How did you guys set up your vulnerability regression testing?

I have used static analysis tools like HCL AppScan and SonarQube. These run against your source code and can be set up as "checks" in GitHub, Azure DevOps, etc.

When and how do you deploy the regression tests?

You can use a dynamic scanning tool like SortSite or ZAP.

How did you use the regression tests in the Definition of Ready and Done respectively?

Results of scans we tied to a "release" (stored in a shared directory) and we scanned periodically through the sprint including the last commit before release. My government contracts required we send the results before they would deploy the code.

Have you found a way to use Owasp ZAP appropriately in a regression pipeline as well?

ZAP has a CLI. I have only run these manually after automated tests pass and let me know the code is stable enough as the scans as they can take some time. You can run anything via CI/CD and shell commands, so if there is a results parsing plugin for your tooling then you are all set. I know if the results are in JUnit (XML) format than there is likely a plugin. I have done this with JMeter tests results output as JUnit format, which were published in Azure DevOps.

I'm currently tasked with automating a 10+ year old, and rather large application.

There are no exposed APIs, it's built as a monolith. There are no unit tests, nor promise of unit tests to come. The entire application cannot be run locally, and testing has to cover Internet Explorer as the primary platform.

Management think it would be acceptable to have 5000+ selenium tests to cover this. I know this is unworkable and impossible to maintain, especially in an 'Agile' methodology given how flaky both GUI tests in general, and the UI of the system are.

What might be a good strategy to approach this project, other than running far away?

After searching on Google & suggested by @pavelsaman, I took following steps and this error particularly got resolved :

• Re-install [Uninstall and install again] the application
• Open mobile settings and From apps & notifications select your targeted application
• Tap on Permissions
• Check what all permissions has been denied [This you might did it unknowingly. Grant all permissions again, perhaps on each re-installation]
• Grant all the permissions to the application and double check it. [Refer below screenshot]
• Run application - It should have resolved error I/ConversationToQueryExtension by now

Some opinionated points from my experience, doing mostly development and operations with only a bit of QA and support, for the past few decades. Make of them as you will.

I don't think it matters if bugs are picked up during formal QA, or by developers doing other work, or even customers or consultants. They should be treated, mostly, the same. My opinion is that they should all be recorded if they are serious enough that someone is motivated to point the bug out or report it.

• Low priority bugs may later increase in priority (for business or technical reasons (e.g. other changes make the severity of the bug worse)).

• Bugs can be incorrectly considered low priority and this can be noticed when e.g. support have a record that n people have called about a bug, or they have spent n hours due to the bug. If there isn't a ticket for support to find then they have to, in effect, create their own record to notice trends in calls and this work could have been saved. Support also don't always have the right perspective to accurately describe an issue in a way such that it will be found again when needed as they may only have a customers description - though that applies to everyone some of the time of course.

• Working out what is wrong can take a lot of effort - more effort than a search for the symptoms (esp when you have a unique log message). Sometimes you observe something "odd" about a production system and you are unsure if its a symptom of something horrific. A quick search in the issue database to find that the problem is known and not serious can save a lot of time, especially at 4am after many stressful hours of recovering a system that encountered some mishap. I won't speak of the emotions of spending many hours of the night looking at an issue to find the next morning it was known but hadn't been logged and you could have had more sleep or spent time with your family.

• It might not be obvious to everyone that an issue is low priority. People on-call may not be experts in every part of the system and may have just been pulled from their beds. They may well spend time diagnosing an issue and logging it only to have it closed. This is dispiriting for the reporter (speaking personally), especially in a product with a lot of issues. If there was already a record of the issue, while it may be disappointing that it wont be fixed, at least you haven't wasted time trying to write a good bug report and they might learn something (i.e. why it actually isn't a higher priority may give them insight into the system).

• Sometimes developers don't have time/motivation for something big. Maybe they start holiday tomorrow and they just finished your planned work earlier than expected. They have a few hours now but don't want to start anything they can't finish or taxes their mind too much...they could just read the news till they think its safe to sneak out (so I've heard...) or maybe they could pick an easy but interesting bug and get some satisfaction of crossing something off. This requires an issue to be an easy fix as well as low priority of course.

• A minor point but I have often used low priority bugs to train new developers on how the team works. There is no pressure on them to get the bug fixed by a particular time, or indeed ever, so they can concentrate on learning the SCM system, the build system, the ticketing system, whatever other archaic system inflicted on the dev team. If they manage to fix the issue it's a bonus.

• Having lots of tickets shouldn't be a burden. If it is you need a better ticketing system or better method of recording of issues. Whether true or not, I have often had the impression that people who constantly worry about the bug numbers are never the people who actually fix the bugs, or the people arguing for more resources to fix the bugs, but are often the people who have to put the numbers in a power-point and pray no one asks them what they mean.

So my summary is record everything that has been found and described. It may help someone, someday, and the disk to store them is cheap. If you have people who are desperate for no open issues, suggest they fix a few bugs

Here is what I did at Microsoft, not saying it's right just what I know. We saved secrets to the Key Vault. For local host we had to install a PEM file and set our environment variable to the SHA of the signature. There was a Setup step that checked if the PEM env var was set to use that to retrieve and set the secrets. That allowed access to the Key Vault. For the build pipeline we could just call the key vault to set the env vars for the secrets.

Visit https://www.selenium.dev/downloads/ and you will find sction which browsers are officialy supported by selenium. For IE it is "Only version 11 is supported, and it requires additional configuration."

https://www.javadoc.io/doc/org.seleniumhq.selenium/selenium-api/3.141.59/overview-summary.html

See this location , here you can find all selenium versions

if you are looking for driver specific class information then goto specific driver :

https://www.javadoc.io/doc/org.seleniumhq.selenium

eg:

https://www.javadoc.io/doc/org.seleniumhq.selenium/selenium-chrome-driver/4.0.0-alpha-7/org/openqa/selenium/chrome/ChromeOptions.html

There is a class named State that has several attributes, which I need to write unit tests for. The test will need to have certain actions that change attribute values of the State instance. Expected parameters are located inside of the dictionary. The unit test will compare the attributes of the State instance with the values of the dictionary for equality.

The question is what is the best place to keep the comparison logic at? I was thinking about 2 options:

1. Add __eq__ method to the State class that contains comparison logic.
2. Add helper function inside of the test module that contains comparison logic.

Which one of the options is better and why?

I'm interested in running a test over many hours.

What is the maximum value I can put for Ramp Up Period in JMeter?

This is an open question. I know no answer is wrong or correct. If someone asks this question in an interview He wants to understand your thinking process. Can anyone put a light on this, how to answer this question?