What Are the Types of Security Testing?

Bart is correct, Sprints are supposed to be fixed length and not vary from sprint to sprint. If you are constantly changing durations, you can't get into a good cadence and that's key to effective Scrum.

When you have a holiday in a sprint instead of extending the sprint, you just recognize that you do not have as much capacity in this sprint. You take this into account when doing sprint planning. For example, if you're average velocity is 100 and you have two days of holiday in your ten-day sprint, then you only have 80% of your days. So you would multiply your velocity by 80% for a sprint capacity of 80 points.

The only area where holidays cause issues is if you Sprint start or sprint end fall on a holiday. If they do, just move the appropriate events to another day without changing the sprint duration.

Holidays is one of the main reason many coaches, including myself, recommend starting Sprints on Thursdays or Wednesdays. Most holidays fall on Mondays or Fridays so you limit the chances your major events will fall on a holiday.

I was just wondering if someone having total control over his/her network, is running my mobile app. Also wireshark is capturing all requests made using the network. My app is calling API endpoint like http://bob.com/alice/param1/param2 and also passing the HTTP parameters.

Is wireshark capable to capture the network requests like this and is the url visible?

Also is it possible for someone to track the HTTP parameters I am passing it?

Is it plaintext if I am not using HTTPS? What if it's just a HTTP call?

If not using wireshark, is there any other way to capture network calls made by the app (android / iOS / PhoneGap / Ionic)?

Memory doesn't belong to a container, it belongs to a process. By default a container will setup a namespace for PIDs (and other things) so a process running under a container will only see processes running under that same container and therefore only be able to read the memory of those process. However, if all capabilities were granted then the process could escape that container's PID namespace and potentially access all processes.

Is there a difference between whether you run in a container or not? Yes, to the extent that a process makes use of the capabilities it has.

You are developing a software based on various modules. Each module is considered an Epic in JIRA. When the module is accepted by the client, the PM closes the Epic. After some time the client demands a new feature in the module. Do you a) reopen the Epic (which is not a out of the box step in JIRA) or b) create a new epic with the same name (or a similar one) or c) don't treat it as an epic at all (given that this is a small feature request that it may be treated in one sprint) or d) any other idea?

Mitigations for XSS attacks are not typically restricted to input filtering as you’re describing and attempting, as you’re experiencing it’s like playing whackamole with possible filter bypasses. That’s why the Filter Evasion cheat sheet from OWASP exists.

Any untrusted input that’s reflected in a browser response needs to be output encoded. For example with html encoding the < char becomes < in the http response and the browser does not treat it as the entry of a tag. Also, setting appropriate content-type headers for the response. Basically, start by understanding this well: OWASP XSS Prevention Cheat Sheet

They are all sent together by the server

All certificates, except for the root certificate, are sent together as one bundle.

Technically, you may include the root certificate as well, but it will be ignored by the client.

If the server only sends the "leaf" certificate, then it depends on the browser if they are able to somehow get the missing intermediate certificates. One way, for instance, is for them to cache intermediate certificates from previous connections. Chrome uses the Authority Information Access extension to locate missing intermediate certificates that way.

If all of these attempts fail, and the intermediate certificates are not available, then the certificate verification will fail.

So at my workplace we're following scrum and we've started to have backlog refinement meetings periodically.

Some of us in the Development team feel like this meetings are not very productive and are just a waste of time. It does not help that the team is distributed between Madrid, Spain and Mexico City, Mexico but we've barely started to work this way.

Because of this some of us feel like not everybody should go to this meeting.

Do you think that everybody should go to every refinement meeting? Should it be a rotationary thing? Is there any literature about this?

JIRA can export data in the following formats:

1. As an XML dump

For example, here are the steps to export to Wordpress:

1. Install the [RSS Widget](https://en.support.wordpress.com/widgets/rss-widget/) in WordPress

2. Create a filter in JIRA and share it

3. In the filter screen Export>RSS (issues) and right click to copy the URL

4. Go to the WordPress RSS Widget and add the RSS URL and the username and password:

https://jirainstance.com/sr/jira.issueviews:searchrequest-rss/XXXXX/SearchRequest-XXXXX.xml?tempMax=10&os_username=uxwpuser&os_password=uxwppassword

Where:

tempMax = n -> n is the total issues you want to display in the widget

&os_username=uxwpuser&os_password=uxwppassword is the section you need to add at the end of the URL's

XXXXX is the filter ID in JIRA

2. Export to Excel:

References

• Solved: How can one post JIRA reports in WordPress instances

• Export More than 1000 Issues to Excel from Issue Navigator in JIRA

• Atlassian Community - Solved: How to do pagination on JIRA Rest api?

TL;DR: Maybe a bit harsh, but get rid of him/her.

Most companies have a defined culture or core values. Suggested is to use your core values in the hiring process. I think the same goes for the firing process, fire to protect your core values.

Introducing Agile is a team culture shift according to the Agile Fluency Model. People blocking this culture shift should eventually be removed. I would discuss this with the person for a max period of 4-6 months. Discuss this aswell with upper-management and announce that not changing the culture is not an option. Make sure that it is clear what is expected from this person. Keeping people around with the wrong attitude is not worthwhile for both parties. This person will be happier in another company probably.

If it is a larger company, maybe some more traditional teams exists. I would suggest to move this person there.

Culture is important:

Value your culture and values highly. Showing that the company makes exceptions is the same as saying: "We do not take our values seriously". Now everyone will just do whatever they want. This is not the path a company wants to walk.

Continuing to tolerate this behavior will demonstrate to the rest of your company that core values are optional, and not truly core to building your company. This would be analogous to a cancer in your body that you have chosen to not remove.

http://www.rhythmsystems.com/blog/bid/87071/fire-to-protect-your-core-values

Waste of time:

Some people are open to change, some would rather just see how it works out, but some just push back. My experience with the last group is that is just a waste of time to convince them. They will keep making stupid remarks about the process and Agile principles or ideas. Agile has proven itself over time now. I have no need for people pushing back in my teams.

Self-Organized teams start with self-organization.

The normal advice I give to clients is to create a User Story for what is a "good team" with clear acceptance.

Then you get everyone in a room. You show them to user story, tell them how many teams should exist and then let them self-organize into teams. Usually you will go through 2-3 iterations of this before you have your final set.

As Simon Sinek says, "Hire for attitude, you can teach skill." For teams for fit first. Skills will improve faster with a good team.