• Using JMeter for Distributed Load

    20 February 2015
    By Roman Denisenko, Senior QA

    Introduction

    Sometimes during performance testing we have to deal with high-powered systems. Such systems can painlessly handle massive amounts of requests creating an extra headache: how can you emulate such a huge load yourself, without access to the full production side hardware capabilities? Another situation occurs when the system to be tested has multiple servers where the behavior is controlled by forces on the client’s side, and therefore we have to handle a geo-distributed load.

    I think every performance engineer has faced the aforementioned issues at least once in his experience. The solution is to use distributed agents to emulate the load. Almost all commercial and free software provide abilities for the utilization of external agents which work simultaneously, increasing the amount of the overall load. In this article, I would like to talk about the ways to make the most popular free performance tool emulate the load from different agents. More specifically, I will talk about JMeter and its performance load agents.

    READ MORE

  • Mobile Applications and PA-DSS

    10 December 2014
    By Roman Denisenko, Senior QA

    I often receive questions that start with “I’ve got a great mobile application and I am going to add the ability to make payments. But I am a bit worried because of the PCI PA-DSS standard.”

    The situation is so typical that I’ve finally decided to write an article dedicated to PCI PA-DSS and what to do about it.

    To start with, let`s refresh our knowledge about the PCI PA-DSS standard and maybe even learn something new.

    As you remember, the PCI PA-DSS standard is mostly known for enhancing the security of payment applications. Overall, every application that works within the PCI DSS-compliance infrastructure should be PCI PA-DSS compliant.

    Let`s drill down into the requirements.

    READ MORE

  • Client Side Performance Testing

    12 February 2014
    By Roman Denisenko, Senior QA

    Intro

    Today, internet users expect a website to not only provide functionality and a user-friendly interface, but work fast. Most of efforts is spent on optimizing server side code to reduce response time (TTFB – time to first byte). However, this approach doesn’t account for delays occurring on the client side (in browser). As a result, while we have very good TTFB on the server side the end-user experience might be very disappointing.

    In this article I will highlight some methods of client side performance testing in order to make your users happier with responsive web sites.

    READ MORE

  • PCI DSS version 3.0. What is new?

    25 December 2013
    By Roman Denisenko, Senior QA

    Introduction

    In October 2013, the Payment Card Industry Security Standards Council (PCI SSC) released the final version of the most interesting standard for all merchants and service providers who work with credit cards, the Payment Card Industry Data Security Standard (PCI DSS). This standard is widely regarded as one of the information security industry’s most important baselines for ensuring the security of sensitive data.

    The old version 2.0 will remain applicable till 31th December 2014 which provides companies the necessary amount of time to meet the requirements of the new version. From 1st January 2015, only version 3.0 will be valid.

    PCI SSC works with the standard on a 3 years cycle. During the first year after the publishing of a new version vendors completes their implementation of the new standards but the previous version of the standard is still applicable. From

    November of the first year to March of the second year PCI SSC collects feedback on the new version. At the end of the second year the old version of the standard is retired and all validation efforts for compliance must follow the new standard. During April through August of the second year the PCI SSC reviews feedback. In the spring of the third year the Council’s Technical Working Group prepares a draft version of the next version of the standard. The final point within the standard lifecycle is the approval of the final version (in July) and final publication (in October). You can find more detailed information on the official site.

    So let`s begin to investigate the most interesting question: what is new within the newest version of PCI DSS?

    READ MORE

  • International Security Standards

    16 December 2013
    By Roman Denisenko, Senior QA

    We have already published two articles about security standards in the UK and the US. Now we will talk about international standards which are adopted around the world.

    READ MORE

  • UK Security Standards

    29 November 2013
    By Roman Denisenko, Senior QA

    In the previous part of this article we spoke about International security standards. In this part, we’ll talk about the ones which are adopted in the United Kingdom.

    READ MORE

  • US Security Standards

    14 November 2013
    By Roman Denisenko, Senior QA

    This is the first in the series of articles about security standards.

    Security standards describe measures which have to be taken to help with keeping confidential data secure and reduce risk of intrusion. Organizations having sensitive data in possession have to comply with these standards in order to operate. Security standards can be classified as national and international. In this first article we will review major international standards adopted in the USA.

    There are many mandatory and optional compliance standards which help to defend sensitive data from malicious persons. Unfortunately, during my research I did not meet any documentation which summarizes information about commonly used standards in a single place. I had to dig through official documents, study a lot of additional articles and gather information bit by bit. Because of this I had an idea to create a document which will be useful for everyone who wants to know the basic information about a standard but doesn’t have enough time for a large-scale research.

    I divided all standards into three large categories: international and two national, namely US and UK. Some of those are mandatory, others are optional. In this article we’ll talk about standards which are adopted in the USA.

    The United States is a country with a wide range of standards that cover almost all aspects of life. Not only government organizations must be compliant with a huge amount of mandatory certifications and standards but financial organizations, organizations within the energy power spheres, healthcare and much more have their own specific standards which mitigate security risks and often are mandatory for compliance.

    READ MORE

  • On January 25th, 2013, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) published the final privacy and security regulations called the Final Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). About a month ago the Rules became effective. And September 23rd is appointed to be the Compliance deadline in order to conform to most of the HIPAA requirements. The penalties for non-compliant companies will be imposed from September 2014.

    Unfortunately, following the requirements is not enough to protect a client’s data against hacker attacks. What the HIPAA weaknesses are, and how they can be improved, will be discussed in this post.

    READ MORE

  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 detailed requirements for card issuing organizations, providers of fee-based services, and to other companies who store, process, or transmit cardholders’ data. Adherence the PCI DSS rules reduce risks and help to defend products from unauthorized attacks.

    Having considered the main risks and discussed the first 6 of the 12 requirements we are now close to the end of our PCI DSS tour.

    READ MORE

  • The Payment Card Industry Data Security Standard (PCI DSS) lays out the official requirements for security controls and processes that keep payment card data safe from exploitation.

    READ MORE