Sep 24 2008 1:17PM GMT
Posted by: Michelle Davidson
Software Quality, Software performance
In order to maximize software performance, you need to be able to measure that software’s performance — response time, throughput, etc. The Computer Measurement Group is one group that takes this seriously. It is a non-profit organization whose members write articles and give presentations on capacity and performance management for computers, as well as software performance engineering.
The organization has a yearly conference, which this year will focus on the increased use of virtualization. But it also has a track dedicated to computer performance evaluation.
The organization also publishes an eZine called MeasureIT. In it you’ll find technical advice for improving software and system performance and career advice.
Dr. Michael Salsburg, a director for CMG, said the content that contributors produce focuses on how to measure performance, analytics, and modeling and forecasting. “They look into how you would consider solving the problem,” he said.
If you’re looking for advice in that area, it’s worth checking out the CMG’s site.
Sep 22 2008 4:07PM GMT
Posted by: Michelle Davidson
Software testing, Application security, Software Quality
There are many misconceptions and myths about application security, and Cenzic is looking to debunk them in its new mythbuster podcast series.
In its first podcast, Cenzic, a provider of Web application security solutions, talks with Jason Lam, a SANS instructor, about topics such as the ability of network tools to address application security, when security testing should be done and who should do it, and how far PCI compliance goes toward securing apps.
Those who have been doing application security will be familiar with the topics. The first podcast, in particular, does not reveal anything new. But still there are many who don’t know what needs to be done to ensure an application’s security — or who don’t understand the importance of those practices — and these podcasts are for them.
Sep 19 2008 2:26PM GMT
Posted by: Jennette Mullaney
Application security, Software Quality, Requirements gathering
Good news about Web security is much rarer than it should be. There was some encouraging news recently, however. A report from WhiteHat Security found that over the course of a year, 66% of known vulnerabilities were corrected. When one considers how terrifying security reports usually are, happy surprises such as these are to be celebrated.
But before you break out the champagne, it might be prudent to read about the report’s other, terrifying findings. Spoiler alert: CSRF attacks are primed and ready for massive destruction. As you can see, application security is a moving target. Once you’ve protected against one threat, attackers come at you using a different weapon.
Sadly, only a small percentage of software professionals realize how important requirements gathering is for security. Business analysts can educate themselves with Kevin Beaver’s tip on writing software requirements that address security issues and Rob Apmann’s Q&A on how to address security during requirements gathering. And project managers should check out a free chapter from Software Security Engineering: A Guide for Project Managers. Requirements Engineering for Secure Software offers a gentle introduction to the subject.
We receive many questions from readers about requirements gathering for applications that need protection built into them. A site that processes credit cards or any other kind of sensitive information must be created with security as a major priority. Rob Apmann recently advised how to gather requirements for a payroll application. The first thing to do, he said, is to gather non-functional requirements such as the scale of the system and whether it is Web-based “so that you start with an architecture that will be secure and meet your deployment needs.”
As industry experts have been saying for years, security needs to be addressed at every part of the development life cycle — requirements, design and architecture, programming, testing, and QA.
Sep 18 2008 1:15PM GMT
Posted by: Michelle Davidson
Software testing, Virtualization, Cloud computing
The buzz about cloud computing has people talking about services such as virtual test environments. With such test services, organizations forgo the expense and time involved with setting up test environments. You don’t have to worry about the hardware or software — just pick what you want to include in the environment and your test lab can be ready in a matter of minutes. And then you pay as you go, running the environment for only as long as you need it.
Recently I talked with Shannon Martin, manager of technical training at both VDIworks and ClearCube, about how those companies use virtual labs from Skytap when developing and testing software, as well as when training customers how to use their software. Martin had nothing but good things to say about the virtual lab platform. She found it easy to use and liked the low costs associated with it.
This month Skytap started reaching out to enterprises that want what they call “hybrid cloud computing.” Via a VPN, companies can connect their virtual environments with their in-house resources.
For many companies, such services are ideal. But there are still concerns among many, including security and uptime. Scott Roza, CEO of Skytap, said in their virtual environments, people are given rights to access the environments and the data in them. Regarding uptime, he said customers pay as they go. So if by chance Skytap ceases to exist, customers pay only for the services they received.
Understandably, companies may still have a problem with that if, for example, they’re in the middle of testing a project and their test lab disappears on them. It’s more than just the cost of the service; it’s the cost of their not making their deadlines.
What do you think about virtual test environments? Are they worth pursuing or should organizations create their own test labs?
Sep 16 2008 12:00AM GMT
Posted by: Michelle Davidson
Software testing, Project management, Software Quality, Requirements management
After encouraging readers of SearchSoftwareQuality.com to start blogs and write about their experiences in QA, software testing, requirements management, and project management, we editors at SearchSoftwareQuality.com have decided to get into the game. And so we have launched the Software Quality Insights blog.
Our goal is to update you on issues being discussed among testers, business analysts, project managers, and so forth, as well as let you know about products being released and trends we’re seeing. Look for quick updates and tips here, and turn to SearchSoftwareQuality.com for the in-depth articles, expert advice, and technical tips we’ve always given you.
We’ll also use this venue to offer our opinions on subjects and to provide a space for you to share what you think about those subjects. It’s one way for us to get to know you better and, in turn, provide content that suits you.
And as always, if you have any suggestions or comments, you can email me at mdavidson@techtarget.com.
Thanks for reading, and I look forward to hearing from you.
Michelle Davidson
Editor in Chief, SearchSoftwareQuality.com