Skip to content
Supporting Mozilla to spread!
Download Beta


Tip #1 – Test Data: Creating exact file size using DOS command utility.

Let us say you wanted to test file upload feature in web application and the maximum file upload size is 3 MB. Now, you search in your local computer to see whether you have 3MB file and finally you see that you do not have exact 3 MB size for any file. Now, what do you do? Will you open *.txt and start entering characters and keep checking if the file is showing 3 MB? Well, that can be done; but it is time consuming and crude way of doing it. We call ourselves engineers, let us do it in cool way.

For windows user, you can just try this command on your DOS prompt;

fsutil file createnew enter_your_filename_here enter_the_number_of_bytes_you_want_to_create

Example: fsutil file createnew myprofilepicture.PNG 12000


Tip #2 – Converting image formats from one to another in bulk

Let us say, you took a lot of screenshots and finally you see that they have lot of file size as you saved them as *.BMP which is why they show up big file size. Now, you want to convert all of them to light-weight file sizes format which could be JPG or PNG. How would you do that? Keep opening every image one by one and again “Save as”? Again, crude way. What if the screenshots that you took are like 100+ images?

Now, let us show you some way where you can change the file formats in few seconds for large number of image files whose format is *.BMP

Download ImageMagick from

You have a command which you can execute once you install the software successfully!

Here is the command,

convert filename.BMP filename.PNG


Well, you need not keep writing the file names every time you need to change the file format. You may want to collect all file names of BMP using DOS command, I will not let you know about this. I want you to figure out this while I have given you the command for conversion. You can run list of commands using Excel or *.bat (Batch file). Go, explore!


Tip #3 – Compare the build files for every new build.

The first activity that needs to be done from a tester could be, comparing the new build files with the stable build which has complete set of files. With this activity, one can get to know if some file is missing and a high alert can be raised to the development team to fix it and check-in new build files to start the testing activity. This can happen if you have access to the source code repository. Most of the testers do not even want to get access to the source code repository and have an assumption that, they are not allowed to do so, while it was just one e-mail sent to the development team your test manager so that he / she could get you the access. For doing this you can use “Beyond Compare” which has folder compare which compares file by file. If some file is missing, then you can get to know at the early stage and you get to know something if fishy with the new build.


Tip #4 – SysInternals Suite – Use them and find out how every utility can help

I have been a fan of Sysinternals Suite utilities. They are tiny, yet bloody powerful. I personally have used it since my school days for various activities, oh yes; being a hacker these tiny little chaps help me in doing a lot. I bet, you cannot ignore yourself from falling in love with them. Every tiny utility helps me identify the tests that I can do. It is like reverse engineering, I use the utility and then identify how this utility can help in my testing activity. Try them at your convenience and you may love them.


Why Security Testing Sucks?


We have known this for long time and it is hard to figure out the reasons behind, “Why management doesn’t agree to this or why management doesn’t understand this”. It could be a business reason finally however, not at the cost of sensitive data leakage of the customers. It takes a technical guy who knows what is hacking and it’s after effects. And only such person may make a decision in a appropriate way.



One of my student enrolled into Ethical Hacking course, and finally once he scored great marks in it; I asked him to hack into WiFi network of neighbor by giving him a laptop. His response was, “I cannot do it, I only know the tool name which can do that and that is AirCrackNG”. Now, ethical hacking course looks like more of a tool-smith where you remember the tool name and just run it without having the mind-set or skill-set which plays a great role in this profession. So, if you are hiring people who has done ethical hacking course, you may want to re-think about, “What else that person need to have as skills?”



In my experience, I have seen product owners going live with vulnerabilities open and I advocated that, it is a bad idea. The reason they provided were, developers do not believe that it will happen anytime. Another reason was, these are the only requirements and the code works according to the specifications. That sounded weird to me. I would be happy if you had said, you do not have skills to do it or you just wanted to not fix it for whatever reason. Last, but not least; it is not only the developers but also testers or test manager in the team who would deny that it needs a fix. Like Gerald M Weinberg says, it is always people problem!



We collectively lack the number of white hackers who could fight the black hat guys. However, I see the change happening and I am man of patience. Things that take time will take time. And the people who claim they are passionate white hat hackers end up in knowing some tools / utilities very well or some techniques and the learning stops there. That doesn’t make white hat hackers cool, what makes them cool is to deep dive into learning more and more and not settling for less. Let us hope for the best in the future.


Most of the testers want the easy way out. I interact with many testers in India in different cities, most of them do not want to use Notepad++ when I tell them about it; they say “I am able to do it in Notepad”. My point is not about not using Notepad if it works for you, it is about “Knowing what Notepad++ has and may be you can do it more effectively and get more ideas while working with it”. Likewise, most testers lack bug advocacy; not only in security testing but many other quality criteria as well. Well, no good thing comes easily. Difficult is different and challenging word is different. Bug Advocacy is challenging and not about easy or difficult.


In some organizations, testers are asked for the code fix as developers may find it tricky bug or could be challenging to fix it. Now, testers may provide an algorithm or logic to help and sometimes provide the code as well. And yes, it is easy to feel like an expert and stopping your learning. Well, the best example could be “Santhosh Tuppad” who thought he was great at security testing (Well, the fact is he didn’t think; but the world thought and still thinks). Here is what I would love to say, while the world is wanting to become famous in whatever reason, I would love to go back to my learning mode and learn how much ever I can in anything that I like before my death.

Following my heart in both my personal life and professional life has been giving me great happiness and happiness matters to me a lot.

While the title reads, “Why Security Testing Sucks?” I am game for making great things happen in security testing and I am not going to settle for less. People just shy away from anything that sucks, it is their will; no comments on that. Well, I want to go ahead and do great in security testing craft along with other quality criteria in Software Testing.



Happy Mother's Day Mom :) I love you!

My Amma (Mother)


Beautiful lady in the picture is my mom who has been taking care of me since I was a baby. She never got tired of me with my stupidity, irritating moments, fights & lot more. She has great energy even today to support me in living my life happily. I have learned many things from her & I love her a lot for always being there for me. In summary, she is the only one on this planet earth who understands me very well.

Never give up when you love something

I have given her a lot of pain, but she always gave me unconditional love. I never understood her pain, while she gave me so much of happiness by loving me so much without any conditions. She is a great fighter in her life. Sometimes I think, she has been cooking, washing clothes, taking care of us when we were ill! And she never gave up. That’s a learning for me from my mother that, “Never give up” when you love to do something. I say this to my mom, I will learn cooking and feed you as I’m big enough and mature enough to take care of you now.



Give without expecting to receive

 When I look back, whatever she has done for me; it was not with any intention of receiving it back. It was like, “Son, I have got your back; go and do what you love to and be happy”. Today, I give to people or community or help people without expecting anything back, and trust me; I feel like I’m on Cloud 9 when I do that.


My childhood days

I still remember how she used to console me when I used to cry for several reasons. I still remember, the Rice and Dal Rasam she used to make it for me and used to walk to my school during lunch hours to feed me. I had fantasy towards remote control cars & toys, she never said “No”; somehow she used to manage the money and get me those which could make me smile. She could never see my hurt, it used to hurt her in turn.


My Engineering days

There were days when she wrote my assignments so that I could rest (I’m laughing while I write this). When I used to sit late night hours to study before the exam, she used to be awake and get me fresh fruit juice or be it some snacks while she also cared about my sleep. I had a great moral support from her. She is my hero.


She doesn’t get irritated towards my stupidity, instead she helps me!

I have this habit of over thinking or sometimes it could be Obsessive Compulsive Disorder (Well, most of us have it in different levels is what I feel). Most of the people get irritated when I speak certain things or dig something or get stuck on one topic for longer time, but my mother has hell of patience when it comes to his son. She listens calmly, she doesn’t argue, she doesn’t get irritated; the only reason she does it is, she wants to be happy and she knows what I have been through and I am going through.


During my “Entrepreneur” days

She never questioned, “Why?” Instead she said, go ahead and do what your heart says. That’s important for your life. Do not take things into your head what the world says about you or about the things that you want to do in your life, be it personal or professional; just go ahead. Just be happy my dear son, this is what she says always. Love You Amma (Amma is equivalent word in Kannada language in Karnataka, India).


HAPPY MOTHERS DAY! Well, it is just one day, but I would like to see you happy always like how you want to see me happy always. So, “Happy Mothers Day To You Always”. My wishes go to all the mothers in the world!

Last, but not least; I love my pappa (Father) a lot and not to forget that I love Rice + Dal Rasam prepared by him whenever my amma (Mother) would be not keeping well. And my elder brother “Sandeep Tuppad” rocks too. He has been there with me in my ups and downs in life when there was great need of someone who could support me. In summary, my family is great & I love my family.

Finally, this blog post is very short to write about my amma. She rocks like her lovely son, that’s me :)

My First Step Towards Mobile Security Testing

Looking at the title it doesn’t mean that I have conquered web security testing totally. And it wouldn’t make sense to me if I said; I would conquer web security totally before I die. It is such a vast area of study and keeps on going and going just like we do not know where the end of this universe is? I wasn’t a freak of mobile phones from long back. However, as a security tester I wanted to see how I could test for mobile security. And I must admit that, mobile security is not yet matured when compared to web security in terms of exploration.

I started from searching for mobile security books on amazon and flipkart. I finally found a book titled “Mobile Application Security” on Flipkart and bought it. With respect to reading from a book, I have always been a reader who would just skip the pages where I couldn’t find it interesting. My reading approach of this book was to go to the last topic which spoke about “Tools and Utilities” for mobile security. (Reference: I started to read about tools description and thought of learning in reverse engineering fashion. One is to learn the concept and find the tool which can accomplish in implementing your idea; while the other way is to learn the tool and then think of test ideas. So, I picked the second approach as of now.

My reading has not been regular as of now, but I hope to get back to the track soon. The reason is, I have been very busy for the preparation of my next start-up. Follow me on Twitter @santhoshst to know the frequent updates and also I have been using hashtag as #MyNextStartupTeaser

In a nut-shell here is what I have learned about mobile (security) testing,

  1. Jailbreaking
  2. Android Manifest Explorer Tool
  3. Intent Fuzzer Tool
  4. Dalvik VM – This was interesting read to know how one could debug for android apps. Thanks to Perze Ababa (His blog: for bringing this to me while we were discussing several things while having dining.
  5. And something related to the check automation

I always see any topic or study as vast. It always depends on how it looks to ones eye. So, I am game for the challenge and look forward to be good enough in terms of mobile (security) testing.

How organizational culture helps in success or failure?

Tstock-photo-friends-confide-secrets-136364492here are many non-technical aspects that made a team successful in a project. I am able to tell this because I have faced these in my professional life. For a quick introduction, look at what Wikipedia says about Organizational Culture. Following some tips would surely make your life better considering professional life.

Gossiping can be wrong if handled wrongly

People do not like someone talking about them in a negative way. Generally, people who are gossiping think that the victim is not aware of it. However, the pathetic situation is when the victim gets to know that there are people who are gossiping. They break down and start focusing their energy on those people while their productivity does get hampered. Productivity involves thinking aspect as well which is focused elsewhere now. Are you having a watch on it? On the contrary, something beautiful that I read about positive side of gossiping can be found here.

No kidding, you are dealing with humans
I have seen lot of team activities in organizations to bring people closer. However, I did not like few or many of them. To showcase one of the examples, let us say; team is on an excursion and there is a singing competition or people are asked to dance. In this case, some may be not interested or feel shy or they are introverts or they are extroverts. I have seen people making fun of such people & finally saying, I was just kidding. Well, be informed that; you might be hurting someone when you were kidding.

Apologies do help to heal
I am fan of asking apologies if I feel the person was hurt. Here, let me make it clear that saying apologies is not about right or wrong. It is about saying, you got hurt and I care so that we can take our team member relationship to a higher extent and do well in our life. There is no harm in apologizing to your managers or sub-ordinates. However, some people refuse to apologize because he / she did not feel sorry. Well, it is not about feeling, but more of other factors which you can find here. Finally, it is empathy. What do you think?

No blame game or taunts
When I work with team members and if someone did not do the work well or goofed up with something; I do not get angry or blame them. Instead, I say; no problem let us do it together or else I say, “How may I help you?” Understand that there is no point in getting angry because it may make things worse rather than fixing. So, better change things with love and achieve success. Have you ever done it?

Be conscious about words
There is way of asking questions when you are dealing with humans. If someone is introvert and you ask him or her “Are you an introvert?” can make that person feel bad thinking that “Introvert is negative”. Well, it is a way of life. However, not many understand them and treat it to be negative. Instead one can say, “Do you like to speak in conferences” which can indirectly answer and can act as heuristics.

Five mantras to be a good team member

  • Inspire
  • Encourage
  • Motivate
  • Respect
  • Do not go personal

DISCLAIMER: This varies from organization to organization and depends on the people in the team. These are not strict rules, but context dependent [Example: Sometimes "Just Kidding" may not hurt and may actually improve the bonding between two persons or a group]. One needs to be conscious of how he / she is behaving.

NOTE: Also, on the other hand; you may want to become stronger to handle such people who irritate or who have cruel intentions whenever they speak or behave [You may ignore or speak out to them, it is your choice while both of them work]. That can help you to focus on your goals and not make the noise to enter you. Wishing you all a happy living.