How to advertise

Other Software QA and Testing Resources

Top Resources

Google Testing Blog - Public blog site for Google's testers. Includes archives going back to 2007.

James Bach's Blog - Large collection of thoughtful postings/articles on Jame's Bach's Satisfice web site; organized into a wide selection of categories. - Comprehensive software testing resource site from Techwell Corp., with articles, news, information on software testing and quality engineering, books, tools, conferences, message boards.

Return to top of resources listings

Software QA and Testing-related Organizations/Certifications/Conferences

Association for Software Testing - A nonprofit professional organization dedicated to advancing the understanding and practice of software testing. For scholars, students, and software development practitioners. Sponsors conferences, publications, web sites, newsletter.

American Society for Quality - American Society for Quality (formerly the American Society for Quality Control) web site; geared to quality issues in general, not just Software QA. Has a Software Division that focuses on Software QA, and publishes Software Quality Professional Journal. ASQ is the largest quality organization in the world, with more than 100,000 members. Provides a wide variety of general quality-related certifications, as well software-specific ones such as the CSQE (Certified Software Quality Engineer).

SEI - Web site of Software Engineering Institute (at Carnegie Mellon University); info about SEI technical programs, publications, bibliographies, some online documents, SEI courses and training, links to related sites.

The Atlanta Quality Assurance Association - Atlanta, Georgia group with monthly meetings.

SQuAD - Software Quality Association of Denver - software QA monthly meetings and an annual conference, in Denver, Colorado. Site has links to many past meeting presentations.

TCQAA - Twin Cities Quality Assurance Association of Minneapolis and St. Paul, Minnesota. Has monthly meetings. Site has link to past presentations

KWSQA - Software QA/Testing group with monthly meetings in Kitchener-Waterloo region (Ontario, Canada).

Seattle QASIG - Seattle, Washington area group with monthly meetings.

Note: The above is only a partial listing. There are many other local QA- and Testing-related meetings in cities around the world. Check with local software-related professional organizations or sites such as for information about current local meetings in your location.

Certification Information for Software QA and Test Engineers:

ISTQB Certified Tester - The International Software Testing Qualifications Board, based in Belgium, was initially a part of the European Organization for Quality - Software Group. Certifications and testing are administered by ISTQB organizations in each of a number of countries around the world. Multiple certification levels are available.

CSQE - ASQ (American Society for Quality) CSQE (Certified Software Quality Engineer) program - information on requirements, outline of required 'Body of Knowledge', listing of study references and more.

ISEB Software Testing Certifications - The British Computer Society Information Systems Examinations Board (ISEB) maintains a program of several levels of testing certifications. Some levels are equivalent to the ISTQB Certifications.

ASTQB - The American Software Testing Qualifications Board is a branch of the ISTQB Certifications are based on experience and a written test. Multiple types of certifications are available. The ISTQB Body of Knowledge, Terms, and sample exams are available as free downloads.

CSQA/CSTE - QAI Global Institute's program for CSQA (Certified Software Quality Analyst), CSTE (Certified Software Tester), and Certified Software Project Manager (CSPM), Certified Associate in Software Quality (CASQ), and many other certifications.

Software QA and Testing Conferences:

Conferences - Testing-related conferences listing at Kerry Zallar's 'Software Testing Stuff' web site.

Return to top of resources listings

QA and Testing-related Magazines/Publications

TEST Magazine - Testing magazine published in digital format on a bi-monthly basis, from 31 Media.

LogiGear Magazine - Online testing magazine from Logigear; site includes archived articles from past issues by year and by category (such as Test Methods & Metrics, Agile, Mobile, etc.). Published 4-6 times per year.

Software Quality Professional Magazine - Published by the American Society for Quality; web site includes table of contents and abstracts of all articles, and full text of selected articles.

Methods and Tools - Software Methods and Tools e-newsletter web site by Martinig and Associates; regular articles are included on process improvement, testing, modeling, management, etc. Site includes current issues and past issues with full text of all articles; as well as extensive additional information and resources.

Return to top of resources listings

General Software QA and Testing Resources

(Note: also see the 'Books' section for a listing of books on Software QA, Testing, and related subjects.)

Alan Page's 'Tooth of the Weasel' Blog - The blog's subtitle is: 'Notes and rants about software and software quality'. Alan spent 22 years at Microsoft including a two year position as Microsoft’s Director of Test Excellence, and among other publications was the lead author of the book “How We Test Software at Microsoft”.

A tale of working from trunk - A posting from Alister Scott's blog, about "how we went from long lived feature/release branches to trunk based development, why it was really hard". Includes 'lessons learned'.

Stories From a Software Tester - Jeff Nyman's wide-ranging blog postings on topics related to software testing, with a comprehensive archives index going back to 2011.

The Future of the Testing Role - Youtube video of a James Bach presentation in March 2017 on what it means to be a test engineer in an agile CI/CD environment. Includes: what is unique about the task of software testing, what is unique about good testing specialists, the objective of 'an informed client', how test specialists may become at risk of becoming tool jockeys or developer assistants, the 'right shifting' of testing - sometimes to the point of minimizing or eliminating pre-production testing, and impacts of current practices on software risk.

The challenge of verification and testing of machine learning - Article in cleverhans-blog by Ian Goodfellow (Staff Research Scientist at Google Brain) and Nicolas Papernot (graduate student in Computer Science and Engineering at the Pennsylvania State University and Google PhD Fellow in Security). The article points out such things as: "It is clear that testing of naturally occurring inputs is sufficient for traditional machine learning applications, but verification of unusual inputs is necessary for security guarantees. We should verify, but so far we only know how to test. Current machine learning models are so easily broken that testing on unusual inputs is sufficient to expose their flaws." They also provide 'cleverhans', an open source Python library to benchmark machine learning systems' vulnerability to adversarial examples. It provides standardized reference implementations of adversarial example construction techniques and adversarial training, and may be used to develop more robust machine learning models. Also see the May 2018 article at the OpenAI web site where it was reported that it was not uncommon to find that artifical intelligence implementations had bugs, sometimes significant: '...when we looked through a sample of ten popular reinforcement learning algorithm reimplementations we noticed that six had subtle bugs found by a community member and confirmed by the author. These ranged from mild serious ones...'

Pass vs. Fail: Is There a Problem Here? - Interesting blog article on testing vs checking and the issues in 'pass/fail' type testing and reporting, from Michael Bolton's DevelopSense blog.

Cloud: beyond infrastructure thinking - Article from Thoughtworks discussing cloud-adoption hype vs reality. Includes a discussion of cloud adoption and such issues as vendor choice lock-in.

Lean Software Development: The Backstory - Long article by Mary Poppendieck, author of the book 'Lean Software Development'. Includes sections on 'The State of Lean Software Development', 'The Difference between Lean and Agile Software Development', 'Lean is about Flow Efficiency', 'The Future of Lean Software Development', 'Case Study: Hewlett Packard LaserJet Firmware' and more. From Mary Poppendieck's The Lean Mindset blog site.

Thoughtworks Technology Radar - Although not specifically about testing, this periodically-updated posting from Thoughtworks provides useful concise assessments of recent trends re common software development/engineering processes and technologies.

Agile Versus Lean - Article from Martin Fowler's site discusses the relationship between lean and agile philosophies, in that both stress adaptive planning and a people focused approach. Also how Mary Poppendieck, a proponent of lean software development and author of related books, had a background in lean manufacturing and subsequently brought lean philosphies into Agile as a founding board member of the Agile Alliance.

Why the Great Glitch of July 8th (2016) Should Scare You - Thought-provoking post by Zeynep Tufekci regarding multiple major computer system failures reported in July 2016, in which she writes: "The big problem we face isn’t coordinated cyber-terrorism, it’s that software sucks. Software sucks for many reasons, all of which go deep, are entangled, and expensive to fix". Her summary of the causes includes: layers of old/fixed/patched software, technical debt, complexity, and 'lack of interest in fixing the real problem'.

Heuristic Test Strategy Model - A 5 page checklist-based approach to test strategy by James Bach. Essentially a set of things to consider for a testing strategy, in 4 categories. Includes checklists for 'General Test Techniques', 'Quality Criteria Categories', 'Project Environment', 'Product Elements'.

Software Testing Mindmaps - Useful way to view various testing strategies such as 'How to test text fields', 'Web Security Testing Checklist', 'Mobile Testing in a Nutshell', or 'Web App Testing Toolkit'. More than 100 'mindmaps' in categories 'General', 'Mobile', and 'Web'. Can be helpful in considering various test strategies and tools.

The Seven Basic Context-Driven Principles - Article about the 'context-driven' approach to testing on the Association for Software Testing web site, by Cem Kaner and James Bach. Lists the main principles and includes description, examples.

The Value of Checklists and the Danger of Scripts - Presentation at CAST conference by Cem Kaner; old presentation but still valid.

Health Exchange Mess - Post-mortem on the 2013 implementation problems of the Maryland State Health Exchange, authored by Charles Hayward, a retired US Government Accountability Office auditor. The April 2014 article is in 2 parts: 'Health Exchange Mess Part I: Failures in leadership', and 'Health Exchange Mess Part II: Assigning blame, recouping money.' Also see LA Times articles summarizing problems with implementations including those in Hawaii, Massachusetts, and Oregon in a March 2014 2-part series by Maeve Reston: 'States that have struggled with healthcare sites consider lawsuits' .

XP in a Safety-Critical Environment - Interesting article by Mary and Tom Poppendieck concerning the applicability of XP practices in safety-critical software development.

Software Negligence and Testing Coverage - Article by Cem Kaner contains an old but still very informative list of 101 types of testing coverage measures; shows the complexities in any discussion of 'testing coverage'. Selected quotes of interest from the article: "Even if you achieve complete coverage for a given population of tests (such as, all lines of code tested), you have not done complete, or even adequate, testing." and "The decision as to whether to try for 1%, 10%, 50% or 100% coverage against any given population is non-obvious. It involves tradeoffs based on thoughtful judgment."

What is DevOps? - Article from New Relic discribing the common themes, tools, and ideas behind 'DevOps', a widely-used term having widely-varying interpretations including it's relation to testing.

Software Engineering: An Idea Whose Time Has Come and Gone? - An interesting article by Tom DeMarco in which he indicates, among other things, that his early ideas and advice regarding quantified work, project planning, and metrics for software projects - such as those in his 1982 book 'Controlling Software Projects: Management, Measurement, and Estimation', may have been wrong.

TDD is dead. Long live testing - A perspective on unit testing vs system testing, by David Heinemeier Hansson (creator of Ruby on Rails), in which he suggests considering a rebalancing of the testing spectrum from unit to system. Steve Sanderson in his blog has posted 'Selective Unit Testing – Costs and Benefits' in which he discusses considerations for when to focus on unit testing vs when to focus on integration testing.

Exploring Exploratory Testing - Article by Cem Kaner and Andy Tinkham about the exploratory testing approach to software testing; includes discussions of questioning strategies and heuristics.

Exploratory Testing Explained - Article by James Bach on exploratory testing; includes attributes of a software project and tester that impact decisions on testing approaches, exploratory testing examples, etc.

Cem Kaner's software testing site - Cem Kaner's site contains a large selection of his articles about software testing, legal issues, test management, and more (see the 'Publications' section of the site). Also see his '' website , a consumer and legal-issues orientation to software quality issues.

They Write the Right Stuff - Summary of the original article 'How to write near-perfect software' by Charles Fishman that was in Fast Company magazine - about how software was developed for the U.S. Space Shuttle. "The group's most important creation is not the perfect software they write -- it's the process they invented that writes the perfect software."

What does the software quality process for NASA's SLS look like? - NASA is building the Space Launch System (SLS) to land the first woman and next man on the Moon by 2024. These Stack Exchange postings have links to information and documents detailing the software development and QA processes for SLS software.

What is a Test Architect? - Discussion re test architects by Microsoft's Alan Page.

RBCS Testing articles - RBCS Consulting Services web site's collection of software testing articles on a wide variety of testing-related subjects.

Errors in Scientific Software - Article titled 'The T experiments: errors in scientific software' by Les Hatton; old but still alarming article. For more recent articles on software bugs slipping unknowingly into scientific research, sometimes resulting in retraction of published papers or invalidating medical research, see 'Computational science: ...Error: …why scientific programming does not compute' by Zeeya Merali in Nature magazine; or see A Bug in FMRI Software Could Invalidate 15 Years of Brain Research (2016).

Perspective on software testing certifications, by Cem Kaner - includes a discussion of a proposed 'Open Certification Process'; section 3 of the paper has a long discussion of "Project Manager’s Perspective: Problems With the Current Certification System"

'Good programmer' definitions/discussions - Since testers and developers often need to work closely together, and since many testers also do some programming, it is helpful to get some perspective on 'what is a good programmer'. Also see the discussions in the Joel On Software blog..

WSR Consulting Group publications - Good collection of QA and Testing related articles from WSR consulting, a computer crisis/litigation consulting company. The articles have an emphasis on proper management of problem projects and engineering-customer relationships for software projects.

Where is the Science in Computer Science? - Article in Communications of the ACM (from October 2012) by Vinton Cerf (VP at Google, past winner of the Turing Award, one of the acknowledged 'Fathers of the Internet', and president of ACM). In the article he states, among other things, '....Even though we design software systems and ought to have some clues about how these systems behave and perform, we generally do not have a reliable ability to anticipate the states these systems can get into, their vulnerabilities, their performance, and ability to adapt to changing conditions.' He also goes on to note our generally poor ability to predict how long it will take to find and fix bugs, or to have an idea how many new bugs will be created by fixes.

'Software Experts' site - Software engineering site oriented to microcontroller/embedded system environments, by Eberhard De Wille and Dana Vede. Site has sections on design, coding, refactoring, process, and a large section on testing.

ITIL - Originally the 'IT Infrastructure Library' - a set of best-practices guides on the management and provision of operational IT Services, covering 5 main topics: Service Strategy, Service Design, Service Transition, Service Operation, and Continual Service Improvement. ITIL was initially developed by of the British Office of Government Commerce and the itSMF, the 'IT Service Management Forum' a UK-based organization comprised of 1000 companies and government organizations worldwide; ITIL is now owned by AXELOS, a joint venture of the British Cabinet Office of the UK government and Capita plc. The ISO/IEC 20000 standard is based on ITIL. There is a good summary of the ITIL approach in Wikipedia. Various training courses and certifications are offered in many countries. There are 3 levels of ITIL certification: Foundation Certificate, Practitioners Certificate and Managers Certificate.

Big Ball of Mud - Outstanding essay on the 'de-facto standard software architecture', by Briane Foote and Joseph Yoder of the U. of Illinois at Urbana-Champaign. The 'Big Ball of Mud' architecture is defined as 'a casually, even haphazardly, structured system. Its organization, if one can call it that, is dictated more by expediency than design....The overall structure of the system may never have been well defined. If it was, it may have eroded beyond recognition.' They discuss why this architecture is so popular, advantages and disadvantages, and what can be done to improve such systems. Web Site - James Bach's Web Site with a collection of his articles on various aspects of software testing. Articles are old but still of interest. Also see Youtube for videos of his more presentations.

Illustrative Risks to the Public in the Use of Computer Systems - Enormous list of software, system, and related problems compiled by Peter Neumann/SRI International. Organized by categories such as space, defense, medical, stock market, elections, insurance, cryptography, etc. Includes related book list, other information. (Also see 'Risks Digest' listed below.)

ARIANE 5 Flight 501 Failure Report by the Inquiry Board - A rare and instructive detailed public analysis of a major software failure - the 1996 launch failure of the new (At the time) Ariane 5 rocket. This is the official report of the inquiry board appointed by the French National Center for Space Studies and the European Space Agency. Also see the article 'Design by Contract: The Lessons of Ariane' which includes a discussion of the code reuse issues brought to light by the Ariane 5 failure.

Risks Digest - Digest of the 'Forum on Risks to the Public in Computers and Related Systems'. Includes latest issue and archives covering software and system problems, vulnerabilities, disasters; based on the comp.risks newsgroup.

SEI Capability Maturity Models - Software Engineering Institute's CMMI web site, with info and documentation downloads on the CMMI models for for Development, Services, Acquisition, People, and Data Management.

CMMI and Agile - CMMI and Agile Srinivas Venkataraman Youtube video showing slides of talk by Srinivas Venkataraman - includes discussion of where CMMI-specific goals and pracitces map or do not map to Agile practices.

Construx Software Resources - Site with many useful resources, estimation info and resources, various checklists, and Steve McConnell's 'Software Survival Guide' website.

Software Engineering Resources - Large collection of useful information and links to many other sites and resources, all related to the SW engineering process including agile processes, project planning and management, metrics, risk analysis, programming methods, OO SW engineering, testing, QA, CM. From R.S. Pressman, author of the book 'Software Engineering, A Practitioner's Approach'.

Software Test Coverage Analysis article - Article containing a good discussion of test coverage analysis from Steve Cornett/Bullseye Testing Technology, maker of "C-Cover Test Coverage Analyzer" tool.

Technical Debt - Short article explaining technical debt, by Martin Fowler. Also see his 'Technical Debt Quadrant' article.

Embrace Technical Debt - Article by Eric Ries (author of book 'The Lean Startup') from his Startup Lessons Learned site. Among other things, he discusses how technical debt concerns might vary depending on context. For example when a design or business model has a high likelihood of changing (such as in a startup), technical debt concerns might be moderated compared to more stable contexts. He discusses how to take a disciplined approach to these context variations.

Object-Oriented Concepts - Basics of object-oriented programming concepts, from Oracle's (formerly Sun's) Java site. Good quick intro.

Return to top of resources listings

Agile Testing Resources

Manifesto for Agile Software Development - The origin of the 'Agile' approach and the twelve guiding principles of agile software development.

Agile Methodologies - Martin Fowler's online discussion of 'agile' methodologies (XP, Scrum, Crystal, FDD, DSDM, etc.) includes summaries of various approaches as well as reference information, and factors to consider in choosing these approaches.

Agile Testing - Article discussing 'Nine Principles and 6 Concrete Practices' suggested for agile testing by Elisabeth Hendrickson. Topics include: who does testing on an agile team, documentation, Test-Last vs Test-Driven unit testing, ATDD, Exploratory Testing, and more.

A Sprint Framework for Testers - Suggested processes and practices to consider for testers in an Agile environment - from an October 2015 blog post by Conner Roberts.

Agile Testing and Quality Strategies: Discipline Over Rhetoric - Introductory agile testing article by Scott Ambler.

Agile Testing - Key Success Factors - Chapter 21 from the book 'Agile Testing: A Practical Guide for Testers and Agile Teams' by Lisa Crispin and Janet Gregory; book excerpt provided by InfoQ.

Perils and Pitfalls of Agile Adoption - Article by Matt Heuser at InformIT site, includes discussion of risks such as that agile methods are easy to misunderstand, that it's easy to think you're doing Agile right, and be wrong, and that agile methods make value (or lack of value) visible.

DORA DevOps Quick Check - Free online tool for testers or other agile team personnel who would like to get an idea of how far along their organization's agile/devops processes really are, Google provides a quick method of measuring a team's software delivery performance. Compare it to the rest of the industry by responding to five multiple-choice questions. Compare your team's performance to others, and discover which DevOps capabilities should be a focus for improvement. Results are compared to those in relevant industry categories.

An Uncomfortable Truth about Agile Testing - Article by Jeff Patton on the StickyMinds site about some of the potential difficulties of testing on an Agile project.

Ron Jeffries Site - Agile/Scrum/XP - Large collection of articles and posts from Ron Jeffries about Agile, Scrum, and Extreme Programming, including a discussion of how QA fits into the XP approach, XP Magazine archives, and many testing-related articles with relevance to XP/Scrum/Agile. Also see 'The Rules of Extreme Programming' at the web site.

Guide to Continuous Delivery - Large collection of articles on Atlassian (whose products include Jira, Confluence, Bamboo etc) web site with basics of CI/CD including different types of testing, code coverage, branching strategies, etc. Other useful articles are contained in their 'Guide to Agile Development' and their 'The secrets behind story points and agile estimation'.

17 Theses on Software Estimation - Long article by Steve McConnell, author of the book 'Software Estimation - Demystifying The Black Art', related to an ongoing online discussion with Ron Jeffries re the agile-related topic '#NoEstimates'. He covers topics such as 'Responding to change over following a plan does not imply not having a plan', and 'Agility plus predictability is better than agility alone.'

Do Better Scrum - Free pdf booklet of 76 pages - 'an unofficial set of tips and insaights into how to implement scrum well'. By Peter Hundermark.

Scrum Basics - Web site of Scrum Alliance with an 'About Scrum' section providing an overview of Scrum basics; site also has a Resources section that includes e-learning videos and articles, and more.

Return to top of resources listings

Test Automation Resources

Quality Thoughts - A wide-ranging software testing blog by Alister Scott, with articles mostly related to test automation but also about many other topics including tools, agile, CI, experience reports, work culture etc.

Test Guild - Joe Colantonio's site with a long-running blog, podcasts, interviews, and other resources relevant to test automation.

From QA to Engineering Productivity - Google Testing Blog essay on how the focus of QA at Google evolved to more of an 'Engineering Productivity' focus.

GTAC - Web site for the Google Test Automation Conferences includes links to past conferences and slides and videos for each, covering years 2006 - 2016. Includes archive of presentations, videos, slides.

How to Grade Your Selenium Tests - Slideshare of a Dave Haefner presentation on how to judge how good/bad your selenium test automation is. Provides good guidance on selenium test design and coding.

7 Deadly Sins of Test Automation - Slideshare by Adrian Smith - the 'seven deadly sins' discussed are a set of common anti-patterns found to erode automation's value, resulting in long term maintenance issues and reducing teams' ability to respond to change and continuously deliver.

Brief comparison of BDD frameworks - Short article on the DevOps Zone web site comparing 5 BDD tools: Concordion (for Java or C#), JDave (for Java), Easyb (for Groovy), JBehave (for Java), Cucumber (for many languages including Ruby, Java, Javascript, C++, .Net, etc.) By Sebastian Laskawiec.

The Forgotten Layer of the Test Automation Pyramid - Short article by Mike Cohn (author of 'Succeeding with Agile' book) about the Services testing layer of the pyramid. Also see Justin Rohrman's article Getting Started with API Testing article in the Gurock Quality Hub site.

Seven Steps to Test Automation Success - Old but still surprisingly relevant introductory article on considerations in successful automated testing; by Bret Pettichord.

Effective Performance Testing articles - Extensive collection of how-to and other information on performance testing at Scott Barber's web site.

Udacity - Free Udacity software engineering courses online - Courses and Nanodegree Programs.

See other automation-related FAQ's such as 'Will automated testing tools make testing easier?' and 'What's the best way to choose a test automation tool?' in the Less-Frequently-Asked-Questions section.

See the 'Tools' section for test tool listings and the 'Web Tools' section for web site testing tools.

See the Bookstore section on Automation for books on test automation.

Return to top of resources listings

Mobile Testing Resources

How to Test a Mobile Application - Article on general considerations for mobile application testing (web, app and hybrid). Includes a variety of topics, such as 'Which is better – Emulators or simulators'.

Android application testing with the Android test framework - Long tutorial by Lars Vogel re how to test Android apps with different Android testing frameworks. Includes test automation, what/how to test, mocking, more.

Test Automation Interfaces for Mobile Apps - Article in LogiGear Magazine by Julian Harty discusses mobile automation considerations from the perspective of 3 automation stages - Discovery, Design, and Execution. There is discussion of the mobile app's interfaces which he groups into a) Human–computer Interaction ( HCI) - touch, proximity, movement, sound, light, controls; and b) Sensor interfaces such as accelerometers, magnetism, GPS, Orientation, Camera, etc. Possible automation interfaces discussed include the GUI, code (unit testing), API's, accessibility capabilities, etc.

Browser compatibility: viewports - Mobile device/browser compatibility information from Peter-Paul Koch's web site.

Testing Mobile Web Apps with WebDriver - From the Open Source at Google blog - discussion of how to write automated tests to test a site when viewed from an Android or iOS browser. The WebDriver web testing framework includes a touch API that allows a test to interact with a web page through finger taps, flicks, finger scrolls, and long presses. It can rotate the display and provides an API to interact with HTML5 features such as local storage, session storage and application cache.

QuirksBlog - Mobile - Articles re mobile browser compatibility and responsive issues from blog of Peter-Paul Koch.

See the 'Mobile Web/App Testing Tools' section of the Web Test Tools List page for mobile testing tools.

Return to top of resources listings

Web QA and Testing Resources

Ultimate Website Launch Checklist - Useful comprehensive checklist that can be useful to help drive testing strategy, by Tom Houdmont.

Web Site Performance Testing - A collection of useful information on various aspects of performance testing, from Scott Barber's web site. Topics include: "Pinpointing and Exploiting Specific Performance Bottlenecks", "Common Performance Testing Challenges", "How Fast is Fast Enough", and "Introduction to Performance Testing". Although some of the information is not specifically oriented to web performance testing, it is still highly applicable.

Web Developer Checklist - Categorized checklist with links to other info/guidelines/tools - provides useful considerations for web testing; also available as a Chrome extension or as an extension for Firefox or Edge.

Evaluating Web Sites for Accessibility - Articles and information on the World Wide Web Consortium web site's 'Web Accessibility Initiative' section on how to assess and test web sites for accessibility issues.

Automated local accessibility testing using WAVE and WebDriver - Interesting article from WatirMelon Testing Blog by Alister Scott; refers to some other interesting related resources.

Return to top of resources listings

Web Security Testing Resources

OWASP - The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything available in site is free and open source. Includes a book-length free downloadable 'Testing Guide' that includes a large section on 'Web Application Security Testing', a 'Code Review Guide', etc. (The guide is a bit dated but still useful and free. There is a 'Cheat sheets' section at

WebGoat - A deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson. Written in Java - installs on any platform with a JVM; installers available for Linux, OS X, and Windows. There are over 40 lessons, dealing with Cross-site Scripting (XSS), Access Control, Thread Safety, Hidden Form Field Manipulation, Parameter Manipulation, Weak Session Cookies, SQL Injection, Web Services, Dangers of HTML Comments, etc. - Web site security guidelines and information from the StopBadware site, formerly based at Harvard University’s Berkman Center for Internet & Society and subsequently spun off as an independent non-profit.

Top 10 Common Web Attacks - The most common attacks, and the vulnerabilities most commonly exploited, are typically the first and weakest link in a site's defense, and are therefore an appropriate focus for initial efforts in shoring up a defense with at least a minimal level of security. Includes discussion and explanation of OWASP's Top 10 Application Security Risks.

SANS Security Resources - Web site of SANS (SysAdmin, Audit, Network, and Security Institute), a cooperative research and education organization for sysadmins, security professionals, and network administrators for sharing lessons learned and solutions. Includes an Intrusion Detection FAQ; more than 1500 white papers on security; webcasts; security trends, top security risks, and much more are freely available.

National Vulnerability Database (NVD) - National Vulnerability Database maintained by U.S. National Institute of Standards. The NVD is the CVE dictionary augmented with additional analysis, a database, and a fine-grained search engine. The NVD is a superset of CVE. The NVD is synchronized with CVE such that any updates to CVE appear immediately on the NVD. Includes vulnerability scores.

Common Vulnerabilities and Exposures (CVE) - Searchable, downloadable, and on-the-web 'Common Vulnerabilities and Exposures' list hosted by Mitre Corp. CVE goal is to standardize the names for all publicly known vulnerabilities and security exposures, so that security information can be efficiently shared and handled. Many security test tools are utilizing or planning on utilizing this standardized naming/numbering system.

Inside the West's Failed Fight Against China's 'Cloud Hopper' Hackers - Article from June 2019 about a long term compromise of multiple major companies worldwide, indicating that 'For those that thought the cloud was a panacea, I would say you haven’t been paying attention', according to Mike Rogers, former director of the U.S. National Security Agency.

Common Attack Pattern and Enumeration - CAPEC is a publicly available, community-developed list of common attack patterns (descriptions of common methods for exploiting software systems), with a comprehensive schema and classification taxonomy. By Mitre Corp.

W3 Security Resources - Large collection of information and resources on web security, including an FAQ, hosted by the W3C Consortium (the folks who set web standards/protocols, etc.)

Computer Emergency Response Team site - CERT's internet security web site at SEI; includes vulnerability database, web server security information, blogs, podcasts, publications; hosted by the Software Engineering Institute at Carnegie Mellon University.

Penetration Testing Execution Standard - A proposed security evaluation standard from a group of information security practitioners. Although it was last updated 2014 (as of 2017) it still provides a useful outline for security evaluations. Covers the following areas of pen testing execution: Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation, Reporting. There is also an accompanying 'Technical Guidelines'.

See the 'Web Tools' section for web security test tool listings.

See the Bookstore section on Security Testing for books on software security testing.

Return to top of resources listings

Web Usability Resources

Articles from the Nielsen Norman Group web site - Articles from the Nielsen Norman Group web site re usability/design with such articles as 'You Are Not the User: The False-Consensus Effect', 'How Users Read on the Web", 'Costs of User Testing', and 'Differences between Print Design and Web Design'.

User Interface Engineering - Web site of User Interface Engineering Inc., founded by Jared M. Spool. Many articles on web site and product usability, such as 'Web Application Form Design', 'Seven Common Usability Testing Mistakes', '5 Things to Know about Users', and more.

Web Design Best Practices Checklist - Checklist from web site of Terry Ann Morris, covers page layout, browser compatibility, navigation, color and graphics, multimedia, content and presentation, functionality, accessibility. - Web site with a large collection of web usability resources, information, and guidelines. Although the site was developed by the U.S. federal government for use by various federal agencies, the site is a resource available to anyone.

Prioritizing Web Usability - PDF chapter from book on Web Usability by Jakob Nielsen and Hoa Loranger; from 2006 but still useful.

Return to top of resources listings