Saturday, 3 October 2009

The keys are under the mat

I just checked out the latest on LinkedIn and saw a question on one of the many testing groups from someone wanting advice on how to write a test plan for security testing.

Nothing really new about this. As one of the moderators of The Software Testing Club and a regular reader of SQA forums, I'm used to people asking the most basic testing questions (the 'remove post' function can get some heavy use).

Wonder what will happen to the person asking the question? He'll probably get told to use Google, he'll find some basic security plans there, incorporate them into his test plan, send them off to the CEO, CIO, CFO, Old Macdonald and the mild-mannered janitor, get it signed off, and yet another app with security flaws hits the market.

A test plan for security testing should be very simple.
Find out how important security is to the stakeholders.
If it's important, get a security expert in.

Is that a cop-out? Should all testers be able to do security testing? Do you do security testing on top of the other testing activities you do - if so, how confident are you that you have done it well enough?

10 comments:

Yvette said...

Hi Phil,
I enjoy your blog and insights as you're obviously very involved with the QA community as well as the world of social media!

While perhaps putting myself at risk of asking a dumb question, I'm not really understanding why asking for a security plan template is inappropriate. If I have to create a type of test plan that I haven't created in the past, I often would go searching on the internet, and I would most likely ask the QA community at large for sample templates. Would this be considered unprofessional?

automationbeyond said...

Hi Phil and Yvette,

Let me jump in to your discussion.
I check LinkedIn groups daily, especially the one that I manage, and I see "give me..." kind of questions very often. Too often, I would say, for 2 reasons.

1) Problem solving is a fundamental QA skill. Yet if on any occasion the first thing a person does is go somewhere asking for help, then I'm concerned about the problem-solving capabilities of that person. Moreover, usually if they don't get the answer they tend to ignore the problem - and the Web can give answers to common questions only. So the business-specific problems are at high risk of being disregarded.

2) When I see a person who titles herself "Senior QA Analyst" asking questions like "what is boundary testing", I see a major discrepancy. And so would any technical recruiter.


Keep in mind that the overall picture is heavily unbalanced: for 1 blogging professional tester there are 10 asking "professionals". No surprise that testers are referred to as "data entry monkeys" and developers have an attitude like the following: "I would hate to be a tester...To be honest they'd have to be there for at least 6 months before I could be bothered learning their names. Prior to that it was just too likely they'd move on that it simply wasn't worth the time investment to train them up." (http://stackoverflow.com/questions/495443/is-your-qa-team-effective/495453)


Thank you,
Albert Gareev

Yvette said...

Thanks, Albert. I can see how asking a basic question might reveal that you aren't much of an expert and haven't taken the time to try and find the answer before jumping in to ask others.

After re-reading Phil's post and your response, I'm guessing the issue here is that if the guy doesn't have a template, he probably has never done security testing before and having a novice provide the security testing, probably would not give this organization much sense of "security." Security testing requires a lot more than filling out a test plan.

I suppose this is a fair point and a good reminder that it might be best to think twice (or at least do a little research on our own) before asking a basic question to an expert community.

Philk said...

Hi Yvette,

Apologies for not responding sooner, but it seems you have now got the intent of my post. Leaving security to a person who's following a plan he got off the internet doesn't sound very secure to me - or security testing to people who ask 'how to do security testing' questions on forums.

Yvette said...

Hi Phil,
Yes, I get it now. It did leave me a bit anxious, though, because I'd just had an interview where I'd been asked about creating a test plan if there wasn't yet one in place, and part of my answer included that I'd take advantage of re-usability and find templates on the Web. I blogged about this myself at: http://yvettefrancino.wordpress.com/2009/10/19/sqa-plan-templates/ and mentioned feeling worried when I read your blog post.

Maybe you can pop over and weigh in? Thanks for your blog and your insights!

Silverdew said...

Complaints are the greatest offerings that God obtains from human beings, as well as the most faithful prayers human beings might utter to God.


Silverdew said...

Apart from tears, only time could wear everything away. While feeling is being processed by time, conflicts would be reconciled as time goes by, just like a cup of tea that is being continuously diluted.


Silverdew said...

Remember what should be remembered, and forget what should be forgotten. Alter what is changeable, and accept what is mutable.


jackmartin said...

It was just informative news, and thanks for sharing such useful information.
- resort booking