Ainars Galvans's Blog (81)

How to make better test estimates?

We had an interesting discussion (even a dispute) about estimation in an internal workshop on that topic. I have been thinking about it since and want to share my conclusions.


Test estimation: the disagreement

The accuracy of an estimate increases, and the effort required to produce it decreases, over the course of the project, as I learn more about the business, customer expectations, technology, process, even the developers and the mistakes they usually make. It is wrong…


Added by Ainars Galvans on September 16, 2016 at 8:45 — 1 Comment

Test, check, audit, investigation: what do I do actually?

OK, this is indeed just another blog post about the terms test versus check, but with some reflections from the security testing field. So read on only if you are not already sick of the test vs. check type of conversation.

Last time I described how I do security testing in my organization, it got labeled "internal audit" by a person from the audience (who, as you may guess, does external audits, i.e. audit as a 3rd-party service).

I also see that people in functional…


Added by Ainars Galvans on September 17, 2015 at 9:25 — 3 Comments

Will pentesting scope change soon?

I have an impression that penetration testing is mostly associated with things like port scanning, seeking missing security patches, breaking weak encryption and optionally social engineering. Web Application Penetration Testing is different, isn’t it? Given a lot of experienced, competent and certified pentesters/hackers/IS security professionals with little to no experience in web application security testing, what is going to happen as the industry moves to the cloud and adds web access…


Added by Ainars Galvans on May 27, 2015 at 8:58 — 3 Comments

“attention to details” - might mean defocus

Inspired by Michael’s speech on TestBash I want to recall…


Added by Ainars Galvans on April 27, 2015 at 10:30 — No Comments

When worst practices are best

Last year I was at the only conference in my life that really changed something for me. Sorry to say, it is not a testing conference but a business one. Last year’s theme was about being indispensable. One of the notes I made at that conference was “be weird if you want to be remarkable”. I’ve just realized it’s a way of saying “follow the worst practices, not the best practices”, unless of course you want to be just another brick in…


Added by Ainars Galvans on March 27, 2015 at 12:00 — No Comments

What do you mean by “best practices”?

Yes, I know: yet another blog post on best practices, when we all know there are no best practices. Even so, please don’t give up using this term. I know at least one good reason why people use it: it’s just the best term they have found to give a short name to their bigger issue. Or let me quote James Bach talking on a slightly different subject:

A term can serve as a label indicating the presence of a bigger story under the surface.

I agree on that. Actually…


Added by Ainars Galvans on March 13, 2015 at 10:53 — 6 Comments

Security testing experiences: story 3

In this story I'll share how I missed an advanced Insecure Direct Object Reference vulnerability due to missing test data.

As described before, for confidentiality reasons I have made up a context, but the technical part of the story is true.

So let’s assume I…


Added by Ainars Galvans on November 21, 2014 at 9:00 — No Comments

Security testing experiences: story 2

In this story I'll share how I missed an advanced XSS vulnerability and only discovered it after a conversation with the developers and doing extra tests based on that conversation. Moreover, I had to analyze the app’s defensive control to come up with a custom test to break through.

As described …


Added by Ainars Galvans on October 31, 2014 at 11:30 — No Comments

Security testing experiences: story 1

In this story I'll tell you how XSS tests discovered a significant repudiation issue which I was not really testing for. I've added some extra thoughts about XSS protection itself being the cause of a security issue.

I’ve decided to share some security bugs I’ve found in different web apps, but for confidentiality reasons I will not tell you the details of the web app. Actually, I’ve decided to make up a context where this experience would be relevant.

So let’s…


Added by Ainars Galvans on October 30, 2014 at 9:00 — No Comments

Tester maturity levels. Pentester maturity levels

When I was in functional testing for some 5 years, I had this model of professional tester “maturity”:

  1. Tests somehow: Does some random tests and rarely discovers complicated bugs. Even when they spot one, they can’t repeat it and give up.
  2. Tests more: Realizes how many more test ideas there are that could…

Added by Ainars Galvans on October 22, 2014 at 11:00 — 1 Comment

How boring is security testing?

For the last few years I’ve been doing security testing and am finally ready to start blogging about it. So this is my first blog post. The reason I write it is the realization that in security testing, just like in functional testing, with experience your stack of test ideas grows so huge that you have to decide: either follow so-called best practices or adjust them to your project context and make a lot of micro-decisions about which tests will bring less value to the stakeholders.

My first impression…


Added by Ainars Galvans on September 17, 2014 at 8:00 — 7 Comments

People are not tools on a project! Are they?

Perhaps I won’t say anything new, but I’ve read a blog post where people are equated to tools, and it reminded me of managers who believe that every person in a team is just a resource. No, they don’t think everyone is the same. They know each individual has their own skills, so you have to choose the tasks you give them, best of…


Added by Ainars Galvans on September 13, 2012 at 8:33 — 2 Comments

Bugs I don't report (reconsidered)

Comments on my previous blog post, Bugs I wouldn't report, helped me realize I’d failed to describe my reasons for not reporting some bugs. I’ll try again. So, first of all there are:

Bugs I would always report

I’ve been avoiding reference to Michael Bolton’s …


Added by Ainars Galvans on July 11, 2012 at 12:30 — 3 Comments

Bugs I wouldn’t report

This is an illustration to my previous blog post. I realized I need to provide some examples.

My favorite example is a bug which is quite common in many applications. For example, Facebook and Skype have this problem in their registration forms. You have to enter a date, and if you first enter the day, e.g. the 31st, and only then want to enter the month and happen to enter February, or, as in the attached case, you press down to scroll through the months, then the date you once entered is all…


Added by Ainars Galvans on June 28, 2012 at 12:25 — 7 Comments

Is it ethical to hide (unrepeatable or unimportant) bugs?

The other day I was asked at a conference whether it is ethical that I sometimes don’t report bugs. I compared this to the ethics of a doctor who does not tell a patient the whole truth when there is nothing they can cure, but tells only the patient’s relatives. I want to expand on this topic a bit.

What are the bugs I’m not reporting

So first of all, it’s not a habit of mine to hide bugs. But neither is it a taboo. However, there should be a reason for me to do that. Have you ever…


Added by Ainars Galvans on June 21, 2012 at 13:14 — 6 Comments

Bug smells, quality – tastes

Bugs, for me as a software tester, are the means to describe and influence the quality of the software I test. Most bugs just tell you what I did, what I got and what I expected instead. Some bugs are stronger, some weaker (not everyone expects what I do). But anyone could repeat my experience and understand what I mean.

Quality is not as simple. Quality is “how good they think it is”, not just how good it is. Depending on your context (mood, hunger,…) you could make different…


Added by Ainars Galvans on May 21, 2012 at 14:02 — 1 Comment

Subconscious, casual or even coincidental tests

A few days ago I discovered a bug, the developer fixed it and I retested it. The only issue here is that I do not have a “test case” that covers this bug. So how did I find it?

I’m testing a web service and all my tests are automated; each has its setup (create data), testing (perform actions on the data) and clean-up (delete data)…


Added by Ainars Galvans on April 18, 2012 at 15:00 — No Comments

Regression testing redefined

This comes from Wikipedia:

Regression testing is to determine whether a change in one part of the software affects other parts of the software
This is not wrong, but it’s incomplete. Discovering that “a change in one part of the software affects other parts of the software”…


Added by Ainars Galvans on March 19, 2012 at 16:58 — 3 Comments

My code of professional ethics

I have and follow my code of ethics in software testing, do you? My code is simple: I only ever do things that would let me be proud of what I’ve done. Perhaps everyone does so. So I decided to go into a little more detail here, because for me ethics means that I am ready to (and I did a few times) say NO to my boss or my customer if I don’t believe I could be proud of the results.

So, the reasons why I refuse to do some tasks for my boss or my customer, or even to participate…


Added by Ainars Galvans on February 10, 2012 at 14:30 — 1 Comment

Software testing in banking industry: an uncommon story?

I’m confused when I see people from other industries taking the banking industry as an example of high-quality software caused by high stakes/risk. Banking software is far from perfect. Perfect software costs a lot and is an illusion anyway. While internet banking sites are more or less user friendly, back-office and teller software is not much better than green screens from the 80s. There are a lot of back-office people doing workarounds, manual fixes, etc. Why so? I think the reason is high…


Added by Ainars Galvans on February 7, 2012 at 8:06 — 2 Comments
