
September/October 2012

$9.95

www.TechWell.com

WEB APP SECURITY

Tools for your test strategy


OH, DEVOLVE

Governance and the happy medium

Attend Live, Instructor-Led Classes via Your Computer.

NEW Live Virtual Courses:
Become a Test Automation Champion
Mastering Test Automation
Essential Test Management and Planning
Finding Ambiguities in Requirements
Getting Requirements Right the First Time
Testing Under Pressure
Performance, Load, and Stress Testing
Generating Great Testing Ideas
Agile Test Automation

Convenient, Cost-Effective Training by Industry Experts

Live Virtual Package Includes:

Easy course access: You attend training right from your computer, and communication is handled by a phone conference bridge utilizing Cisco's WebEx technology. That means you can access your training course quickly and easily and participate freely.

Live, expert instruction: See and hear your instructor presenting the course materials and answering your questions in real time.

Valuable course materials: Our live virtual training uses the same valuable course materials as our classroom training. Students will have direct access to the course materials.

Hands-on exercises: An essential component of any learning experience is applying what you have learned. Using the latest technology, your instructor can provide students with hands-on exercises, group activities, and breakout sessions.

Real-time communication: Communicate in real time directly with the instructor. Ask questions, provide comments, and participate in the class discussions.

Peer interaction: Networking with peers has always been a valuable part of any classroom training. Live virtual training gives you the opportunity to interact with and learn from the other attendees during breakout sessions, course lecture, and Q&A.

Convenient schedule: Course instruction is divided into modules no longer than three hours per day. This schedule makes it easy for you to get the training you need without taking days out of the office and setting aside projects.

Small class size: Live virtual courses are limited to the same small class sizes as our instructor-led training. This provides you with the opportunity for personal interaction with the instructor.

SQE TRAINING
www.sqetraining.com

Level up your productivity Upgrade to Hansoft


Simplifying program management and day-to-day lean, agile, and Gantt scheduling development.

Download a free 2-user trial at www.hansoft.se

Hansoft is an integrated solution for agile and lean development, collaborative scheduling, real-time reporting, bug tracking/QA, workload coordination, portfolio and document management, used by the most demanding software developers in Europe, Asia, Australia, and North America. Hansoft not only makes team members and managers more productive in their everyday work, it also increases organizational productivity by enabling more efficient production methods and practices. Reduce your project risks with Hansoft; control your success.

Volume 14, Issue 5, September/October 2012

CONTENTS

Features

14 COVER STORY: THE SOFTWARE DEVELOPMENT GAME
Adapting your software development tools, practices, and processes can be difficult, even overwhelming. Where do you start? Jonathan Kohl and David McFadzean have studied and applied game-like processes and behaviors to help provide structure to software development adaptation. They propose a process strategy called the software development game to help teams who are faced with change. by Jonathan Kohl and David McFadzean

20 PRACTICAL SECURITY TESTING FOR WEB APPLICATIONS
Software security is vital, but security testing can take time to master. Scott Aziz offers some practical techniques that will help you get started. by Scott Aziz

24 WHAT'S GOVERNANCE GOT TO DO WITH EFFECTIVE SOFTWARE DEVELOPMENT?
Governance doesn't have to end in bureaucracy. Learn to maintain and refine your governance structures, and you'll reap the rewards of improved decision-making processes. by Graham Oakes

In Every Issue

4 Mark Your Calendar
6 Contributors
7 Editor's Note
10 From One Expert to Another
11 Virtual Resource Shelf
27 Product Announcements
35 FAQ
37 Ad Index

Columns

9 TECHNICALLY SPEAKING: SURPRISE! by Lee Copeland
When we are surprised, it's because we were oblivious to events in our world and we failed to observe relevant information. How oblivious are you?

12 CAREER DEVELOPMENT: DON'T BURY THE SURVIVORS: THE VALUE OF CLEAR COMMUNICATION by Lanette Creamer
Whether you're discussing software defects with your test team, analyzing requirements with your BA, or programming in your favorite new language, communication is essential. Lanette Creamer has some tips to help you communicate clearly with any audience.

36 THE LAST WORD: NO ONE LEFT BEHIND by Rajini Padmanaban
Ten percent of the world's population lives with some sort of disability. Is your product optimized to meet their needs?

Better Software magazine: The print companion to TechWell.com brings you the hands-on, knowledge-building information you need to run smarter projects and deliver better products that win in the marketplace and positively affect the bottom line. Subscribe today to get six issues. Visit www.BetterSoftware.com or call 800.450.7854.

www.TechWell.com

SEPTEMBER/OCTOBER 2012

BETTER SOFTWARE

MARK YOUR CALENDAR

SQE TRAINING

Software Tester Certification
www.sqetraining.com/certification
September 25–27, 2012: Atlanta, GA; Toronto, ON
September 30–October 2, 2012: Anaheim, CA
October 9–11, 2012: Portland, OR; St. Louis, MO
October 16–18, 2012: Austin, TX; New York/New Jersey
October 22–24, 2012: Tampa, FL
October 23–25, 2012: Chicago, IL
October 30–November 1, 2012: Bethesda, MD; Raleigh, NC
Advanced Certification Training, October 29–November 2, 2012: Bethesda, MD

Training Weeks
www.sqetraining.com/trainingweek
Testing Training Weeks: October 22–26, 2012, Tampa, FL; November 12–16, 2012, San Francisco, CA
Agile Software Development Training: November 4–6, 2012, Orlando, FL

Conferences
STARWEST 2012, www.sqe.com/StarWest, September 30–October 5, 2012, Disneyland Hotel, Anaheim, CA
Better Software Conference East 2012, www.sqe.com/BetterSoftwareEast, November 4–9, 2012, Rosen Shingle Creek, Orlando, FL
Agile Development Conference East 2012, www.sqe.com/AgileDevelopmentEast, November 4–9, 2012, Rosen Shingle Creek, Orlando, FL
STARCANADA 2013, www.sqe.com/StarCanada, April 8–12, 2013, Delta Chelsea, Toronto, ON
STAREAST 2013, www.sqe.com/StarEast, April 28–May 3, 2013, Rosen Shingle Creek, Orlando, FL
Better Software Conference West 2013, www.sqe.com/BetterSoftwareWest, June 2–7, 2013, Caesars Palace, Las Vegas, NV
Agile Development Conference West 2013, www.sqe.com/AgileDevelopmentWest, June 2–7, 2013, Caesars Palace, Las Vegas, NV

Publisher: Software Quality Engineering, Inc.
President/CEO: Wayne Middleton
Vice President of Communications: Heather Buckman
Publications Manager: Heather Shanholtzer

Editorial
Managing Technical Editor: Lee Copeland
Online Editors: Joseph McAllister, Jonathan Vanian
Community Manager: David DeWald
Production Coordinator: Cheryl M. Burke

Design
Creative Director: Catherine J. Clinger
Advertising Sales Consultants: Daryll Paiva, Kim Trott
Production Coordinator: Desiree Khouri

CONTACT US
Editors: editors@bettersoftware.com
Subscriber Services: info@bettersoftware.com
Phone: 904.278.0524, 888.268.8770
Fax: 904.278.4380
Address: Better Software magazine, Software Quality Engineering, Inc., 340 Corporate Way, Suite 300, Orange Park, FL 32073


Test Studio

Easily record automated tests for your modern HTML5 apps

Test the reliability of your rich, interactive JavaScript apps with just a few clicks. Benefit from built-in translators for the new HTML5 controls, cross-browser support, JavaScript event handling, and codeless test automation of multimedia elements.

www.telerik.com/html5-testing

Contributors
Scott Robert Aziz is director of software quality services for QA labs at UST Global. In software quality assurance for twenty-four years, Scott has ten years of experience working with companies that have adopted SOA and web services. His expertise is in the formulation of a holistic SOA QA strategy that optimizes quality across an entire software development lifecycle. Scott can be reached at Scott.Aziz@ust-global.com.

With more than thirty years of experience, Lee Copeland has worked as a programmer, development director, process improvement leader, and consultant. Based on his experience, Lee has developed and taught a number of training courses and is the managing technical editor for Better Software magazine, a regular columnist for StickyMinds.com, and the author of A Practitioner's Guide to Software Test Design. Contact Lee at lcopeland@sqe.com.

Lanette Creamer likes testing software even more than Diet Coke and cats. After working for a decade at Adobe, Lanette jumped into independent consulting. Throughout her career, she has evangelized advancement of real-time human thought over process solutions in software quality. Lanette believes collaboration is a powerful solution when facing complex technical challenges. Find Lanette on her well-known TestyRedhead blog, on Twitter, and occasionally in industry magazines and technical papers.

Jonathan Kohl is an internationally recognized consultant and technical leader, popular author, and speaker. Based in Calgary, Alberta, Canada, he is the founder and principal software consultant of Kohl Concepts, Inc. Jonathan helps companies define and implement their ideas into products, coaches practitioners as they develop software on teams, and works with leaders to help them define and implement their strategic vision. Read more of Jonathan's work at www.kohl.ca or contact him at jonathan@kohl.ca.

Based in Calgary, Alberta, Canada, David McFadzean has more than twenty-five years' experience and is passionate about building technology that increases intelligence by enabling better decisions. With an academic background in artificial intelligence, David has worked for several technology startups, including two he cofounded, taking on the roles of coder, UX designer, software architect, product owner, trainer, development manager, and executive. He is especially interested in helping technology startups transition to commercial ventures.

Graham Oakes helps people untangle complex technology, relationships, processes, and governance. Graham can be contacted through www.grahamoakes.co.uk or at graham@grahamoakes.co.uk. He is the author of the book Project Reviews, Assurance and Governance.

As director of engagement, Rajini Padmanaban leads the engagement and relationship management for some of QA InfoTech's largest and most strategic accounts. Rajini has more than ten years of professional experience, primarily in the software quality assurance space. She actively advocates software quality assurance through evangelistic activities including blogging on test trends, technologies, and best practices. Read Rajini's official blogs at www.qainfotech.com/blog and reach her at rajini.padmanaban@qainfotech.net.

Dale Perry has more than thirty-four years of experience in information technology as a programmer/analyst, database administrator, project manager, development manager, tester, and test manager. A professional instructor for more than twenty years, he has presented at numerous industry conferences on development and testing. With Software Quality Engineering for fifteen years, Dale has specialized in training and consulting on testing, inspections and reviews, and other testing and quality-related topics.

With a background in commercial engineering and cultural science, Zeger van Hese started his professional career in the motion picture industry, switching to IT in 1999. A test manager at CTG Belgium, Zeger has a passion for exploratory testing, testing in agile projects, and, above all, continuous learning from different perspectives. He is the program chair of Eurostar 2012 in Amsterdam and co-founder of the Dutch Exploratory Workshop on Testing (DEWT). Zeger muses about testing on his Test Side Story blog, is co-author of CTG's STBoX Agile flavor, and regularly speaks at conferences worldwide.


Editor's Note

I'm not one for video games, but I do enjoy a game of Boggle, dominos, or even badminton on occasion. Games can be relaxing, and they can also give you insight into the personality of your challenger. For example, I'm a stickler for the rules and consider myself a good sport, but I've played games with friends who think nothing of pushing the limits of legal play and others who have a very bad attitude about losing. I've also played games with people who want to help everyone else do well, even to the detriment of their winning the game. It's fascinating to watch how competition and defined constraints affect people differently.

There is a growing movement called the gamification of work that is becoming popular in many organizations. This method applies game-like activities to business situations to increase productivity and motivation. Much like I have experienced how different people behave while competing, researchers are examining how gamification can be used to improve business practices. Another area of study, game theory, is used to study decision-making strategies using mathematical models of cooperation and conflict. While game theory is normally applied to areas like economics, war, and even biology, when certain aspects of game theory are paired with gamification ideas and applied to software, the result is a strategy that Jonathan Kohl and David McFadzean call The Software Development Game. David has implemented this game on several projects with a lot of success. Their article explains the rules of the software development game and how you can apply it on your projects to manage decision making about processes, tools, and technology.

Also in this issue, given the preponderance of apps in our daily lives, you shouldn't miss Scott Aziz's exploration of some security testing tools in "Practical Security Testing for Web Applications." And, finally, nothing screams red tape like the word governance. But what if you could refine your governance structures in a way that actually improves decision making instead of burying you under a pile of bureaucracy? Graham Oakes has a few ideas in his article, "What's Governance Got to Do with Effective Software Development?" As always, I hope you enjoy this issue of Better Software magazine. Shoot me an email to let me know how you put the tools and techniques to work for you. Or look me up on Words With Friends.

Happy reading,

Heather Shanholtzer hshanholtzer@sqe.com


Test at a Higher Level: Mapping It Out
The Leading Conference on Software Testing Analysis & Review

Choose from a full week of learning, networking, and more

Sunday: Multi-day training classes begin
Tuesday: 9 in-depth half- and full-day tutorials
Wednesday–Thursday: 3 keynotes, 28 concurrent sessions, the EXPO, networking events, receptions, and more

April 7–11, 2013
Toronto, Ontario
Delta Chelsea

Register by February 8, 2013 and save up to $300

Groups of 3+ save even more!
www.sqe.com/starcanada

Technically Speaking

Surprise!
Surprises are the worlds invitation to learn. Let your surprises trigger an investigation of your observation, meaning, and significance processes.
by Lee Copeland | lcopeland@sqe.com
Recently, when we were discussing the wonders of butterflies, my three-year-old granddaughter, Kendra, said, "Grandpa, when I was younger..." I was surprised to hear someone of her advanced age reminisce about her past.

The word surprise means to discover suddenly, unexpectedly, and without warning; to become aware of something not previously perceived. Surprise is a manifestation of a discontinuity in our awareness.

In my software development manager days, I hated surprises. Surprises were almost always bad news. Now that I'm a lot older and a little wiser, I realize that surprise is often an indicator that discovery, learning, or even delight may be just around the corner. The surprise itself can be amusing, enlightening, befuddling, disconcerting, or frightening, but surprise should not be the end of the experience; it should be the beginning. Analyze the surprise to learn why you didn't see it coming and what you gain from that.

When we are surprised, it may be that we have simply been oblivious to events in our world. As humans, we fail to observe huge amounts of information. That's understandable: there is simply too much of it. However, some individuals and software organizations maintain what Jerry Weinberg calls an "oblivious culture." [1] They choose not to systematically observe anything about their products, people, or processes. A second type of person observes but quickly filters out data that does not match his view of the world. (That continued quarterly decline in profits must be an anomaly.) A third type of observer, to prevent having to deal with the realities of the world, actually prohibits observing generally when information gained through past observation caused conflict. I once worked for an organization that, each year, changed the way it measured programmer productivity, defects, and client satisfaction. The stated reason was to become more accurate. The real reason was so that years could not be compared with other years. An accurate comparison would have shown that we were getting worse. When surprised, you might first consider whether your surprise came from a self-inflicted lack of awareness.

As we view the world around us, we map observations onto our context, knowledge, experience, and feelings. If we fail to accurately map, we later may be surprised. In our mapping, we may misinterpret by assigning to our observation the worst possible meaning, or the best possible meaning, or a meaning based on our past, unresolved experiences rather than the present context. Biases, agendas, pressures, and expectations can cloud our assignment of meaning. If we are not careful, we may assume that the first meaning that we assign is the correct (and only) meaning. And this may not be true. Weinberg's Rule of Three ("If you can't think of at least three different meanings of what you observed, you haven't thought enough about it") is a vital tool to help our mapping of meaning.

After we assign meaning, we determine significance. We may have observed well and assigned proper meaning, but if we don't understand the significance, we may later be surprised. We may not assign the proper significance for a number of reasons: We just don't know how important it is; it simply does not fit into our previous experience; we may be operating under rules that don't serve us well; we may not be paying attention; or, like the story of the little boy who cried wolf, we have been previously conditioned to minimize its significance. (Why is it that my grandkids only complain of stomach aches on school day mornings and just before piano practice?)

Surprises are the world's invitation to learn. Let your surprises trigger an investigation of your observation, meaning, and significance processes. Look for gaps in your observational process. Which kind of oblivious are you? Do you assign meaning in an inquisitive and generative way, or do you follow preconceived notions? Finally, consider how you assign significance to observations and meanings. Let your surprises trigger your learning. You'll be surprised at how useful it is. {end}

Thanks to Michael Bolton, who always guides me well.

For more on the following topics go to www.StickyMinds.com/bettersoftware.

References


From One Expert to Another

Markus Gärtner
Years in Industry: 6
Email: mgaertne@gmail.com
Interviewed by: Zeger van Hese
Email: zeger.vanhese@ctg.com

Jason Gorman announced the Software Craftsmanship conference in London back in December 2008 ... It was awesome, even for a tester like me. Starting from there, I tried to learn as much as possible about software craftsmanship as I could, not from a technical point of view, but from a soft-skill point of view.

Long ago, I started digging into other topics than testing wisdom, topics like complexity science and psychology, and I found some pieces that are not very well known among testers. I see a lot of value in these fields, and I think we can learn a lot by combining these with our profession. I think in the years to come, testers will be very important to our field. We will teach testing to programmers, and we will have to seek testing skills in programmers, designers, and business experts and help them become better testers. My biggest challenge in teaching and mentoring testers right now is that I don't know what particularly I do that helps other testers grow ... I do some things that help other people while others refuse to listen to me. Of course, this is all right. I don't listen to anyone else on the street either.

I still think that testing is disrespected by others involved in software because there are too many out there who do a terrible job at it.

In the light of the new software development, we will have to find our spot. It will no longer be possible for a tester to hide behind test-case templates or foster following a test plan document only to find out that the product is unusable for everyone.

For the full interview, visit

http://well.tc/FOETA14-5


Author-recommended books, blogs, gadgets, websites, and other tools for building better software

What are your favorite games to play with friends and family?
My favorite games to play with others are the team vs. team action and shooting genre, such as Halo and Call of Duty. They are a great release after a long day of developing QA and testing strategies and technical documentation. The competitiveness keeps everyone engaged and allows everyone to heckle each other in a friendly way, which provides for further entertainment.

Scott Aziz
My family has three different groups, each with its own unique culture. Craig and I love trivia, and we play Wordament together on his mobile phone, which means we never wait! We're learning new words together when we could be bored instead. My dad and stepmom like Rumikub and Mexican Train. I enjoy that those games are inclusive and allow for a good side conversation while playing them. My mom's side of the family is extroverted and very lively! We love to play Taboo, Cranium, and any game that is social, boisterous, and full of laughter. I like strategic games the best. I have fond memories of playing chess with my dad (a top-notch player) and learning that strategy could win out over experience and skill. I also played a lot of sports, so physical games can be a lot of fun with family because you have such a range of ages and skills.

Jonathan Kohl
Go Fish. Sometimes I can beat the grandkids.

Lee Copeland
My favorite game that I play quite often is a word-find game, where the player finds the word based on a limited set of clues that the other player provides. Although it calls for quick and deep thinking, I enjoy this because it makes you more agile and analytical, improving your problem-solving skills, so this is a great game to hone one's testing skills in the process.

Lanette Creamer
I really enjoy playing massively multiplayer roleplaying games such as Lord of the Rings Online, Star Wars: The Old Republic, and Guild Wars 2. I've been a fan of role-playing games since the 80s because the story-telling aspect allows you to explore the moral dimension of your character's actions. The online versions allow me to play with the same group of friends even though we now live in different cities.

Rajini Padmanaban

David McFadzean
The game I and my family keep coming back to is Monopoly. It's a very social game: simple rules with a lot of scope to negotiate local variations, make deals, etc. And there's a good balance between luck and strategy, between risk and reward.

Graham Oakes

Career Development

Don't Bury the Survivors: The Value of Clear Communication


Ultimately, the value that you provide is only realized when you can communicate it in a way that reaches your audience. Even genius work becomes invisible when insufficiently communicated.
by Lanette Creamer | lanette.creamer@gmail.com
After a plane crash, where should the survivors be buried? Recent studies conducted by the Economic and Social Research Council (ESRC) [1] indicate that approximately half of the participants asked this question reacted as if they were being asked about those who died in the plane crash rather than those who survived it. One person to whom I asked the question said, "Since death customs vary, the wish of the individual as well as the family of the deceased should choose where they are buried." It takes a political talent to answer a question so thoroughly when you aren't sure of the intent. I would expect a good tester to clarify the meaning and ask questions, e.g., is the point of the survey to trick us into burying survivors? In fact, this study was designed to help us understand more about how our brains interpret the words that we hear.

Under pressure, our minds skip words. It makes sense that we wouldn't process every trivial, connecting word in a sentence. However, it is surprising to find that we also skip words that impact the meaning of the sentence. Research into brain activity from the ESRC study reveals that we are more likely to use this type of shallow processing under conditions of higher cognitive load, that is, when the task we are faced with is more difficult or when we are dealing with more than one task at a time. Correct information is the most vital when we face complexity or multiple tasks, so that we can prioritize and deliver correct results. But our brains' attempt to speed up under stress undermines our accuracy at absorbing data at critical moments.

Clarity is also essential when communicating about a software defect. While the impact to the user may be subjective, the scope of the defect and how to reproduce it have specific answers. Testers and programmers who interact with computer systems all day may forget that every command a computer receives is a series of on and off switches. We communicate with our computers in interpreted binary, no matter how sophisticated, brilliant, and elegant the interpretation of our favorite programming language may be. The computer doesn't correct our wrong commands with its own computer assumptions.

Some of the most common software issues aren't even in the existing code. Humans may have introduced them in the requirements. If you are lucky, the people writing your requirements are skilled at writing requirements, familiar with the market, and knowledgeable about industry vocabulary and the culture of creating quality software. If they have experience communicating with technical people and are also excellent writers, then fewer requirements will be lost in translation.

Pair programming can increase your odds of understanding a written requirement, by having two people translating the incoming requirement and writing the outgoing code. In addition, you get a code review and possibly refactoring while the programmers write the code. I've found similar advantages in pairing a programmer with a tester for a code walkthrough, where the tester can collaboratively validate the meaning and intent of the requirements while the programmer implements the agreed upon changes. Diverse points of view may result in a different outcome from the pair than they would reach on their own.

Many years ago, when I was a new tester, our biggest customer reported an urgent bug. When the team went to isolate the bug, it would only reproduce in their file. After learning that this critical issue was file specific, I uploaded the file to a shared server location and updated the bug so that those interested could access the file. I assumed that each person would copy down the file locally and then run the test on that one file. Clearly, I should have given only read access to everyone else. Instead, I made the file writable to everyone. Once others were looking at the file, the problem failed to reproduce, because it happened only when the file first converted from an earlier version. The older version of the customer file had to go through a code path of forward conversion, which showed the bug. Once the file was saved, it no longer could reproduce the condition that was causing the unpredictable behavior. It appeared that my steps were very unreliable. The conversion issue was such a high priority that multiple developers would wait for the customer file to be posted and then convert and save it nearly instantly, making the problem we were trying to fix impossible to recreate. This not only cost us the ability to reproduce the issue but also caused confusion and damage to a customer relationship. Once I realized what had happened, I set up a locked copy that no one could accidentally edit. We then were able to reproduce the bug and figure out the cause. But, by the time we fixed the bug and deployed it out to customers, we had damaged so much trust due to miscommunication and invalid assumptions.

Few professional publications would go to print without an editor, yet we still have many in software who question the need for professional testing. Many executives have had the bright idea to use cheap interns as editors in an attempt to save money, but they didn't expect to get the same result at the end. Ultimately, the value that you provide is only realized when you can communicate it in a way that reaches your audience. Even genius work becomes invisible when insufficiently communicated.

What can a technical practitioner do to communicate clearly? One useful skill is to observe more carefully which communication styles work with different people. Which messages get through to the most important targets? Do they understand better after seeing a visual example? How much detail do they need? Consider the audience with whom you are communicating. Use words that are inclusive to beginners when they are part of the group receiving your message. Make your purpose clear and your writing concise, and address more advanced questions separately to avoid losing beginners in the details. Being sincere is absolutely essential, as smart people are generally perceptive about tone, body language, and sarcasm. Stretch the limits of your own style in order to be better understood. For some people, this kind of real-time style adaptation is a natural talent. The rest of us can improve through practice.

As professional testers, we have opportunities to practice both on the job and in daily life. Some of the ways to practice testing are to run exploratory testing charters, brainstorm test ideas in a mind map, write a small script to get a new view of existing data, take a class on one aspect of testing, or explore new tools, blogs, tweets, or tutorials. Any of us can get out to a user group, a peer conference, or even an online presentation to keep our skills sharp. The same is true for communicating! Writing a blog is one way you can practice getting your point across with style and get feedback from others. Try asking your readers for peer feedback. Have you read any of the testing books written in the past three years? Have you peer reviewed an article? If you want to start writing, there are a few established groups of writers in software you could join. And, if you are attending the 2012 Better Software Conference East or Agile Development Conference East, join us at the From Practitioner to Published Author bonus session to discuss communicating clearly on the written page. {end}

For more on the following topic go to www.StickyMinds.com/bettersoftware.



www.TechWell.com

SEPTEMBER/OCTOBER 2012

BETTER SOFTWARE


Many teams struggle to choose or adapt a software development process. We've developed a process strategy called the software development game (SDG) for managing the mix of process, tools, and technology on software development teams. SDG lets you pick a process, any process, and, using gaming concepts, helps you adapt it to your own needs.

How can serious software development be treated like a game? While you may play games for fun in your spare time, games are also serious business. Sports have professional leagues that support entire industries around their games. The military uses war games to test strategies and train soldiers. The SDG has been influenced by both game theory [1] (although we aren't using any formal mathematical modeling) and a more recent concept called gamification [2]. Game theory is a mathematical discipline used for modeling areas as diverse as economics, war, business, artificial intelligence, and biological evolution. At its core, game theory views every situation involving cooperation and conflict as a game. Some games have a defined time limit of play and a clear winner and loser, while others are experience based and ongoing, like a quest.

Recently, a movement called the gamification of work has become popular. Gamification involves imposing a game-like structure on certain aspects of professional situations to aid in productivity and motivation. Gamification can be as simple as offering rewards for completing certain tasks, or as complex as transforming an entire business practice into a game-like system. Because we can be so productive while performing repetitive tasks within social or gaming situations, researchers are trying to figure out how to tap into that potential to motivate within the workplace. (Gamification of work and game theory are not necessarily related, but there is an overlap. Understanding game theory can help gamification efforts, and gamification ideas can enhance game theory implementation.)

On software development teams, the team vision, purpose, rules of conduct, and informal practices are often created and enforced informally. This can result in confusion about the mission and purpose of the development team within the organization. At best, this informality leads to misunderstandings and communication breakdown; at worst, it results in a poor alignment to leadership's goals for the organization. Either way, both the team members and the organizations lose out when there is wasted effort that isn't contributing to value creation.

While formal game theory involves the use of mathematical models, analyzing gaming behavior is also effective. We have studied one aspect of game theory that looks at how people optimize their decision processes. In the SDG, we use game-like processes to help teams align with goals, provide clarity and coherence on issues, and offer visibility into the decision-making process. The SDG provides structure and accountability on a process that is frequently ad hoc, political, and unclear to team members. By gamifying decision making, the SDG helps software development teams determine and record their internal practices and their mix of technology, process, and tools. It can also serve as a framework to adapt existing policy and practices or to implement suggested changes for improvement after a team retrospective.

While both of us have been influenced by game theory concepts when leading software development efforts, it was David who decided to create a software development game framework based on the game Nomic by Peter Suber [3]. Nomic is a game about decision making where players agree on an initial rule set to govern game play, then they raise and vote on proposals to change the rules. So, changing the rules of the game is considered a valid move. Nomic is frequently played online, and games adapt over time as the players incorporate new ideas and changes. This is a great fit for dynamic software development teams that are frequently confronted with changing environments.

Rules of Play
To implement an SDG instance, a software development team starts with a minimal set of rules and an initial goal to create a learning organization: a group of people who continually enhance their capabilities to create what they want to create [4]. Where the game evolves from there is entirely up to the players (team members), but if it goes well, they become more productive and efficient and make better decisions as the game progresses. The SDG can start at any level (executive, management, teams, or individuals). Later, the game can expand to include more players and teams as it proves its usefulness.

David started as the facilitator. He created the game concept and educated team members on the process and the goals of the game. Once David had management buy-in and the team agreed to try it out, he explained the initial rule set to govern game play and set up a meeting to see if all team members agreed to the rule set. A game page was created on the development team wiki describing the initial rule set.

Explanation of Rules:
Rule 1: The initial goal of the game is to create a learning organization that enables the players to make high-quality choices and decisions. This rule should likely be refined to integrate the mission of the organization playing the game, as we specified above.
Rule 2: All players must unanimously agree to all rule changes. The voting rule initially specifies unanimity to pass any proposal. Most games amend this early on to specify some sort of majority vote in order to avoid stalemates, but the initial rule errs on the side of caution so that the foundations can be laid out carefully.
Rule 3: Proposals may add, amend, or repeal a rule. This describes the initial set of moves that can be made in the game: introducing a new rule, changing an existing rule, or removing an existing rule. The game will usually evolve more sophisticated rules, such as giving certain classes of players the right to veto vote under some conditions; creating a category of immutable rules that cannot be amended (unless they are removed from that category); and introducing new types of acts such as resolutions, goals, standards, and guidelines.
Rule 4: All rules should be logically self-consistent. Ensuring that rules are logically self-consistent helps encourage fair play and motivates the players to keep the rule set sane. Whenever an inconsistency is introduced (accidentally or by design), the players will be motivated to resolve the inconsistency by amendment or repeal.

David then guided the team through initial game play. After agreeing on the initial rule set, the team set to work on solving a difficult issue: determining C++ coding standards for the team. Choosing coding standards can be one of the most contentious issues any development team can face. (Those of you who code for a living understand how difficult this can be; those of you who don't, imagine trying to find compromise between opposing political parties or religions.) A proposal for a coding standard was put forward and voted in with a majority. After the vote and resolution, meeting details and the coding standard resolution were recorded on the development team wiki. By bringing the coding standards into the game, they now became rules of the game itself.

By bringing software development policy and practices into the game, the team created a mechanism to follow and govern changes. For example, if a team member was complaining to colleagues about a lack of standards around builds, David would ask that person if the issue was important enough to be solved by the team. If it was, then he encouraged the team member to bring a proposal to the team so they could vote on it. A proposal could be as simple as: Broken builds are a serious productivity issue. Some of us are spending hours trying to fix the build instead of completing tasks. We need to agree to fix the build problem and come up with ideas to address the problem. While that might seem like a simple proposition to pass because it's easy to agree to solve a problem, the hard part is actually doing something about it. If a proposal is vague, team members will offer up ideas and alternatives, and proposal clarification is a natural outcome. A proposal can become more concrete through discussion and debate. Ideally, the team will generate proposals with ownership and responsibility assigned to team members. From our prior example, a more specific proposal that would be actionable is: Broken builds must be fixed before any new code is committed to the version control system.

Thinking up solutions for problems can take time and can cause a face-to-face meeting to drag out. Furthermore, some personality types think better outside of a group and may approach team members after a face-to-face meeting. The team agreed to use technology to make the process more efficient: proposals and votes on them could be initiated and executed electronically. If a proposal required more information than could be conveyed in email or was of a serious nature, the facilitator could initiate a face-to-face meeting to hear the proposal and hold a vote.

Now, imagine that you are the DevOps team member who has come up with a proposal to fix the build problem.
You're the team member who feels the broken build pain the most, and your potential solution works well. You've tested it out and your findings are positive. You explain your proposal to adopt a solution within the SDG, but you fail to get a majority vote. You are disappointed, and no other alternatives received a majority vote. You know this is the right way to go, so what do you do? If you want the vote, you will need to do what people in politics do and lobby for support. Educate team members on the merits of your proposal. Try to get key, influential people on your side to vote for the proposal. Appeal to the skeptics: How about a proposal to identify measurable outcomes and do periodic checks on the system to see if it is solving problems or not? Make a formal proposal and vote. Hope your lobbying efforts pay off and the proposal passes.

Evolving the Game

The SDG requires a framework for communication, raising issues, creating proposals to vote on, holding votes, and tallying results. David used a combination of a wiki, face-to-face meetings, email, and in-office instant messaging. In his role as facilitator, he answered questions, explained concepts, and watched for potential team issues that could be brought under the SDG.

Once team members are comfortable with the process, it doesn't take long for them to realize that any proposal can be brought forward, even the most self-serving ones. If there is team consensus to implement a change, the motivation behind it doesn't matter. It might be as simple as one team member becoming bored with the current technology and wanting to move to something new. It might seem selfish to say, "I don't want to work on Java web apps that much anymore. I'd love to work on mobile projects." But if it is brought up in a forum, you'd be surprised how many others on the team feel the same way, including managers and product managers. Management may feel the organization needs to move to new technology to not fall behind, and product managers may be researching what competitors are doing, but neither group wants to bother the busy development team about it right now. Without a forum to raise an issue openly and honestly, this kind of idea goes underground. In the worst case, it festers as a frustrated team member complains to others or attempts to use subversive or manipulative methods to try out a new technology platform. Once the right stakeholders are informed and they buy in to a proposal, it can be a powerful technique to introduce change, even with self-serving motivations.

Once David's team had proposed and voted on a number of resolutions, the rule set expanded. This required categorization. Two potential categories are rules that govern the game itself, and rules that govern software development activities. In addition to the initial SDG rules, rules were added to govern rule changes, proposals (create or withdraw proposals), voting rules (what constitutes majority), and multivotes (tie breakers, etc.). For the software development activities, rules were grouped according to team policies (vision statement, processes to follow) and development standards (coding standards, code reviews, and build and testing activities).

As the rule set expanded, roles were added so that team players could have ownership in certain areas of the game based on their expertise and interest level. For example, roles can involve facilitating game play itself, overseeing technical components of the software development system, and guiding product direction. Roles were expanded to include managers and other stakeholders when their participation was needed.

The SDG evolved further to include gamification aspects for repeated tasks. Achievements for repeated tasks that might not be that pleasant were added as quests in the game. For example, business travel can be difficult and tiring, so the team decided to reward the top travelers on the team by giving them a shout out on the team wiki. There also were humorous booby prizes awarded to the last person who set off the building alarm or to the person who broke the build the most frequently. This particular SDG instance has evolved to incorporate more and more of the daily life of the development team, while providing structure around communicating issues and making decisions on how to move forward.

Why It Works
This isn't a one-team, one-time success story. David has implemented several SDG instances on different teams at different companies over the past few years. We have found that making the problem-solving and decision-making processes visible helps improve communication and reduces confusion. Much misunderstanding on development teams stems from differing expectations about what the team or individuals should accomplish and a lack of alignment toward organizational goals. Since decisions are democratic (anyone can table an issue, the team votes on all changes, and decisions are binding), team members feel included and valued as integral parts of the process. The SDG provides a framework for raising concerns and changing existing practices and tools in a way that helps teams cope with the changes in their external environment by adapting their internal practices as needed. Furthermore, if the team finds that the game framework itself isn't working for them anymore, they change the rules to improve it.

Using game-like concepts in the workplace is a way to harness the natural behavioral dynamics that occur within groups. Since the game itself can be adapted, teams don't find themselves stuck with a rigid process that isn't appropriate for their new circumstances. Rules can be amended or even repealed if they no longer add value.

Management and other leaders might be nervous about the SDG at first. It should be clear for both management and team members that the game only applies to areas over which the development team has ownership. The team shouldn't contradict existing corporate policies or try to overturn decisions made by leadership. For example, team members can't just go and vote themselves raises and bonuses or decide on their own to scrap the existing product line. For areas that are governed by other stakeholders, the team can bring issues to their attention, but the existing organizational structure and policies should remain intact. (If leaders want to add the game to other areas, that is fine, but don't try to use the game to undermine them.) Leaders will find that the game can create clarity and coherence of their vision of the company and their product and service mix. Team alignment on actions and goals may increase, and the transparency on decisions means its management can review when and why certain technical directions were taken when proposals were voted in.

An SDG helps teams make decisions, particularly if the teams are self-organizing. It also helps build team cohesion and encourages diversity of opinion and healthy dissent. If there are serious problems, an SDG can provide a framework to help a team change course on projects and tasks to reach organizational goals. A fabulous place to start using an SDG is to help implement changes after a retrospective. How many times do we have a great meeting after a release, outlining problems we encountered and possible solutions, only to forget about them until the next retrospective? In the meantime, we didn't do anything; we were too busy working on tasks. We had great intentions, but without a system to help us decide on courses of action and to measure progress, we forgot about our solution ideas. With an SDG, retrospective ideas can be implemented through the game, rather than forgotten until next time.

Implementing Your Own Software Development Game

1. Start off with simple game play rules (feel free to use our example).
2. Use a facilitator to guide game play, manage meetings, tally scores, and record and update rules.
3. Start simple, and let the game evolve. Don't try to do too much. Develop team policy and alignment to organizational goals. Consider using the game to help implement retrospective ideas.
4. Use the game to discover what your existing processes are, record and ratify them, and make them visible to all team members.
5. Don't let the rules become unwieldy: Try to keep rules brief and lightweight. If rules are too numerous, work on scaling them back.
6. As the game expands, introduce additional roles to help with administration.

Conclusion
Software development processes can be difficult concepts to apply broadly. What worked for one team in its unique context may not work for your team. Adaptation is important in cases when a team tries out a process and finds that some practices don't work or that key components are completely absent. When processes fail, a convenient response is "You need to do what works for you and your team." That makes sense, but what specific, concrete practices do you use to find out what process works for you? We've had good success figuring that out for our teams by using the software development game. {end}


jonathan@kohl.ca davidmc@gmail.com

For more on the following topics go to www.StickyMinds.com/bettersoftware.



So, You Want to Be a TechWell Curator?

What Is a TechWell Curator?


TechWell curators are software professionals who are knowledgeable, enthusiastic, and engaged in the latest industry trends, tools, and technology. Using content sourced from around the Internet, our curators compose short stories that are interesting, entertaining, sometimes thought provoking, and occasionally opinionated.

What Do I Have to Do?


Each curator is responsible for submitting a minimum of five to ten stories a month. Stories should run 300-600 words, with 400 words being ideal. Stories are built around and should link to articles, videos, blog posts, or other online content, both from our TechWell Community sites and anywhere in the Internet, that the curator considers interesting and applicable to our audience. You should expect to spend one to two hours developing and writing a story. Because audience engagement is key to the success of a curated site, we ask curators to respond to reader comments and questions.

What's in It for Me?


Stories you write will feature your byline with a link to a profile page containing your photo, bio, and links to your blog, Twitter, LinkedIn, etc. Readers will come to know you, your stories, and your personality. Thought leaders are born this way. TechWell curators receive $500 per month for five stories and $100 per additional story written each month up to a total of ten stories ($1,000) per month. In addition, active TechWell curators receive free Wednesday-Thursday conference passes to any SQE conference and half price on pre- and post-conference event sessions (tutorials + summit).

What Is the Publishing Process?


Curators submit stories to the TechWell editors, who check them for grammar, style, and punctuation, and then publish them to the site, usually within two business days.

What If I Can't Write for a While or Want to Stop Curating?


We understand life can get hectic. So, if you need to take a temporary break from curating, we ask that you give us two weeks' notice. In the event you decide curating is not for you, please let us know thirty days in advance so we can look for a replacement.

How Do I Get Started?


To apply for a TechWell curator position, please contact Heather Shanholtzer at hshanholtzer@sqe.com with the following information:
Name
Company affiliation
Interest area(s)
Approximate stories per month you are available to curate
Heather will share examples and you will be asked to write several sample stories in the curation style, then we will mutually determine if this is a good fit for each of us.
340 Corporate Way | Suite 300 | Orange Park, FL | 32073 | 904.278.0524 | www.TechWell.com


It seems like every week the press has yet another story about security breaches or stolen data at some of the world's largest companies or government agencies. Sometimes the responsibility for ensuring thorough security resides with an IT security group, and other times it gets outsourced altogether. The responsibility seldom falls to testing teams. However, this is changing. Having trained and experienced testers hunt for security bugs will make web applications safer from hackers and will further protect consumers, corporate assets, and brands.

Security testing techniques are not well known to many traditional functional testing teams because there are relatively few opportunities to learn them compared to learning functional testing. And, security testing is more difficult to perform than functional testing for reasons including: vague security requirements for many applications; low-level, technically challenging testing approaches; and security testing tools that are difficult to set up and configure.

A major consideration for any security testing strategy is that every architectural layer of an application is vulnerable in different ways; some are more easily penetrated and exploited than others. These layers are known as the attack surface and will be different for different web applications because of the varying architecture, frameworks, and languages in use to develop them. Hackers trying to penetrate your web applications must know as much as possible about your application's attack surface. The attacker's methods are numerous and constantly evolving, so testers need to think in similar ways when approaching security testing.

Approaching testing in a progressive and creative manner is perhaps one of the greatest challenges for security testers. To keep up with the efforts of hackers, testers must utilize not only traditional and time-tested tools but also the newest tools available. This can be a daunting task because of the nature, variety, and number of tools available for security testing. This article covers a few of the basic freeware tools available for web application security testing. These tools can stand alone or serve as a foundation for the adoption of more mature tools within your organization. Building upon this small set of tools over time will ensure the widest possible set of protective mechanisms for your security testing certification process: the rigor that must be executed and passed prior to release.


Just as with other types of testing, it is important to know that you cannot prove the nonexistence of security defects. Exhaustive security testing is impossible, due to the diverse nature of the attack surface and the number of possible variables that can be manipulated across that surface. However, there are categories of attacks that tend to be more popular due to their effectiveness. Two specific web application vulnerabilities that you should be aware of are SQL injection and cross-site scripting (XSS). An excellent primer to these vulnerabilities can be found at the Open Web Application Security Project (OWASP) [1]. The OWASP testing guide [2] is one of the best resources available on web application security and vulnerability testing. It is several hundred pages long, so do not expect to master every testing mechanism right away.

Preparing for an effective security testing strategy includes getting familiar with a few core tools, such as the Firefox browser; yes, the same Firefox browser you use to verify the functional behavior of web applications. This browser is perhaps the best all-around beginner's tool that can be used to test the security of a web application. This is largely due to an ecosystem of browser plug-ins specifically built for security testing tasks, including two free Firefox add-ons that every security tester hunting for web-based vulnerabilities must have: SQL Inject Me and XSS Me.

SQL Inject Me allows you to test for SQL injection vulnerabilities that hackers can use to hijack your data and modify the contents of a database. Some of these vulnerabilities will even allow an attacker to execute administrative operations on the database, which is disastrous. Typically, the web applications that are the most vulnerable to SQL injection are those written in PHP or ASP, but this vulnerability affects other languages as well. The XSS Me tool will check for XSS vulnerabilities that can allow a hacker to gain elevated privileges within your web application or within other applications connected to your web application. These two tools alone will not allow you to test for every type of SQL injection and XSS vulnerability, but they will allow you to establish foundational testing practices for both categories of vulnerabilities. Once you have mastered the functionality of these tools, you can adopt tools that expand this functionality, such as Metasploit and Nexpose, both of which have freeware versions available.

Once you have prepared a tool to perform SQL injection testing, you need to determine how best to formulate attack strings that you can feed through the tool. Some tools already have a library of such strings that the tools automatically feed into your application under test. For the tools that do not, you must prepare your own SQL language attacks. This is not a trivial task, as there are many types of SQL injection attacks. The SQL injection attack is a form of a code injection attack, which means that rogue or malicious code is injected into the database layer through the client application. There are many resources on the web for advice on how to test for SQL injection vulnerabilities. (ITSecTeam.com has a very good paper on it [3].)

The testing of XSS involves checking whether a malicious script can be injected into the parameter of a web request, such as an HTTP GET request. Initially, this attack is typically performed right in the browser's URL bar, which allows a hacker to determine quickly if your application is susceptible or not. There are actually two types of XSS attacks, reflected and stored. A reflected attack means that the injected code is reflected off of the web server and back to the user, typically via an email link that the user clicks. A stored attack means that the injected code is already sitting in a database or some other repository and the user inadvertently retrieves it when he fetches data from the database. The XSS Me tool will only help you test for reflected attacks. It will not help with stored attacks, so keep that in mind when planning your security testing strategy as you will want to adopt some other tool or penetration testing method to check for stored attacks.

When you are ready to adopt some advanced security testing tools, you should take advantage of another freeware tool called WebScarab. This tool is part of OWASP and has multiple features that will allow you to test for various categories of vulnerabilities. Its non-intuitive user interface is somewhat difficult to use, but it is a popular tool among the web application security testing community. The main benefit is that it allows for the interception and manipulation of HTTP traffic. This class of testing falls under the category of fault injection, which simply means that you are manually injecting carefully crafted faults into a request or a data stream.
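An added example, not from the article or from the SQL Inject Me tool, of the check such a tool automates for the SQL injection discussion above: a login lookup built by string concatenation is probed with the classic tautology string, and the same probe is then run against a parameterized version of the query, which is the fix. The in-memory database, the user record, and the function names (make_db, login_vulnerable, login_parameterized, run_probe, is_injectable) are all constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample database: a single user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    # Untrusted input is spliced into the SQL text, so quote characters in the
    # input become part of the statement's structure instead of its data.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, name: str, password: str) -> bool:
    # Placeholders hand the values to the driver separately; whatever they
    # contain, they can only ever be compared as data.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


# The tautology string every SQL injection primer starts with (constructed
# probe). Inside the concatenated query it closes the password literal and
# appends OR '1'='1', which is always true.
PROBE = "' OR '1'='1"


def run_probe(login) -> dict:
    # Three requests a tool would send: a control with valid credentials, a
    # control with a wrong password, and the probe in the password field.
    conn = make_db()
    return {
        "valid_credentials": login(conn, "alice", "s3cret"),
        "wrong_password": login(conn, "alice", "wrong"),
        "probe_as_password": login(conn, "alice", PROBE),
    }


def is_injectable(login) -> bool:
    # A finding: the probe is accepted although a plain wrong password is not,
    # so the input changed the query's logic rather than its data.
    results = run_probe(login)
    return results["probe_as_password"] and not results["wrong_password"]


if __name__ == "__main__":
    print("concatenated query injectable: ", is_injectable(login_vulnerable))
    print("parameterized query injectable:", is_injectable(login_parameterized))
```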
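A second added example (again not from the article or from XSS Me) for the reflected-versus-stored distinction above: a unique canary is submitted in a request parameter, and the page is flagged when the canary comes back in the HTML without encoding. Two constructed handlers stand in for real pages, a search page that echoes its query (reflected) and a comment board that shows input only on a later view (stored), which is why the single-request check misses the stored case; output encoding with html.escape is the fix in both hardened variants. All handler and function names are assumptions for this demo.

```python
import html
import secrets


def make_canary() -> str:
    # Constructed probe: a tag-like token with a random suffix, so a match in
    # the response can only come from our own input. Harmless by itself; the
    # question is whether the page would let a browser parse a tag at all.
    return "<xssprobe%s>" % secrets.token_hex(4)


# --- constructed stand-ins for real web handlers ---------------------------
def search_page_vulnerable(q: str) -> str:
    # Echoes the request parameter straight into the markup (reflected XSS).
    return "<h1>Results for %s</h1>" % q


def search_page_fixed(q: str) -> str:
    # Output encoding: '<', '>', '&' and quotes become entities before echo.
    return "<h1>Results for %s</h1>" % html.escape(q, quote=True)


class CommentBoard:
    """Stores submitted comments and renders them on a later page view."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.comments = []

    def post(self, text: str) -> str:
        # The response to the submitting request never contains the input...
        self.comments.append(text)
        return "<p>Thanks, your comment is awaiting display.</p>"

    def view(self) -> str:
        # ...it only shows up here, on a separate request (stored XSS).
        items = "".join(
            "<li>%s</li>" % (html.escape(c) if self.escape_output else c)
            for c in self.comments
        )
        return "<ul>%s</ul>" % items


# --- the check a reflection-testing plug-in performs -----------------------
def reflected_unencoded(response_html: str, canary: str) -> bool:
    # An encoded copy ("&lt;xssprobe...&gt;") is inert; the raw canary means
    # the injected tag would reach the browser's HTML parser.
    return canary in response_html


def check_reflected(handler) -> bool:
    canary = make_canary()
    return reflected_unencoded(handler(canary), canary)


def check_stored(board_factory) -> dict:
    # Compare what a single-request check sees with a later page view.
    canary = make_canary()
    board = board_factory()
    return {
        "single_request_check": reflected_unencoded(board.post(canary), canary),
        "later_view": reflected_unencoded(board.view(), canary),
    }


if __name__ == "__main__":
    print("reflected, vulnerable page:", check_reflected(search_page_vulnerable))
    print("reflected, fixed page:     ", check_reflected(search_page_fixed))
    print("stored, vulnerable board:  ", check_stored(lambda: CommentBoard(False)))
    print("stored, fixed board:       ", check_stored(lambda: CommentBoard(True)))
```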
While WebScarab offers many diverse features for security testing, be aware that it will take some time to get familiar with and understand many of the features. Many of these tools have features that need to be studied and understood before trying to utilize them. There is no sense trying to apply an advanced testing mechanism without knowing how to interpret the testing results on your particular application. It is best to start slow and master one or two testing features at a time before moving on.

Another free OWASP tool is Mantra, an open source, browser-based framework for penetration testing. Mantra offers a large number of plug-ins that can be used for various categories of testing, such as information gathering and application auditing. Both SQL Inject Me and XSS Me plug into the Mantra framework as well. In addition, Mantra offers tools that can interrogate network and proxy information. There are approximately fifty tools available as plug-ins to the Mantra framework. The best part about Mantra is that OWASP provides some very good documentation supporting the proper usage of each tool, which is valuable for beginning and intermediate testers alike.

Additionally, there are a number of free web application vulnerability scanners, such as Websecurify, Netsparker Community Edition, and w3af. These scanners allow you to identify common vulnerabilities through a scanning mechanism, interpret the results, and perform some deeper tests to further explore the vulnerabilities discovered. Features vary across these tools and, again, it will take the beginner a while to come up to speed. Do the proper due diligence around each category of vulnerability that each tool helps identify so that you understand the severity and the risks.

Thorough security testing is a complicated and technical undertaking, but with some incremental first steps, testers can begin to master some critically important techniques and tools that increase the security of web applications and make it more difficult for hackers to gain access. Over time, your organization can develop a security testing methodology that is complemented by a set of tools that act as a line of defense for your applications prior to release to production. As with many other aspects of testing, security testing is most effective when done by different individuals who specialize in certain types of testing methods. This allows for the development of a diverse set of tests from a diverse set of testers. The main objective for those taking on a security testing role is to develop a set of comprehensive security regression tests that can be iterated on and expanded over time to further protect your users and corporate brand from the risks of insecure software.

Security testing is a comprehensive discipline that requires a great deal of study and experimentation to master and, as noted above, there are literally hundreds of tools available to help. While you can achieve a foundational level of effectiveness by using the tools presented here, you will need to supplement them with a more comprehensive strategy. This could include outsourcing some security testing tasks to an expert testing organization or to your internal corporate IT security group. Learning a new testing discipline is a journey. Once you become familiar with some of the foundational techniques of security testing and the right tools, your testing organization will be well on its way to providing another safety net protecting your organization's consumers and corporate assets. {end}

scott.aziz@ust-global.com

For more on the following topics go to www.StickyMinds.com/bettersoftware:
References
Security testing tools


What springs to mind when you hear the word governance? For many people, it's bureaucracy. They see a thick manual of policies and checklists, a central committee that delays decisions, or an endless round of audits and compliance checks. The next thing that comes to mind is skunkworks: how do we go underground to avoid the governance police? It doesn't have to be like that. Governance isn't about compliance. It's about making good decisions in an efficient way.

What Is Governance?
My preferred definition comes from the Institute on Governance [1]. They've defined governance as "the process whereby societies or organizations make important decisions, determine whom they involve and how they render account." This identifies four key aspects to governance:
1. Defining which decisions are important: Some decisions have a large impact on whether we achieve our goals. Most don't. Good governance ensures we focus our energy on the important decisions.
2. Defining who makes these decisions: How much time have you seen wasted on demarcation disputes? How many decisions have you seen fall through the cracks because no one took responsibility for them? Good governance ensures that lines of authority are clear.
3. Defining due process: If the decision-making process is clear, we don't need to spend time making it up as we go along. We can focus our energy on analyzing our options and balancing trade-offs. If people can see that we've followed the agreed process, then they're less likely to challenge the resulting decision and we won't waste time revisiting old decisions.
4. Accounting for outcomes: Accountability is not the same as blame. Good governance builds in feedback loops. It ensures that we track the outcomes of decisions and, hence, refine those decisions as we learn more. Equally, it ensures that we monitor and refine the decision-making process itself.
Software development is knowledge work. It's all about decisions: which features to prioritize and which to delay,

which design trade-offs to emphasize, where to allocate our effort, and so on. Good governance ensures that we make these decisions as effectively as possible. We involve the right people in the right way, and we learn and refine as we go along. Conversely, poor governance leads to poor decision making. We waste time on trivial decisions. We involve people who lack the necessary expertise and understanding. We define bespoke processes for every decision. We get bogged down in politicking and infighting as people argue about decision rights. And, at the end of all this, we're left with decisions that don't stick, either because they lack legitimacy in the eyes of key stakeholders or because they aren't grounded in solid evidence and analysis. The sad fact is that organizations that don't address governance end up spending a lot of time on it. They discuss it afresh for each decision as they design the decision-making process and argue about decision rights. They're then left with little time to gather data, analyze options, and make the decision, so they make bad decisions.

Central or Devolved?
How is it that governance often turns into bureaucracy? This tends to happen when people equate governance with centralized control. They reason that centrally enforced policies, priorities, and standards make it easier to ensure that everyone acts in a way that aligns to corporate goals. Further, they reckon that centralization builds consistency, making it easier to coordinate distributed teams and move work or people between teams. There's some truth in this, but there are also countervailing pressures. For example, devolving decision making to individuals and teams ensures that decisions will be more closely attuned to local circumstances. It also shortens the chain of command, allowing people to make decisions more rapidly. Such speed and situational awareness are often key requirements for good decision making. Many executives find devolved decision making scary. Things move quickly and not always in the direction they expect, but this may just reflect the realities of software development. Local nuances can have a large impact on the effectiveness of a team or the validity of a solution. In such circumstances, centralization merely gives the illusion of control. Defining appropriate governance structures, then, is about balance. We need to balance the benefits of centralized and devolved control. Here are some factors to consider when doing this:
Consistency: Is it important to make consistent decisions across multiple teams? Centralized governance mechanisms make this easier. For example, a central body might set standards for user interface design.
Alignment: Do you want to ensure that everyone is focused on common priorities and objectives? Again, centralized decision making can make this easier. So, you might set up a central portfolio management office to decide which projects to prioritize.
Expertise: Do you need specialist expertise to make certain decisions or to carry them out? If that expertise is rare, then you might put people into a central pool where you can manage their utilization carefully. This is common for groups like legal teams and things like specialist equipment and tools.
Speed: If decisions need to be made quickly, then you want to reduce the length of the chain of command. So, devolved governance mechanisms make a lot of sense.
Situational awareness: Many decisions are influenced by context: different customers need different types of support, different teams have different strengths and weaknesses, etc. People who are close to the situation are better able to weigh the factors and make appropriate decisions. This favors devolved governance.
Scope for consultation and guidance: It doesn't have to be all or nothing, central or devolved. You can create intermediate structures by centralizing some aspects of a decision and devolving others. For example, people may make decisions locally but use centrally defined guidelines. Or, an organization might decide centrally after consulting with teams and individuals locally.
The balance point will vary from organization to organization, as factors such as culture, market environment, and the mix of products and technologies come into play. It will also vary from decision to decision within a single organization. Good governance builds a range of decision-making mechanisms, each tuned to different circumstances. The balance point might also be dynamic. For example, if you're experimenting with a new technology, then it probably makes sense to devolve decisions initially while teams learn how to handle it. But, as understanding grows, you might want to centralize some decisions in order to ensure consistent application of your newfound knowledge. It can even make sense to rotate between the two poles. This can help transfer knowledge. People bring local knowledge from the field and share it more widely when they centralize. They then build specialist skills to take back into the field when they next decentralize. I haven't seen many organizations that are smart enough to do this consciously, but it might be the main benefit they get from their regular reorganizations.

Other Decision Attributes


This trade-off between central and devolved control is at the heart of good governance. However, it's also worth considering some other attributes of your decisions:
Routine versus one-off: Routine decisions benefit from clear policies and guidance. You want to make them as efficiently as possible. On the other hand, trying to write policies that cover every possible one-off decision and exceptional case is a fool's errand. It's unlikely that you can accurately predict every possible circumstance, and the weighty policies will just bog down routine decision making. When an exception arises, set up a specialist team to deal with it.
Complex versus complicated: Complicated decisions are amenable to analysis. It might take time, but a team of experts can eventually think through the situation and decide. Complex decisions arise when everything is so interconnected that such analysis simply isn't tractable. In such cases, you need to experiment to learn what works, so your governance structures must support experimentation and phased decision making.
Reversibility: If decisions can be reversed easily, then controls can be made more lightweight. Thus, for example, you can make the decision within a devolved team and then review it centrally later. This may incur added costs when you reverse a decision, but the benefit of rapid decision making often outweighs this (provided that the devolved team gets it right most of the time).
The important thing is to think clearly about your situation and the decision-making mechanisms that fit it. If you only start thinking about decision making when in the midst of a crisis, then you're unlikely to make good decisions. And remember the fourth aspect from my definition of governance: accounting for outcomes. Monitor the effectiveness of your decision making, and work to improve it as you learn more. Governance is an ongoing process, not a one-off.
If we don't look after our governance structures, then they tend to degenerate, either toward anarchy or toward bureaucracy. Conversely, if we maintain them carefully, refining them as we learn, then we'll be rewarded with flexible decision-making processes that consider all the important factors and win the buy-in of all key stakeholders. The price of good governance is eternal vigilance. {end}

graham@grahamoakes.co.uk

For more on the following topic go to www.StickyMinds.com/bettersoftware:
References


Product Announcements

TeamForge ALM
CollabNet, an enterprise cloud development and agile ALM products and services company, announced a new release of its TeamForge ALM platform. The new version incorporates new tools and functionality to help IT organizations better manage, collaborate, and drive value using hybrid development processes and environments. TeamForge now offers the industry's only combined platform for Git and Subversion usage and management. Other new features include integrated code review and search, and enterprise planning and reporting to help orchestrate hybrid development processes and DevOps both on-premise or across any cloud: private, public, or internal. Using TeamForge, enterprise IT organizations can leverage a mix of technology processes, commercial and open source tools, and deployment applications through both on-premise deployments or as an offering within its CloudForge enterprise cloud platform. TeamForge now natively embeds a number of newly added open source tools, including Git, Gerrit, and ReviewBoard, and commercial partner tools, including Black Duck Code Sight(TM), as well as enhancing its Jenkins/Hudson integration. These newly added tools work completely within the TeamForge platform to orchestrate and integrate cloud services, such as build, test, and code sharing, into a team's development processes from public or private clouds, such as Amazon EC2 and CloudForge.
www.collab.net/products

ElectricDeploy
Electric Cloud, a DevOps automation company, announced ElectricDeploy(TM), a solution that automates application deployments with built-in fail-safe capabilities, helping customers deploy applications faster and with higher quality. ElectricDeploy is built on and tightly integrated with Electric Cloud's ElectricCommander platform, providing end-to-end application delivery automation. The new product automates and standardizes application deployments across all environments (Dev, QA, pre-production, and production) by modeling applications, related environments, and the processes that deploy and recover applications. This model-driven approach reduces the variability of deployments across multiple environments, enabling teams to reliably and more rapidly deploy applications. ElectricDeploy also provides centralized visibility and control of deployments, allowing teams to manage and track release processes across the application delivery lifecycle. Additionally, ElectricDeploy reduces the occurrences and impacts of deployment failures in production environments through its fail-safe features by refining deployment processes throughout the application delivery pipeline from development to operations. These fail-safe features integrate three distinct capabilities: Code-Safe offers run-time debugging capabilities to interactively refine deployment processes; RunSafe lets teams define success and failure thresholds for application deployments so that deployments can account for real-world solutions; Recover-Safe enables teams to define recovery policies and processes for dynamic management of deployment failures.
www.electric-cloud.com/deploy

Management Analytics Solution
Acunote, an online project management and collaboration software provider, launched its Management Analytics solution as part of its new breed of business software, Management Intelligence. Acunote Management Analytics gives executives and managers real-time data insights that increase productivity, save time and costs, and improve collaboration among software development, I.T., marketing, and customer service teams in a wide range of industries. Many companies fail to capture and analyze quality data to help them uncover faster, easier, and more accurate ways to manage and predict how and when complex projects will be completed across one or more teams. The end results are inefficient teams, higher costs and, in many cases, competitive disadvantages. Acunote solves this problem by automatically capturing and analyzing execution data in real-time to create burndown charts that predict and track the progress of individuals and entire teams for each project. Individual team members, project managers, and executives alike can view which tasks need to be completed by whom and by what date, even if plans change during a project.
www.acunote.com/plans-and-prices

Kendo UI Complete
Kendo UI, a new product from developer tools and solutions provider Telerik, unveiled its next major release of Kendo UI Complete, a collection of Web, DataViz and management tools for professional software developers. With this release, Kendo UI adds support for tablet UIs and debuts server-side wrappers for ASP.NET MVC in order to extend and simplify development of HTML5 and JavaScript mobile apps and sites. This new release also adds server-side helpers for ASP.NET MVC, enabling developers to incorporate and configure Kendo UI via familiar server-side programming, while still producing apps that benefit from the client-side power of Kendo UI and HTML5. While Kendo UI works with any server-side technology, some developers are less comfortable in JavaScript and CSS, but feel very capable when working inside of a server-side language. These wrappers ensure that developers who prefer to build apps from their own server-side language can do so quickly. Developers using the new ASP.NET MVC wrappers can take full advantage of server-side framework features and coding conveniences, while targeting both desktop and mobile devices using the cross-platform power of modern HTML5, CSS3 and JavaScript. Kendo UI Complete for ASP.NET MVC is the first of what the company plans to be a collection of server-side helpers for different platforms, including Java and PHP, all designed to maximize developer productivity with HTML5.
www.kendoui.com

GUIdancer and Jubula
BREDEX GmbH announced the latest release of its automated GUI test tools, GUIdancer and Jubula, in versions 6.0.1 and 1.2.1. The new standalone versions of both tools contain an integration with Chronon, which records the entire execution of a Java program and allows it to be played back anywhere. The replayed program can be analyzed using Chronon's Time Travelling Debugger to quickly identify and solve any problems or bugs that might have occurred in the original program. The release of GUIdancer and Jubula coincides with the Eclipse Juno release, which also sees the Eclipse Jubula feature updated to include features that were made available in the standalone versions in spring. When the Chronon recorder is active, debug information is collected while the application is running. In the GUIdancer and Jubula context, this means that an application being tested automatically can also be collecting debug information. Once the test is finished, the recorded file can be imported into the Chronon Time Travelling Debugger to step through the source code to easily identify and analyze problems. The standalone versions of GUIdancer and Jubula also come with the Chronon recorder embedded in themselves, which allows users of the tools to report any troubles with the tools themselves back to BREDEX GmbH by sending them as a Chronon recording. Jubula offers cross-platform test automation for Swing, SWT/RCP/GEF and HTML applications and can be downloaded from the Eclipse Jubula Project Page. GUIdancer is based on Jubula and extends Jubula to offer a range of professional features for testers such as Code Coverage analysis, reporting, a web-based Dashboard, test quality assurance (Teststyle), and context-based working with Mylyn.
www.bredexsw.com

Terraform
UrbanCode, an enterprise build, deploy, and release automation company, announced the launch of Terraform. The open source software, made available under the Apache 2.0 license, allows for one-click provisioning of environments for IT teams. Terraform lets teams slash environment provisioning times from weeks to minutes by automating time-consuming operations. Terraform currently works on top of Amazon EC2 and VMware vSphere, with integrations for additional providers planned for future releases. Terraform exposes provisioning of an environment as a self-service. By reducing the time needed to provision environments, teams are now able to test scenarios faster, saving money by detecting issues sooner, and delivering more often. Terraform also lets users track changes more easily and promote topology changes just like code changes. Other features include: open source, free software; the ability to work on top of Amazon EC2 and VMware vSphere, with additional providers on the way; configuration management via integrations with Puppet and Chef; and virtual environment provisioning with the push of a button.
www.urbancode.com/html/products/terraform

Rally Acquires Agile Advantage
Rally, an agile software development company, has acquired Agile Advantage, a product and services company that helps organizations maximize the financial return of agile software development projects. The acquisition adds integrated schedule and cost measurement to Rally Portfolio Manager, enabling accurate and objective evaluation of portfolio performance so companies can determine where they should steer their technology investments for higher returns. Built on Rally's enterprise-class platform, Rally Portfolio Manager offers the following: a business view of agile development status; development aligned with portfolio investment plans; fact-based governance; value-driven prioritization; and realistic roadmaps. Agile Advantage is a software products and services company focused on bridging the gap between agile and traditional business planning processes. Its products translate the results of agile teams into something consumable by business stakeholders and provide business-level forecasting of schedule and budget. Experienced members of the agile community, Brent Barton (CEO) and Chris Sterling (CTO) founded the company to help organizations solve the business challenges of moving to agile.
www.rallydev.com

MonkeyTalk
Gorilla Logic, an enterprise application development and testing company, released its latest version of MonkeyTalk, which provides open source application testing. MonkeyTalk Beta 5 features comprehensive script recording and playback support for testing any HTML-based browser application, and any Adobe Flex application. This new version of MonkeyTalk now makes it possible for QA analysts and developers to perform functional tests of their apps for iOS, Android, HTML5, and Adobe Flex with one tool. Released in March of this year, MonkeyTalk has been downloaded more than 10,000 times and is being used to automate application testing and ensure the quality of iOS, Android, and mobile web applications that businesses depend on to make great impressions on their customers. MonkeyTalk records and plays back all user interactions on iOS, Android, and now desktop-browser apps.
www.gorillalogic.com

Serena IT Dashboard
Orchestrated IT solutions company Serena Software announced the new release of Serena IT Dashboard, providing improved visibility into end-to-end IT process performance and new accessibility on mobile devices. The new Serena IT Dashboard provides key performance indicators (KPIs) and dashboards that are specifically designed for application lifecycle management (ALM) and IT Service Management (ITSM) processes. With this release, customers now have an enterprise dashboard tying together all Serena technologies, including performance metrics of both mainframe and distributed systems. The new Serena IT Dashboard offers built-in best practices, along with easily configurable views, so IT executives can avoid the let-down of BI initiatives, and instead quickly deploy an enterprise IT intelligence solution that easily adapts to their changing environment. Integrating with the mainframe, and now also available on tablets, smartphones and laptops, Serena IT Dashboard delivers IT intelligence with BYOD (bring-your-own-device) efficiency.
www.serena.com/products/alm-dashboard/index.html

Cloud Summer 2012
Informatica Corporation, an independent provider of data integration software, introduced Informatica Cloud Summer 2012, the latest release in its family of cloud-based data integration services, with a focus on making cloud integration easier to develop, configure, and consume. Informatica Cloud Summer 2012 increases the functionality and power of the Informatica Cloud Platform by allowing developers to encapsulate integration process logic in templates that can be consumed and dynamically configured by end-users at run time. Cloud Integration Templates are a key component of the Informatica Cloud Developer Edition, and will be made available along with other productivity assets on the new Cloud Integration Developer site. This release also increases the number of native cloud connectors and broadens support for the Informatica Cloud Data Loader Service. Informatica Cloud Summer 2012 introduces new enhancements to the Cloud Connector Toolkit for building and delivering high-performance native connectivity to cloud or on-premise business and social applications. Customers, ISVs, and SIs can now take advantage of new connectors for Eloqua, Workday, Netsuite, and Web Services. The Cloud Connector Toolkit also supports new advanced hierarchical data modeling, which allows applications with complex object relationships to make use of new data integration scenarios.
www.informatica.com/us

CloudForge
CollabNet, an enterprise cloud development and agile ALM products and services company, launched the commercial version of its CloudForge development-Platform-as-a-Service (dPaaS). The new CloudForge interface combines a consumer-like user experience with the security and management needed to bring cloud development to the enterprise. With CloudForge, developers and operations teams alike can migrate their projects and data to the cloud, and deploy to their PaaS or datacenter. For the first time, development teams can instantly provision and integrate their tool stack of choice, including hosted tools like Apache Subversion (SVN), Git, Trac and TeamForge, and integrated applications like Atlassian JIRA, Basecamp and Rally Software. Administrators gain a single-pane view of cloud resource consumption, activity and project progress, and critical data needed to manage team-based development.
www.cloudforge.com

OpenStack
Rackspace, a cloud computing company, announced the availability of cloud databases and cloud servers powered by OpenStack, along with a new control panel. Customers can now select from private, public, or hybrid offerings and can deploy their solutions in a Rackspace data center or another data center of their choice. All of Rackspace's open cloud products can be accessed through the new control panel. The control panel allows customers to manage both existing and new cloud products as they emerge. In addition, customers now have the ability to use the open Rackspace cloud in hybrid or private cloud instances. Customers can choose the best platform for their applications by realizing the power of hybrid computing through RackConnect. This solution allows the flexibility and elasticity of the open cloud, as well as the enhanced security and performance characteristics of traditional hosting on dedicated hardware. RackConnect provides integration between public and private clouds within Rackspace, and the open cloud provides open standards to help customers use hybrid hosting between clouds located anywhere.
www.rackspace.com/cloud

Insight 9.6
Klocwork Inc., an automated source code analysis solutions company, announced the latest release of its source code analysis tool, Klocwork Insight 9.6. This release introduces multiple capabilities that allow software development teams to reduce their development time while ensuring their code is secure and reliable. Klocwork Insight 9.6 is also fully localized for the Japanese market. To accelerate the Klocwork build process, Klocwork Insight now includes integration with the Xoreax IncrediBuild native build environment. This integration allows joint Klocwork and Xoreax customers to run IncrediBuild in tandem with Klocwork Insight analysis, enabling tight process integration and ensuring accurate analysis results.
www.klocwork.com/products/insight

30

BETTER SOFTWARE

SEPTEMBER/OCTOBER 2012

www.TechWell.com

DUO

DYNAMIC

TwO COnferenCes in One LOCaTiOn


O n e R e g i s t R at i O n g e t s yO u t wO C O n f e R e n C e s

november 49, 2012 Orlando, fL


early Bird savings!
RegisteR by OCt. 5 and
explORe the full pROgRam at

www.sqe.com/betteragileeast
PMI members can earn PDUs at both events
JULY/AUGUST 2012 BETTER SOFTWARE

save Up TO $200
The Larger The group The More You Save
www.TechWell.com

31

Conference schedule
Build your own conferencemulti-day training classes, tutorials, keynotes, conference classes, Summit sessions, and morepacked with information covering the latest technologies, trends, and practices in agile methods and software development.

94 sessions offer PMI PDUs

sunday
Software Tester CertificationFoundation Level Training (3 days) Certified ScrumMaster Training (CSM) + PMI-ACP (2 days) Product Owner Certification (2 days) Agile Testing Practices (2 days) Fundamentals of Agile Certification (2 days) Bonus session: From Practitioner to Published Author: A Workshop About Writing About Software

MondayTuesday
36 In-depth half- and full-day Tutorials Multi-day training classes continue

wednesdayThursday
4 Keynotes 48 Conference Classes Networking EXPO Special Events and More!

who should attend?


Software managers, directors, CTOs, and CIOs Project managers and leads Measurement and process improvement specialists Requirements and business analysts Software architects Security engineers Test and QA managers Developers and engineers Technical project leaders Testers Process improvement staff Auditors Business managers

The eXpO
Visit top industry providers Offering the latest in software solutions

November 78, 2012

TOOLS TECHNIQUES SERVICES DEMOS SOLUTIONS


Looking for answers? Take time to explore the Better Software Conference and Agile Development Conference EXPO, designed to bring you the latest solutions in technologies, software, and tools covering all aspects of software development.


Keynotes by International Experts

Games Software People Play: Reasoning, Tactics, Biases, Fallacies
Philippe Kruchten, Kruchten Engineering Services, Ltd.

Embracing Uncertainty: A Leap of Faith
Dan North, Lean Technology Specialist

Adaptive Leadership: Accelerating Enterprise Agility
Jim Highsmith, ThoughtWorks

Form Follows Function: The Architecture of a Congruent Organization
Ken Pugh, Net Objectives

One Amazing Destination, Two Great Conferences
One registration gets you into all sessions!

"From beginner to expert there was something for everyone."
Rob Frisbie, Software Project Engineer, Gentex

Friday: Agile Leadership Summit
Join your peers and agile industry veterans to explore the unique challenges facing software development leaders as they transform organizations to support agile methods. You'll hear what's working, and not working, for them and have the opportunity to share your experiences and successes.

Kicking and Screaming: Moving to Business Agility
Sue McKinney, VP, Pitney Bowes

Agile Reality Bites: The Stories of the Struggle
Robert Begg, VP, Bluecat Networks

Proactive Risk Management: Calming Nervous Managers
Niel Nickolaisen, CIO, Western Governors University

Think Tank Discussion
Pollyanna Pixton, Program Chair


Ways to Save on Your Conference Registration

Save Big When You Purchase the VIP Package!
Choose the VIP package for maximum savings and receive: two tutorial or workshop days, all keynotes, conference sessions, bonus sessions, the EXPO on Wednesday and Thursday, all continental breakfasts, lunches, breaks, and receptions, the Agile Leadership Summit on Friday, all networking opportunities, plus complete access to both conferences.

Early Bird Savings!
Register for either conference, remit payment on or before October 5, 2012, and save up to $200 off your registration fees (depending on conference package selected). Call the Client Support Group at 888.268.8770 or 904.278.0524, email them at sqeinfo@sqe.com, or register now online.

Training + Conference
Attend any of the training courses + the conference and save $300 (already reflected in conference pricing).

The Larger the Group, the More You Save!
See the chart below for an example of how much savings groups of 3+ can enjoy on one of our most popular conference packages, Conference + Two Tutorial Days. To take advantage of this offer, please call the Client Support Group at 888.268.8770 or 904.278.0524 or email sqeinfo@sqe.com, and reference promo code Grp3.

Number of Team Members              1-2       3-9       10-19     20+
Regular Pricing                     $2,495    $1,996    $1,871    $1,746
Early Bird Pricing (by 10/5/12)*    $2,345    $1,876    $1,759    $1,641
Group Savings                       --        20%       25%       30%

*Full payment must be received by the deadline date.

Please Note: We will always provide the highest possible discount and allow you to use the two largest discounts that apply to your registration.


Why Is Extrapolation of Results in Performance Testing a Bad Idea?


In the discussions I have on performance testing, the topic of extrapolation always seems to come up. This is especially true when the person asking the question is relatively new to the performance testing area. When I refer to extrapolation, I mean the normal use of data points to create or predict other data points based on an analysis of a series of sample tests. The series can be, for instance, a set of incremental load levels or increases in infrastructure areas. The sample size must be sufficient to create a set of data points from which the predictive model is built.

Performance testing extrapolation is used as a form of behavioral projection. Specifically, we are looking at the linear extrapolation of results from a series of tests run on a scale model of the system architecture. By using linear extrapolation, we theoretically can predict what the larger system's behavior will be: we can extrapolate the unknown from the known.

There are two reasons that extrapolation in performance testing is problematic. First, there is the accuracy of the data gained from the initial set of tests. If the initial data are compromised, the projected results are automatically suspect. The primary area of concern here is the scalability factor of the system used to generate the data for the projection. The scalability factor is the ratio of the equipment or architecture used in the test compared to the real system. Some believe that a model of the architecture up to a ratio of 10:1 can be used, but I prefer to stop at a lower ratio. In my experience, with a scalability factor greater than 5:1, the results can be very misleading when used as a projection. The general ratio of the equipment involved in the test (physical boxes, etc.) is just one concern. The internal ratios of the scale model as they compare to the target system also must be accurately balanced (number of CPUs, memory, etc.).

The second, and most important, reason extrapolation in performance testing is a bad idea is that the method is essentially linear in nature, while many elements within the system under test are non-linear. When you use a linear model to predict the behavior of something that is non-linear, the data can be extremely misleading.

In the performance world, there may be some limited areas where extrapolation can be applied. For example, you can extrapolate the consumption of data storage space if you know the size of each element written to the data store, the frequency of additions and deletions, and how the storage system manages its space (compression, etc.). This is a linear activity and so may be extrapolated with some degree of confidence.

Linear extrapolation is a risky endeavor and tends to be conjectural in nature. The larger the system to be extrapolated, the lower the validity or accuracy of the sample data, and the greater the issues with the scalability factor, both external and internal, the more likely the projected number will be of little value. You might as well get a crystal ball.
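The argument above, as an added illustration that is not part of Perry's column: a constructed queueing-style response-time curve is sampled at scale-model load levels, a least-squares line is fitted to those samples, and the projection is compared with the true value at 2:1, 5:1 and 10:1 scalability factors; the storage case, a genuinely linear model, is run through the same procedure. Service time, capacity and per-record size are made-up parameters.

```python
# Added example, not from the article: linear extrapolation of scale-model
# results against a constructed non-linear system and a constructed linear one.
# All parameters (20 ms service time, 2,500-user capacity, 2,048 bytes per
# record) are illustrative assumptions, not measurements of any real system.


def fit_line(xs, ys):
    """Ordinary least-squares fit y = intercept + slope * x (pure Python)."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def true_response_ms(users, service_ms=20.0, capacity_users=2500):
    """Constructed non-linear system: response time grows as 1/(1 - utilisation),
    so it looks almost flat at low load and explodes near capacity."""
    utilisation = users / capacity_users
    if utilisation >= 1.0:
        raise ValueError("system saturated")
    return service_ms / (1.0 - utilisation)


def true_storage_gb(records, bytes_per_record=2048, overhead_gb=5.0):
    """Constructed linear storage model: fixed overhead plus bytes per record."""
    return overhead_gb + records * bytes_per_record / 1e9


def extrapolation_error(true_fn, sample_xs, target_x):
    """Fit a line to the scale-model samples, project to target_x and compare
    with the true value. Returns (projected, actual, relative_error)."""
    sample_ys = [true_fn(x) for x in sample_xs]
    intercept, slope = fit_line(sample_xs, sample_ys)
    projected = intercept + slope * target_x
    actual = true_fn(target_x)
    return projected, actual, abs(projected - actual) / actual


def response_time_errors(factors=(2, 5, 10)):
    """Sample 50-200 users (the scale model) and project to 200 * factor users.
    Returns {scalability_factor: relative_error} for the non-linear system."""
    sample_xs = [50, 100, 150, 200]
    return {f: extrapolation_error(true_response_ms, sample_xs, 200 * f)[2]
            for f in factors}


def storage_error():
    """Same procedure on the linear storage model; the error is essentially 0."""
    return extrapolation_error(true_storage_gb, [1e6, 2e6, 3e6], 5e7)[2]


if __name__ == "__main__":
    for f, err in response_time_errors().items():
        print(f"scalability factor {f}:1 -> projection off by {err:.0%}")
    print(f"storage projection off by {storage_error():.6f}")
```

The projection error stays near 1% at 2:1 but passes 10% at 5:1 and exceeds 60% at 10:1, while the linear storage model projects a 50-fold scale-up exactly.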

by Dale Perry
dperry@sqe.com


The Last Word

No One Left Behind


With 10 percent of the world's population living with some sort of disability, we must develop products with all users in mind.
by Rajini Padmanaban | rajini.padmanaban@qainfotech.net
You might be surprised to know that currently 650 million people, or 10 percent of the world's population, live with some form of disability [1]. With the growing use of software in all walks of life, this is a major segment of the population that cannot be left behind.

Disabilities and associated accessibility problems largely fall into four categories:

Visual Impairments: partial or complete loss of vision. Low or no vision affects the user's ability to discern or see the screen. Core assistive tools and technologies for the visually impaired include screen readers, Braille terminals, and screen magnification tools.

Mobility Impairments: conditions that affect movement of the limbs. This category includes conditions that cause difficulty or inability to use one's hands, including tremors, muscle slowness, and loss of fine muscle control. Due to their restricted movement, users with mobility impairments might find the links in your application too close or too difficult to access. Some assistive technologies that promote accessibility in such cases include speech recognition tools and head mouse wireless pointing devices.

Auditory Impairments: partial or complete loss of hearing. Hearing loss affects the user's ability to discern or hear audio. In some cases, hearing aids are a useful tool along with enhancements to your product, such as video transcription (a text equivalent for the video content).

Cognitive Impairments: mental disorders that affect cognitive functions. These disorders range from developmental disabilities to learning disabilities to cognitive disabilities of various origins, affecting memory, attention, developmental maturity, and problem-solving and logic skills. Screen readers come in handy in the testing process, but a lot of manual intervention focusing on site design, flow of information, and content intuitiveness is required in testing for accommodating users with cognitive impairments.

Special attention needs to be given to the product's architecture, implementation, and quality assurance phases from an accessibility standpoint. Identifying lack of support in these areas later in the game makes it very difficult to fix issues, leading to the possible alienation of a large set of your product's users.

So, what can you as a tester do proactively to ensure comprehensive accessibility support for your product from the early stages?

Understand the Accessibility Guidelines and Standards: These guidelines set by governmental agencies and consortiums, including World Wide Web Consortium's (W3C) Web Content Accessibility Guidelines 1.0 and 2.0 and Section 508 [2], outline critical checklist points that you can extract and incorporate in your test effort.

Understand Accessibility from a Usage Standpoint: Discuss your inputs with your product team up front. If your team has done usability tests in the past leveraging real end-users or is open to allowing you to interact with real-time users with accessibility issues, grab the opportunity. Interact with your users, observe them playing around with the product, and carefully make note of the kinds of issues they face from UI, functionality, and usability angles. If you have a usability expert on the team, work with him to analyze your observations. These findings go a long way to help you design the right product. Even if you do not yet have a product to demonstrate, talk to users to understand their pain points and what they would like to see in a product such as yours.

Manual Accessibility Testing: Some content simply cannot be tested using automated accessibility validators and tools. As an example, an image of a tiger could have its alt text set to "mouse," which is clearly inappropriate. There is currently no automated tool that can recognize the contents of an image and determine whether the alt text is correct. Ensure you chalk out a clear test plan with areas that you want to test manually to extensively cover the accessibility guidelines. Use assistive technology tools in the test efforts to simulate a disabled user's experience in verification efforts. For instance, use screen readers such as NVDA or JAWS in a combination of operating systems, browsers, and devices to test for both accessibility and compatibility scenarios.

Automated Accessibility Testing: There are several tools that scan through the source code as well as analyze the application's UI to report core accessibility issues. Such findings greatly supplement the manual test efforts in reaching out to all corners of the code, which may be difficult in manual code reviews. See the StickyNotes for links to some tools that we've used in our test efforts.

Use the VPAT: The Voluntary Product Accessibility Template (VPAT) is a great resource for the entire product development team, especially the test team. Developed in 2009 and owned by the Information Technology Industry Council, the VPAT lists the requirements for Section 508 to accommodate for accessibility in the product under development. The tester should ensure this template is discussed up front with the business, design, and development teams so everyone is on the same page about incorporating the requirements in the product. When included in your accessibility test efforts, VPAT is almost like a certification for your product's compliance with Section 508.

Consider Collaboration: To elicit valuable feedback, you can work with organizations that support people with accessibility issues. At our company, we work with the Blind Relief Association in India to engage the visually challenged in our accessibility test efforts. This has helped us not only evaluate a product's accessibility by the visually impaired but also provided equal employment opportunities for the disabled. As a side benefit, such collaborations have gone a long way in encouraging our employees to actively participate in our corporate social responsibility mission.

As you read about accessibility testing, it is important to understand and differentiate accessibility from usability, at least at a high level. Accessibility is about promoting access to a product and its contents to a group of people who might otherwise be deprived of the same. On the other hand, usability is about promoting a product's user experience and intuitiveness. It is really difficult to say that one is more important than another. What is important is to understand the underlying differences and work toward building a product that is both accessible and usable.

Take a moment to ponder the points listed above. Some are pure science on specific disabilities that need to be accommodated, some are pure art in terms of working with end-users to elicit feedback, and some are a combination of art and science with your hands-on accessibility testing efforts. When you arrive at the right balance in your overall accessibility test efforts and collaborate with your product development team and end-users, you are in a position to create a product that is accessible to one and all, leaving no one behind!
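The split between automated and manual accessibility testing described above, as an added example that is not from the article or from any tool it mentions: a small scanner over HTML source reports what a tool can justify (a missing alt attribute, and alt text that is just a file name; both checks are this example's own choices, the first following WCAG's text-alternative requirement) and leaves the tiger-with-alt-"mouse" case untouched, which is exactly the gap manual testing has to cover. The sample HTML is constructed.

```python
# Added example, not from the article: a minimal automated alt-text scan and
# the semantic error it cannot detect. The two checks are illustrative choices.
import re
from html.parser import HTMLParser

# Constructed sample page. The tiger image is the article's example: its alt
# text is wrong for a human, yet structurally present for a scanner.
SAMPLE_HTML = """
<html><body>
  <img src="tiger.jpg" alt="mouse">
  <img src="logo.png">
  <img src="DSC_0042.jpg" alt="DSC_0042.jpg">
  <img src="divider.png" alt="">
</body></html>
"""

# alt text that is merely an image file name tells a screen-reader user nothing
FILENAME_ALT = re.compile(r"^[\w\-]+\.(jpe?g|png|gif|svg|webp)$", re.IGNORECASE)


class ImgAltScanner(HTMLParser):
    """Collects one (src, problem) finding per <img> an automated check can justify."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attrs = dict(attrs)
        src = attrs.get("src") or "<no src>"
        alt = attrs.get("alt")
        if "alt" not in attrs:
            # No alt at all: assistive technology has nothing to announce.
            self.findings.append((src, "missing alt attribute"))
        elif alt == "" or alt is None:
            # alt="" marks the image as decorative; that is valid, so no finding.
            return
        elif FILENAME_ALT.match(alt):
            self.findings.append((src, "alt text is a file name"))
        # A present, non-empty, non-filename alt passes, whether or not it is
        # accurate: "mouse" on tiger.jpg is only caught by a human reviewer.


def scan_html(html):
    """Return the list of (src, problem) findings for the given HTML source."""
    scanner = ImgAltScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def flagged_sources(html):
    """Set of image sources the automated scan reported."""
    return {src for src, _ in scan_html(html)}


if __name__ == "__main__":
    for src, problem in scan_html(SAMPLE_HTML):
        print(f"{src}: {problem}")
```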

For more on the following topics go to www.StickyMinds.com/bettersoftware:
References
Links to tools

Index to Advertisers
AccuRev                                   www.accurev.com                        27
Agile Development Conference East 2012    www.sqe.com/AgileDevPracticesEast      31–34
Alp International                         www.alpi.com                           18
ASTQB                                     www.astqb.org                          22
Better Software Conference East 2012      www.sqe.com/BetterSoftwareEast         31–34
CollabNet                                 www.collab.net/getagilevideos          28
Hansoft                                   www.hansoft.se                         1
Hewlett-Packard                           www.hp.com/go/cloudservices            Back Cover
Polarion                                  www.polarion.com/qa                    29
SQE STAR Canada 2012                      www.sqe.com/StarCanada                 8
SQE Training Live Virtual                 www.sqetraining.com/VirtualTraining    Inside Front Cover
TechExcel                                 www.techexcel.com                      2
Telerik                                   www.telerik.com/html5-testing          5
VaraLogix                                 www.varalogix.com                      30
Wipro                                     www.wipro.com                          23

Display Advertising: advertisingsales@sqe.com
All Other Inquiries: info@bettersoftware.com


Better Software (USPS: 019-578, ISSN: 1553-1929) is published six times per year: January/February, March/April, May/June, July/August, September/October, November/December. Subscription rate is US $19.95 per year. A US $35 shipping charge is incurred for all non-US addresses. Payments to Software Quality Engineering must be made in US funds drawn from a US bank. For more information, contact info@bettersoftware.com or call 800.450.7854. Back issues may be purchased for $15 per issue (plus shipping). Volume discounts available. Entire contents © 2012 by Software Quality Engineering (340 Corporate Way, Suite 300, Orange Park, FL 32073), unless otherwise noted on specific articles. The opinions expressed within the articles and contents herein do not necessarily express those of the publisher (Software Quality Engineering). All rights reserved. No material in this publication may be reproduced in any form without permission. Reprints of individual articles available. Call for details. Periodicals Postage paid in Orange Park, FL, and other mailing offices. POSTMASTER: Send address changes to Better Software, 340 Corporate Way, Suite 300, Orange Park, FL 32073, info@bettersoftware.com.


How do you feel about the title Cloud Master?


No matter where you are in your cloud journey, unleash the power of cloud computing with HP. Build, manage, secure, and consume cloud services with HP Converged Cloud across public, private, and hybrid models. It's the industry's first hybrid delivery approach, based on a common architecture. It features HP CloudSystem, the industry's most integrated, open system for building and managing cloud services. Learn more by downloading the HP white paper today. Brought to you by HP and Intel.

The power of HP Converged Infrastructure is here.

Get the HP white paper "Cloud Computing: It's All About the Service" at hp.com/go/cloudservices

Copyright © 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.