"I keep six honest serving-men (They taught me all I knew); Their names are
What and Why and When and How and Where and Who."
- Rudyard Kipling

Lessons Learned in Software Testing

What I know about Software Testing comes from the School of Hard Knocks -- i.e. stuff I've read in books and on the internet, things I've tried (and failed and tried again), conferences I've attended, workshops and seminars that I've participated in, and from discussing ideas with some of the many smart people out there (consultants, authors, professors, fellow testers, my wife, and so on).

After a while you begin to see the patterns of what's likely to work and what won't in certain situations.  This page captures some of the things I've learned about Software Testing over the years and some of the links that I've found useful on past testing projects.

Ruby and WATiR (Test Script Automation)

I have been using Ruby and Watir (Web Application Testing In Ruby) for a few years now, and I am totally hooked on Ruby!  Never in my life have I been so productive in developing test automation scripts as I have been with Watir!  (Mercury who?)

>> Navigate to my Ruby page for more information, tips, tricks and references. <<

Ruby and Watir together provide a free, powerful test framework to help you test your web apps.  Where do you go from here?

The answer to that question is tricky.  Many people think that the answer lies in the programming side, but I think it's more important to understand the testing aspect first.  That is, do you really understand what it is you are asking the computer to automate?  Is the test really worth automating?  How will the computer detect errors or bugs?  How will it recover from unexpected events or errors?  What value will you get from running the exact same test repeatedly? and so on.

Final thought: Break free of the testing norms of specifying the exact steps and test data required to drive your test scripts.  Teach your automated scripts to perform exploratory scripting -- i.e. learn as it goes, and vary the inputs for each run! (more on this topic another time..)

Exploratory Testing (ET) and SBTM

>> Follow this link for a page dedicated to the SBTM and ET lessons that I've learned over the years and to download my Ruby SBTM tools <<

Lots to say here.  Where to begin?  In a nutshell, ET is a form of unscripted testing that requires skill, creativity and discipline to effectively go where no tester has gone before.  The productivity and effectiveness of an Exploratory Tester will greatly surpass that of any generic scripted testing approach any day.  The reason for this is simple - the focus of this approach is on the learning and iterative nature of testing to leverage the system feedback to maximum effect.  Traditional scripted tests put the focus on writing test documentation and test cases - which can be an incredibly huge waste of time, money and brain power.

There are few ET articles currently written that I really like.  I recommend starting with the basics and moving on from there.  It will likely be very difficult to learn to do this by reading alone, so I suggest you network and find people to share experiences and knowledge to help you pick it up quicker.  Try conferences, workshops, or presentations in your local Testing community.

Start with an introductory article: "What is Exploratory Testing?"  Exploratory Testing is defined here simply as the concurrent Learning, Test Design and Test Execution.

Once you accept the idea that unscripted testing can be more effective than the documentation-based alternative, you will need to find a Test Framework to help you manage your testing.  I've used the "Session-Based Test Management" (SBTM) framework that James and Jonathan Bach developed.  I've met some people who have used WIKI's as an alternative to SBTM.  The idea is the same, just the metrics and visibility to the test notes are different.

I find that this style of exploratory testing is a perfect complement to Agile Development projects where changing requirements are common and rapid feedback is desired.  ET is often my primary approach to testing new projects because it allows me the freedom to explore features and investigate ideas more rapidly than by other means.

Testing - Internationalisation and Localisation

Internationalisation (I18N) and Localisation (L10N) testing are a lot of fun!  I wrote an article titled "Testing with an Accent" which appeared in the February 2005 edition of Better Software magazine.

There are a lot of useful links on the web.  Here are a few:

• Sun Developer's page on Internationalization (I18N) Testing
• Download a Free book on Software Testing and Internationalization (My advice: Skip the first 5 chapters and go straight to Chapter 6.)
• Microsoft MSDN Library: Testing for Globalization and Localization

Here are some ideas for when you're actually testing:

• Inputting people names into fields?  Don't use ordinary names, use foreign-language names.  Google names in another language.
• Want to translate a few words or phrases?  Try Altavista's Babel Fish Translation tool.
• When saving files or printing output, always include characters in the extended ASCII character set.  In MS Windows, use the Character Map tool that comes with the Operating System (Start > All Programs > Accessories > System Tools).  Add a shortcut to your desktop or toolbar to help you find it faster.

Testing - Security

Fun, fun, fun!  When all is said and done, how safe and secure is your application or system?

For me, much of Security testing is like I18N testing - an integrated part of how I just regularly test software.  My focus lately has been on testing web applications. (Just the web application itself though, since the whole system is covered by a myriad of security protocols, audits, firewalls, and other barriers that are well beyond the scope of your average test team.)

Here are some helpful links:

• General:
  • SecurityFocus - The forefront of security information. Identifies the latest vulnerabilities and has some good information for beginners and experts alike.
  • SANS Top 20 Vulnerabilities - Do you know what the twenty most critical internet security vulnerabilities are?  Well, do you??
  • Penetration Testing Guide - Good introduction. Sure it's a marketing brochure, but it helps you identify some of the different types of tests.
  • Thomas Rude's site - I like people with a sense of humour.  Check out the "Papers" section and browse through the rest of the site.  I learned a few things I didn't know before.
• Application Security:
  • MSDN Security Developer Center - Some great testing ideas here.
  • Cgisecurity.com has great links to practical articles. I found some good articles there on Penetration Testing for Web Applications
  • Open Web Application Security Project (OWASP) is a great resource and community.  For example, check out the Top 10 Web application vulnerabilities for 2007
• Database Security:
  • Cgisecurity.com - Check out the  and Database Security and SQL Injection pages.
  • SQLSecurity.com - When you want to know about MS SQL and Security testing.
• Security-related Certifications(**):
  • Certified Ethical Hacker (CEH) - The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system him/herself; all the while staying within legal limits.  Boost your Testing Superpowers with this one!
    • Interested in an overview?  Check out the mind maps for the Certified Ethical Hacker at MindCert.com
  • Certified Information Systems Security Professional (CISSP) - This certification has been around for almost ten years and covers security from a 30,000 foot view - so Managers might prefer it. (See also the Wikipedia entry for CISSP)
  • (**NOTE: I am not endorsing any particular certification, and I don't know if these certifications have any real Professional credit associated with them.  Having said that, I believe that the knowledge, materials and skills to be gained by working towards either of these certs could be very beneficial if you find yourself seriously thinking about Software and System Security.)

Some starter books that might be of interest include:

• "How to Break Software Security" by James Whittaker (et al) (also read the StickyMinds review)
• "How to Break Web Software" by Mike Andrews
• IEEE Security & Privacy magazine - Broader issues.  Good coffee-table fare for the managers' lounge.
• (IN)SECURE Magazine - the online mag has some good, practical advice and articles. (It's funny too.)  Like the cover page says: "Open. Informative. To The Point."

Contact me at: paul [at] staqs [dot] c o m