better software magazine sept-oct 2012


Page 1: Better Software Magazine Sept-Oct 2012

WEB APP SECURITY: Tools for your test strategy

OH, DEVOLVE: Governance and the happy medium

September/October 2012 $9.95 www.TechWell.com

Page 2:

SQE TRAINING

Attend live, instructor-led classes via your computer.

Convenient, Cost Effective Training by Industry Experts

Live Virtual Package Includes:

• Easy course access: You attend training right from your computer, and communication is handled by a phone conference bridge utilizing Cisco’s WebEx technology. That means you can access your training course quickly and easily and participate freely.

• Live, expert instruction: See and hear your instructor presenting the course materials and answering your questions in real-time.

• Valuable course materials: Our live virtual training uses the same valuable course materials as our classroom training. Students will have direct access to the course materials.

• Hands-on exercises: An essential component to any learning experience is applying what you have learned. Using the latest technology, your instructor can provide students with hands-on exercises, group activities, and breakout sessions.

• Real-time communication: Communicate real-time directly with the instructor. Ask questions, provide comments, and participate in the class discussions.

• Peer interaction: Networking with peers has always been a valuable part of any classroom training. Live virtual training gives you the opportunity to interact with and learn from the other attendees during breakout sessions, course lecture, and Q&A.

• Convenient schedule: Course instruction is divided into modules no longer than three hours per day. This schedule makes it easy for you to get the training you need without taking days out of the office and setting aside projects.

• Small class size: Live virtual courses are limited to the same small class sizes as our instructor-led training. This provides you with the opportunity for personal interaction with the instructor.

NEW Live Virtual Courses:

» Become a Test Automation Champion
» Mastering Test Automation
» Essential Test Management and Planning
» Finding Ambiguities in Requirements
» Getting Requirements Right the First Time
» Testing Under Pressure
» Performance, Load, and Stress Testing
» Generating Great Testing Ideas
» Agile Test Automation

www.sqetraining.com

Page 3:

Level up your productivity – Upgrade to Hansoft

Simplifying program management and day-to-day lean, agile, and Gantt scheduling development.

Hansoft is an integrated solution for agile and lean development, collaborative scheduling, real-time reporting, bug tracking/QA, workload coordination, portfolio and document management, used by the most demanding software developers in Europe, Asia, Australia, and North America. Hansoft not only makes team members and managers more productive in their everyday work, it also increases organizational productivity by enabling more efficient production methods and practices. Reduce your project risks with Hansoft; control your success. Download a free 2-user trial at www.hansoft.se

Page 5:

CONTENTS

Volume 14, Issue 5 • September/October 2012

FEATURES

14 COVER STORY: THE SOFTWARE DEVELOPMENT GAME
Adapting your software development tools, practices, and processes can be difficult, even overwhelming. Where do you start? Jonathan Kohl and David McFadzean have studied and applied game-like processes and behaviors to help provide structure to software development adaptation. They propose a process strategy called the software development game to help teams who are faced with change. by Jonathan Kohl and David McFadzean

20 PRACTICAL SECURITY TESTING FOR WEB APPLICATIONS
Software security is vital, but security testing can take time to master. Scott Aziz offers some practical techniques that will help you get started. by Scott Aziz

24 WHAT'S GOVERNANCE GOT TO DO WITH EFFECTIVE SOFTWARE DEVELOPMENT?
Governance doesn't have to end in bureaucracy. Learn to maintain and refine your governance structures, and you'll reap the rewards of improved decision-making processes. by Graham Oakes

36 THE LAST WORD: NO ONE LEFT BEHIND • by Rajini Padmanaban
Ten percent of the world's population lives with some sort of disability. Is your product optimized to meet their needs?

COLUMNS

9 TECHNICALLY SPEAKING: SURPRISE! • by Lee Copeland
When we are surprised, it’s because we were oblivious to events in our world and we failed to observe relevant information. How oblivious are you?

12 CAREER DEVELOPMENT: DON’T BURY THE SURVIVORS: THE VALUE OF CLEAR COMMUNICATION • by Lanette Creamer
Whether you’re discussing software defects with your test team, analyzing requirements with your BA, or programming in your favorite new language, communication is essential. Lanette Creamer has some tips to help you communicate clearly with any audience.

IN EVERY ISSUE

4 Mark Your Calendar
6 Contributors
7 Editor's Note
10 From One Expert to Another
11 Virtual Resource Shelf
27 Product Announcements
35 FAQ
37 Ad Index

Better Software magazine—The print companion to TechWell.com brings you the hands-on, knowledge-building information you need to run smarter projects and deliver better products that win in the marketplace and positively affect the bottom line. Subscribe today to get six issues. Visit www.BetterSoftware.com or call 800.450.7854.

www.TechWell.com SEPTEMBER/OCTOBER 2012 BETTER SOFTWARE 3

Page 6:

Software Tester Certification: www.sqetraining.com/certification

September 25–27, 2012: Atlanta, GA; Toronto, ON
September 30–October 2, 2012: Anaheim, CA
October 9–11, 2012: Portland, OR; St. Louis, MO
October 16–18, 2012: Austin, TX; New York/New Jersey
October 22–24, 2012: Tampa, FL
October 23–25, 2012: Chicago, IL

Publisher

Software Quality Engineering, Inc.

President/CEO

Wayne Middleton

Vice President of Communications

Heather Buckman

Publications Manager

Heather Shanholtzer

Editorial

Managing Technical Editor

Lee Copeland

Online Editors

Joseph McAllister

Jonathan Vanian

Community Manager

David DeWald

Production Coordinator

Cheryl M. Burke

Design

Creative Director

Catherine J. Clinger

Advertising

Sales Consultants

Daryll Paiva

Kim Trott

Production Coordinator

Desiree Khouri

CONTACT US

Editors: [email protected]

Subscriber Services: [email protected]

Phone: 904.278.0524, 888.268.8770

Fax: 904.278.4380

Address: Better Software magazine, Software Quality Engineering, Inc., 340 Corporate Way, Suite 300, Orange Park, FL 32073

MARK YOUR CALENDAR

Conferences

STARWEST 2012, www.sqe.com/StarWest, September 30–October 5, 2012, Disneyland Hotel, Anaheim, CA

Better Software Conference East 2012, www.sqe.com/BetterSoftwareEast, November 4–9, 2012, Rosen Shingle Creek, Orlando, FL

Agile Development Conference East 2012, www.sqe.com/AgileDevelopmentEast, November 4–9, 2012, Rosen Shingle Creek, Orlando, FL

STARCANADA 2013, www.sqe.com/StarCanada, April 8–12, 2013, Delta Chelsea, Toronto, ON

STAREAST 2013, www.sqe.com/StarEast, April 28–May 3, 2013, Rosen Shingle Creek, Orlando, FL

Better Software Conference West 2013, www.sqe.com/BetterSoftwareWest, June 2–7, 2013, Caesars Palace, Las Vegas, NV

Agile Development Conference West 2013, www.sqe.com/AgileDevelopmentWest, June 2–7, 2013, Caesars Palace, Las Vegas, NV

SQE TRAINING

Training Weeks: www.sqetraining.com/trainingweek

Testing Training Weeks: October 22–26, 2012, Tampa, FL; November 12–16, 2012, San Francisco, CA

Agile Software Development Training: November 4–6, 2012, Orlando, FL; October 30–November 1, 2012, Bethesda, MD; Raleigh, NC

Advanced Certification Training: October 29–November 2, 2012, Bethesda, MD

Page 7:

Test Studio: Easily record automated tests for your modern HTML5 apps

Test the reliability of your rich, interactive JavaScript apps with just a few clicks. Benefit from built-in translators for the new HTML5 controls, cross-browser support, JavaScript event handling, and codeless test automation of multimedia elements.

www.telerik.com/html5-testing

Page 8:

Contributors

Scott Robert Aziz is director of software quality services for QA labs at UST Global. In software quality assurance for twenty-four years, Scott has ten years of experience working with companies that have adopted SOA and web services. His expertise is in the formulation of a holistic SOA QA strategy that optimizes quality across an entire software development lifecycle. Scott can be reached at [email protected].

Lanette Creamer likes testing software even more than Diet Coke and cats. After working for a decade at Adobe, Lanette jumped into independent consulting. Throughout her career, she has evangelized advancement of real-time human thought over process solutions in software quality. Lanette believes collaboration is a powerful solution when facing complex technical challenges. Find Lanette on her well-known TestyRedhead blog, on Twitter, and occasionally in industry magazines and technical papers.

With more than thirty years of experience, Lee Copeland has worked as a programmer, development director, process improvement leader, and consultant. Based on his experience, Lee has developed and taught a number of training courses and is the managing technical editor for Better Software magazine, a regular columnist for StickyMinds.com, and the author of A Practitioner's Guide to Software Test Design. Contact Lee at [email protected].

Dale Perry has more than thirty-four years of experience in information technology as a programmer/analyst, database administrator, project manager, development manager, tester, and test manager. A professional instructor for more than twenty years, he has presented at numerous industry conferences on development and testing. With Software Quality Engineering for fifteen years, Dale has specialized in training and consulting on testing, inspections and reviews, and other testing and quality-related topics.

As director of engagement, Rajini Padmanaban leads the engagement and relationship management for some of QA InfoTech's largest and most strategic accounts. Rajini has more than ten years of professional experience, primarily in the software quality assurance space. She actively advocates software quality assurance through evangelistic activities including blogging on test trends, technologies, and best practices. Read Rajini's official blogs at www.qainfotech.com/blog and reach her at [email protected].

Graham Oakes helps people untangle complex technology, relationships, processes, and governance. Graham can be contacted through www.grahamoakes.co.uk or at [email protected]. He is the author of the book Project Reviews, Assurance and Governance.

Based in Calgary, Alberta, Canada, David McFadzean has more than twenty-five years’ experience and is passionate about building technology that increases intelligence by enabling better decisions. With an academic background in artificial intelligence, David has worked for several technology startups, including two he cofounded, taking on the roles of coder, UX designer, software architect, product owner, trainer, development manager, and executive. He is especially interested in helping technology startups transition to commercial ventures.

Jonathan Kohl is an internationally recognized consultant and technical leader, popular author, and speaker. Based in Calgary, Alberta, Canada, he is the founder and principal software consultant of Kohl Concepts, Inc. Jonathan helps companies define and implement their ideas into products, coaches practitioners as they develop software on teams, and works with leaders to help them define and implement their strategic vision. Read more of Jonathan’s work at www.kohl.ca or contact him at [email protected].

With a background in commercial engineering and cultural science, Zeger van Hese started his professional career in the motion picture industry, switching to IT in 1999. A test manager at CTG Belgium, Zeger has a passion for exploratory testing, testing in agile projects, and, above all, continuous learning from different perspectives. He is the program chair of Eurostar 2012 in Amsterdam and co-founder of the Dutch Exploratory Workshop on Testing (DEWT). Zeger muses about testing on his Test Side Story blog, is co-author of CTG’s STBoX Agile flavor, and regularly speaks at conferences worldwide.

Page 9:

Editor’s Note

I’m not one for video games, but I do enjoy a game of Boggle, dominos, or even badminton on occasion. Games can be relaxing, and they can also give you insight into the personality of your challenger. For example, I’m a stickler for the rules and consider myself a good sport, but I’ve played games with friends who think nothing of pushing the limits of “legal play” and others who have a very bad attitude about losing. I’ve also played games with people who want to help everyone else do well, even to the detriment of their winning the game. It’s fascinating to watch how competition and defined constraints affect people differently.

There is a growing movement called the gamification of work that is becoming popular in many organizations. This method applies game-like activities to business situations to increase productivity and motivation. Much like I have experienced how different people behave while competing, researchers are examining how gamification can be used to improve business practices.

Another area of study, game theory, is used to study decision-making strategies using mathematical models of cooperation and conflict. While game theory is normally applied to areas like economics, war, and even biology, when certain aspects of game theory are paired with gamification ideas and applied to software, the result is a strategy that Jonathan Kohl and David McFadzean call “The Software Development Game.”

David has implemented this game on several projects with a lot of success. Their article explains the rules of the software development game and how you can apply it on your projects to manage decision making about processes, tools, and technology.

Also in this issue, given the preponderance of apps in our daily lives, you shouldn’t miss Scott Aziz’s exploration of some security testing tools in “Practical Security Testing for Web Applications.”

And, finally, nothing screams red tape like the word governance. But what if you could refine your governance structures in a way that actually improves decision making instead of burying you under a pile of bureaucracy? Graham Oakes has a few ideas in his article, “What’s Governance Got to Do with Effective Software Development?”

As always, I hope you enjoy this issue of Better Software magazine. Shoot me an email to let me know how you put the tools and techniques to work for you. Or look me up on Words With Friends.

Happy reading,

Heather Shanholtzer
[email protected]

Page 10:

Test at a Higher Level

April 7–11, 2013, Toronto, Ontario, Delta Chelsea

The Leading Conference on Software Testing Analysis & Review

www.sqe.com/starcanada

Register by February 8, 2013 and save up to $300. Groups of 3+ save even more!

Choose from a full week of learning, networking, and more:

Sunday: multi-day training classes begin

Tuesday: 9 in-depth half- and full-day tutorials

Wednesday–Thursday: 3 keynotes, 28 concurrent sessions, the EXPO, networking events, receptions, and more

Mapping It Out

Page 11:


Technically Speaking

Surprise!

Surprises are the world’s invitation to learn. Let your surprises trigger an investigation of your observation, meaning, and significance processes.

by Lee Copeland | [email protected]

Recently, when we were discussing the wonders of butterflies, my three-year-old granddaughter, Kendra, said, “Grandpa, when I was younger …” I was surprised to hear someone of her “advanced” age reminisce about her past.

The word “surprise” means to discover suddenly, unexpectedly, and without warning; to become aware of something not previously perceived. Surprise is a manifestation of a discontinuity in our awareness.

In my software development manager days, I hated surprises. Surprises were almost always bad news. Now that I’m a lot older and a little wiser, I realize that surprise is often an indicator that discovery, learning, or even delight may be just around the corner. The surprise itself can be amusing, enlightening, befuddling, disconcerting, or frightening, but surprise should not be the end of the experience; it should be the beginning. Analyze the surprise to learn why you didn’t see it coming and what you gain from that.

When we are surprised, it may be that we have simply been oblivious to events in our world. As humans, we fail to observe huge amounts of information. That’s understandable—there is simply too much of it. However, some individuals and software organizations maintain what Jerry Weinberg calls an “oblivious culture.” [1] They choose not to systematically observe anything about their products, people, or processes. A second type of person observes—but quickly filters out—data that does not match his view of the world. (That continued quarterly decline in profits must be an anomaly.) A third type of observer, to prevent having to deal with the realities of the world, actually prohibits observing—generally when information gained through past observation caused conflict. I once worked for an organization that, each year, changed the way it measured programmer productivity, defects, and client satisfaction. The stated reason was to become more accurate. The real reason was so that years could not be compared with other years. An accurate comparison would have shown that we were getting worse. When surprised, you might first consider whether your surprise came from a self-inflicted lack of awareness.

As we view the world around us, we map observations onto our context, knowledge, experience, and feelings. If we fail to accurately map, we later may be surprised. In our mapping, we may misinterpret by assigning to our observation the worst possible meaning, or the best possible meaning, or a meaning based on our past, unresolved experiences rather than the present context. Biases, agendas, pressures, and expectations can cloud our assignment of meaning. If we are not careful, we may assume that the first meaning that we assign is the correct—and only—meaning. And this may not be true. Weinberg’s Rule of Three—“If you can’t think of at least three different meanings of what you observed, you haven’t thought enough about it”—is a vital tool to help our mapping of meaning.

After we assign meaning, we determine significance. We may have observed well and assigned the proper meaning, but if we don’t understand the significance, we may later be surprised. We may not assign the proper significance for a number of reasons: We just don’t know how important it is; it simply does not fit into our previous experience; we may be operating under rules that don’t serve us well; we may not be paying attention; or, like the story of the little boy who cried wolf, we have been previously conditioned to minimize its significance. (Why is it that my grandkids only complain of stomach aches on school day mornings and just before piano practice?)

Surprises are the world’s invitation to learn. Let your surprises trigger an investigation of your observation, meaning, and significance processes. Look for gaps in your observational process. Which kind of oblivious are you? Do you assign meaning in an inquisitive and generative way, or do you follow preconceived notions? Finally, consider how you assign significance to observations and meanings. Let your surprises trigger your learning. You’ll be surprised at how useful it is. {end}

Thanks to Michael Bolton, who always guides me well.

For more on the following topics go to www.StickyMinds.com/bettersoftware: References

Page 12:

From One Expert to Another

Markus Gärtner
Years in Industry: 6
Email: [email protected]

Interviewed by: Zeger van Hese
Email: [email protected]

For the full interview, visit http://well.tc/FOETA14-5

“Long ago, I started digging into other topics than testing wisdom—topics like complexity science and psychology—and I found some pieces that are not very well known among testers. I see a lot of value in these fields, and I think we can learn a lot by combining these with our profession.”

“In the light of the new software development, we will have to find our spot. It will no longer be possible for a tester to hide behind test-case templates or foster following a test plan document only to find out that the product is unusable for everyone.”

“I still think that testing is disrespected by others involved in software because there are too many out there who do a terrible job at it.”

“Jason Gorman announced the Software Craftsmanship conference in London back in December 2008 ... It was awesome, even for a tester like me. Starting from there, I tried to learn as much as possible about software craftsmanship as I could—not from a technical point of view, but from a soft-skill point of view.”

“I think in the years to come, testers will be very important to our field. We will teach testing to programmers, and we will have to seek testing skills in programmers, designers, and business experts and help them become better testers.”

“My biggest challenge in teaching and mentoring testers right now is that I don't know what particularly I do that helps other testers grow ... I do some things that help other people while others refuse to listen to me. Of course, this is all right. I don't listen to anyone else on the street either.”

Page 13:

Virtual Resource Shelf

Author recommended books, blogs, gadgets, websites, and other tools for building better software

What are your favorite games to play with friends and family?

My favorite games to play with others are the team vs. team action and shooting genre, such as Halo and Call of Duty. They are a great release after a long day of developing QA and testing strategies and technical documentation. The competitiveness keeps everyone engaged and allows everyone to heckle each other in a friendly way, which provides for further entertainment.
–Scott Aziz

The game I and my family keep coming back to is Monopoly. It's a very social game—simple rules with a lot of scope to negotiate local variations, make deals, etc. And there's a good balance between luck and strategy, between risk and reward.
–Graham Oakes

My family has three different groups, each with its own unique culture. Craig and I love trivia, and we play Wordament together on his mobile phone, which means we never wait! We're learning new words together when we could be bored instead. My dad and stepmom like Rummikub and Mexican Train. I enjoy that those games are inclusive and allow for a good side conversation while playing them. My mom's side of the family is extroverted and very lively! We love to play Taboo, Cranium, and any game that is social, boisterous, and full of laughter.
–Lanette Creamer

I really enjoy playing massively multiplayer role-playing games such as Lord of the Rings Online, Star Wars: The Old Republic, and Guild Wars 2. I've been a fan of role-playing games since the 80s because the story-telling aspect allows you to explore the moral dimension of your character's actions. The online versions allow me to play with the same group of friends even though we now live in different cities.
–David McFadzean

I like strategic games the best. I have fond memories of playing chess with my dad (a top-notch player) and learning that strategy could win out over experience and skill. I also played a lot of sports, so physical games can be a lot of fun with family because you have such a range of ages and skills.
–Jonathan Kohl

My favorite game that I play quite often is a word-find game, where the player finds the word based on a limited set of clues that the other player provides. Although it calls for quick and deep thinking, I enjoy this because it makes you more agile and analytical, improving your problem-solving skills, so this is a great game to hone one’s testing skills in the process.
–Rajini Padmanaban

Go Fish—sometimes I can beat the grandkids.
–Lee Copeland

Page 14:

Career Development

Don’t Bury the Survivors: The Value of Clear Communication

Ultimately, the value that you provide is only realized when you can communicate it in a way that reaches your audience. Even genius work becomes invisible when insufficiently communicated.

by Lanette Creamer | [email protected]

After a plane crash, where should the survivors be buried? Recent studies conducted by the Economic and Social Research Council (ESRC) [1] indicate that approximately half of the participants asked this question reacted as if they were being asked about those who died in the plane crash rather than those who survived it. One person to whom I asked the question said, "Since death customs vary, the wish of the individual as well as the family of the deceased should choose where they are buried." It takes a political talent to answer a question so thoroughly when you aren’t sure of the intent. I would expect a good tester to clarify the meaning and ask questions—e.g., is the point of the survey to trick us into burying survivors? In fact, this study was designed to help us understand more about how our brains interpret the words that we hear.

Under pressure, our minds skip words. It makes sense that we wouldn't process every trivial, connecting word in a sentence. However, it is surprising to find that we also skip words that impact the meaning of the sentence. Research into brain activity from the ESRC study reveals that we are more likely to use this type of shallow processing under conditions of higher cognitive load—that is, when the task we are faced with is more difficult or when we are dealing with more than one task at a time. Correct information is most vital when we face complexity or multiple tasks, so that we can prioritize and deliver correct results. But our brain’s attempt to speed up under stress undermines our accuracy at absorbing data at critical moments.

Clarity is also essential when communicating about a software defect. While the impact to the user may be subjective, the scope of the defect and how to reproduce it have specific answers. Testers and programmers who interact with computer systems all day may forget that every command a computer receives is a series of on and off switches. We communicate with our computers in interpreted binary, no matter how sophisticated, brilliant, and elegant the interpretation of our favorite programming language may be. The computer doesn’t correct our wrong commands with assumptions of its own.

Some of the most common software issues aren’t even in the existing code. Humans may have introduced them in the requirements. If you are lucky, the people writing your requirements are skilled at writing requirements, familiar with the market, and knowledgeable about industry vocabulary and the culture of creating quality software. If they have experience communicating with technical people and are also excellent writers, then fewer requirements will be lost in translation.

Pair programming can increase your odds of understanding a written requirement by having two people translating the incoming requirement and writing the outgoing code. In addition, you get a code review and possibly refactoring while the programmers write the code. I’ve found similar advantages in pairing a programmer with a tester for a code walkthrough, where the tester can collaboratively validate the meaning and intent of the requirements while the programmer implements the agreed-upon changes. Diverse points of view may result in a different outcome from the pair than either would reach on their own.

Many years ago, when I was a new tester, our biggest customer reported an urgent bug. When the team went to isolate the bug, it would only reproduce in their file. After learning that this critical issue was file specific, I uploaded the file to a shared server location and updated the bug so that those interested could access the file. I assumed that each person would copy down the file locally and then run the test on that one file. Clearly, I should have given only read access to everyone else. Instead, I made the file writable to everyone.

Once others were looking at the file, the problem failed to reproduce, because it happened only when the file first converted from an earlier version. The older version of the customer file had to go through a code path of forward conversion, which showed the bug. Once the file was saved, it no longer could reproduce the condition that was causing the unpredictable behavior.

It appeared that my steps were very unreliable. The conversion issue was such a high priority that multiple developers would wait for the customer file to be posted and then convert and save it nearly instantly, making the problem we were trying to fix impossible to recreate. This not only cost us the ability to reproduce the issue but also caused confusion and damage to a customer relationship.

Once I realized what had happened, I set up a locked copy that no one could accidentally edit. We then were able to reproduce the bug and figure out the cause. But by the time we fixed the bug and deployed it out to customers, we had already damaged a great deal of trust through miscommunication and invalid assumptions.
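The "locked copy" described above, written out as an added example (this is not code from the column or from the author): the customer's file is published once as a read-only master with a recorded SHA-256 digest, developers get private writable copies for the forward-conversion code path, and the master is verified before every reproduction attempt, so a colleague's silent "convert and save" is reported as tampering instead of surfacing as unreliable repro steps. The directory and file names are hypothetical, the old-format file is a constructed sample, and the script assumes a POSIX shell with GNU coreutils (sha256sum).

```shell
#!/bin/sh
# Added example, not from the column. Keeps an immutable master copy of a
# customer repro file and checks it before every reproduction attempt.
# WORKDIR/MASTER are hypothetical paths; the sample file is constructed below.
set -eu

WORKDIR="$(mktemp -d)"
MASTER="$WORKDIR/repro/customer-file.v1"
MASTER_SUM="$MASTER.sha256"

sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# publish_master SRC: copy SRC into place, drop every write bit (owner
# included) and record its digest, so a later edit is detected rather than
# merely discouraged.
publish_master() {
    mkdir -p "$(dirname "$MASTER")"
    rm -f "$MASTER" "$MASTER_SUM"
    cp "$1" "$MASTER"
    sha256_of "$MASTER" > "$MASTER_SUM"
    chmod 0444 "$MASTER" "$MASTER_SUM"
}

# verify_master: succeed only if the master still matches the recorded digest.
verify_master() {
    [ "$(cat "$MASTER_SUM")" = "$(sha256_of "$MASTER")" ]
}

# fresh_working_copy DEST: hand a developer a private, writable copy. The
# convert-and-save code path runs on DEST, never on the master.
fresh_working_copy() {
    verify_master || { echo "master has been modified; not handing out copies" >&2; return 1; }
    cp "$MASTER" "$1"
    chmod 0644 "$1"
}

# --- demonstration on a constructed old-format sample ---
printf 'OLD-FORMAT v1\nrecord 1\nrecord 2\n' > "$WORKDIR/from-customer.dat"
publish_master "$WORKDIR/from-customer.dat"
verify_master && echo "master published and intact"

# A colleague converts and saves a working copy: the master is untouched.
fresh_working_copy "$WORKDIR/dev1.dat"
printf 'NEW-FORMAT v2\nrecord 1\nrecord 2\n' > "$WORKDIR/dev1.dat"
verify_master && echo "master still intact after working-copy conversion"

# The original mistake, simulated: someone forces a save onto the master.
chmod 0644 "$MASTER"
printf 'NEW-FORMAT v2\n' > "$MASTER"
if verify_master; then
    echo "unexpected: master verified after tampering"
else
    echo "tampering detected: master no longer matches its recorded digest"
fi
```

The read-only mode bits stop accidental edits; the recorded digest is what turns a deliberate or privileged overwrite (the owner, or root, can always chmod and write) into a visible failure at the start of the next reproduction instead of a confusing "works on my machine" result.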

Few professional publications would go to print without an editor, yet we still have many in software who question the need for professional testing. Many executives have had the bright idea to use cheap interns as editors in an attempt to save money, but they didn’t expect to get the same result at the end. Ultimately, the value that you provide is only real-ized when you can communicate it in a way that reaches your audience. Even genius work becomes invisible when insuffi-ciently communicated.

What can a technical practitioner do to communicate clearly? One useful skill is to observe more carefully which communication styles work with different people. Which messages get through to the most important targets? Do they understand better after seeing a visual example? How much detail do they need? Consider the audience with whom you are communicating. Use words that are inclusive to beginners when they are part of the group receiving your message. Make your purpose clear and your writing concise, and address more advanced questions separately to avoid losing beginners in the details.

Being sincere is absolutely essential, as smart people are generally perceptive about tone, body language, and sarcasm. Stretch the limits of your own style in order to be better understood. For some people, this kind of real-time style adaptation is a natural talent. The rest of us can improve through practice.

As professional testers, we have opportunities to practice both on the job and in daily life. Some of the ways to practice testing are to run exploratory testing charters, brainstorm test ideas in a mind map, write a small script to get a new view of existing data, take a class on one aspect of testing, or explore new tools, blogs, tweets, or tutorials. Any of us can get out to a user group, a peer conference, or even an online presentation to keep our skills sharp.

The same is true for communicating! Writing a blog is one way you can practice getting your point across with style and get feedback from others. Try asking your readers for peer feedback. Have you read any of the testing books written in the past three years? Have you peer reviewed an article? If you want to start writing, there are a few established groups of writers in software you could join. And, if you are attending the 2012 Better Software Conference East or Agile Development Conference East, join us at the From Practitioner to Published Author bonus session to discuss communicating clearly on the written page.

For more on the following topic go to www.StickyMinds.com/bettersoftware: References.



Many teams struggle to choose or adapt a software development process. We’ve developed a process strategy called the software development game (SDG) for managing the mix of process, tools, and technology on software development teams. SDG lets you pick a process—any process—and, using gaming concepts, helps you adapt it to your own needs.

How can serious software development be treated like a game? While you may play games for fun in your spare time, games are also serious business. Sports have professional leagues that support entire industries around their games. The military uses war games to test strategies and train soldiers. The SDG has been influenced by both game theory [1] (although we aren’t using any formal mathematical modeling) and a more recent concept called gamification [2].

Game theory is a mathematical discipline used for modeling areas as diverse as economics, war, business, artificial intelligence, and biological evolution. At its core, game theory views every situation involving cooperation and conflict as a game. Some games have a defined time limit of play and a clear winner and loser, while others are experience based and ongoing—like a quest.

Recently, a movement called the gamification of work has become popular. Gamification involves imposing a game-like structure on certain aspects of professional situations to aid in productivity and motivation. Gamification can be as simple as offering rewards for completing certain tasks, or as complex as transforming an entire business practice into a game-like system. Because we can be so productive while performing repetitive tasks within social or gaming situations, researchers are trying to figure out how to tap into that potential to motivate within the workplace. (Gamification of work and game theory are not necessarily related, but there is an overlap. Understanding game theory can help gamification efforts, and gamification ideas can enhance game theory implementation.)

On software development teams, the team vision, purpose, rules of conduct, and informal practices are often created and enforced informally. This can result in confusion about the mission and purpose of the development team within the organization. At best, this informality leads to misunderstandings and communication breakdown; at worst, it results in a poor alignment to leadership’s goals for the organization. Either way, both the team members and the organizations lose out when there is wasted effort that isn’t contributing to value creation.

While formal game theory involves the use of mathematical models, analyzing gaming behavior is also effective. We have studied one aspect of game theory that looks at how people optimize their decision processes. In the SDG, we use game-like processes to help teams align with goals, provide clarity and coherence on issues, and offer visibility into the decision-making process. The SDG provides structure and accountability on a process that is frequently ad hoc, political, and unclear to team members. By gamifying decision making, the SDG helps software development teams determine and record their internal practices and their mix of technology, process, and tools. It can also serve as a framework to adapt existing policy and practices or to implement suggested changes for improvement after a team retrospective.

While both of us have been influenced by game theory concepts when leading software development efforts, it was David who decided to create a software development game framework based on the game Nomic by Peter Suber [3]. Nomic is a game about decision making where players agree on an initial rule set to govern game play, then they raise and vote on proposals to change the rules. So, changing the rules of the game is considered a valid move. Nomic is frequently played online, and games adapt over time as the players incorporate new ideas and changes. This is a great fit for dynamic software development teams that are frequently confronted with changing environments.

Rules of Play

To implement an SDG instance, a software development team starts with a minimal set of rules and an initial goal to create a learning organization—a group of people who continually enhance their capabilities to create what they want to create [4]. Where the game evolves from there is entirely up to the players (team members), but if it goes well, they become more productive and efficient and make better decisions as the game progresses. The SDG can start at any level—executive, management, teams, or individuals. Later, the game can expand to include more players and teams as it proves its usefulness.

David started as the facilitator. He created the game concept and educated team members on the process and the goals of the game. Once David had management buy in and the team agreed to try it out, he explained the initial rule set to govern game play and set up a meeting to see if all team members agreed to the rule set. A game page was created on the development team wiki describing the initial rule set.

Explanation of Rules

Rule 1: The initial goal of the game is to create a learning organization that enables the players to make high-quality choices and decisions. This rule should likely be refined to integrate the mission of the organization playing the game, as we specified above.


Rule 2: All players must unanimously agree to all rule changes. The voting rule initially specifies unanimity to pass any proposal. Most games amend this early on to specify some sort of majority vote in order to avoid stalemates, but the initial rule errs on the side of caution so that the foundations can be laid out carefully.

Rule 3: Proposals may add, amend, or repeal a rule. This describes the initial set of “moves” that can be made in the game—introducing a new rule, changing an existing rule, or removing an existing rule. The game will usually evolve more sophisticated rules, such as giving certain classes of players the right to veto vote under some conditions; creating a category of immutable rules that cannot be amended (unless they are removed from that category); and introducing new types of acts such as resolutions, goals, standards, and guidelines.

Rule 4: All rules should be logically self-consistent. Ensuring that rules are logically self-consistent helps encourage fair play and motivates the players to keep the rule set sane. Whenever an inconsistency is introduced (accidentally or by design), the players will be motivated to resolve the inconsistency by amendment or repeal.

David then guided the team through initial game play. After agreeing on the initial rule set, the team set to work on solving a difficult issue: determining C++ coding standards for the team. Choosing coding standards can be one of the most contentious issues any development team can face. (Those of you who code for a living understand how difficult this can be; those of you who don’t, imagine trying to find compromise between opposing political parties or religions.)

A proposal for a coding standard was put forward and voted in with a majority. After the vote and resolution, meeting details and the coding standard resolution were recorded on the development team wiki. By bringing the coding standards into the game, they now became rules of the game itself. By bringing software development policy and practices into the game, the team created a mechanism to follow and govern changes.

Evolving the Game

The SDG requires a framework for communication, raising issues, creating proposals to vote on, holding votes, and tallying results. David used a combination of a wiki, face-to-face meetings, email, and in-office instant messaging. In his role as facilitator, he answered questions, explained concepts, and watched for potential team issues that could be brought under the SDG.

For example, if a team member was complaining to colleagues about a lack of standards around builds, David would ask that person if the issue was important enough to be solved by the team. If it was, then he encouraged the team member to bring a proposal to the team so they could vote on it. A proposal could be as simple as: “Broken builds are a serious productivity issue. Some of us are spending hours trying to fix the build instead of completing tasks. We need to agree to fix the build problem and come up with ideas to address the problem.” While that might seem like a simple proposition to pass because it’s easy to agree to solve a problem, the hard part is actually doing something about it. If a proposal is vague, team members will offer up ideas and alternatives, and proposal clarification is a natural outcome. A proposal can become more concrete through discussion and debate. Ideally, the team will generate proposals with ownership and responsibility assigned to team members. From our prior example, a more specific proposal that would be actionable is: “Broken builds must be fixed before any new code is committed to the version control system.”

Thinking up solutions for problems can take time and can cause a face-to-face meeting to drag out. Furthermore, some personality types think better outside of a group and may approach team members after a face-to-face meeting.

The team agreed to use technology to make the process more efficient—proposals and votes on them could be initiated and executed electronically. If a proposal required more information than could be conveyed in email or was of a serious nature, the facilitator could initiate a face-to-face meeting to hear the proposal and hold a vote.

Now, imagine that you are the DevOps team member who has come up with a proposal to fix the build problem. You’re the team member who feels the broken build pain the most, and your potential solution works well. You’ve tested it out and your findings are positive. You explain your proposal to adopt a solution within the SDG, but you fail to get a majority vote. You are disappointed, and no other alternatives received a majority vote. You know this is the right way to go, so what do you do? If you want the vote, you will need to do what people in politics do and lobby for support.

• Educate team members on the merits of your proposal.
• Try to get key, influential people on your side to vote for the proposal.
• Appeal to the skeptics: How about a proposal to identify measurable outcomes and do periodic checks on the system to see if it is solving problems or not?
• Make a formal proposal and vote.


“If a proposal is vague, team members will offer up ideas and alternatives, and proposal clarification is a natural outcome. A proposal can become more concrete through discussion and debate.”


• Hope your lobbying efforts pay off and the proposal passes.

Once team members are comfortable with the process, it doesn’t take long for them to realize that any proposal can be brought forward—even the most self-serving ones. If there is team consensus to implement a change, the motivation behind it doesn’t matter. It might be as simple as one team member becoming bored with the current technology and wanting to move to something new. It might seem selfish to say, “I don’t want to work on Java web apps that much anymore. I’d love to work on mobile projects.” But if it is brought up in a forum, you’d be surprised how many others on the team feel the same way, including managers and product managers. Management may feel the organization needs to move to new technology to not fall behind, and product managers may be researching what competitors are doing, but neither group wants to bother the busy development team about it right now.

Without a forum to raise an issue openly and honestly, this kind of idea goes underground. In the worst case, it festers as a frustrated team member complains to others or attempts to use subversive or manipulative methods to try out a new technology platform. Once the right stakeholders are informed and they buy in to a proposal, it can be a powerful technique to introduce change, even with self-serving motivations.

Once David’s team had proposed and voted on a number of resolutions, the rule set expanded. This required categorization. Two potential categories are rules that govern the game itself, and rules that govern software development activities. In addition to the initial SDG rules, rules were added to govern rule changes, proposals (create or withdraw proposals), voting rules (what constitutes majority), and multi-votes (tie breakers, etc.). For the software development activities, rules were grouped according to team policies (vision statement, processes to follow) and development standards (coding standards, code reviews, and build and testing activities). As the rule set expanded, roles were added so that team players could have ownership in certain areas of the game based on their expertise and interest level. For example, roles can involve facilitating game play itself, overseeing technical components of the software development system, and guiding product direction. Roles were expanded to include managers and other stakeholders when their participation was needed.

The SDG evolved further to include gamification aspects for repeated tasks. Achievements for repeated tasks that might not be that pleasant were added as quests in the game. For example, business travel can be difficult and tiring, so the team decided to reward the top travelers on the team by giving them a shout out on the team wiki. There also were humorous booby prizes awarded to the last person who set off the building alarm or to the person who broke the build the most frequently.

This particular SDG instance has evolved to incorporate more and more of the daily life of the development team, while providing structure around communicating issues and making decisions on how to move forward.


Why It Works

This isn’t a one-team, one-time success story. David has implemented several SDG instances on different teams at different companies over the past few years. We have found that making the problem-solving and decision-making processes visible helps improve communication and reduces confusion. Much misunderstanding on development teams stems from differing expectations about what the team or individuals should accomplish and a lack of alignment toward organizational goals. Since decisions are democratic—anyone can table an issue, the team votes on all changes, and decisions are binding—team members feel included and valued as integral parts of the process. The SDG provides a framework for raising concerns and changing existing practices and tools in a way that helps teams cope with the changes in their external environment by adapting their internal practices as needed. Furthermore, if the team finds that the game framework itself isn’t working for them anymore, they change the rules to improve it. Using game-like concepts in the workplace is a way to harness the natural behavioral dynamics that occur within groups. Since the game itself can be adapted, teams don’t find themselves stuck with a rigid process that isn’t appropriate for their new circumstances. Rules can be amended or even repealed if they no longer add value.

Management and other leaders might be nervous about the SDG at first. It should be clear for both management and team members that the game only applies to areas over which the development team has ownership. The team shouldn’t contradict existing corporate policies or try to overturn decisions made by leadership. For example, team members can’t just go and vote themselves raises and bonuses or decide on their own to scrap the existing product line. For areas that are governed by other stakeholders, the team can bring issues to their attention, but the existing organizational structure and policies should remain intact. (If leaders want to add the game to other areas, that is fine, but don’t try to use the game to undermine them.) Leaders will find that the game can create clarity and coherence of their vision of the company and their product and service mix. Team alignment on actions and goals may increase, and the transparency on decisions means management can review when and why certain technical directions were taken when proposals were voted in.

An SDG helps teams make decisions, particularly if the teams are self-organizing. It also helps build team cohesion and encourages diversity of opinion and healthy dissent. If there are serious problems, an SDG can provide a framework to help a team change course on projects and tasks to reach organizational goals.

A fabulous place to start using an SDG is to help implement changes after a retrospective. How many times do we have a great meeting after a release, outlining problems we encountered and possible solutions, only to forget about them until the next retrospective? In the meantime, we didn’t do anything; we were too busy working on tasks. We had great intentions, but without a system to help us decide on courses of action and to measure progress, we forgot about our solution ideas. With an SDG, retrospective ideas can be implemented through the game, rather than forgotten until next time.

Conclusion

Software development processes can be difficult concepts to apply broadly. What worked for one team in its unique context may not work for your team. Adaptation is important in cases when a team tries out a process and finds that some practices don’t work or that key components are completely absent. When processes fail, a convenient response is “You need to do what works for you and your team.” That makes sense, but what specific, concrete practices do you use to find out what process works for you? We’ve had good success figuring that out for our teams by using the software development game.

[email protected]@gmail.com

Implementing Your Own Software Development Game

1. Start off with simple game play rules (feel free to use our example).
2. Use a facilitator to guide game play, manage meetings, tally scores, and record and update rules.
3. Start simple, and let the game evolve. Don’t try to do too much.
   • Develop team policy and alignment to organizational goals.
   • Consider using the game to help implement retrospective ideas.
4. Use the game to discover what your existing processes are, record and ratify them, and make them visible to all team members.
5. Don’t let the rules become unwieldy:
   • Try to keep rules brief and lightweight.
   • If rules are too numerous, work on scaling them back.
6. As the game expands, introduce additional roles to help with administration.

For more on the following topics go to www.StickyMinds.com/bettersoftware: References, Further reading.



It seems like every week the press has yet another story about security breaches or stolen data at some of the world’s largest companies or government agencies. Sometimes the responsibility for ensuring thorough security resides with an IT security group, and other times it gets outsourced altogether. The responsibility seldom falls to testing teams. However, this is changing. Having trained and experienced testers hunt for security bugs will make web applications safer from hackers and will further protect consumers, corporate assets, and brands.

Security testing techniques are not well known to many traditional functional testing teams because there are relatively few opportunities to learn them compared to learning functional testing. And, security testing is more difficult to perform than functional testing for reasons including: vague security requirements for many applications; low-level, technically challenging testing approaches; and security testing tools that are difficult to set up and configure.

A major consideration for any security testing strategy is that every architectural layer of an application is vulnerable in different ways; some are more easily penetrated and exploited than others. The points at which an attacker can reach those layers (URLs, request parameters, cookies, headers, file uploads, and so on) make up the application’s attack surface, and it differs from one web application to the next because of the varying architecture, frameworks, and languages used to build them. Hackers trying to penetrate your web applications must learn as much as possible about that attack surface, so testers should map it just as deliberately. The attackers’ methods are numerous and constantly evolving, so testers need to think in similar ways when approaching security testing. Approaching testing in a progressive and creative manner is perhaps one of the greatest challenges for security testers. To keep up with the efforts of hackers, testers must utilize not only traditional and time-tested tools but also the newest tools available.

This can be a daunting task because of the nature, variety, and number of tools available for security testing. This article covers a few of the basic free tools available for web application security testing. These tools can stand alone or serve as a foundation for the adoption of more mature tools within your organization. Building on this small set of tools over time broadens the coverage of your security testing certification process, the set of checks that must be executed and passed before release.


Just as with other types of testing, it is important to know that you cannot prove the nonexistence of security defects. Exhaustive security testing is impossible, due to the diverse nature of the attack surface and the number of possible variables that can be manipulated across that surface. However, there are categories of attacks that tend to be more popular due to their effectiveness. Two specific web application vulnerabilities that you should be aware of are SQL injection and cross-site scripting (XSS). An excellent primer to these vulnerabilities can be found at the Open Web Application Security Project (OWASP) [1]. The OWASP testing guide [2] is one of the best resources available on web application security and vulnerability testing. It is several hundred pages long, so do not expect to master every testing mechanism right away.

Preparing for an effective security testing strategy includes getting familiar with a few core tools, such as the Firefox browser—yes, the same Firefox browser you use to verify the functional behavior of web applications. This browser is perhaps the best all-around beginner’s tool for testing the security of a web application, largely because of an ecosystem of browser plug-ins built specifically for security testing tasks, including two free Firefox add-ons that every security tester hunting for web-based vulnerabilities should have: SQL Inject Me and XSS Me. (Both were written as legacy Firefox extensions, a format that current Firefox releases no longer load; on a modern browser the same checks are run from an intercepting proxy or scanner instead.)

SQL Inject Me allows you to test for SQL injection vulnerabilities, which attackers can use to read data they should never see and to modify the contents of a database. Some of these vulnerabilities even allow an attacker to execute administrative operations on the database server, which is disastrous. The defect is not tied to a language: it arises wherever untrusted input is concatenated into the text of a query, although applications written in PHP or classic ASP have historically been the most frequent victims because that coding pattern was common in them. The XSS Me tool checks for XSS vulnerabilities, which let an attacker run script in a victim’s browser in the context of your site, and so act with that user’s privileges, steal the session, or reach other applications that trust that browser session. These two tools alone will not allow you to test for every type of SQL injection and XSS vulnerability, but they will allow you to establish foundational testing practices for both categories of vulnerabilities. Once you have mastered the functionality of these tools, you can adopt tools that expand this functionality, such as Metasploit and Nexpose, both of which have free editions available.

Once you have prepared a tool to perform SQL injection testing, you need to determine how best to formulate attack strings that you can feed through the tool. Some tools already have a library of such strings that they automatically feed into the application under test. For the tools that do not, you must prepare your own SQL attack strings. This is not a trivial task, as there are many types of SQL injection attacks. SQL injection is a form of code injection: input that the application should have treated as data is concatenated into the text of a query, so the database parses the attacker’s characters as SQL and executes them. Tautologies such as ' OR '1'='1, comment sequences that truncate the rest of a statement, and a lone quote character that breaks the statement’s syntax are the usual starting points, and an error message from the database in response to any of them is itself a finding. There are many resources on the web for advice on how to test for SQL injection vulnerabilities. (ITSecTeam.com has a very good paper on it [3]).
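The difference between a query that can be injected and one that cannot, as an added example that is not part of the original article and not SQL Inject Me’s own library: a login check built by string formatting is probed with a handful of attack strings of the kinds described above, then the same check written with bound parameters is probed with the same strings. The users table, its single row, and the probe list are constructed for this example.

```python
"""Added example: a SQL-injectable login check next to its parameterized
fix, exercised with a small probe library.  Schema, data and probes are
constructed for illustration; they are not SQL Inject Me's own library."""
import sqlite3

# (username, password) pairs a tester might feed through a tool.  The
# tautologies make the WHERE clause true for some row; the "--" payloads
# comment out the rest of the statement; the lone quote breaks the
# statement's syntax, which is itself a sign the input reached the parser.
PROBES = [
    ("nobody", "' OR '1'='1"),
    ("nobody", "' OR 1=1 --"),
    ("' OR 1=1 --", "wrong"),
    ("' OR '1'='1", "wrong"),   # not a bypass: AND binds tighter than OR here
    ("alice' --", "wrong"),      # comment truncation; needs a guessed username
    ("'", "wrong"),
]


def make_db():
    """In-memory users table with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    """The defect: untrusted input is spliced into the SQL text, so quote
    characters and comment markers in the input are parsed as SQL."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, username, password):
    """The fix: bound parameters.  The values travel separately from the
    statement text, so nothing in them can alter the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


def probe(login):
    """Run every probe against `login` and return (username, password,
    outcome) for each one that indicates injection: "bypass" when the
    login succeeded without valid credentials, "sql-error" when the
    database rejected the statement.  An empty list means these probes
    found nothing; it does not prove the query is safe."""
    db = make_db()
    findings = []
    for username, password in PROBES:
        try:
            if login(db, username, password):
                findings.append((username, password, "bypass"))
        except sqlite3.Error:
            findings.append((username, password, "sql-error"))
    return findings


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, probe(fn))
```

The fourth probe is kept deliberately: the same tautology that bypasses the check from the password field fails from the username field because AND has higher precedence than OR, which is why a probe library tries each payload in every parameter rather than once per request.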

The testing of XSS involves checking whether a malicious script can be injected into the parameter of a web request, such as an HTTP GET request. Initially, this attack is typically performed right in the browser’s URL bar, which allows a hacker to determine quickly if your application is susceptible or not. There are actually two types of XSS attacks, reflected and stored. A reflected attack means that the injected code is reflected off of the web server and back to the user, typically via an email link that the user clicks. A stored attack means that the injected code is already sitting in a database or some other repository and the user inadvertently retrieves it when he fetches data from the database. The XSS Me tool will only help you test for reflected attacks. It will not help with stored attacks, so keep that in mind when planning your security testing strategy as you will want to adopt some other tool or penetration testing method to check for stored attacks.
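An added Python example, not part of the article and not XSS Me's own code: a reflected check in the style the article describes (put a marker in a GET parameter, look for it unencoded in the immediate response) beside a stored case that a single-response check cannot detect and that needs a two-request check instead. The search handlers, the guest book and the probe marker are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed probe marker (not a real payload): what matters is only whether the
# application echoes it back unencoded, the condition for a reflected XSS sink.
PROBE = "<xssme>"


def _param(url, name):
    """Return the first value of query parameter `name`, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_page_vulnerable(url):
    """Hypothetical search handler that reflects 'q' straight into the HTML."""
    return "<h1>Results for " + _param(url, "q") + "</h1>"


def search_page_safe(url):
    """Same handler with the value encoded for an HTML context before output."""
    return "<h1>Results for " + html.escape(_param(url, "q"), quote=True) + "</h1>"


def reflects_unencoded(page_fn, base_url="http://app.example/search"):
    """Reflected check: send the probe in a GET parameter, as one would type it
    in the URL bar, and look for it byte for byte in the immediate response.
    An encoded echo (&lt;xssme&gt;) means the output is escaped."""
    return PROBE in page_fn(base_url + "?q=" + PROBE)


class GuestBook:
    """Hypothetical page where input is stored on one request and rendered on a
    later one: the situation a single-response reflected check cannot see."""

    def __init__(self, escape_output):
        self.entries = []
        self.escape_output = escape_output

    def post(self, text):
        self.entries.append(text)          # request 1: store, nothing is echoed

    def render(self):                      # request 2: render everything stored
        items = [html.escape(e, quote=True) if self.escape_output else e
                 for e in self.entries]
        return "<ul>" + "".join("<li>" + i + "</li>" for i in items) + "</ul>"


def stored_check(book):
    """Two-request check: submit the probe, then fetch the page that renders it."""
    book.post(PROBE)
    return PROBE in book.render()
```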

When you are ready to adopt some advanced security testing tools, you should take advantage of another freeware tool called WebScarab. This tool is part of OWASP and has multiple features that will allow you to test for various categories of vulnerabilities. Its non-intuitive user interface is somewhat difficult to use, but it is a popular tool among the web application security testing community. The main benefit is that it allows for the interception and manipulation of HTTP traffic. This class of testing falls under the category of fault injection, which simply means that you are manually injecting carefully crafted faults into a request or a data stream. While WebScarab offers many diverse features for security testing, be aware that it will take some time to get familiar with and understand many of the features.

Many of these tools have features that need to be studied and understood before trying to utilize them. There is no sense trying to apply an advanced testing mechanism without knowing how to interpret the testing results on your particular application. It is best to start slow and master one or two testing features at a time before moving on.

Another free OWASP tool is Mantra, an open source, browser-based framework for penetration testing. Mantra offers a large number of plug-ins that can be used for various categories of testing, such as information gathering and application auditing. Both SQL Inject Me and XSS Me plug into the Mantra framework as well. In addition, Mantra offers tools that can interrogate network and proxy information. There are approximately fifty tools available as plug-ins to the Mantra framework. The best part about Mantra is that OWASP provides some very good documentation supporting the proper usage of each tool, which is valuable for beginning and intermediate testers alike.

Additionally, there are a number of free web application vulnerability scanners, such as Websecurify, Netsparker Community Edition, and w3af. These scanners allow you to identify common vulnerabilities through a scanning mechanism, interpret the results, and perform some deeper tests to further explore the vulnerabilities discovered. There are varying features across these tools and, again, it will take the beginner a while to come up to speed. Do the proper due diligence around each category of vulnerability that each tool helps identify so that you understand the severity and the risks.

Thorough security testing is a complicated and technical undertaking, but with some incremental first steps, testers can begin to master some critically important techniques and tools that increase the security of web applications and make it more difficult for hackers to gain access. Over time, your organization can develop a secure testing methodology that is complemented by a set of tools that act as a line of defense for your applications prior to release to production. As with many other aspects of testing, security testing is most effective when done by different individuals who specialize in certain types of testing methods. This allows for the development of a diverse set of tests from a diverse set of testers. The main objective for those taking on a security testing role is to develop a set of comprehensive security regression tests that can be iterated on and expanded over time to further protect your users and corporate brand from the risks of insecure software.

Security testing is a comprehensive discipline that requires a great deal of study and experimentation to master and, as noted above, there are literally hundreds of tools available to help. While you can achieve a foundational level of effectiveness by using the tools presented here, you will need to supplement them with a more comprehensive strategy. This could include outsourcing some security testing tasks to an expert testing organization or through your internal corporate IT security group. Learning a new testing discipline is a journey. Once you become familiar with some of the foundational techniques of security testing and the right tools, your testing organization will be well on its way to providing another safety net protecting your organization’s consumers and corporate assets. {end}


For more on the following topics go to www.StickyMinds.com/bettersoftware: References; Security testing tools


What springs to mind when you hear the word “governance”? For many people, it’s bureaucracy. They see a thick manual of policies and checklists, a central committee that delays decisions, or an endless round of audits and compliance checks. The next thing that comes to mind is skunkworks—how do we go underground to avoid the governance police?

It doesn’t have to be like that. Governance isn’t about compliance. It’s about making good decisions in an efficient way.

What Is Governance?

My preferred definition comes from the Institute on Governance [1]. They’ve defined governance as “the process whereby societies or organizations make important decisions, determine whom they involve and how they render account.” This identifies four key aspects to governance:

1. Defining which decisions are important—Some decisions have a large impact on whether we achieve our goals. Most don’t. Good governance ensures we focus our energy on the important decisions.


2. Defining who makes these decisions—How much time have you seen wasted on demarcation disputes? How many decisions have you seen fall through the cracks because no one took responsibility for them? Good governance ensures that lines of authority are clear.

3. Defining “due process”—If the decision-making process is clear, we don’t need to spend time making it up as we go along. We can focus our energy on analyzing our options and balancing trade-offs. If people can see that we’ve followed the agreed process, then they’re less likely to challenge the resulting decision and we won’t waste time revisiting old decisions.

4. Accounting for outcomes—Accountability is not the same as blame. Good governance builds in feedback loops. It ensures that we track the outcomes of decisions and, hence, refine those decisions as we learn more. Equally, it ensures that we monitor and refine the decision-making process itself.

Software development is knowledge work. It’s all about decisions—which features to prioritize and which to delay, which design trade-offs to emphasize, where to allocate our effort, and so on. Good governance ensures that we make these decisions as effectively as possible. We involve the right people in the right way, and we learn and refine as we go along.

Conversely, poor governance leads to poor decision making. We waste time on trivial decisions. We involve people who lack the necessary expertise and understanding. We define bespoke processes for every decision. We get bogged down in politicking and infighting as people argue about decision rights. And, at the end of all this, we’re left with decisions that don’t stick, either because they lack legitimacy in the eyes of key stakeholders or because they aren’t grounded in solid evidence and analysis.

The sad fact is that organizations that don’t address governance end up spending a lot of time on it. They discuss it afresh for each decision as they design the decision-making process and argue about decision rights. They’re then left with little time to gather data, analyze options, and make the decision, so they make bad decisions.

Central or Devolved?

How is it that governance often turns into bureaucracy? This tends to happen when people equate governance with centralized control. They reason that centrally enforced policies, priorities, and standards make it easier to ensure that everyone acts in a way that aligns to corporate goals. Further, they reckon that centralization builds consistency, making it easier to coordinate distributed teams and move work or people between teams.

There’s some truth in this, but there are also countervailing pressures. For example, devolving decision making to individuals and teams ensures that decisions will be more closely attuned to local circumstances. It also shortens the chain of command, allowing people to make decisions more rapidly. Such speed and situational awareness are often key requirements for good decision making.

Many executives find devolved decision making scary. Things move quickly and not always in the direction they expect, but this may just reflect the realities of software development. Local nuances can have a large impact on the effectiveness of a team or the validity of a solution. In such circumstances, centralization merely gives the illusion of control.

Defining appropriate governance structures, then, is about balance. We need to balance the benefits of centralized and devolved control. Here are some factors to consider when doing this:

• Consistency—Is it important to make consistent decisions across multiple teams? Centralized governance mechanisms make this easier. For example, a central body might set standards for user interface design.

• Alignment—Do you want to ensure that everyone is focused on common priorities and objectives? Again, centralized decision making can make this easier. So, you might set up a central portfolio management office to decide which projects to prioritize.

• Expertise—Do you need specialist expertise to make certain decisions or to carry them out? If that expertise is rare, then you might put people into a central pool where you can manage their utilization carefully. This is common for groups like legal teams and things like specialist equipment and tools.

• Speed—If decisions need to be made quickly, then you want to reduce the length of the chain of command. So, devolved governance mechanisms make a lot of sense.

• Situational awareness—Many decisions are influenced by context—different customers need different types of support, different teams have different strengths and weaknesses, etc. People who are close to the situation are better able to weigh the factors and make appropriate decisions. This favors devolved governance.

• Scope for consultation and guidance—It doesn’t have to be all or nothing, central or devolved. You can create intermediate structures by centralizing some aspects of a decision and devolving others. For example, people may make decisions locally but use centrally defined guidelines. Or, an organization might decide centrally after consulting with teams and individuals locally.

The balance point will vary from organization to organization, as factors such as culture, market environment, and the mix of products and technologies come into play. It will also vary from decision to decision within a single organization. Good governance builds a range of decision-making mechanisms, each tuned to different circumstances.

The balance point might also be dynamic. For example, if you’re experimenting with a new technology, then it probably makes sense to devolve decisions initially while teams learn how to handle it. But, as understanding grows, you might want to centralize some decisions in order to ensure consistent application of your newfound knowledge.

It can even make sense to rotate between the two poles. This can help transfer knowledge. People bring local knowledge from the field and share it more widely when they centralize. They then build specialist skills to take back into the field when they next decentralize. I haven’t seen many organizations that are smart enough to do this consciously, but it might be the main benefit they get from their regular reorganizations.


Other Decision Attributes

This trade-off between central and devolved control is at the heart of good governance. However, it’s also worth considering some other attributes of your decisions:

• Routine versus one-off—Routine decisions benefit from clear policies and guidance. You want to make them as efficiently as possible. On the other hand, trying to write policies that cover every possible one-off decision and exceptional case is a fool’s errand. It’s unlikely that you can accurately predict every possible circumstance, and the weighty policies will just bog down routine decision making. When an exception arises, set up a specialist team to deal with it.

• Complex versus complicated—Complicated decisions are amenable to analysis. It might take time, but a team of experts can eventually think through the situation and decide. Complex decisions arise when everything is so interconnected that such analysis simply isn’t tractable. In such cases, you need to experiment to learn what works, so your governance structures must support experimentation and phased decision making.

• Reversibility—If decisions can be reversed easily, then controls can be made more lightweight. Thus, for example, you can make the decision within a devolved team and then review it centrally later. This may incur added costs when you reverse a decision, but the benefit of rapid decision making often outweighs this (provided that the devolved team gets it right most of the time).

The important thing is to think clearly about your situation and the decision-making mechanisms that fit it. If you only start thinking about decision making when in the midst of a crisis, then you’re unlikely to make good decisions.

And remember the fourth aspect from my definition of governance: accounting for outcomes. Monitor the effectiveness of your decision making, and work to improve it as you learn more.

Governance is an ongoing process, not a one-off. If we don’t look after our governance structures, then they tend to degenerate, either toward anarchy or toward bureaucracy. Conversely, if we maintain them carefully, refining them as we learn, then we’ll be rewarded with flexible decision-making processes that consider all the important factors and win the buy-in of all key stakeholders. The price of good governance is eternal vigilance. {end}


For more on the following topic go to www.StickyMinds.com/bettersoftware: References


Product Announcements

TeamForge ALM

CollabNet, an enterprise cloud development and agile ALM products and services company, announced a new release of its TeamForge® ALM platform. The new version incorporates new tools and functionality to help IT organizations better manage, collaborate, and drive value using hybrid development processes and environments. TeamForge now offers the industry’s only combined platform for Git and Subversion usage and management. Other new features include integrated code review and search, and enterprise planning and reporting to help orchestrate hybrid development processes and DevOps both on-premise or across any cloud—private, public, or internal.

Using TeamForge, enterprise IT organizations can leverage a mix of technology processes, commercial and open source tools, and deployment applications through both on-premise deployments or as an offering within its CloudForge enterprise cloud platform. TeamForge now natively embeds a number of newly added open source tools, including Git, Gerrit, and ReviewBoard, commercial partner tools, including Black Duck® Code Sight(TM), as well as enhancing its Jenkins/Hudson integration. These newly added tools work completely within the TeamForge platform to orchestrate and integrate cloud services, such as build, test, and code sharing, into a team’s development processes—from public or private clouds, such as Amazon EC2 and CloudForge.

www.collab.net/products

ElectricDeploy

Electric Cloud, a DevOps automation company, announced ElectricDeploy(TM), a solution that automates application deployments with built-in fail-safe capabilities, helping customers deploy applications faster and with higher quality. ElectricDeploy is built and tightly integrated to Electric Cloud’s ElectricCommander platform providing end-to-end application delivery automation. The new product automates and standardizes application deployments across all environments—Dev, QA, pre-production, and production—by modeling applications, related environments, and processes that deploy and recover applications. This model-driven approach reduces the variability of deployments across multiple environments, enabling teams to reliably and more rapidly deploy applications. ElectricDeploy also provides centralized visibility and control of deployments, allowing teams to manage and track release processes across the application delivery lifecycle.

Additionally, ElectricDeploy reduces the occurrences and impacts of deployment failures in production environments through its fail-safe features by refining deployment processes throughout the application delivery pipeline from development to operations. These fail-safe features integrate three distinct capabilities: Code-Safe offers run-time debugging capabilities to interactively refine deployment processes; Run-Safe lets teams define success and failure thresholds for application deployments so that deployments can account for real-world solutions; Recover-Safe enables teams to define recovery policies and processes for dynamic management of deployment failures.

www.electric-cloud.com/deploy

Management Analytics Solution

Acunote, an online project management and collaboration software provider, launched its Management Analytics solution as part of its new breed of business software, Management Intelligence. Acunote Management Analytics gives executives and managers real-time data insights that increase productivity, save time and costs, and improve collaboration among software development, I.T., marketing, and customer service teams in a wide range of industries.

Many companies fail to capture and analyze quality data to help them uncover faster, easier, and more accurate ways to manage and predict how and when complex projects will be completed across one or more teams. The end results are inefficient teams, higher costs and, in many cases, competitive disadvantages. Acunote solves this problem by automatically capturing and analyzing execution data in real-time to create burndown charts that predict and track the progress of individuals and entire teams for each project. Individual team members, project managers, and executives alike can view which tasks need to be completed by whom and by what date, even if plans change during a project.

www.acunote.com/plans-and-prices


Kendo UI Complete

Kendo UI, a new product from developer tools and solutions provider Telerik, unveiled its next major release of Kendo UI Complete, a collection of Web, DataViz and management tools for professional software developers. With this release, Kendo UI adds support for tablet UIs and debuts server-side wrappers for ASP.NET MVC in order to extend and simplify development of HTML5 and JavaScript mobile apps and sites.

This new release also adds server-side helpers for ASP.NET MVC, enabling developers to incorporate and configure Kendo UI via familiar server-side programming, while still producing apps that benefit from the client-side power of Kendo UI and HTML5. While Kendo UI works with any server-side technology, some developers are less comfortable in JavaScript and CSS, but feel very capable when working inside of a server-side language. These wrappers ensure that developers who prefer to build apps from their own server-side language can do so quickly. Developers using the new ASP.NET MVC wrappers can take full advantage of server-side framework features and coding conveniences, while targeting both desktop and mobile devices using the cross-platform power of modern HTML5, CSS3 and JavaScript. Kendo UI Complete for ASP.NET MVC is the first of what the company plans to be a collection of server-side helpers for different platforms, including Java and PHP, all designed to maximize developer productivity with HTML5.

www.kendoui.com

GUIdancer and Jubula

BREDEX GmbH announced the latest release of its automated GUI test tools, GUIdancer and Jubula, in versions 6.0.1 and 1.2.1. The new standalone versions of both tools contain an integration with Chronon, which records the entire execution of a Java program and allows it to be played back anywhere. The replayed program can be analyzed using Chronon’s Time Travelling Debugger to quickly identify and solve any problems or bugs that might have occurred in the original program. The release of GUIdancer and Jubula coincides with the Eclipse Juno release, which also sees the Eclipse Jubula feature updated to include features that were made available in the standalone versions in spring.

When the Chronon recorder is active, debug information is collected while the application is running. In the GUIdancer and Jubula context, this means that an application being tested automatically can also be collecting debug information. Once the test is finished, the recorded file can be imported into the Chronon Time Travelling Debugger to step through the source code to easily identify and analyze problems. The standalone versions of GUIdancer and Jubula also come with the Chronon recorder embedded in themselves, which allows users of the tools to report any troubles with the tools themselves back to BREDEX GmbH by sending them as a Chronon recording. Jubula offers cross-platform test automation for Swing, SWT/RCP/GEF and HTML applications and can be downloaded from the Eclipse Jubula Project Page. GUIdancer is based on Jubula and extends Jubula to offer a range of professional features for testers such as Code Coverage analysis, reporting, a web-based Dashboard, test quality assurance (Teststyle), and context-based working with Mylyn.

www.bredexsw.com

Terraform

UrbanCode, an enterprise build, deploy, and release automation company, announced the launch of Terraform. The open source software, made available under the Apache 2.0 license, allows for one-click provisioning of environments for IT teams. Terraform lets teams slash environment provisioning times from weeks to minutes by automating time-consuming operations. Terraform currently works on top of Amazon EC2 and VMware vSphere, with integrations for additional providers planned for future releases.

Terraform exposes provisioning of an environment as a self-service. By reducing the time needed to provision environments, teams are now able to test scenarios faster, saving money by detecting issues sooner, and delivering more often. Terraform also lets users track changes easier and promote topology changes just like code changes. Other features include: open source, free software; the ability to work on top of Amazon EC2 and VMware vSphere, with additional providers on the way; configuration management via integrations with Puppet and Chef; and virtual environment provisioning with the push of a button.

www.urbancode.com/html/products/terraform

Rally Acquires Agile Advantage

Rally, an agile software development company, has acquired Agile Advantage, a product and services company that helps organizations maximize the financial return of agile software development projects. The acquisition adds integrated schedule and cost measurement to Rally Portfolio Manager, enabling accurate and objective evaluation of portfolio performance so companies can determine where they should steer their technology investments for higher returns.

Built on Rally’s enterprise-class platform, Rally Portfolio Manager offers the following: a business view of agile development status; development aligned with portfolio investment plans; fact-based governance; value-driven prioritization; and realistic roadmaps.

Agile Advantage is a software products and services company focused on bridging the gap between agile and traditional business planning processes. Its products translate the results of agile teams into something consumable by business stakeholders and provide business-level forecasting of schedule and budget. Experienced members of the agile community, Brent Barton (CEO) and Chris Sterling (CTO) founded the company to help organizations solve the business challenges of moving to agile.

www.rallydev.com

MonkeyTalk

Gorilla Logic, an enterprise application development and testing company, released its latest version of MonkeyTalk, which provides open source application testing. MonkeyTalk Beta 5 features comprehensive script recording and playback support for testing any HTML-based browser application, and any Adobe Flex application. This new version of MonkeyTalk now makes it possible for QA analysts and developers to perform functional tests of their apps for iOS, Android, HTML5, and Adobe Flex with one tool.

Released in March of this year, MonkeyTalk has been downloaded more than 10,000 times and is being used to automate application testing and ensure the quality of iOS, Android, and mobile web applications that businesses depend on to make great impressions on their customers. MonkeyTalk records and plays back all user interactions on iOS, Android, and now desktop-browser apps.

www.gorillalogic.com

Serena IT Dashboard

Orchestrated IT solutions company Serena Software announced the new release of Serena IT Dashboard, providing improved visibility into end-to-end IT process performance and new accessibility on mobile devices. The new Serena IT Dashboard provides key performance indicators (KPIs) and dashboards that are specifically designed for application lifecycle management (ALM) and IT Service Management (ITSM) processes. With this release, customers now have an enterprise dashboard tying together all Serena technologies, including performance metrics of both mainframe and distributed systems.

The new Serena IT Dashboard offers built-in best practices, along with easily configurable views, so IT executives can avoid the let-down of BI initiatives, and instead quickly deploy an enterprise IT intelligence solution that easily adapts to their changing environment. Integrating with the mainframe, and now also available on tablets, smartphones and laptops, Serena IT Dashboard delivers IT intelligence with “BYOD” (bring-your-own-device) efficiency.

www.serena.com/products/alm-dashboard/index.html

Cloud Summer 2012

Informatica Corporation, an independent provider of data integration software, introduced Informatica Cloud Summer 2012, the latest release in its family of cloud-based data integration services, with a focus on making cloud integration easier to develop, configure, and consume. Informatica Cloud Summer 2012 increases the functionality and power of the Informatica Cloud Platform by allowing developers to encapsulate integration process logic in templates that can be consumed and dynamically configured by end-users at run time. Cloud Integration Templates are a key component of the Informatica Cloud Developer Edition, and will be made available along with other productivity assets on the new Cloud Integration Developer site. This release also increases the number of native cloud connectors and broadens support for the Informatica Cloud Data Loader Service.

Informatica Cloud Summer 2012 introduces new enhancements to the Cloud Connector Toolkit for building and delivering high-performance native connectivity to cloud or on-premise business and social applications. Customers, ISVs, and SIs can now take advantage of new connectors for Eloqua, Workday, Netsuite, and Web Services. The Cloud Connector Toolkit also supports new advanced hierarchical data modeling, which allows applications with complex object relationships to make use of new data integration scenarios.

www.informatica.com/us

CloudForge

CollabNet, an enterprise cloud development and agile ALM products and services company, launched the commercial version of its CloudForge development-Platform-as-a-Service (dPaaS). The new CloudForge interface combines a consumer-like user experience with the security and management needed to bring cloud development to the enterprise.


With CloudForge, developers and operations teams alike can migrate their projects and data to the cloud, and deploy to their PaaS or datacenter. For the first time, development teams can instantly provision and integrate their tool stack of choice, including hosted tools like Apache Subversion® (SVN), Git, Trac and TeamForge®, and integrated applications like Atlassian JIRA, Basecamp and Rally Software. Administrators gain a single-pane view of cloud resource consumption, activity and project progress, and critical data needed to manage team-based development.

www.cloudforge.com

OpenStack

Rackspace, a cloud computing company, announced the availability of cloud databases and cloud servers powered by OpenStack, along with a new control panel. Customers can now select from private, public, or hybrid offerings and can deploy their solutions in a Rackspace data center or another data center of their choice.

All of Rackspace’s open cloud products can be accessed through the new control panel. The control panel allows customers to manage both existing and new cloud products as they emerge. In addition, customers now have the ability to use the open Rackspace cloud in hybrid or private cloud instances. Customers can choose the best platform for their applications by realizing the power of hybrid computing through RackConnect. This solution allows the flexibility and elasticity of the open cloud, as well as the enhanced security and performance characteristics of traditional hosting on dedicated hardware. RackConnect provides integration between public and private clouds within Rackspace and the open cloud provides open standards to help customers use hybrid hosting between clouds located anywhere.

www.rackspace.com/cloud

Insight 9.6

Klocwork Inc., an automated source code analysis solutions company, announced the latest release of its source code analysis tool, Klocwork Insight 9.6. This release introduces multiple capabilities that allow software development teams to reduce their development time while ensuring their code is secure and reliable. Klocwork Insight 9.6 is also fully localized for the Japanese market.

To accelerate the Klocwork build process, Klocwork Insight now includes integration with the Xoreax IncrediBuild native build environment. This integration allows joint Klocwork and Xoreax customers to run IncrediBuild in tandem with Klocwork Insight analysis, enabling tight process integration and ensuring accurate analysis results.

www.klocwork.com/products/insight


www.TechWell.com JULY/AUGUST 2012 BETTER SOFTWARE 31

Dynamic Duo

Two Conferences in One Location

November 4–9, 2012 • Orlando, FL

Early Bird Savings! Register by Oct. 5 and save up to $200. The larger the group, the more you save.

Explore the full program at www.sqe.com/betteragileeast

PMI® members can earn PDUs at both events.

One registration gets you two conferences.


Conference Schedule

Build your own conference: multi-day training classes, tutorials, keynotes, conference classes, Summit sessions, and more, packed with information covering the latest technologies, trends, and practices in agile methods and software development.

Who Should Attend?

• Software managers, directors, CTOs, and CIOs
• Project managers and leads
• Measurement and process improvement specialists
• Requirements and business analysts
• Software architects
• Security engineers
• Test and QA managers
• Developers and engineers
• Technical project leaders
• Testers
• Process improvement staff
• Auditors
• Business managers

Sunday through Tuesday: multi-day training classes

• Software Tester Certification—Foundation Level Training (3 days)
• Certified ScrumMaster Training (CSM) + PMI-ACP (2 days)
• Product Owner Certification (2 days)
• Agile Testing Practices (2 days)
• Fundamentals of Agile Certification (2 days)
• Bonus session: From Practitioner to Published Author: A Workshop About Writing About Software

Monday–Tuesday: 36 in-depth half- and full-day tutorials; multi-day training classes continue

Wednesday–Thursday: 4 keynotes, 48 conference classes, Networking EXPO, special events, and more!

www.sqe.com/betteragileeast Register early and save up to $200!

“From beginner to expert there was something for everyone.” —Rob Frisbie, software project engineer, Gentex

The EXPO, November 7–8, 2012

Visit top industry providers offering the latest in software solutions. 94 sessions offer PMI® PDUs. One registration gets you into all sessions! One Amazing Destination.

TOOLS • TECHNIQUES • SERVICES • DEMOS • SOLUTIONS

Looking for answers? Take time to explore the Better Software Conference and Agile Development Conference EXPO, designed to bring you the latest solutions in technologies, software, and tools covering all aspects of software development.


Keynotes by International Experts

• Games Software People Play: Reasoning, Tactics, Biases, Fallacies (Philippe Kruchten, Kruchten Engineering Services, Ltd.)
• Adaptive Leadership: Accelerating Enterprise Agility (Jim Highsmith, ThoughtWorks)
• Embracing Uncertainty: A Leap of Faith (Dan North, Lean Technology Specialist)
• Form Follows Function: The Architecture of a Congruent Organization (Ken Pugh, Net Objectives)

Friday: Agile Leadership Summit

Join your peers and agile industry veterans to explore the unique challenges facing software development leaders as they transform organizations to support agile methods. You’ll hear what’s working, and not working, for them and have the opportunity to share your experiences and successes.

• Kicking and Screaming: Moving to Business Agility (Sue McKinney, VP, Pitney Bowes)
• Agile Reality Bites: The Stories of the Struggle (Robert Begg, VP, Bluecat Networks)
• Proactive Risk Management: Calming Nervous Managers (Niel Nickolaisen, CIO, Western Governors University)
• Think tank discussion

Two Great Conferences. One Amazing Destination. One registration gets you into all sessions!

TOOLS • TECHNIQUES • SERVICES • DEMOS • SOLUTIONS

Pollyanna Pixton, Program Chair


Ways to Save on Your Conference Registration

Early Bird Savings! Register for either conference, remit payment on or before October 5, 2012, and save up to $200 off your registration fees (depending on the conference package selected). Call the Client Support Group at 888.268.8770 or 904.278.0524, email them at [email protected], or register now online.

Training + Conference: Attend any of the training courses + the conference and save $300 (already reflected in conference pricing).

The Larger the Group, the More You Save! See the chart below for an example of how much groups of 3+ can save on one of our most popular conference packages, Conference + Two Tutorial Days. To take advantage of this offer, please call the Client Support Group at 888.268.8770 or 904.278.0524 or email [email protected], and reference promo code Grp3.

Group pricing, Conference + Two Tutorial Days (per person):

Number of team members   Regular pricing   Early Bird pricing (by 10/5/12)*   Group savings
1–2                      $2,495            $2,345                             n/a
3–9                      $1,996            $1,876                             20%
10–19                    $1,871            $1,759                             25%
20+                      $1,746            $1,641                             30%

*Full payment must be received by the deadline date.

Please Note: We will always provide the highest possible discount and allow you to use the two largest discounts that apply to your registration.

Save Big When You Purchase the VIP Package! Choose the VIP package for maximum savings and receive: two tutorial or workshop days • all keynotes • conference sessions • bonus sessions • the EXPO on Wednesday and Thursday • all continental breakfasts, lunches, breaks, and receptions • Agile Leadership Summit on Friday • all networking opportunities • plus, complete access to both conferences.

Platinum Sponsor:

Silver Sponsors:

www.sqe.com/betteragileeast Register early and save up to $200!


by Dale Perry

Why Is Extrapolation of Results in Performance Testing a Bad Idea?

In the discussions I have on performance testing, the topic of extrapolation always seems to come up. This is especially true when the person asking the question is relatively new to performance testing.

When I refer to extrapolation, I mean the normal use of data points to create or predict other data points based on an analysis of a series of sample tests. The samples can be, for instance, a series of incremental load levels or a series of increases in some area of the infrastructure. The sample size must be sufficient to produce a set of data points from which the predictive model can be built.

Performance testing extrapolation is used as a form of behavioral projection. Specifically, we are looking at the linear extrapolation of results from a series of tests run on a scale model of the system architecture. By using linear extrapolation, we theoretically can predict what the larger system’s behavior will be; we can “extrapolate” the unknown from the known.

There are two reasons that extrapolation in performance testing is problematic.

First, there is the accuracy of the data gained from the initial set of tests. If the initial data are compromised, the projected results are automatically suspect. The primary area of concern here is the scalability factor of the system used to generate the data for the projection. The scalability factor is the ratio between the real system and the equipment or architecture used in the test. Some believe that a model of the architecture at a ratio of up to 10:1 can be used, but I prefer to stop at a lower ratio. In my experience, with a scalability factor greater than 5:1 the results can be very misleading when used as a projection. The overall ratio of the equipment involved in the test (physical boxes, etc.) is just one concern. The internal ratios of the scale model, as they compare to the target system, must also be accurately balanced (number of CPUs, memory, etc.).

The second, and most important, reason extrapolation in performance testing is a bad idea is that the method is essentially linear in nature, and many elements within the system under test are non-linear. When you use a linear model to predict the behavior of something that is non-linear, the data can be extremely misleading.

In the performance world, there may be some limited areas where extrapolation can be applied. For example, you can extrapolate the consumption of data storage space if you know the size of each element written to the data store, the frequency of additions and deletions, and how the storage system manages its space (compression, etc.). This is a linear activity and so may be extrapolated with some degree of confidence.
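As an added illustration, not part of the column above, the following Python script puts numbers on the two points just made. It fits a straight line to response times measured at low load on a scale model and projects the line to 90 percent utilization; the ground truth is a constructed single-queue model in which mean response time grows as service_time / (1 - utilization), so it is non-linear in exactly the way the column warns about. The same script applies the 5:1 scalability-factor rule of thumb and shows the storage case, which really is linear. The queue model, the load levels and all other numbers are assumptions chosen for the demonstration, not measurements from any real system.

```python
# Added example (not from the column): why a straight line fitted to
# low-load measurements on a scale model misses a non-linear system.
# Ground truth is a constructed single-queue (M/M/1-style) model in which
# mean response time is service_time / (1 - utilization); every number
# below is an assumption for the demonstration, not a real measurement.


def true_response_time(utilization, service_time=0.05):
    """Constructed non-linear ground truth: mean response time of one queue."""
    if utilization >= 1.0:
        return float("inf")  # the queue saturates; there is nothing to project
    return service_time / (1.0 - utilization)


def fit_line(xs, ys):
    """Ordinary least-squares fit of y = slope * x + intercept."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def linear_extrapolation(sample_utils, target_util, service_time=0.05):
    """'Measure' the scale model at sample_utils, fit a line, project target_util."""
    measured = [true_response_time(u, service_time) for u in sample_utils]
    slope, intercept = fit_line(sample_utils, measured)
    return slope * target_util + intercept


def extrapolation_error(sample_utils, target_util, service_time=0.05):
    """Return (projected, actual, actual / projected) for the target load."""
    projected = linear_extrapolation(sample_utils, target_util, service_time)
    actual = true_response_time(target_util, service_time)
    return projected, actual, actual / projected


def check_scalability_factor(target_nodes, model_nodes, max_ratio=5):
    """The column's rule of thumb: a model more than 5:1 smaller is suspect."""
    ratio = target_nodes / model_nodes
    return ratio, ratio <= max_ratio


def storage_growth_bytes(record_bytes, adds_per_day, deletes_per_day, days):
    """The legitimately linear case: net storage consumed over a period."""
    return (adds_per_day - deletes_per_day) * record_bytes * days


if __name__ == "__main__":
    # Scale-model runs at 10%, 20%, 30% and 40% utilization, projected to 90%.
    samples = [0.1, 0.2, 0.3, 0.4]
    projected, actual, ratio = extrapolation_error(samples, 0.9)
    print(f"linear projection at 90% load:   {projected:.3f} s")
    print(f"queue model at 90% load:         {actual:.3f} s  ({ratio:.1f}x the projection)")
    print("40-node target, 4-node model:", check_scalability_factor(40, 4))
    print("20-node target, 4-node model:", check_scalability_factor(20, 4))
    print("net storage over 30 days (bytes):",
          storage_growth_bytes(2048, adds_per_day=10_000, deletes_per_day=2_000, days=30))
```

The fitted line predicts roughly 0.13 s at 90 percent load while the queue model gives 0.5 s, about four times worse, and the gap only widens as the target load approaches saturation; the storage projection, by contrast, is exact because nothing in it depends on contention.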

Linear extrapolation is a risky endeavor and tends to be conjectural in nature. The larger the system being projected, the weaker the validity or accuracy of the sample data, and the greater the issues with the scalability factor, both external and internal, the more likely the projected number will be of little value. You might as well get a crystal ball.

[email protected]


Index to Advertisers

AccuRev  www.accurev.com  27
Agile Development Conference East 2012  www.sqe.com/AgileDevPracticesEast  31–34
Alp International  www.alpi.com  18
ASTQB  www.astqb.org  22
Better Software Conference East 2012  www.sqe.com/BetterSoftwareEast  31–34
CollabNet  www.collab.net/getagilevideos  28
Hansoft  www.hansoft.se  1
Hewlett-Packard  www.hp.com/go/cloudservices  Back Cover
Polarion  www.polarion.com/qa  29
SQE—STAR Canada 2012  www.sqe.com/StarCanada  8
SQE Training—Live Virtual  www.sqetraining.com/VirtualTraining  Inside Front Cover
TechExcel  www.techexcel.com  2
Telerik  www.telerik.com/html5-testing  5
VaraLogix  www.varalogix.com  30
Wipro  www.wipro.com  23

Better Software (USPS: 019-578, ISSN: 1553-1929) is published six times per year: January/February, March/April, May/June, July/August, September/October, November/December. Subscription rate is US $19.95 per year. A US $35 shipping charge is incurred for all non-US addresses. Payments to Software Quality Engineering must be made in US funds drawn from a US bank. For more information, contact [email protected] or call 800.450.7854. Back issues may be purchased for $15 per issue (plus shipping). Volume discounts available. Entire contents © 2012 by Software Quality Engineering (340 Corporate Way, Suite 300, Orange Park, FL 32073), unless otherwise noted on specific articles. The opinions expressed within the articles and contents herein do not necessarily express those of the publisher (Software Quality Engineering). All rights reserved. No material in this publication may be reproduced in any form without permission. Reprints of individual articles available. Call for details. Periodicals Postage paid in Orange Park, FL, and other mailing offices. POSTMASTER: Send address changes to Better Software, 340 Corporate Way, Suite 300, Orange Park, FL 32073, [email protected].

Display advertising: [email protected]

All other inquiries: [email protected]

The Last Word

No One Left Behind

With 10 percent of the world's population living with some sort of disability, we must develop products with all users in mind.

by Rajini Padmanaban | [email protected]

“Accessibility is about promoting access to a product and its contents to a group of people who might otherwise be deprived of the same.”

You might be surprised to know that currently 650 million people, or 10 percent of the world’s population, live with some form of disability [1]. With the growing use of software in all walks of life, this is a major segment of the population that cannot be left behind.

Disabilities and associated accessibility problems largely fall into four categories:

Visual Impairments: partial or complete loss of vision. Low or no vision affects the user’s ability to discern or see the screen. Core assistive tools and technologies for the visually impaired include screen readers, Braille terminals, and screen magnification tools.

Mobility Impairments: conditions that affect movement of the limbs. This category includes conditions that cause difficulty or inability to use one’s hands, including tremors, muscle slowness, and loss of fine muscle control. Due to their restricted movement, users with mobility impairments might find the links in your application too close together or too difficult to access. Some assistive technologies that promote accessibility in such cases include speech recognition tools and head-mouse wireless pointing devices.

Auditory Impairments: partial or complete loss of hearing. Hearing loss affects the user’s ability to discern or hear audio. In some cases, hearing aids are a useful tool, along with enhancements to your product such as video transcription (a text equivalent for the video content).

Cognitive Impairments: mental disorders that affect cognitive functions. These disorders range from developmental disabilities to learning disabilities to cognitive disabilities of various origins, affecting memory, attention, developmental “maturity,” and problem-solving and logic skills. Screen readers come in handy in the testing process, but a lot of manual intervention focusing on site design, flow of information, and content intuitiveness is required when testing for accommodation of users with cognitive impairments.

Special attention needs to be given to the product’s architecture, implementation, and quality assurance phases from an accessibility standpoint. Identifying lack of support in these areas later in the game makes it very difficult to fix issues, leading to the possible alienation of a large set of your product’s users.

So, what can you as a tester do proactively to ensure comprehensive accessibility support for your product from the early stages?

Understand the Accessibility Guidelines and Standards: These guidelines, set by governmental agencies and consortiums and including the World Wide Web Consortium’s (W3C) Web Content Accessibility Guidelines 1.0 and 2.0 and Section 508 [2], outline critical checklist points that you can extract and incorporate in your test effort.

Understand Accessibility from a Usage Standpoint: Discuss your inputs with your product team up front. If your team has done usability tests in the past leveraging real end-users, or is open to allowing you to interact with real users who have accessibility issues, grab the opportunity. Interact with your users, observe them playing around with the product, and carefully make note of the kinds of issues they face from UI, functionality, and usability angles. If you have a usability expert on the team, work with him to analyze your observations. These findings go a long way to help you design the right product. Even if you do not have a product to demonstrate as yet, talk to users to understand their pain points and what they would like to see in a product such as yours.

Manual Accessibility Testing: Some content simply cannot be tested using automated accessibility validators and tools. As an example, an image of a tiger could have its alt text set to “mouse,” which is clearly inappropriate. There is currently no automated tool that can recognize the contents of an image and determine whether the alt text is correct. Ensure you chalk out a clear test plan with areas that you want to test manually to extensively cover the accessibility guidelines. Use assistive technology tools in the test efforts to simulate a disabled user’s experience in verification efforts. For instance, use screen readers such as NVDA or JAWS in a combination of operating systems, browsers, and devices to test for both accessibility and compatibility scenarios.

Automated Accessibility Testing: There are several tools that scan through the source code as well as analyze the application’s UI to report core accessibility issues. Such findings greatly supplement the manual test efforts in reaching all corners of the code, which may be difficult in manual code reviews. See the StickyNotes for links to some tools that we’ve used in our test efforts.

Use the VPAT: The Voluntary Product Accessibility Template (VPAT) is a great resource for the entire product development team, especially the test team. Developed in 2009 and owned by the Information Technology Industry Council, the VPAT lists the requirements of Section 508 for accommodating accessibility in the product under development. The tester should ensure this template is discussed up front with the business, design, and development teams so everyone is on the same page about incorporating the requirements in the product. When included in your accessibility test efforts, the VPAT is almost like a certification of your product’s compliance with Section 508.

Consider Collaboration: To elicit valuable feedback, you can work with organizations that support people with accessibility issues. At our company, we work with the Blind Relief Association in India to engage the visually challenged in our accessibility test efforts. This has helped us not only evaluate a product’s accessibility by the visually impaired but also provided equal employment opportunities for the disabled. As a side benefit, such collaborations have gone a long way in encouraging our employees to actively participate in our corporate social responsibility mission.

As you read about accessibility testing, it is important to understand and differentiate accessibility from usability, at least at a high level. Accessibility is about promoting access to a product and its contents to a group of people who might otherwise be deprived of the same. On the other hand, usability is about promoting a product’s user experience and intuitiveness. It is really difficult to say that one is more important than the other. What is important is to understand the underlying differences and work toward building a product that is both accessible and usable.

Take a moment to ponder the points listed above. Some are pure science on specific disabilities that need to be accommodated, some are pure art in terms of working with end-users to elicit feedback, and some are a combination of art and science with your hands-on accessibility testing efforts. When you arrive at the right balance in your overall accessibility test efforts and collaborate with your product development team and end-users, you are in a position to create a product that is accessible to one and all, leaving no one behind! {end}

For more on the following topics go to www.StickyMinds.com/bettersoftware: References; Links to tools.
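As an added example, not from the article and not one of the tools it points to, the following Python script runs the kind of automated scan described under Automated Accessibility Testing over a constructed HTML page, using only the standard-library parser. It reports the checks a machine can decide (an image with no alt attribute, a text input with no associated label, link text that is meaningless out of context) and lists separately the images whose alt text is present but whose correctness, as with the tiger labelled “mouse,” only a human can judge. The rule names, the list of meaningless link phrases and the sample page are assumptions made for the demonstration.

```python
# Added example (not from the article): a minimal automated accessibility
# scan that separates what a tool can decide from what needs a human.
# The sample page and rule names below are constructed for the demonstration.

from html.parser import HTMLParser

# Constructed sample page: one image with wrong alt text (tool cannot tell),
# one image with no alt, one decorative image with empty alt, one labelled
# input, one unlabelled input, and a link whose text says nothing on its own.
SAMPLE_PAGE = """
<html><body>
<img src="tiger.jpg" alt="mouse">
<img src="logo.png">
<img src="spacer.gif" alt="">
<form>
  <label for="email">Email</label><input id="email" type="text">
  <input id="phone" type="text">
  <input type="submit" value="Send">
</form>
<a href="/more">Click here</a>
</body></html>
"""

# Link phrases that carry no meaning when a screen reader lists links alone.
NON_DESCRIPTIVE_LINKS = {"click here", "here", "more", "read more"}


class A11yScanner(HTMLParser):
    """Collects machine-decidable findings and items that need manual review."""

    def __init__(self):
        super().__init__()
        self.findings = []       # (rule, detail) pairs a tool can assert on
        self.manual_review = []  # (src, alt) pairs: alt present, correctness unknown
        self.labelled_ids = set()
        self.inputs = []         # (id, type) pairs, checked once parsing is done
        self._in_link = False
        self._link_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "?")
            if "alt" not in a:
                self.findings.append(("img-missing-alt", src))
            else:
                # Empty alt is valid for decorative images, and non-empty alt may
                # still be wrong (the tiger/"mouse" case): both need a person.
                self.manual_review.append((src, a["alt"].strip()))
        elif tag == "label" and "for" in a:
            self.labelled_ids.add(a["for"])
        elif tag == "input":
            self.inputs.append((a.get("id"), a.get("type", "text")))
        elif tag == "a":
            self._in_link = True
            self._link_text = []

    def handle_data(self, data):
        if self._in_link:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False
            text = "".join(self._link_text).strip().lower()
            if text in NON_DESCRIPTIVE_LINKS:
                self.findings.append(("link-text-not-descriptive", text))

    def finish(self):
        """Cross-check inputs against labels after the whole page is parsed."""
        for input_id, input_type in self.inputs:
            # Submit/button inputs take their accessible name from value;
            # hidden inputs are not rendered; everything else needs a label.
            if input_type in {"submit", "button", "hidden"}:
                continue
            if input_id is None or input_id not in self.labelled_ids:
                self.findings.append(("input-without-label", input_id or "(no id)"))
        return self


def scan(html):
    """Scan a page; returns (findings, manual_review)."""
    scanner = A11yScanner()
    scanner.feed(html)
    scanner.close()
    scanner.finish()
    return scanner.findings, scanner.manual_review


if __name__ == "__main__":
    findings, manual = scan(SAMPLE_PAGE)
    for rule, detail in findings:
        print(f"FAIL   {rule}: {detail}")
    for src, alt in manual:
        print(f"REVIEW {src}: alt={alt!r} (a person must confirm it describes the image)")
```

On the sample page the scan fails the logo image, the phone input and the “click here” link outright, while the tiger image is only queued for review: its alt text is present and well-formed, so the tool has no basis to reject it, which is exactly the gap the manual test plan has to cover.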


How do you feel about the title “Cloud Master”?

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries.

No matter where you are in your cloud journey, unleash the power of cloud computing with HP. Build, manage, secure, and consume cloud services with HP Converged Cloud across public, private, and hybrid models. It’s the industry’s first hybrid delivery approach, based on a common architecture. It features HP CloudSystem, the industry’s most integrated, open system for building and managing cloud services. Learn more by downloading the HP white paper today. Brought to you by HP and Intel®.

The power of HP Converged Infrastructure is here.

Get the HP white paper Cloud Computing—It’s All About the Service at hp.com/go/cloudservices
