I’ve seen many people over the years do a live blog at conferences, so I figured I might as well give it a go. I’m hoping it will help me to actually listen to what’s being said, rather than just hearing it.
The story so far…
Yesterday was the start of Testbash for me and many others. Workshop day! My day started off by learning how to do 10-minute test strategies with Bill Matthews and Pekka Marjamaki. A really interesting workshop from which I learned or relearned some very important things. Firstly, learn the language of your stakeholders; there is no point creating a test strategy using technical words or terms if they don’t have the skills to interpret the language, and this may lead to unnecessary conflict. Secondly, learn what the stakeholders want, and more importantly what their fears are. It is this latter one that I have not considered before, and one that may prove to be the most telling. By finding out the stakeholders’ fears, you can address the fear and so provide confidence, rather than trying to please their desires.
The afternoon was a more technical topic as we investigated web services and RESTful interfaces with Mark Winteringham. This is an area that is of particular interest to me at the moment, as the project I’m on uses RESTful communications between the various components. Mark introduced us to a tool, Postman, that is something I will certainly be using, plus gave an insight into methods of automating such testing. An enjoyable and informative workshop that will have direct benefit on Monday morning!
Ohso social club was again the venue for the pre-Testbash meetup, and once again the meetup did not disappoint. I love coming to these events not only to catch up with the many interesting people I have met over the last few years, but also to meet new ones. The topic of labels and the connotations they have came up a few times in various conversations, which was really interesting and something I’m putting a fair amount of thought into at the moment. Again it largely comes down to communication: appreciating the language of those you’re talking to and not relying on names or labels, but instead explaining intent and reason.
… And now to this morning…. First, must get a coffee…
There are some pretty sore heads this morning following the meetup last night! But I’m sure a few coffees and a comfy seat in the auditorium will either kill or cure!
So, we’re all nearly in… Looks like Vernon is hosting, this will be lively!
First order of the day, experienced testbashers have to look after the noobs! We are a community!
99-second talks are advertised… They lead to many opportunities at other events etc., and are a great introduction to speaking.
Call out to the sponsors, Cambridge Consultants! Whoop whoop! And an important note… In case of emergency follow Vernon, ’cause he’ll be the first one out! Same principle for lunch!
Testbash is going on tour, back to America, Philly! And a little closer to home with Testbash Manchester, and the CFP is open. I’m loving the fact that Testbash is growing, spreading the testing love.
Talk 1 – Building the right thing: how testers can help – Lisa Crispin & Emma Armstrong
First up, Lisa Crispin and Emma Armstrong, two powerhouses in the world of testing, so really looking forward to this one.
The talk is on ‘how do we build the right thing’. First up… building something with paper that flies through the air… I suspect, knowing many of the testers here, that many will screw the paper into a ball… MVP! I like paper aeroplanes so…
How can we learn faster, and learn to build the right thing? Lisa talks about the lean startup approach: build a thin slice, measure and learn from that experience to adapt and grow, and shorten the feedback loop. Emma gives Henrik Kniberg’s vehicle iteration example, which provides transport at every step but improves based on feedback and desire.
This is as opposed to building the fully formed product, which only delivers very late on.
Testers are often able to think in the bigger picture, which can help to engage with the team, stakeholders and potentially helps to get clearer understanding of the feature, product, change.
Start with the why… What’s the purpose? Who is it important to? Why do they want it?
Accepting different perspectives can help to put together a much more cohesive solution, Emma gives the 6 blind men and the elephant example.
Getting everyone engaged and getting those perspectives can be done using the 3 amigos approach; having too many people in a discussion may not be the most productive way to elicit those perspectives. Choose a meeting format, a framework that will work within the current context.
The 7 product dimensions (Gottesdiener and Gorman)
- Data – plan the time to get the test data
- Control – legal issues, check with the appropriate people
- Environment – where will it be used?
- Quality attributes – the -ilities…
It’s a good cheat sheet to help keep the different perspectives in mind.
Examples can really help with understanding across all the people involved and elicit discussions to get the examples right. They introduce “example mapping”, first developed by Brian Marick. Stories, rules, examples, questions. Having this information gets everyone on the same page from the start.
Building the right thing means creating a shared understanding. Build what the customer really wants, not what they think they want. I couldn’t agree more, and this ties in really well with some of the key points I picked up from the workshops yesterday. Speak the client’s language, and get to know what really makes them tick, what they are afraid of and what they actually want to achieve.
Great talk and nicely done by Emma and Lisa!
Apparently drinking and food are good motivators to encourage participation in retrospective, who knew!
Wow, this live blogging thing is a challenge, but seems to be going ok so far…
Talk 2 – Testing or hacking? Real advice on effective security testing strategies – Dan Billing
Next up, Dan Billing, “testing or hacking”. He opens with the bold statement that “our applications are being hacked”. Over 220 million people’s data exposed last year… US population is roughly 350 million… Wow, that’s a big proportion of people!
Security should be part of the testing conversation and represents one of the largest risks in software development work. But we could learn from hackers to get better at testing… adaptive, dedicated, meticulous…
A quote about hackers from Keren Elazari (photo) equates them to antibodies, the immune system. Interesting analogy: sometimes they make us sick, sometimes they make us fix stuff.
Common statements “why do we need to do security testing”, “that’s out of scope”, “we are outsourcing that”, “that’s a non-functional requirement”. Dan suggests that security is a functional issue as it can directly affect the functionality of the product. “We don’t have the skills”, Dan calls out to Bill Matthews and his security testing workshop. “We need to deliver fast, not slow things down”.
More positive statements: “I think we need to do security testing”, “where do we start”, “how do we do it”, “what tools do we need”, “how do we know if we are secure”… We are never totally secure, and that needs to be understood.
In reality, users do unexpected things, and hackers are users! They might attack at each level of privilege, so that’s a good place to start.
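The “attack at each level of privilege” idea from the talk can be turned into a repeatable check. The following is an added example of my own, not code from Dan’s talk: a hypothetical in-memory application (`fake_app`, with a deliberately missing ownership check) and a matrix that calls every endpoint as anonymous, ordinary user and admin and reports where the actual status differs from the expected one. All paths, roles, ids and status codes are made up for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    role: str                       # "anonymous", "user" or "admin"
    actor_id: Optional[int] = None  # id of the logged-in user, None when anonymous


def fake_app(req: Request) -> int:
    """Constructed stand-in for the system under test; returns an HTTP status.

    It carries one deliberate broken-access-control flaw: profile reads check
    only that the caller is logged in, not that the caller owns the profile.
    """
    if req.path == "/public":
        return 200
    if req.role == "anonymous":
        return 401
    if req.path.startswith("/profile/"):
        # Flaw: an ordinary user can read any profile, not just their own.
        return 200
    if req.method == "DELETE" and req.path.startswith("/users/"):
        return 200 if req.role == "admin" else 403
    return 404


# What each privilege level *should* get back. The acting user is id 7;
# profile 8 and user 8 belong to somebody else. (Hypothetical values.)
ACTOR_ID = 7
EXPECTED = {
    ("GET", "/public"):     {"anonymous": 200, "user": 200, "admin": 200},
    ("GET", "/profile/7"):  {"anonymous": 401, "user": 200, "admin": 200},
    ("GET", "/profile/8"):  {"anonymous": 401, "user": 403, "admin": 200},
    ("DELETE", "/users/8"): {"anonymous": 401, "user": 403, "admin": 200},
}


def run_matrix(app: Callable[[Request], int] = fake_app) -> List[dict]:
    """Exercise every endpoint at every privilege level; return the mismatches."""
    findings = []
    for (method, path), per_role in EXPECTED.items():
        for role, want in per_role.items():
            actor = None if role == "anonymous" else ACTOR_ID
            got = app(Request(method, path, role, actor))
            if got != want:
                findings.append({"method": method, "path": path, "role": role,
                                 "expected": want, "got": got})
    return findings


if __name__ == "__main__":
    for f in run_matrix():
        print(f"{f['role']:<9} {f['method']} {f['path']}: "
              f"expected {f['expected']}, got {f['got']}")
```

Against a real application `fake_app` would be replaced by a function that sends the request with the right session or token for each role; the matrix itself stays the same, and the one mismatch it reports here (a user reading another user’s profile) is exactly the kind of bug that a scanner looking for injection will never flag.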
It helps to know your stack, as it will inform what weaknesses are present and that is certainly how the hackers will approach their work. Components and their implementations can lead to vulnerabilities, and knowing your environment will help with security testing and much more.
Armadillos are soft on the inside and crunchy on the outside! An example of how the armadillo knows its weakness, so has the outer shell, but the predators also know this and have adapted their attacks accordingly.
It is important to power up your skills and learn more. A great place to start is the OWASP website for cheat sheets and examples.
It is also important to use your tools effectively; learn them to avoid focusing on false positives. (The TalkTalk hack used sqlmap, which is free…)
Dan’s model… Scan (ZAP, Burp Suite), verify/challenge results, explore (Bug Magnet, fuzzing tools on APIs) -> feeds back to the scan phase.
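To make the verify and explore steps of that loop concrete, here is an added example of my own (not from the talk, and not real scanner output): a hypothetical endpoint (`fake_endpoint`) with one escaped reflection, one raw reflection and one unparameterised id, a constructed list of three scanner findings, a verifier that re-tests each finding with a unique marker so that the escaped echo is rejected as a false positive, and an explore step that throws Bug Magnet style boundary values at each parameter and collects the server errors for the next scan pass. Parameter names, payloads and responses are all made up.

```python
import html
from typing import Dict, List, Tuple


def fake_endpoint(params: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for a search page; returns (status, body).

    'q'    is reflected HTML-escaped           -> safe (the scanner still flags it)
    'sort' is reflected raw into an attribute  -> real reflected XSS
    'id'   is pasted into a SQL string; any non-digit value breaks the query
    """
    q = html.escape(params.get("q", ""))
    sort = params.get("sort", "name")
    ident = params.get("id", "1")
    if not ident.isdigit():
        return 500, f"SQL syntax error near '{ident}'"
    return 200, f'<input value="{q}"><a href="?sort={sort}">sort</a><p>item {ident}</p>'


# Constructed scanner output, in the shape a tool like ZAP would report it.
SCAN_FINDINGS = [
    {"param": "q",    "type": "xss"},
    {"param": "sort", "type": "xss"},
    {"param": "id",   "type": "sqli"},
]

MARKER = "zq9x"  # unique token so a reflection cannot be confused with page content


def verify_xss(param: str, app=fake_endpoint) -> bool:
    """Confirmed only if the tag comes back unescaped; an escaped echo is not a bug."""
    _, body = app({param: f'"><{MARKER}>'})
    return f"<{MARKER}>" in body


def verify_sqli(param: str, app=fake_endpoint) -> bool:
    """Confirmed if a benign value works and a single quote turns it into a DB error."""
    base_status, _ = app({param: "1"})
    quoted_status, body = app({param: "1'"})
    return base_status == 200 and quoted_status == 500 and "syntax" in body.lower()


VERIFIERS = {"xss": verify_xss, "sqli": verify_sqli}


def verify(findings: List[dict], app=fake_endpoint) -> Tuple[List[dict], List[dict]]:
    """Split scanner findings into confirmed bugs and rejected false positives."""
    confirmed, rejected = [], []
    for f in findings:
        (confirmed if VERIFIERS[f["type"]](f["param"], app) else rejected).append(f)
    return confirmed, rejected


# Bug Magnet style boundary values for the explore phase.
EXPLORE_INPUTS = ["", "0", "-1", "9" * 20, "ÄÖÜ", "<", "\x00"]


def explore(params: List[str], app=fake_endpoint) -> List[dict]:
    """Throw boundary values at every parameter; server errors feed the next scan."""
    hits = []
    for p in params:
        for value in EXPLORE_INPUTS:
            status, _ = app({p: value})
            if status >= 500:
                hits.append({"param": p, "input": value, "status": status})
    return hits


if __name__ == "__main__":
    confirmed, rejected = verify(SCAN_FINDINGS)
    print("confirmed:", [f["param"] for f in confirmed])
    print("false positives:", [f["param"] for f in rejected])
    print("explore hits:", [(h["param"], repr(h["input"])) for h in explore(["q", "sort", "id"])])
```

The point of the marker is that a scanner “sees” its probe echoed in the `q` field and reports XSS, but the echo is escaped; only an unescaped reflection counts as a confirmed finding. The explore step deliberately includes values (empty, negative, non-ASCII, a NUL byte) that a scanner’s default payload list may not send, and anything that produces a server error goes back onto the list of things to scan and verify.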
Another strategy is “be occasionally evil”. Dan then shows some evil user stories from owasp.org; seems like a useful resource, I’ll certainly be looking at that later.
It is also important to think of testing in the big system picture, not just at the component level, and get feedback from others, testers, users. Balance the security against usability, assess the risk. Consider it within the context of the system.
Another common theme rears its head… How to communicate the results or need for security testing to others. Focus on the risk, or consequences.
Really interesting talk and an area I haven’t had much exposure to, but something I’d like to know more about! This talk was a good start!
The live blog is continued in part 2