Saturday 3 October 2009

The keys are under the mat

I just checked out the latest on LinkedIn and saw a question on one of the many testing groups from someone wanting advice on how to write a test plan on security testing.

Nothing really new about this, as one of the moderators of The Software Testing Club and regular reader of SQA forums I'm used to people asking the most basic testing questions ( the 'remove post' function can get some heavy use ).

Wonder what will happen to the person asking the question ? He'll probably get told to use Google, he'll find some basic security plans there, incorporate them into his test plan, send them off to the CEO, CIO, CFO, Old Macdonald and the mild mannered janitor, gets it signed off and yet another app with security flaws hits the market.

A test plan for security testing should be very simple.
Find out how important security is to the stakeholders.
If it's important, get a security expert in.

Is that a cop-out ? Should all testers be able to do security testing ? Do you do security testing on top of the other testing activities you do - if so, how confident are you that have done it well enough ?

16 comments:

My Carpe Diem Life said...

Hi Phil,
I enjoy your blog and insights as you're obviously very involved with the QA community as well as the world of social media!

While perhaps putting myself at risk of asking a dumb question, I'm not really understanding why asking for a security plan template is inappropriate. If I have to create a type of test plan that I haven't created in the past, I often would go searching on the internet, and I would most likely ask the QA community at large for sample templates. Would this be considered unprofessional?

Anonymous said...

Hi Phil and Yvette,

Let me jump in to your discussion.
I check LinkedIn groups daily, especially the one that I manage, and I see "give me..." kind of questions very often. Too often, I would say, for 2 reasons.

1) Problem solving is a fundamental QA skill. Yet if in any occasion the first thing a person does is going somewhere asking for help then I'm concerned in problem solving capabilities of that person. Moreover, usually if they don't get the answer they tend to ignore the problem - and Web can give answers to the common questions only. So the business-specific problems are at high risk to be disregarded.

2) When I see a person titled herself as "Senior QA Analyst" asking questions like "what is boundary testing" I see a major discrepancy. And so would any technical recruiter do.


Keep in mind, that the overall picture is heavily unbalanced: for 1 blogging professional tester there are 10 asking "professionals". No surprise that testers are referred as "data entry monkeys" and developers have attitude like the following: "I would hate to be a tester...To be honest they'd have to be there for at least 6 months before I could be bothered learning their names. Prior to that it was just too likely they'd move on that it simply wasn't worth the time investment to train them up." (http://stackoverflow.com/questions/495443/is-your-qa-team-effective/495453)


Thank you,
Albert Gareev

My Carpe Diem Life said...

Thanks, Albert. I can see how asking a basic question might reveal that you aren't much of an expert and haven't taken the time to try and find the answer before jumping in to ask others.

After re-reading Phil's post and your response, I'm guessing the issue here is that if the guy doesn't have a template, he probably has never done security testing before and having a novice provide the security testing, probably would not give this organization much sense of "security." Security testing requires a lot more than filling out a test plan.

I suppose this is a fair point and a good reminder that it might be best to think twice (or at least do a little research on our own) before asking a basic question to an expert community.

Phil said...

Hi Yvette,

Apologies for not responding sooner but it seems you now have got the intent of my post. Leaving security to a person who's following a plan he got off the internet doesn't sound very secure to me - or security testing to people who ask 'how to do security testing' questions on forums

My Carpe Diem Life said...

Hi Phil,
Yes, I get it now. It did leave me with a bit anxious, though, because I'd just had an interview where I'd been asked about creating a test plan if there wasn't yet one in place, and part of my answer included that I'd take advantage of re-usability and find templates on the Web. I blogged about this myself at: http://yvettefrancino.wordpress.com/2009/10/19/sqa-plan-templates/ I mentioned feeling worried when I read your blog post.

Maybe you can pop over and weigh in? Thanks for your blog and your insights!

Unknown said...

Complaints are the greatest offerings that God obtains from human beings, as well as the most faithful prayers human beings might utter to God.


............................... ....

Unknown said...

Complaints are the greatest offerings that God obtains from human beings, as well as the most faithful prayers human beings might utter to God.


............................... ....

Unknown said...

Apart from tears, only time could wear everything away. While feeling is being processed by time, conflicts would be reconciled as time goes by, just like a cup of tea that is being continuously diluted.


.................................

Unknown said...

Remember what should be remembered, and forget what should be forgotten. Alter what is changeable, and accept what is mutable.


........................................

jackmartin said...

it was just informative news and thanks for sharing such a useful information.
- resort booking

Madhu Bala said...

I am so impressed by reading your article. Keep sharing with us.
Software testing training institutes
Software Testing courses in chennai

Ishu Sathya said...

First of all Big thanks for sharing this with us. Excellent content with a cool idea, the great content of various kinds of the valuable information.
Selenium Training Chennai
software testing selenium training

Unknown said...


Thank you for taking the time to write about this much needed subject. I felt that your remarks on this technology is helpful and were especially timely.


devops course fees in chennai | devops training in chennai with placement | devops training in chennai omr | best devops training in chennai quora | devops foundation certification chennai

Rithi Rawat said...

Great efforts put it to find the list of articles which is very useful to know, Definitely will share the same to other forums.

machine learning training in Chennai
machine learning training in velachery
machine learning certification course in Chennai
machine learning certification in Chennai

Chris Hemsworth said...

The article is so informative. This is more helpful. Thanks for sharing.

Learn best software testing online certification course class in chennai with placement
Best selenium testing online course training in chennai
Best online software testing training course institute in chennai with placement
magento developer training

divi said...

very nice blogs!!! I have to learn for a lot of information about these sites...Sharing for wonderful information. Thanks for sharing this valuable information with our vision. You have posted a trust worthy blog keep sharing.web design company in velachery