
What It Means To Be CREST (Intl) Accredited

Anyone with a computer and an Internet connection can set themselves up as a penetration testing or cyber incident response service provider. These could include irresponsible organisations that do not have in place policies, processes and procedures to ensure quality of service and protection of client-based information. The individuals employed by these companies may have no demonstrable skill, knowledge or competence in the provision of security testing.

CREST is an international not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST requires a rigorous assessment of business processes, data security and the security testing framework to demonstrate a level of assurance that the information security methodologies used can competently and securely provide customers with a robust assessment of their cyber security posture.

As a result, CREST only provides accreditation to highly trusted professional services organisations, and their employees who provide the often sensitive and high-risk penetration testing, cyber incident response, threat intelligence and security operations centre services.

All CREST accredited member companies are required to submit policies, processes and procedures relating to their service provision to provide added assurance for the buying community.  These policies, processes and procedures include:

  • References for certified individuals
  • Assignment preparation and scope processes
  • Assignment execution processes
  • Technical methodology
  • Reporting templates
  • Data storage and Information Sharing policies
  • Post technical delivery methodologies
  • Asset/Information/Document storage, retention and destruction processes

The buying community needs to be in a position where it can procure services from a trusted company with access to demonstrably professional technical security staff.  CREST provides the buying community with a clear indication of the quality of the organisation and the technical capability of staff they employ.

JDS is a proud CREST (Intl) accredited member company that can confidently provide our customers with the added reassurance that our services meet the highest professional and security standards.

Five Reasons Why Your Organisation Should Be Penetration Testing

Modern businesses require an advanced approach to security and due diligence. Having anti-virus software and a firewall is no longer a sufficient strategy to prevent highly sophisticated security attacks, which can result in irreversible damage to your organisation.

A professional penetration testing service is the best way to identify the strengths, weaknesses and holes in your defences.  Read on to uncover the five best reasons why your organisation needs penetration testing.

1. Protect Your Organisation From Cyber Attacks

Reports of cybercrime within Australia have increased nearly 15% each year since 2019, with the average reported financial loss per successful cybercrime incident being $50,673. Regardless of your organisational size or sector, cyber criminals view every business as a potentially exploitable prospect. The internet is continuously being scanned in search of vulnerable systems. Carrying out penetration tests will enable you to identify the vulnerabilities that are most likely to be exploited, determine what the potential impact could be, and implement measures to mitigate or eliminate the threat.

2. Identify and Prioritise Vulnerabilities

Put simply, a pen test will uncover all of the potential threats and vulnerabilities that could damage your organisation’s IT assets.  The resulting report prioritises these vulnerabilities from low to critical, and further categorises them by likelihood and impact.  This gives your team a clear picture of your security posture, and the opportunity to mitigate the greatest threats first before moving on to less risky ones.

3. Stay Compliant With Security Standards and Regulations

Regular penetration testing can help you to comply with security standards and regulations such as ISO 27001 and PCI.  These standards require company managers and system owners to conduct regular penetration tests and security audits to demonstrate ongoing due diligence and maintenance of required security controls. Not only does pen testing identify potential vulnerabilities, ensuring that you are protecting your customers and assets, but it also helps to avoid costly fines and fees connected with non-compliance. 

4. Reduce Financial Losses and Downtime

Recent studies have reported that the average financial impact of a major data breach in Australia is around $3.7 million per incident. This takes into account expenditure on customer data protection programs, regulatory fines, and loss of revenue while the business is unable to operate. System downtime is incredibly costly – the longer your system is down, the more exorbitant the cost. A penetration test is a proactive solution to highlight and fix your system’s most critical vulnerabilities, and to ensure your team is ready to act if your systems were to go down unexpectedly.

5. Protect Your Reputation and Company Loyalty

Consumers are extremely quick to lose trust in companies and brands, and all it takes is one security breach or data leak to tarnish your reputation.  Customers and partners of your organisation want to know that their private data is safe in your hands, so it is in your best interest to be aware of any vulnerabilities which may put the company’s reputation and reliability in jeopardy.  

This is just a handful of reasons why organisations should carry out regular penetration tests, but there are many more.  Connect with JDS to discuss your pen testing needs and get a full scope of work customised to your requirements.

Accelerate upgrades with ServiceNow Automated Test Framework

Upgrade more often

In 2019, ServiceNow will move to “N-1” upgrades, meaning you can’t be more than one release behind before ServiceNow will force the upgrade to your platform, ready or not.

It’s nothing to be afraid of. The evolution of enterprise to the cloud means we can break free from the shackles of the old on-premise software model. ServiceNow takes care of all the back-end technical changes, which eliminates a lot of the burden that has made upgrades slow and expensive.

Your challenge now is to make sure that nothing in the upgrade process disrupts your business. Test automation with ServiceNow ATF can help – see our technical post here for more on that.

Accelerate test automation with JDS Kick Start

We can help you get started with ServiceNow ATF. In just a few days, the JDS ServiceNow ATF Kick Start engagement will provide you with the detail you need to scope and plan automation of testing across your platform.

JDS brings over a decade of experience in test automation, and our experienced ServiceNow team can help with a rapid assessment of your platform.

JDS ServiceNow ATF Kick Start includes:

  • Identification of the top use cases that are candidates for automation
  • Joint review and refinement of use cases
  • Report and recommendations for automation

Call us

To find out more and to book a Kick Start – email [email protected] or call 1300 780 432 to reach our team.


Citrix and web client engagement on an Enterprise system

JDS was engaged by a leading superannuation firm to conduct performance testing of their enterprise applications as they migrated to a new platform, as part of a merger with a larger superannuation firm. The larger firm was unaware of its application performance needs, and until recently performance had not always been a high priority during the test lifecycle.

JDS was brought in to provide:

  • Guidance on performance testing best practice
  • Assistance with performance testing applications before the migration of each individual super fund across to the new platform
  • Understanding the impact on performance for each fund prior to migration

During the engagement, the consultants faced multiple challenges. Listed below are a few of the key challenges encountered, along with general tips for performance testing Citrix.

Synchronisation

You should have synchronisation points prior to ANY user interaction (mouse click or keystroke). This will ensure the correct timing of your scripts during replay. You don’t want to be clicking on windows or buttons that don’t exist or haven’t completely loaded yet. For example:

// Wait for the "Warning Message" window to appear and become active before sending the keystroke
ctrx_sync_on_window("Warning Message", ACTIVATE, 359, 346, 312, 123, "", CTRX_LAST);
ctrx_key("ENTER_KEY", 0, "", CTRX_LAST);

Screen resolution and depth

Set your desktop colour settings to 16-bit. A higher colour setting adds unneeded complexity to bitmap syncs, making them less robust. Ensure that the display settings are identical for the controller and all load generators. Use the "Windows Classic" theme and disable all the "Effects" (fading, ClearType, etc.).

Recording

Your transactions should follow the pattern of:

  • Start transaction
  • Do something
  • Synchronise
  • Check that it worked
  • End transaction

If you synchronise outside of your transaction timers, the response times you measure will not include the time it took for the application to complete the action.

Runtime settings

JDS recommends the following runtime settings for Citrix:

Logging

  • Enable Logging = Checked
  • Only send messages when an error occurs = Selected
  • Extended logging -> Parameter substitution = Checked
  • Extended logging -> Data returned by server = Checked


Think time

Think time should not be needed if synchronisation has been added correctly.

  • Ignore think time = Selected


Miscellaneous

  • Error Handling -> Fail open transactions on lr_error_message = Checked
  • Error Handling -> Generate snapshot on error = Checked
  • Multithreading -> Run Vuser as a process = Selected


ICA files

At times you may need to build your own ICA files. Create the connection in the Citrix program neighbourhood. Then get the wfclient.ini file out of C:\Documents and Settings\username\Application Data\ICAClient and rename it to an .ica file. Then add it to the script with files -> add files to script. Use the ICA file option for BPMs/load generators over the "native" VuGen Citrix login details for playback whenever possible as this gives you control over both the resolution and colour depth.

Citrix server setup

Make sure the MetaFrame server (1.8, XP, 3, or 4) is installed. Check the manual to ensure the version you are installing is supported. Citrix sessions should always begin with a new connection, rather than picking up from wherever a previously disconnected session left off, which will most likely not be where the script expects it to be.

Black screen of death

Black snapshots may appear during record or replay when using Citrix Presentation Server 4.0 and 4.5 (before Rollup Pack 3). As a potential workaround, on the Citrix server select Start Menu > Settings > Control Panel > Administrative Tools > Terminal Services Configuration > Server Settings > Licensing and change the setting Per User or Per Device to the alternative setting (i.e. If it is set to Per User, change it to Per Device and vice versa.)

Lossy Compression

A script might play back successfully in VuGen on the Load Generator; however, when running it in a scenario on the same load generator, it could fail on every single image check. This is probably a result of lossy compression—make sure to disable it on the Citrix server.

Script layout

Put clean-up code in vuser_end to close the connection if the actions fail. Don’t put login code in vuser_init. If the login fails in vuser_init, you can’t clean up anything in vuser_end because it won’t run after a failed vuser_init.

JDS found performance issues with the applications during the performance tests; however, these were functional performance issues rather than volume-related ones. They were still investigated to provide an understanding of why the applications were experiencing performance problems.

The performance team then worked with action teams to assist with any possible performance resolutions, for example:

  • Database indexing
  • Improvements to method calls
  • Improving database queries

Tech tips from JDS

ServiceNow performance testing tips

Although ServiceNow comes prepackaged with a wide array of prebuilt applications, it’s possible to extend these and develop entirely new applications, and this is where performance problems may arise.

Out-of-the-box, ServiceNow is a fast, robust, secure SaaS platform. ServiceNow is designed to be extended and modified, but customers need to understand those points where performance issues may arise.

Slow loading forms can be a source of user frustration and hinder user uptake. Forms are an area where performance problems can be encountered because customers need to implement additional layers on top of the standard system to incorporate their own business logic. These layers can also build up incrementally over time which can result in reduced performance from one year to the next.

It’s important to understand what business rules and scripts are executing, and in what order, when a record is loaded in a form. This will allow us to better understand where performance issues may arise.

ServiceNow Forms (diagram)

As you can see from the diagram above, there are business rules which execute on the server and scripts which execute on either the client or the server. Both can be a source of performance issues if not managed carefully.


Where possible, synchronous scripts should be avoided as the user will be forced to wait for the network/server response to arrive before they can continue their work. As tempting as it is to use asynchronous scripts to enhance the information available to users on a form, this still requires additional communication across the network to ServiceNow. JDS recommends using asynchronous calls sparingly, as there are other means of preloading information, such as using the g_scratchpad.


There are four ways of dynamically incorporating additional information into a form in ServiceNow:

  1. g_scratchpad
  2. GlideAjax
  3. GlideRecord
  4. g_form


Most ServiceNow administrators are familiar with GlideRecord and g_form, but these have the heaviest overhead from a performance perspective, as they retrieve all the fields from a particular record when only one value may be needed. To avoid performance issues, you should consider using the g_scratchpad object where possible.


What is the g_scratchpad object?
The g_scratchpad object is a simple way of pre-fetching values that are needed on a form. Avoid making additional server calls from the client by anticipating the need for information ahead of time.


g_scratchpad
Using the g_scratchpad object is easy.


The scratchpad is whatever you need it to be. You define the keys and values you want. Simply load up the g_scratchpad object with whatever information is needed by the form, and then refer to it from the form using Client Scripts.


Here’s an example from the ServiceNow Wiki.

Display business rule
g_scratchpad.instanceName = gs.getProperty('instance.system.property');
g_scratchpad.hasAttachments = current.hasAttachments();
g_scratchpad.createdBy = current.sys_created_by;

You can then use this information in your client script without the need for an ajax call.

Client Script
// Check if the form has attachments
if (g_scratchpad.hasAttachments) {
    // do something interesting here
}

// Check if this is the TEST instance
if (g_scratchpad.instanceName == 'TEST') {
    g_form.setDisplay('test_field', true);
}

Sometimes, GlideAjax or other methods will be required when information is needed dynamically, but you should carefully consider whether the g_scratchpad can be used before looking at other approaches. JDS recommends developers consult ServiceNow’s own Client Script Best Practices article for more information on this topic.
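The following is an added example, not code from the JDS post or from ServiceNow: a Node-runnable model of the g_scratchpad pattern above, showing the same three values delivered either by a display business rule (zero requests after the form loads) or by client-side GlideAjax-style calls (one request per value). The platform objects gs, current, g_form and the ajax call are stand-ins constructed here, and the property and record values are constructed sample data.

```javascript
// Added example, not from the JDS post or ServiceNow: a Node-runnable model of the g_scratchpad
// pattern. gs, current, g_form and the GlideAjax-style call are stand-ins constructed here.
// Server side (display business rule): pre-fetch what the form will need. Everything placed on
// g_scratchpad is serialized to the browser, so put only what the client script needs there.
function displayBusinessRule(current, gs) {
  const g_scratchpad = {};
  g_scratchpad.instanceName = gs.getProperty('instance.system.property');
  g_scratchpad.hasAttachments = current.hasAttachments();
  g_scratchpad.createdBy = current.sys_created_by;
  return g_scratchpad;
}
// Client side (onLoad client script): read the pre-fetched values, no extra round trip.
function onLoad(g_scratchpad, g_form) {
  if (g_scratchpad.hasAttachments) {
    g_form.addInfoMessage('Record has attachments');
  }
  if (g_scratchpad.instanceName == 'TEST') {
    g_form.setDisplay('test_field', true);
  }
  return g_form;
}
// Constructed stand-ins; the server stub counts requests made after the form has loaded.
function makeServer(props, record) {
  const calls = { afterLoad: 0 };
  const gs = { getProperty: (name) => props[name] };
  const current = { sys_created_by: record.sys_created_by, hasAttachments: () => record.attachmentCount > 0 };
  const ajax = (fn) => { calls.afterLoad += 1; return fn(); }; // one GlideAjax-style request
  return { gs, current, calls, ajax };
}
function makeForm() {
  return { shown: {}, messages: [], setDisplay(f, v) { this.shown[f] = v; },
           addInfoMessage(m) { this.messages.push(m); } };
}
// Pattern A: the business rule fills the scratchpad before the form is sent; zero extra requests.
function loadFormWithScratchpad(props, record) {
  const srv = makeServer(props, record);
  const form = onLoad(displayBusinessRule(srv.current, srv.gs), makeForm());
  return { form, extraRequests: srv.calls.afterLoad };
}
// Pattern B: the same three values fetched from the client after load, one request each.
function loadFormWithAjax(props, record) {
  const srv = makeServer(props, record);
  const pad = { instanceName: srv.ajax(() => srv.gs.getProperty('instance.system.property')),
                hasAttachments: srv.ajax(() => srv.current.hasAttachments()),
                createdBy: srv.ajax(() => srv.current.sys_created_by) };
  return { form: onLoad(pad, makeForm()), extraRequests: srv.calls.afterLoad };
}
const SAMPLE_PROPS = { 'instance.system.property': 'TEST' };               // constructed
const SAMPLE_RECORD = { sys_created_by: 'jds.tester', attachmentCount: 2 }; // constructed
```

Both patterns produce the same form state; the difference is the number of network round trips the user waits on after the form has been served.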

Why performance test ServiceNow?
When dealing with custom business logic, performance testing ServiceNow can be extremely beneficial. In past performance tests JDS has completed for various multinational companies, JDS has discovered database issues and slow responses for certain forms, and has also found that users from different locations around the world could have an impact on response times. Finding database issues and slow response times prior to going live has allowed these companies to address the problems before launch, helping them achieve their goals of streamlining business processes rather than causing more frustration for employees.

Performance is an important part of the user experience, and is key to ensuring the uptake of ServiceNow within your organisation.
