
How to choose the right IT outsourcing company?

The history of outsourcing is longer than we might think. The first mention of this form of business cooperation dates back to the late 1970s. However, no one will be surprised that before it was written about, it was already used in the USA in the middle of the 20th century.
Outsourcing has transformed over the years and has specialized in specific business areas. Initially, accounting services were most often outsourced, but in its current form, outsourcing has focused on many specific areas.

Today, the market for outsourcing services is very wide and saturated with specialized companies, especially when it comes to the IT industry. On the Polish market, 22% of the IT segment are outsourcing companies, and according to the Central Statistical Office (GUS), 71% of domestic organizations use their services.

Having your own IT department will not provide your company with every specialist. The perfect complement to this can be precisely the contractors from outsourcing. The fact that many companies on the market specialise in this field raises the question, which supplier to choose? What should be the guiding principle when choosing? What aspects to pay attention to? What to avoid when choosing? I will try to answer these and other questions in this article.


Before you start searching, set a goal to achieve with the provider's help.

A clearly defined plan or business objective will allow you to determine the role that the outsourcing provider will play in your organization. With the direction you have set, you can explain clearly what you expect from such a partner and how you want them to help you achieve your business goal.

A large corporation or a smaller supplier?

This is another aspect that can cause headaches when choosing a supplier. To make a good choice, it is necessary to determine at the very beginning how we want to cooperate with the supplier. Cooperation with either a large corporation or a smaller supplier has its pros and cons.


If you are looking for long-term cooperation and know that you will be hiring specialists for longer projects, then a larger supplier will do better. Short annual or semi-annual projects are best done with a smaller partner. A smaller partner will be able to adapt better to the changes and the dynamics of the project.

Check how the company works.

Once you have found several potential outsourcing partners, it is worthwhile to find out what opinions they have and how they work. Make sure the partner's profile matches the project in which they are supposed to help you. Look for companies specialized in a particular field that have experience in implementing projects similar to yours (at least in part). In almost every case, you will find case studies, recommendations, and completed projects on the company's website.

However, blind belief in what they write on the Internet can be misleading. It’s worth going one step further: ask a potential provider for information about the companies that worked with them in the past and call those companies in person. Then you can ask for a recommendation or a short review of the potential provider.

Costs, costs, costs?


I am aware that the costs will dominate the selection of a partner. However, often the lowest costs do not go hand in hand with good quality specialists or cooperation with the supplier itself. Cooperation with a good outsourcing company can bring savings. It is worthwhile to carefully analyze the budget in relation to demand before starting cooperation.

If the project will be settled in the time & material model, it is worth calculating the exact number of working hours in each month and leaving yourself a safety buffer in the form of free funds for possible overtime of specialists. It looks a bit different when the project is paid for in its entirety. Here we cannot rely only on dry analysis. In such a scenario, it is best to ask the supplier to work for a few test days to get acquainted with the system and perform all the analyses to assess the work and calculate the costs more accurately.

Selection of specialists.

This is the last stage of the supplier search process and the first stage (hopefully beneficial for both parties) of cooperation. Based on the recommended candidates, we choose those with whom we want to work. Before starting any application process, it is important that you calculate how many specialists you need and what skills they should have.

How to choose the best testing company for the project?

If you are reading this article, you are probably wondering whether to take advantage of test outsourcing or how to choose the best testing company?

Knowing that the product is properly tested allows Product Owners or Sponsors to sleep in peace.

Testing is the key to the success of applications and IT systems. Additionally, conducting tests at the early stages of the project can reduce the costs of error repairs by 100 times.

We learned from various reports that software tests account for about 30 percent of the total project duration, and their costs can reach 50 percent of the total project budget.


When creating software, we ask ourselves whether to create and maintain our own test team or to outsource all or part of the tests.

I, as an employee of B2Bnetwork, for obvious reasons, am in favor of outsourcing at B2Bnetwork.

On a serious note, testing a project is always a matter of time, project specifics and resources.

Outsourcing all or part of software testing allows you to focus on your main goals, core activity, driving innovation, and budget optimization, and additionally gives you quick access to specialized staff.

Therefore, how to choose the best testing company for the project?

We should definitely look for a company whose main business objective is to conduct professional tests. It should have experience both in the business area in which the tests are to be performed and in the type of tests to be performed. For example, if we need to carry out complex test automation for an application or a banking system, we should verify whether the subcontractor has previously carried out similar testing projects in the banking and financial area.

Proof of concept B2Bnetwork

A good and safe approach is to carry out Proof of Concept in the targeted project. This allows us to check the test provider, verify the competence and experience. PoC is also useful from the perspective of the testing company. It helps to prove oneself in the realities of the project at the Client’s site and in the final estimation and complexity of the project.

What if we want to verify non-functional aspects, such as application performance?

A contractor who has experience, references, and is competent to prepare a test strategy, which includes configuration and preparation of a distributed environment to generate load, running tests on multiple machines, identification of system bottlenecks and preparation of a comprehensive report on the course of tests, will prove itself here.

Test Management

During the implementation, we may also need a contractor who will manage the project in the testing area, help with functional testing, and provide support in delivering the product to the production environment and successfully complete the project.

I believe that an outsourcing company should be able to deliver a Test Manager overnight, who will prepare an analysis which shows what actions should be taken to start the project, and include a team of functional testers throughout the software development cycle.

The models of the cooperation and the accounting

As we all know, the budget is important in every project, therefore it's good for the test provider to prepare a comprehensive offer containing several cooperation variants as part of the start of cooperation. For example, the possibility of implementing the project in a fixed-price formula, a time & material formula or a mixed formula.

Trainings

Another important aspect in choosing a testing company is the capability to conduct training. Often, after the completion of a project at the Client's site, there is a requirement of knowledge transfer and training in the scope of the project.

project management

Qualifications, experience and cooperation opportunities are all equally important. However, the option of conducting projects in agile or traditional methodologies shouldn't be ignored. Choosing a partner who is not able to work in our standards can hinder, slow down or even destroy the whole implementation.

Specialists

The company’s experience is one thing, yet even more important is the availability of competent specialists who are needed to start and carry out the work. In the end, it is their presence, work and commitment that will determine the success of the project.

References and opinions

It is also worth checking references and opinions the company has on a specific test area. It will allow for a preliminary assessment of the degree and extent of experience of a given contractor.

To sum up, choosing a testing company can be hard, but it doesn't have to be.

Get to know and check out a potential software testing service provider. Remember to use Proof of Concept.

In addition, B2Bnetwork does not charge for preliminary consultations, analyses, project valuations or audits necessary to estimate the scope of the order. Check what we can do.

Work wisely, not hard – automation of regression tests

When we create an application we care about its stability and proper functioning. Equally important is the continuous development of the project with new functionalities. However, regular updates in the software, in addition to new features, may bring new problems. Something that used to work before may not work now.

The solution to this problem is to regularly test not only the newly added functionalities, but also those previously tested. This is called regression testing. This action will allow us to detect and fix errors in our application in a much shorter time.

Regular testing of the entire project takes time. Some projects are so extensive that it could take us a lot of time to manually check all functionalities. In this situation, it is worth automating regression testing.

Automation allows us to regularly, quickly and easily test all the functions of our application. Thanks to the fact that they were once tested by a human being, we know the expected result and can write a program that will carry out the tests for us, then compare their result with the expected one. If we properly configure any tool to run the tests automatically (e.g. Jenkins), we can generate a report that will give us an overview of all new bugs in one place. This approach allows us to react quickly and fix the malfunction of our project.

Regression tests should be performed not only after implementation of changes in the project. Regular testing will also allow us to detect errors in software stability as well as complex errors that are easy to overlook as a manual tester. Therefore, it is worth performing them regardless of new version implementations, for example periodically, or every time the server on which the system runs is rebooted.

What features should the proper automatic tests have?

  • Stability – tests should be primarily stable. Repeated runs on the same version of our application should return similar results. In case of different results, it is more difficult for us to determine the type and origin of errors, so it will take us more time to find and fix defects.
  • Test environment – should be as close as possible to the production environment. The greater the similarity, the greater the chance that errors will be detected at an earlier stage of testing.
  • Credibility – it is important that the person working on the application receives a reliable result and can take appropriate action based on it. Our tests will become useless when we receive the answer that some functionality works correctly when in fact it does not.
  • Reports – appropriate configuration of test reports allows us to gather all errors in one place, which makes it much easier to find and correct them.
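
The approach described above (expected results recorded once, automatic comparison, one report) together with the stability and credibility properties from the list, as an added example that is not part of the original article. The application functions, case names and baseline values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed "application under test": two versions of a gross-price routine.
def gross_v1(net_cents: int) -> int:
    return net_cents * 123 // 100      # net price plus 23% VAT, in cents

def gross_v2(net_cents: int) -> int:
    return net_cents * 120 // 100      # constructed regression: wrong VAT rate

def normalize_email(raw: str) -> str:
    return raw.strip().lower()

def make_counter_check() -> Callable[[], int]:
    """A check that depends on hidden state, so repeated runs disagree."""
    state = {"n": 0}
    def check() -> int:
        state["n"] += 1
        return state["n"]
    return check

def build_cases(gross: Callable[[int], int]) -> Dict[str, Callable[[], Any]]:
    """Regression cases for one application version."""
    return {
        "gross_650": lambda: gross(65000),
        "gross_900": lambda: gross(90000),
        "email": lambda: normalize_email("  Jan.Kowalski@Example.COM "),
        "request_id": make_counter_check(),
    }

# Expected results, recorded once after a human verified them (constructed).
BASELINE = {
    "gross_650": 79950,
    "gross_900": 110700,
    "email": "jan.kowalski@example.com",
    "request_id": 1,
}

@dataclass
class Result:
    name: str
    status: str          # "pass", "regression" or "unstable"
    expected: Any
    observed: List[Any]

def _observe(check: Callable[[], Any]) -> Any:
    # Credibility: a crashing check is recorded as a value that can never
    # equal the baseline, so it is never reported as a pass.
    try:
        return check()
    except Exception as exc:
        return ("error", type(exc).__name__)

def run_suite(cases: Dict[str, Callable[[], Any]],
              baseline: Dict[str, Any], repeats: int = 3) -> List[Result]:
    """Run every case `repeats` times and classify it against the baseline.

    A case without a baseline entry raises KeyError instead of passing.
    """
    results = []
    for name in sorted(cases):
        observed = [_observe(cases[name]) for _ in range(repeats)]
        if any(value != observed[0] for value in observed[1:]):
            status = "unstable"      # stability: same version, different results
        elif observed[0] != baseline[name]:
            status = "regression"    # stable, but no longer the expected result
        else:
            status = "pass"
        results.append(Result(name, status, baseline[name], observed))
    return results

def summarize(results: List[Result]) -> Dict[str, List[str]]:
    """Group case names by status: the 'everything in one place' report."""
    summary: Dict[str, List[str]] = {"pass": [], "regression": [], "unstable": []}
    for result in results:
        summary[result.status].append(result.name)
    return summary

def new_failures(previous: List[Result], current: List[Result]) -> List[str]:
    """Cases that fail now but did not fail in the previous run."""
    failed_before = {r.name for r in previous if r.status != "pass"}
    return [r.name for r in current
            if r.status != "pass" and r.name not in failed_before]

def format_report(results: List[Result]) -> str:
    lines = [f"{r.status.upper():<10} {r.name}: expected {r.expected!r}, "
             f"observed {r.observed!r}" for r in results]
    return "\n".join(lines)

if __name__ == "__main__":
    before = run_suite(build_cases(gross_v1), BASELINE)
    after = run_suite(build_cases(gross_v2), BASELINE)
    print(format_report(after))
    print("new failures:", new_failures(before, after))
```

The `request_id` case is unstable in both runs, so it is excluded from the new failures: it needs fixing as a test, not as an application bug.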

Creating the right database of automated scripts can take a long time. In addition, just like the application itself, these tests must be maintainable. This means that when making changes to the application, you also need to make appropriate corrections to the tests themselves. It is worth remembering this from the very beginning of scripting, so as not to waste more time applying patches in tests than in the application itself.

In addition, regression testing does not have to cover 100% of the application, but only its most important functionalities. Of course, it is worth adding more over time so that the test collection grows with the application and strive for full automation of the testing process.

Top 10 Frequently Asked Questions about the ISTQB Exam

There is so much content about the ISTQB exam that it would seem everything has already been written or said. Despite this, I still get questions on this subject. That is why in this article I would like to answer the 10 most frequently asked questions.

1. Who can take the ISTQB exam, who should and who should not – generally for whom?

Common Internet knowledge says that you don’t need special knowledge to take this exam. There are also opinions that ISTQB does not bring any value and does not serve any purpose. As it is in life, the truth lies somewhere in between.

Before answering the first question, let’s start with what ISTQB certification is.


ISTQB is a standard. If all the testers in the team know the rules, then they are more likely to use the same vocabulary, expressions, phrases, understand schemes, procedures, etc. So, in short, they will speak the same language.

You can read the syllabus and basically say that you know it or you can give social proof of your knowledge in the form of an ISTQB certificate. The choice is yours, of course.

Returning to the question: who is this certificate for?

  • For anyone who needs to demonstrate practical knowledge of basic concepts in software testing: testers, test analysts, test engineers, test consultants, test managers, programmers, analysts, IT directors.
  • For people with at least six months of experience who are determined and want to deepen their knowledge in testing.
  • Participants of ISTQB accredited trainings.

2. Do you have to attend the training beforehand?


Training is not necessary to pass the exam, but if you feel you need help, use it. My experience shows that training helps a lot in learning. Self-education can also bring good results. This is shown by the recent results of B2Bnetwork employees, reaching up to 97% exam score.

It all depends on whether you are determined enough to prepare yourself and whether you have the minimum experience that will help you acquire knowledge.

3. How to prepare yourself for ISTQB FL?


Since I am an examiner, I will write from experience what advice I give and what actually works:

  • learn the syllabus well,
  • make sure you learn the terms from the dictionary,
  • take practice tests.

All materials are available here https://b2bnetwork.pl/produkt/egzamin-istqb/

4. How many questions are there, is it a test, how long does it take, how many points you need to get etc.?


The test consists of 40 questions and lasts a maximum of 60 minutes (75 minutes for non-native languages).

You can receive 1 point for every correct answer.

You must obtain at least 65% of the points (26 or more points) to pass the exam.

Some time ago I received a question about K levels. On istqb.org we can read that knowledge of K levels: K1, K2 and K3 applies. The division of exam questions into level K takes place in accordance with the ISTQB document – Certified Tester Foundation Level V. 2018 Exam structure and rules.

5. What does an exam look like at B2Bnetwork?

B2Bnetwork is an accredited examination center. We work with GASQ, thanks to which we can be sure that everything will be delivered on time and with the right quality.

We organize all exams in our Warsaw office.

Sit back and read what your exam will look like.

* From April 27, we organize remote exams until further notice. More information here

  • At the agreed time you will come to our office at Al. Jerozolimska 172. We will invite you to the examination room. There will be a prepared computer waiting for you, a pen, several note papers, cookies, water, tea, coffee.
  • Then you will receive the login details for the exam platform and an explanation of what to do and what the platform looks like.
  • Log in and start the exam.
  • Have you completed the exam? Finish and see your result.
  • We will spend a maximum of 1.5 hours together.

That’s all, you can go celebrate. In a few days you will receive an email from GASQ confirming the result.

6. When will I receive the certificate?

GASQ tells us all the time that they send certificates in up to 8 weeks. Recently they sent it after a week …

7. What if I don’t pass?


Verify where you made the most errors (this option is available after exam). Redo these sections and make an appointment for the next date!

8. How much does it cost?

ISTQB FL: 650 zł net + 23% VAT
A4Q Selenium Tester: 550+23% VAT
ISTQB Agile Tester: 650+23% VAT
ISTQB Advanced Technical Test Analyst: 900+23% VAT
ISTQB Advanced Test Analyst: 900+23% VAT
ISTQB Advanced Test Manager: 900+23% VAT
ISTQB Test Automation Engineer: 900+23% VAT

9. Can I take the exam at other time than indicated on this website?

Sure. B2Bnetwork is an Accredited Examination Center, open from 9am to 5pm, Monday to Friday. Write or call and arrange an exam!
* Remote exams can be purchased for any date. More information here.
M: +48 533 317 612 / E: joanna.wrzesniowska@B2Bnetwork.pl

10. Is it possible to organize the ISTQB exam for a larger, organized group outside Warsaw?


Yes! Also write / call:
M: +48 533 317 612 / E: joanna.wrzesniowska@B2Bnetwork.pl

ISTQB exams during coronavirus

 

From April 27, 2020 ISTQB made it possible to take exams remotely.

What is the procedure? Should you be worried? What are the technical requirements?

I will try to answer all the questions in the article below.

Let’s start from the beginning, i.e. what is the procedure for ordering an exam at B2Bnetwork?

B2Bnetwork is an Accredited Examination Center verified by GASQ.

  1. At “ISTQB examination” you can purchase the ISTQB Foundation Level exam and pay for it via Dotpay. If you wish to purchase other ISTQB exams, please contact:
    szkolenia@b2bnetwork.pl
  2. In order to complete the order, we require the following information:
    • First and last name
    • E-mail address
    • Preferred language
    • Type of exam (basic, advanced, other)
    • If you take an exam in a language other than your native language, you are entitled to some extra exam time
    • Scan of the elementary certificate, if you wish to take an advanced exam
    • d time of the exam session
  3. You choose the date and time of the exam according to your preferences. There are no queues.
  4. After purchasing the exam, we will send the registration form to GASQ (maximum 72 hours before the exam)

How to prepare for the remote exam?

Technical requirements:

  • A desktop computer or laptop with a webcam and microphone

You need a laptop or a desktop computer to take the exam because the Google Chrome extension requires screen sharing and it is not compatible with mobile devices. Your computer must have a webcam and a microphone.

  • Google Chrome browser

Please use Google Chrome so that you can add the extension required for screen sharing. Apart from the browser plugin, there is no other software installation required. Administrator rights are required for installation.

  • Photo ID

Before the examination starts, you need to present your ID. Sensitive data such as the ID number or address can be covered. Those are not required.

  • Stable Internet connection

To run the exam without any problems, you must have a permanent Internet connection with a minimum upload speed of 1 MB/s.

What are the next steps?

  1. After accepting your registration form, GASQ will send you an email to verify the system and configure it for the exam.

Remember to check the system at least 48 hours before the exam!

48 hours before the exam, it is no longer possible to change the date. If the system is not configured on time or does not work properly during the exam, the deadline will expire and the money will not be refunded.

This is how the GASQ email will look:

See how the system check will look:

2. After completing the system check, you will receive an invitation to take the exam

Please note that you will be able to start the exam only at the time indicated in step 2 of the email. If you start the exam before this time, you will not be able to log into the system.

If you exceed this time frame, your exam login will expire and you will not be able to take the exam.

Fees will not be refunded.

This is how the email with the exam invitation will look:

Please note that the time below indicates the time frame within which the exam can be started, not the duration of the exam!

What will the exam look like and what to prepare for it?

  • Prepare your environment

Before starting the exam, make sure that:

      • the room is well lit and quiet
      • you are alone
      • there are no additional devices, books or other prohibited materials

You will need to show the examiner your surroundings and you will not be able to start the exam if there are additional devices, books or other prohibited aids that can help you during the exam.

  • Have an ID with you

  • Log in to the system on time

You can start the exam by clicking the link from the invitation email. Access to the exam is only valid for the time indicated in the email.

Identify yourself

Note: The examiner will welcome you to the chat window at the bottom of the screen. (The examiner is a GASQ employee)

You can contact the examiner through the chat window throughout the exam.

  • Start the exam

How to use the examination system?

  1. Read and accept the exam conditions.
  2. Enter your personal details. Make sure there are no typos or errors in your name or email address.
  3. Start the exam by clicking “Ready”.
  4. Read the terms and conditions and accept them.
  5. Your exam starts now.

Using the toolbar at the top of the window, you can:

  • Go to the next or previous question
  • Mark a question
  • Open the calculator
  • Take notes
  • Finish the exam (click this if you wish to finish the exam before the time runs out)

In the upper right corner, you can see how much time is left until the end of the exam.

On the left side of the screen, the question numbers are displayed. Questions you have answered are marked with a “tick”

Remember that you can contact your examiner at any time during the exam using the chat window at the bottom of the screen

Once the exam is completed, IT IS NOT POSSIBLE to continue!

Your score will be displayed on the screen

You can now exit the exam system

The exam results as well as the certificate will be sent to you by e-mail!

What can’t you do and have during the exam?

  • additional devices
  • books, notes or additional materials
  • headphones
  • talk or sing
  • exit the room, e.g. for a bathroom break

You must know that if you break the exam conditions or are dishonest, the examiner will stop the exam with a negative result, regardless of the answers marked so far. You will not receive a refund.

The certificate

You will receive the certificate in pdf format to your email address within a maximum of 8 weeks. Usually, however, GASQ sends certificates within a few days.

If you have additional questions, I’d be happy to help.

E-mail or phone me:
Joanna Wrześniowska
Training Department Coordinator
+48 533 317 612
joanna.wrzesniowska@B2Bnetwork.pl

 


Relationship without relation – non-relational databases (NoSQL). Part 2 – individual types of non-relational databases.

As already described in Part 1, non-relational databases can be divided into several categories (in terms of data model):

  • Key – value
  • Document
  • Graph
  • Column family

The following article provides a brief description of each of them. For a more complete picture of individual types of non-relational databases, a sample data model, an implementation and characteristic advantages and disadvantages are also added.

Key – value

The data model is in the form of a large scalable HashMap. Each single element in the database is stored as an attribute name (“key”) together with its value.

With the key, the client can obtain a given value, insert a new value under it, or delete it completely.

A value, on the other hand, is a “blob” field, which is simply stored, without specifying a particular type of data (as in the illustration below). The understanding of the content lies with the application.

[Illustration: key – value]

Advantages and disadvantages:

| Advantages | Disadvantages |
|---|---|
| Simplicity of the data model | Not very well suited to complex data |
| High scalability | No support for handling data links |
| High resistance to errors | |

Example: Riak

A new data store with high availability, ease of use and scalability. In addition to the open source version, it is available in a supported corporate and cloud storage version. Riak has fail-safe data replication and automatic data distribution in the cluster to ensure performance and resilience.

Default interaction with the database via HTTP API:

  • GET – reading
  • PUT – updating, inserting (when the key is supplied)
  • DELETE – removal
  • POST – inserting (key generation on the database side)
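
The four operations above, modelled on an in-memory store as an added example (this is not Riak's client code or API; the class, function and field names are hypothetical). Because the value is an opaque blob, the store accepts any bytes, so the application validates what it reads back.

```python
import json
import uuid
from typing import Dict, Optional


class KeyValueStore:
    """In-memory model of the key-value data model; values are opaque bytes."""

    def __init__(self) -> None:
        self._data: Dict[str, bytes] = {}

    @staticmethod
    def _require_blob(body: Optional[bytes]) -> bytes:
        if not isinstance(body, bytes):
            raise TypeError("the store only accepts bytes; encoding is the caller's job")
        return body

    def handle(self, method: str, key: Optional[str] = None,
               body: Optional[bytes] = None):
        """Dispatch one request using the verb semantics listed above."""
        if method == "GET":                      # reading
            return self._data.get(key)           # None when the key is absent
        if method == "PUT":                      # insert or update, caller picks the key
            if key is None:
                raise ValueError("PUT requires a key")
            self._data[key] = self._require_blob(body)
            return key
        if method == "POST":                     # insert, store generates the key
            new_key = uuid.uuid4().hex
            self._data[new_key] = self._require_blob(body)
            return new_key
        if method == "DELETE":                   # removal; True if something was removed
            return self._data.pop(key, None) is not None
        raise ValueError(f"unsupported method: {method}")


# --- Application side: the only place that knows what a value means ---------

REQUIRED_FIELDS = {"name": str, "exam": str, "score": int}   # hypothetical schema


def encode_result(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True).encode("utf-8")


def decode_result(blob: Optional[bytes]) -> dict:
    """Parse and validate a blob; the store gives no guarantee about its content."""
    if blob is None:
        raise KeyError("no value stored under this key")
    try:
        record = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("stored blob is not a JSON document") from exc
    if not isinstance(record, dict):
        raise ValueError("stored JSON is not an object")
    for field, field_type in REQUIRED_FIELDS.items():
        if not isinstance(record.get(field), field_type):
            raise ValueError(f"field {field!r} is missing or has the wrong type")
    return record


def demo() -> dict:
    """Constructed walk-through of all four operations."""
    store = KeyValueStore()
    record = {"name": "A. Tester", "exam": "ISTQB FL", "score": 97}   # constructed
    store.handle("PUT", "result:1", encode_result(record))
    generated = store.handle("POST", body=encode_result(record))
    store.handle("PUT", "result:bad", b"\xff\xfe not json")   # accepted without complaint
    try:
        decode_result(store.handle("GET", "result:bad"))
        bad_rejected = False
    except ValueError:
        bad_rejected = True
    return {
        "by_chosen_key": decode_result(store.handle("GET", "result:1")),
        "by_generated_key": decode_result(store.handle("GET", generated)),
        "bad_rejected": bad_rejected,
        "deleted": store.handle("DELETE", "result:1"),
        "after_delete": store.handle("GET", "result:1"),
    }


if __name__ == "__main__":
    print(demo())
```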

Other examples: Aerospike, Apache Ignite, ArangoDB, BerkeleyDB, Couchbase, Dynamo, FairCom c-treeACE, FoundationDB, InfinityDB, LevelDB, MemcacheDB, MUMPS, Oracle NoSQL Database, OrientDB, Project Voldemort, Redis, Berkeley DB, SDBM/Flat File dbm, ZooKeeper

Documents

As the name suggests, their main element is documents. These are self-describing, hierarchical tree structures, stored and returned by the database. Sample formats of documents:

  • XML
  • JSON
  • BSON

Document databases are a collection of documents, which in turn constitute a key-value store. The stored documents are usually comparable, but do not necessarily have to be the same.

Sample documents (equivalents of rows in a relational database):

[Illustration: sample documents]

Advantages and disadvantages:

| Advantages | Disadvantages |
|---|---|
| Simplicity of the data model | Low quality handling of interrelated data |
| High scalability | Poorly developed query model (keys, indexes) |
| Large modeling possibilities | MapReduce |

Example: MongoDB

Multi-platform, non-relational database system, created in the C++ language. It does not have a strictly defined structure of supported databases; instead it uses documents in BSON format (slightly similar to JSON, but in binary form). This allows applications to process them more naturally, while maintaining the ability to create hierarchies and indexing.

Other examples: Apache CouchDB, ArangoDB, BaseX, Clusterpoint, Couchbase, Cosmos DB, IBM Domino, MarkLogic, OrientDB, Qizx, RethinkDB

Graph

Graph databases are based on storing nodes and the edges between them. A node is equivalent to an entity, while the edges correspond to a relationship. An example model can be presented as follows:

[Illustration: graph databases]

Both nodes and edges have their properties. Organizing nodes according to relationships makes it possible to find the desired patterns.

Advantages and disadvantages:

| Advantages | Disadvantages |
|---|---|
| An extensive general data model | Data sharding |
| Simple querying | A complete change in thinking |

Example: Neo4J

ACID-compliant transactional database with native graph storage and processing. One of the most popular solutions in the category of graph databases.

Neo4j has been implemented in Java but is also accessible from applications written in other languages. This is made possible by a dedicated query language called Cypher, communicating via an HTTP transactional endpoint or the “bolt” binary protocol.

Other examples: AllegroGraph, ArangoDB, InfiniteGraph, Apache Giraph, MarkLogic, OrientDB, Virtuoso

Columnar (column families)

In the case of column family databases, as the name suggests, the data is stored in the form of a column family – a group of related data that is usually collected together. These, in turn, are stored in rows with assigned keys.

The concept of this type of database can be compared to a huge, denormalized table with many rows and columns. Therefore, they are mainly used in the VLDB (Very Large DataBase) sector.

Advantages and disadvantages:

| Advantages | Disadvantages |
|---|---|
| Support for semi-structured data | No support for handling data links |
| Natural indexing | Slow row operations (especially those involving more than one row) |
| High scalability | |

Example: Cassandra

A distributed database management system designed to handle large amounts of data distributed across multiple servers. Write operations are performed on the whole cluster, which does not have a main server. This enables asynchronous reading and writing of data, which translates into minimized delays.

Cassandra has a query language called CQL (Cassandra Query Language). It supports commands similar to SQL statements.

Other examples: Amazon SimpleDB, Accumulo, Druid, HBase, Hypertable, Vertica

Summary

There is no single comprehensive data model that remedies every ailment. Each of them has its own specific properties and is used in the area where it works best.

The choice of a specific solution should be dictated by the desired features of the database and the problems they are supposed to prevent.

The above article gives an opportunity to get acquainted with individual data models and their specific implementations, which sheds some light on the subject and gives a general picture of the most popular solutions on the market today.


Author: Artur Pasik, Performance/Automation Test Engineer

Relationship without relation – non-relational databases (NoSQL). Part 1 – general characteristics.

The following article is a general introduction to the subject of non-relational databases. The potential areas of application of NoSQL and their benefits are presented.

Finally, individual data models are listed, which will be discussed in more detail in Part 2 of this article.

Introduction

Non-relational databases (also called NoSQL databases) include a wide range of different technologies that have been developed in response to the requirements of creating modern applications.

The data structures used by NoSQL differ from those commonly used in relational databases, making some of their operations faster. They are also seen as more flexible.

The choice of a specific solution in terms of the NoSQL data model depends largely on the problem it has to solve.

Many non-relational databases give up consistency (in the sense of the CAP theorem) in favor of greater data availability (throughput). They also do not offer low-level query languages (e.g. they do not allow ad hoc joins between tables, as opposed to SQL), nor do they have standardized interfaces.

Application

Non-relational databases work best under the following conditions:

  • Downloading and storing vast amounts of data
  • The relationship between the stored data is not very important
  • Data that are time-varying and unstructured
  • No need to handle constraints and joins at database level
  • Data that are constantly growing and require regular scaling of the database

Benefits of using non-relational databases

Compared to relational databases, NoSQL databases are more scalable and provide better performance. It is also worth mentioning that their data model supports a number of solutions that the traditional relational model cannot cope with:

  • Large amounts of rapidly changing, partly structured and unstructured data
  • Agile project management methodologies; iterative, incremental software development model
  • Object-oriented programming – flexible and user-friendly
  • Geographically dispersed, scaled architecture instead of an expensive, monolithic one

Different types of non-relational databases

Based on their data model, non-relational databases can be divided into several categories:

Summary

This article gives general knowledge about NoSQL databases, their characteristics and the categories they fall into.

In the next article, each of the individual types of non-relational databases will be presented in detail, together with a sample data model, a concrete implementation, as well as representative advantages and disadvantages.

Sources

  1. P. J. Sadalage, M. Fowler, "NoSQL Kompendium wiedzy", Helion 2015
  2. A. Wójcik, "Nierelacyjne bazy danych", Zeszyty Naukowe WSEI 2014
  3. https://www.geeksforgeeks.org/introduction-to-nosql/
  4. https://itwiz.pl/czym-jest-nosql-jak-wykorzystac-nierelacyjne-bazy-danych/

Author: Artur Pasik, Performance/Automation Test Engineer

There is no entry without permission – user authentication and authorization

There are two basic types of tokens:

  • “access tokens”
  • “ID tokens”.

ID tokens are JSON Web Tokens (JWTs) and should only be used by applications.

For example, consider a fictional application that authenticates users with an existing Google account. Google sends the application an ID token that contains information about the user. The application parses the data from the token and then uses the relevant information, such as name, surname, address and photo.

“ID Tokens” should not be used to access APIs.

According to OpenID Connect, the audience (the aud claim) of an ID token must be the client ID of the application that sent the authentication request. If this condition is not met, the token cannot be trusted.

This mechanism also works the other way around: the API expects a token with a specified aud value, which is equal to the unique API ID.

Access tokens are used to:

  • inform the API that the user providing the token has been authorized to access the API
  • carry out a pre-determined set of actions (determined by the allocated scopes).

Access tokens cannot be used for authentication and cannot be used to determine whether it was the user who obtained them. They do not contain any personal user data. The only information an access token stores is an identifier.

Applications should treat access tokens as opaque strings. They should not attempt to decode them or expect to receive tokens in a particular format.

JSON Web Token (JWT) is an open standard (RFC 7519) that defines how a JSON object can be used to exchange data securely between parties.

The information contained in the token is digitally signed, making it trustworthy. A JWT can be signed with a secret key (using the HMAC algorithm) or with a public/private key pair (RSA or ECDSA).

A JSON Web Token can be used during authorization when one of the parties wants to grant access to services and resources and, without storing state, wants to verify whether access should be granted.

A JWT used as an access token can also be used for data transmission or information exchange. Thanks to signatures made with public/private key pairs, you can be sure that the senders are who they claim to be. The signature is calculated over the header and the payload, so you can also check whether the content has been changed.

The structure of the JWT is as follows: xxx.yyyy.zzz

  • The header usually consists of two parts: the type of token, i.e. JWT, and the algorithm in use, such as HS256, RSA or HS512. This JSON is then Base64Url-encoded and forms the first part of the JWT.
    {
      "alg": "HS256",
      "typ": "JWT"
    }
    
  • The payload of the JWT stores the data we intend to send in the token. It contains three types of claims: registered claims, public claims and private claims, which carry information such as the expiry date, identification data and user rights. It is Base64Url-encoded.
    
  • The digital signature (Verify Signature) confirms the authenticity of the data, giving certainty that the sender is who he claims to be. With the HMAC SHA256 algorithm, it is created in the following way: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret). Note that the secret (password) should be of considerable length and contain different characters.

JSON Web Tokens can be used to build an authorization service in which we authenticate users of the application. The token that reaches the server is parsed and then verified for correctness, permissions, validity, TTL and others.
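The checks described above (recomputing the HMACSHA256 signature, comparing aud with the API's own ID, and rejecting an expired token), as an added example that is not from the original article. The secret, the audience value and the function names are constructed for illustration, and only Python's standard library is used.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-0123456789abcdef"  # constructed sample key
API_ID = "https://api.example.test"                   # constructed unique API ID

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_json(text: str):
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def hs256(signing_input: str, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    return b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    return signing_input + "." + hs256(signing_input, secret)

def verify_hs256(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims, or raise ValueError naming the check that failed."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = b64url_json(head_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the verifier side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Recompute the signature over the received parts; compare in constant time.
    expected = hs256(f"{head_b64}.{body_b64}", secret)
    if not hmac.compare_digest(sig_b64.encode(), expected.encode()):
        raise ValueError("bad signature")
    claims = b64url_json(body_b64)  # parsed only after the signature checks out
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    demo = {"sub": "user-123", "aud": API_ID, "exp": int(time.time()) + 300}
    token = sign_hs256(demo, SECRET)
    print(token)
    print(verify_hs256(token, SECRET, API_ID))
```

A token signed with a different secret, issued for another audience, carrying a different alg, or past its exp is rejected with a distinct error, which makes the failed check visible in logs.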

OAuth 2.0 is an open protocol that makes it possible to build authorization mechanisms across various platforms such as mobile, web and classic applications. The client, the resource owner and the authorization server take part in the process of obtaining a token.

A resource owner is an entity that can grant access to a protected resource. It is usually an end user.

A client is an application requesting access to a protected resource on behalf of the resource owner.

An authorization server is a server that authenticates the owner of the resource and issues access tokens after obtaining the appropriate authorization. In this case, it is Auth0.

Access tokens must be kept confidential during transport and storage. The only parties that should see the access token are the application itself, the resource server and the authorization server. The access token may only be sent over HTTPS, as passing it through an unencrypted channel could lead to easy interception by unauthorized persons.

The benefits of using OAuth 2.0 are measurable. Clients, i.e. external applications, have no contact with user authentication data. It is possible to use one authorization server to protect several different resources. It also makes it possible to limit the number of accounts set up in different applications and thus eliminates the risk of using the same password in different applications.

The method of obtaining a token must be adapted to the client's needs. If the client runs in the web browser (a client written in JavaScript), we should use the Implicit Grant method. When we know that the client comes from a trusted source and is e.g. a business partner, we can use the Client Credentials flow (only the ID and secret are sent to the authorization server).

The most likely scenario is that the client is an untrusted application, while the resource owner takes part in the process directly, using a web browser. Here the Authorization Code Flow should be used.

The threats resulting from the use of OAuth 2.0 include the lack of an encrypted communication channel. Compared to OAuth 1.0, communication channel encryption has been completely withdrawn, so TLS encryption is crucial. Leakage of a token is tantamount to its use by unauthorized persons. The client is an element of the system and has certain privileges, which are given by the generated token. The client is entrusted with storing the token in an appropriate way, protecting it both against classic attacks and when an application error occurs and an error message is produced. This concerns both the access token and the refresh token. It is also dangerous to store tokens in browser cookies, which are vulnerable to Cross-Site Scripting and Cross-Site Request Forgery attacks.

Compared to version 1.0, there have been major changes in terms of convenience in various business scenarios. A major disadvantage is the removal of standards and encryption mechanisms. This may cause controversy concerning the security guaranteed by an OAuth 2.0 token.

Author: Szymon Wasiak, Automation Tester

How much is one second – performance tests

Have you ever wondered what one second means, what can happen in it and what effect it can have on our lives?

For each of us, a second can mean something different. For an athlete, one second can be decisive in winning or breaking a record. By being a second late, we may miss the subway train, but it may also save us from an accident on the road.

It's hard to say exactly what one second is. Since 20 May 2019, the International Institute of Weights and Measures has defined it as follows:

The second, symbol "s", is the unit of time in the SI system. It is defined by taking the fixed numerical value of the caesium frequency, i.e. the frequency of the hyperfine transition of the caesium-133 atom in its unperturbed ground state, to be 9 192 631 770 when expressed in the unit Hz, which is equal to s⁻¹.

Sounds quite abstract, but in everyday life we don’t need such accurate measurements.

However, single seconds are very important in the IT world. Especially when the user is waiting for a page to load or a specific interaction in the application.

A number of studies have been conducted on the perception of websites and stores by Internet users. Internet users are by definition very impatient: waiting more than 4 seconds for a page to load causes nearly 25% of the respondents to leave the site (Kissmetrics).

Following this path, the above situation translates into a drop in sales in Internet shops or a perception of a given brand through the prism of its main page. The results of these studies have shown that nearly 47% of users expect websites to load in no more than 2 seconds.

To check how long a page takes to load, you can use the DevTools option (F12 in each browser). An example screenshot of the wp.pl website is shown below. Here you can see all the queries that are executed after the main page is opened.

How to speed up the application? You can use ready-to-use tools that will check the performance of your website and suggest appropriate steps to accelerate it. The most popular one is PageSpeed Insights, a tool from Google that measures the performance of page loading. This report allows you to diagnose technical problems with the site as well as with its construction. The obtained result is on a 100-point scale – the bigger the better. The report is based on pages loaded on mobile and stationary devices.

Another very popular tool is Mobile-Friendly Test. The tool checks the application for performance on mobile devices and prepares a report on website performance. It verifies the completeness of the page loading and indicates the resources that could not be loaded.

Also noteworthy is the Pingdom Speed tool. Similarly to Google's tool, it generates a report with information about the possibilities for optimizing the site. In addition, in Pingdom Speed you can indicate the location from which the test is performed, e.g. Australia or Brazil.

Some tools, such as GTmetrix, in addition to preparing a report, also allow exporting the report to a PDF file that can be sent, for example to a client.

The above tools offer a number of solutions that can improve the performance of the website/shop, but what if we have already used all the suggestions and applied all the good practices to speed up the pages and the application still responds slowly? Performance tests come to our aid, thanks to which we are able to check how the application works from the inside.

Performance tests belong to the group of non-functional tests and are performed to check the fulfilment of requirements such as the acceptable response time under load, the number of process executions per unit of time, and the number of parallel users who can use the system without loss of performance. Performing such tests helps organizations prevent application unavailability, which directly translates into company revenue.

Companies' losses caused by an application being down even for a short time may reach millions of PLN. That is why it is so important to check the application against performance requirements.

Performance tests are divided into different types, and the most common are the following:

  • Load testing – the most frequently performed tests, which check the operation of an application under an assumed load. Performing such tests makes it possible to determine the response times of the application and to find bottlenecks in it, such as memory leaks, code errors (e.g. infinite loops, thread jamming) or errors related to the configuration of the application server or database.
  • Stress testing – stress tests are designed to check the operation of an application under a load significantly exceeding the intended traffic. System reactions under extreme conditions are tested.
  • Endurance testing – these tests verify the operation of the application under a constant, long-lasting load, which may reveal e.g. slow memory leaks.
  • Peak testing – peak testing is used to simulate situations of sharply increased traffic, e.g. during a promotional campaign.

To prepare performance tests we use, among others, the Apache JMeter application, a free tool written in Java. It is an advanced program for measuring the performance of static and dynamic elements, which makes it possible to run performance and overload tests. Thanks to a very large number of add-ons, it is possible to prepare extensive test reports. Apart from JMeter there are also other open-source tools such as Grinder or Locust, but they do not provide as many possibilities as Apache JMeter.

Paid tools are an alternative to open-source tools. Among performance testing tools, LoadRunner (which has been on the market for more than 20 years!), currently supplied by Micro Focus, is in first place. The results of performance tests carried out using LoadRunner are very often used as a benchmark for other tools. LoadRunner consists of several components: VuGen (Virtual User Generator) to create test scripts, Controller to run tests, Analysis to prepare reports and analyze results, and LoadGenerators to generate traffic during tests.

VuGen allows you to record a large number of protocols, from HTTP to .NET, SAP, RDP, Web Services, Mobile Web and many more. You can add your own functions to the scripts, which are created using the C, JavaScript, C#, VB.NET and Java programming languages (depending on the selected protocol). LoadRunner integrates perfectly with other tools from the Micro Focus family, such as ALM, as well as with CI tools such as Jenkins. VuGen also integrates with GitHub.

A single second in the IT world is very important. Even delays in the time of loading a page or application response can have a very negative impact on the users’ perception of a given portal/application and thus translate into financial results. Owners wanting to offer their customers an efficient and fast website or application should check it as accurately as possible in order to avoid losses or negative reactions of users.

Author: Emil Użdziło, Performance/Automation Test Engineer