ST15 Testing Input for Security and Quality using Boundary Value Testing

Penetration testing tools do a good job of finding obvious web errors. But some do so simply, by sending only canned tests (such as 1000 ‘a’s) at the interface. What if your developers’ code resists this folly but still contains more subtle vulnerabilities / errors? In this talk, I’ll present the age-old practice of boundary value testing to help audience members generate more potent test data—data that can even find subtle logic bugs. Then the question becomes, how much evil test data is enough? This session will cover equivalence class partitioning, showing audience members how to select a minimum set of data that maximizes bug-finding potential. Applying these techniques, testers will become more senior, and more effectively find implementation bugs. These techniques are also a good way to begin adding security to an untrained quality person’s repertoire—immediately adding value.

Last Updated (Monday, 30 July 2007)











