional) - ensuring that aspects of the system that may not be specified are appropriate e.g. performance, load, stress, interoperability, maintainability, reliability, portability, usability
Acceptance (sometimes called User Acceptance Testing or UAT) - ensuring that the system under test is fit for use
As mentioned in other answers, you will be retesting existing defects, and including these in your test scripts is a good idea.
Hopefully this answer has given you a lot of food for thought and a good base for research. Testing qualifications or a role as a Junior Tester in an established team to build your understanding and experience could prove to be very useful.
"Among so many documents, such as functional spec, design spec, which should I pay more attention to? How to view them in a tester's view?"
Being able to extract useful information from many different sources of documentation is a critical skill for a tester, so you're right to identify that as an area you need to look at. The documents you need to look at will vary from project to project, and from company to company, so there isn't one good answer about what document you need to look at - but having good specification analysis skills will mean you'll be able to cope with whatever you're given.
For that, I'd strongly recommend this BBST course on specification based testing - it will show you how to analyse specifications, applying the Satisfice Heuristic Test Strategy model. That should also help you with your second question about writing a test spec.
http://www.testingeducation.org/BBST/BBSTSpecificationTesting.html
I'd recommend the BBST courses in general - the course materials are all available freely online, at the website above.
If you're really serious about testing, you should also consider taking the online course from the Association of Software Testing. The Foundations course is free to members, and you'll get the opportunity to practice your skills online, gain really valuable feedback on how you present yourself and your ideas, and you'll also meet a lot of outstanding testers, both as fellow pupils and as instructors. It's hard work - but if you're willing to put the effort in you will really get a tremendous amount out of it. Being able to discuss the basics with other people will really help you to get a deeper understanding.
My 50c:
If you don't have test specs, or any kind of specs, you can transform your bug reports into a test plan.
For each bug report that occurs, create one test item. That way you'll have a list of tests that you can follow when doing regression testing.

Need issue tracker, for general use, not only software

I'm looking for a free or commercial issue tracker. I've looked at a dozen of them, but I can't find what I need.
These are my requirements:
Not only for software. I need a more general tracker in which "complaints" about products other than software can also be recorded.
Very easy to use, for non-technical users
(optional) rich text editing, possibility to add images between the lines, etc.
I've looked at Bugzilla, SupportSuite, Mantis, but these are too software-oriented for my case.
Strange, no one mentioned Trello [ www.trello.com ]
It's:
General purpose
Software related tracking can also be done
Collaboration on anything with multiple people
Free to use [ Even for multiple users ]
Aimed at a non-technical user
Perfect for your use-case.
Or take a look at Gemini -- we have IT hardware, Help Desk and all our software dev projects in one place. Gemini does allow for different "meta data" per project type, so this works for us. Look at their "white paper" - it may be of help to you in terms of set up.
Usually the commercial ones are more polished than the open-source ones. Here are some options:
Atlassian JIRA - an industry veteran, very complete solution. If you have a small team (up to 5 people), they also used to have a very low-cost version.
JetBrains YouTrack - relative newcomer, and probably a bit too "keyboard-centric" for your needs.
See also comparison of issue-tracking systems.
Maybe you're looking for a service like http://getsatisfaction.com/ or http://uservoice.com/. They are very customer-centric, and I've seen them used both for software products and for feedback on other things entirely.
Also, I've made Mantis receive email directly, both for new and existing issues - e.g. if the subject contains an issue number like [1234], the email becomes a note on issue 1234.
This way the customer doesn't know about Mantis, you can bcc Mantis with issue numbers, and it's possible to customize the workflow in Mantis very much to suit your process needs.
In addition, you can have separate projects in Mantis which can receive from different email addresses, like one for bugs and one for support issues.
Try out Assembla; I am not sure whether it is free or not.
Or you may try googling JIRA.

Which Secure Software Development Practices do you Employ?

I work on a project known as the Security Development Lifecycle (SDL) project at Microsoft (http://microsoft.com/sdl) - in short, it's a set of practices that must be used by product groups before they ship products, to help improve security.
Over the last couple of years, we have published a great deal of SDL documentation, as customers ask for more information about what we're doing.
But what I'd like to know is:
What are you doing within your organization to help improve the security of your product?
What works? What doesn't work?
How did you get management to agree to this work?
Thanks.
Honestly, reading your book was a good start. :-)
Responding to your questions:
Crypto is a hobby of mine that I sometimes blog about (e.g. on TLS and AES). After writing my own implementation of AES, I learned enough to know beyond a reasonable doubt that I should never use my own implementation but rather use the ones written by the CryptoAPI and OpenSSL guys.
Code reviews where people who are good at security issues are marked as required reviewers.
Having a class on-site with labs to raise awareness of the issues mentioned in your book, as well as internal mailing lists discussing new issues.
Several folks listen to the Security Now podcast to keep current on what types of issues are out there and what is getting attacked. This indirectly affects design.
Except for an on-site course and buying the code review tool, none of these require management approval.
I'm an indie Mac developer, but also a platform security evangelist: I'm the author of Pro Cocoa Application Security, published by Wrox. In that book I champion the secure dev technique I use myself: it's based on the Swiderski and Snyder threat modeling, but with two changes. I make it lighter weight by considering which entry points access which assets, without using DFDs. I also put more focus on identifying users and misusers, which I think makes it more applicable to shrinkwrap software.
As far as tool support is concerned, I use the Xcode static analyzer (based on clang), but have found it doesn't detect some common vulnerabilities. I did file bugs though :-). I also always use the gcc _FORTIFY_SOURCE macro. There aren't good Mac risk analysis tools but I'm working on that... ;-)
I've spoken on security to Mac devs at conferences and in podcasts and gotten plenty of feedback; if you want me to clarify anything I've said or are interested in the community feedback, please ask in comments. Private questions are welcome too (though I'd prefer to stay on the forum): iamleeg at securemacprogramming dot com.
We think before we code. Strangely enough, it avoids many bugs, including those which are exploitable by adverse parties and henceforth known as "security holes".
Part of the trick is not letting anyone near a keyboard unless he has a solid amount of experience and expertise.

Medical software - should I write my own or use existing?

I know nothing about medical records, but I'm sure there's great opportunity in it now.
I'm planning to either find software that manages records or build my own.
If I do build my own, can someone recommend a platform to use? I prefer VB.NET. Is there anything better for this?
If you do not recommend that I build my own medical record keeping software, please recommend something that already exists. Is that open-source OpenEMR any good?
I am planning to start some kind of system as a DEMO for a small doctor's office.
I work in the medical industry as an EDI developer. If you "know nothing about it" as you say, I would recommend strongly against trying to create your own. Even beginning to understand all the nuances surrounding the medical field, all the related laws at local, state and federal levels, the variations between how the exact same "standards" are applied across the various segments of the industry and so forth, can take years or longer.
For instance, there are defined standards, but every state government has its own set of "variations" and exceptions and custom rules, and even across segments in the same state things are not handled the same way (i.e. Medicaid, Medicare, HMOs, TPAs, MCOs and so forth can all have different, and often contradictory, regulations that they have to follow within the same state).
Add to that the fact that regulations change on an ongoing basis and, if the federal government gets its way, things are going to change drastically across the board in coming years.
For a developer, the medical field can be one of the most complex
If you want to pursue this, I would recommend taking on a couple of partners, specifically people with extensive skills and backgrounds as business systems analysts in the medical field to guide you and making extensive use of existing tools as a base and, at least at first, focusing on a very specific segment to start with to build up your experience and background.
As for tools, any of the .NET tools are excellent, though I would recommend C# over VB if you can. There's broader support for C# in third-party tools and apps. In addition to some of the tools others have mentioned, I would also add that you will need mapping software, such as Altova's MapForce. This will aid substantially in your ability to transfer records between entities and between formats, and MapForce includes the ability to export the map you design as a C#-based .dll you can add to your own home-grown apps.
There are existing standards (for example, HL7), which vary somewhat from continent to continent (e.g. North America not necessarily using the same standards as Europe), and vendors' implementations of those standards.
If you want a sledgehammer, the US Veterans Administration's software is open source, and I thought well regarded (or so I read years ago).
You might want to tell us what scale you are looking for, a one doc office, or a hospital chain?
http://en.wikipedia.org/wiki/VistA
http://en.wikipedia.org/wiki/MUMPS
If you're pretty new to this, and don't know too much about it, building your own would not be a good idea. As BBlake said, it can take years to learn everything you'd need to know. There are a few different types of software you can use. One such medical software is AdvancedMD. You may want to try them or just look around elsewhere. Good luck!
Also see the Practice Fusion tool.
I read about them a bit ago here: http://healthcare.zdnet.com/?p=2522
There may be better opportunities in supporting an existing open source medical services app than in creating a new one.
In Canada, OSCAR is a well-regarded open source medical admin application. You can find a list of other such programs, mainly American, at Sourceforge.
There are about 2000 medical record vendors. I do not know a lot about costs, markups and price points in the market, but I will say that the software is usually phenomenally expensive. It seems to be based on "what the market can bear". Almost every package I have used looks completely amateur compared to software in almost any other category I have used. It may be that the market is quite small when it is divided among 2000 vendors.
Most database software and general business software would do the job quite well, but there are peculiarities to medicine such as HIPAA.
One of the most intelligent pieces of medical software that I have seen (at least for documenting evaluation and management encounters) is Praxis. You have to be a doctor who is in practice to realize how genius it is. Disclaimer: I have not used it but wish I could.
Penultimately, for medical software to work the patient has to have a portal into it so that they can update, or bring attention to, mistakes.
Finally, all medical software is fantastic when demonstrated. One only knows its flaws when one uses it on every patient for about 6 weeks.
Surely build your own software.
I work with VB.NET and I started developing my own healthcare applications in 2006.
It was hard in the beginning, but now, man.. the sky is the limit.
Building your own apps will help you add or modify features with extreme ease.
Good luck.
If you need any help, just comment on my answer and ask your question; I will respond ASAP.

What is the preferred process for selling a personal project/product? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 8 years ago.
I have begun work on a personal project that may end up having some real-world applicability. I am beginning to entertain the idea of selling licenses. I am sure some others here have done this before, and I was wondering what successful processes you've used to do so.
There are many questions on SO regarding licensing, legal implications, etc. However, I have looked around and could not find a duplicate question for this one. To be clear, I am not looking for information on what licensing strategy to use, how to advertise your software, and so forth, but rather, for a checklist of things that should be done to increase the probability of success, and any possible gotchas I have not thought of. If anyone has any personal success stories, they would be very welcome.
For a little background, I am set on the idea of licensing a closed-source, compiled .NET DLL.
A few things off the top of my head:
Strong documentation, because formal technical support is unlikely
Specifying licensing terms and formalizing them with an attorney
Code obfuscation
Exploring license enforcement (either using a commercial package or custom code)
Building a website around the product, including real-world code examples since this is a library
Possibly offering some type of beta period, for feedback and getting the name out a bit
Offering instant/automated purchases
Marketing (oh boy)
Is it necessary (or wise) to start a one-man company to do this?
I will keep this list updated as answers come in. Thanks all!
Some tips:
Obfuscation: Be wary of obfuscating everything. An alternative is to obfuscate just the critical bits (licensing, premium features). The problem with obfuscating everything is that stack traces from error reports are ineffective. When an unexpected exception is caught, you'll want to give the user the option of automatically reporting its details - this really helps with QC.
License enforcement: If it's a utility that can be easily pirated, people WILL pirate it. An activation-based licensing system is ideal - and if it's not too draconian, people will be less motivated to circumvent it. For instance, allow at least 3 activations per user (home computer, work computer, laptop). If it's a control library, then an activation-based system may not be required - baking the serial number into the library may be enough, because customers are unlikely to build their own product on a stolen assembly.
Instant/automated purchases: writing a custom licensing server and web page for this is fairly easy - you need only about 3 tables. LINQ to SQL is ideal for this sort of thing. For the payment gateway, I use PayPal - it's very easy to set up, has the features you need for selling activation codes, and allows multiple currencies. If you use PayPal, enable both PDT and IPN so you can give customers their activation codes both on the screen and via e-mail.
Marketing: try LOTS of things simultaneously - because it's hard to predict the success of any campaign. Especially without experience! Making yourself known amongst the influential people in the field into which you're selling can work very well.
Advertising: advertise on StackOverflow - that's what I'm doing! Google AdWords is also worth trying because it's so cheap to set up - you'll know after spending $10 whether it will be effective for you or not.
And good luck with it!
You have most of the practical things listed out, in terms of actually getting a product from you to the customer -
However, there are a couple of things I'd also recommend.
Figure out how you want to handle all of your accounting/purchasing/billing/etc.
Rethink formal technical support (for money), but not at the exclusion of documentation
Talk to a lawyer regarding all of your licensing decisions, agreements, etc., as well as company structure
Talk to your accountant (and/or find one who is good at working with small tech companies)
Some of this will cost some money up front, but save headaches later.
The last two bullets are crucial - there are MANY options for how to set yourself up from a tax perspective, each of which has potential advantages and disadvantages depending on your specific situation.
For example, if you're in the US, there are many advantages to incorporation prior to doing anything on your checklist. If you decide to incorporate, you may want to do it in your state, but there are also advantages to incorporating in Nevada or New Jersey (very pro-corporate states legally). If you're successful, doing this early can save a huge amount of work over time and have significant benefits.
Also, if you incorporate, you might want to consider S vs C corps (S Corps are great if you're a one- or two-man operation). If you don't incorporate, you can run as a sole proprietorship or an LLC, both of which have advantages and disadvantages. A lot of this depends on your product (what it does), your expected returns, etc. - having a good lawyer and a good accountant is a huge blessing.
If you're aiming at software development teams as customers then the sort of thing they are likely to expect to see (in addition to the ones you listed) are:
A download service for any additional items and/or patches that the user might need.
Tight version control/configuration management processes so that it's easy to find out what version of the product they have, what they need and what the differences are between versions.
Email/online bug reporting.
A demo/trial version of the product.
A good set of tutorials.
Community support e.g. developer forums. This is a good 'value added' service that can also help with the fact that you have concerns (as a one man company) over being able to provide 'formal technical support'. Hand out a few badges and reputation scores and get a free technical support team ;) ... but if sales take off, seriously consider providing 'formal technical support', it can make a huge difference to the perception of the product.
... and make sure that the website, download service, license server, forums etc. are all properly secured and done to a professional standard. If any of the peripheral services are less than 100%, then it all reflects badly on the product, especially when yours is a technical one.
You might not want to provide formal technical support, but you could look for creative alternatives like some sort of moderated forum for issue resolution. Also, provide at least an email address for someone to contact you.
Another thing is to hire some sort of designer to make your product, documentation, website, etc look good. It is generally easy to tell programmers who attempt design.