I am not building anything as sensitive as a Financial App, but I do need to get User data from a remote Instant Messaging system's database.

I built a set of testing accounts with known (to my test-package) passwords, and patterned user-data (for example, address1=user1-address1-xxxx, where xxxx is a unique test-id (in reality the PID.time() at the start of the test sequence)). This is the only way that I could think of to

The method of generating patterned data turned out to have a side-benefit, I don't have to keep re-initializing the dummy accounts with a known data-state. I can just leave the account in the updated state since I know that my next test run will generate a different test-id by virtue of the included time-stamp. I use the fact that the test-id is in the data to validate the test results (is the time-stamp different or the same? Is this what I expect?).

A few years ago, I was working contract for one of the local banks in San Francisco (one with branches all over the state of California and elsewhere). There was a formal standard for building 'dummy' account-numbers, so we could 'test on the live system'.

We had someone run a test on the Check Ordering software and 'forget' to cancel the order to the printer (Rocky Mountain Banknote, as I recall). When the checks were delivered, someone started using them to pay for purchases at stores in the Los Angeles air-basin. Since the account did have a positive balance (no surprise here), the checks all cleared.

The Bank didn't twig to the scam for over a month, until the quarterly account-reports came out and showed activity against a dummy account that didn't come from a test-id. They initially 'solved' the problem by sending instructions to all of their Printers to report 'suspicious' account numbers while they figured out a real solution. This generated a lot of false-positives....

My contract expired seven months later, and they were still arguing about the best way to prevent the scam from happening again.

UPDATE: added a paragraph tag after the list close; cleaned up the wording in the first sentence.

----
I Go Back to Sleep, Now.

OGB
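
The patterned-data check described in the post above, as an added example that is not part of the original post or the poster's code. The function names, the `.` separator inside the test-id and the in-memory `%account` hash standing in for the remote database are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Unique per test run: process id plus start time (separator is this example's choice).
sub make_test_id { return join '.', $$, time() }

# Build the patterned value for one field, e.g. user1-address1-4242.1000000000
sub patterned_value {
    my ($user, $field, $test_id) = @_;
    return "$user-$field-$test_id";
}

# Classify a value read back from a test account:
#   current - written by this run
#   stale   - patterned, but left over from an earlier run
#   foreign - does not follow the test pattern, so no test run wrote it
sub classify {
    my ($user, $field, $value, $test_id) = @_;
    return 'foreign' unless defined $value
        && $value =~ /\A\Q$user\E-\Q$field\E-(\d+\.\d+)\z/;
    return $1 eq $test_id ? 'current' : 'stale';
}

my $test_id = make_test_id();
my @fields  = qw(address1 address2 phone);

# Constructed stand-in for the remote database: state left behind by an earlier run.
my %account = map { $_ => patterned_value('user1', $_, '4242.1000000000') } @fields;
$account{phone} = '555-0100';    # constructed value that no test run wrote

# The update under test touches only address1 on this run.
$account{address1} = patterned_value('user1', 'address1', $test_id);

# What the test expects: the updated field is current, the others are untouched leftovers.
my %expected = (address1 => 'current', address2 => 'stale', phone => 'stale');
my $failures = 0;
for my $field (@fields) {
    my $got = classify('user1', $field, $account{$field}, $test_id);
    my $ok  = $got eq $expected{$field};
    $failures++ unless $ok;
    printf "%-9s %-8s %s\n", $field, $got,
        $ok ? 'ok' : "NOT ok (expected $expected{$field})";
}
exit($failures ? 1 : 0);
```

The `phone` field is reported as `foreign` and fails the run, because its value carries no test-id at all.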


In reply to Re: Testing with sensitive information by Old_Gray_Bear
in thread Testing with sensitive information by rpanman
