We put together a meetup where three QA experts talked about what a tester needs to communicate to the development team, what tools to use for planning and testing, and what needs to be considered to make websites safe. Below are a video and a text summary of each talk.
Modern testing patterns
Presented by Marina Kulikova (@Marishunya_QA), director of business development at the IT company @BSL_Dev and former head of the quality assurance department at Redmadrobot.
The point in brief.
It happens that development teams forget about the principle of early testing. There is a myth that product testing should take place at the end of a sprint or development. With such an organization of the project process, errors can occur (both process and technical).
To prevent this from happening, product testing should be at the very beginning of development. In addition, test activities must run in parallel with it. This helps testers to communicate risks to the team in advance and provide feedback at every stage, from requirements analysis to final release reports and support.
The main purpose of testing is to promptly notify the team about the real state of the system or product.
The main points of support for building testing
Analysis of requirements or technical specifications.
Infrastructure – it is important to set up the environment, select target devices, and determine what test data will be required.
Communication process – you need to agree on the format in which we build feedback with the team (for example, we make test reports in Jira).
We figure out exactly how we organize testing: what types of testing, at what stages we apply, how we allocate resources, planning, and so on.
We take the time to write reports and agree on what kind of reporting is needed and in what form.
We are constantly introducing improvements and analyzing changes.
What the tester should communicate to the team
What needs to be automated. In the process of communicating with developers and managers, the tester needs to determine and tell which tests should be automated and at what level.
How to optimize your work. You need to do constant optimization of tests so that they spend less time. The tester’s task is to minimize test execution time, optimize feature tests and regression. This is necessary in order to quickly receive information about the condition of the product.
Provide useful metrics for your business. For example, the number of bugs in production, the number of activities, how the documentation writing process is moving, the time spent on testing, etc. Such metrics will signal whether the project is doing well. In addition, with the help of them, the tester can show the results of the work of the entire team. But it is worth remembering that you should not bury yourself in metrics, but rather use them as reference points. After all, in addition to metrics, there are other reporting systems.
Remind the team about new tools. It’s important to talk about testing tools because they are constantly changing. It is worth regularly monitoring how the tools are changing and adopting the best ones.
Testing is like a perimeter defense. It is very difficult to “guard” the entire product, so testers create “sensors” (some red flags) that report at the right time: alarm! And similar “sensors” are metrics, as well as autotests, various techniques, etc. The task of the testing team is to build a multi-layer protection system, consisting of the necessary “sensors”. It is also worth remembering that in addition to what QA is testing, the team also reports the real state of the system, where everything is okay, where it starts to “break”, and where everything is bad and urgently needs to be corrected.
How the tester provides feedback to the team
Via pair testing or pair programming. Test automation is best done with developer support. A mutual review should take place at this stage; it helps the tester get to know the system more deeply and detect some problems already at this stage.
Using Code Reviews. It’s not really a tester’s job, but you can get feedback in the project through Code Reviews. For example, if we have a typical automation feature, and it is reviewed for a long time on different projects, then you need to find out the reason.
Through unit tests.
With the help of automated integration tests (Automated Integration Test).
Using Automated Acceptance Tests. This activity can be shared with product managers.
If possible, you should automate the Regression Test.
Continuous Exploratory Testing.
Feedback from users or business users.
Constant UAT testing + DEMO sessions.
Means by which the tester can organize feedback with the team
By working with defects (bugs) – you need to agree on the format for filing them and for notifications about them, for example in Jira or another convenient tool. Developers do not always have enough information in the defect to start fixing it, so additional communication with the bug reporter is sometimes required.
Organize communication about builds and the state of test environments. This will be needed if something suddenly goes wrong with them or they are delayed.
Cross-learning within testing. All specialists are different, they can learn from each other, so it is important sometimes to get together and discuss the results of the work and share life hacks and product knowledge. This is a kind of knowledge transfer.
Test documentation – collect reports on features, builds, and acceptance. For reporting, it helps to study the GOST standards: they describe the gradation of defects, how to deal with them, and so on. For projects related to government contracts, GOST 34.603-92 is the one to study.
How can testers work with Google Sheets (and why)
Sasha Strokin, the head of the testing department at Redmadrobot, has assembled his own Google Sheets, with the help of which he builds work, from planning to analytics for testers.
Using several examples, Sasha spoke about the tools and formulas that he uses in his work.
Google Sheets in Planning – Preparing for the Testing Process
There are four main processes in testing:
Planning – preparation for the actual testing work,
Test development – crafting artifacts, developing test scripts,
Test execution – the test execution itself,
Test analysis – assessment of test results, highlighting processes that need to be improved or, conversely, should not be changed.
Planning in Google Sheets is a tool needed primarily by leads, in order to bring the right people onto and off projects on time, carry out rotations, and track the workload of employees.
To facilitate the planning process, a Dictionary tab can be created in Sheets, which describes all existing projects to work with, a list of participants, the role of an engineer on a project, and so on.
It is worth noting that Google Sheets lets you add separate slicers. Data filtering can be done both at the level of the entire table and by individual criteria. For example, if you click on a tab for a specific project, you will see how many engineers are currently involved in it and the percentage of their workload.
Google Sheets integration with Jira
Integration of Excel with the working tool of most development and testing teams – Jira – is possible through a special plugin, Jira Cloud for Sheets.
Using this plugin, you can “pull” any data from the Jira backlog using the same filter by which testers usually filter defects, only expressed not through the graphical interface but in JQL.
As an example, Sasha showed how he decided to review all his defects and collect statistics on them. During the work on the project, a total of 1,500 defects were logged, and statistics were generated for them. You can see, for example, which priority level each of them has. You can also generate statistics in the form of graphs for almost any indicator.
In addition, using the plugin, you can export the data for an individual project and view statistics for it. You can analyze how projects accumulate defects over time and see that, for example, the most bugs were logged on the project in June and July.
To generate such statistics, you need to use the MounthStat tab (it pulls data on the creation date from the general upload, where we can select the date of the defect creation). With the Trim function, dates can be sorted by month.
All ready-made tables for work from Sasha’s presentation.
Website testing and security for novice testers
Presented and demonstrated by Vika Begencheva (@vikusti), QA engineer at Redmadrobot.
The main tricks of fraudsters, how they can harm users or systems:
Vika told what cookies are on the example of an online store. Let’s say we open a browser, go to the site and put the cookies that we like in the basket. If we close the browser window and then open it again, then all information about the purchases that have begun will be saved. This happens using cookies – various information about the user that is stored locally in the browser.
This information is needed for the convenience of the user, so that the site “remembers” certain data and we do not have to constantly indicate them. Cookies are of two types: temporary (session cookies) and persistent. Session cookies are stored for a certain limited time and can change when the user logs in. Persistent cookies are always stored until you erase them.
A hacker can “hijack” your cookies and use this to “prove” to the system that he is you. Then he can reuse them and continue the session. It goes like this:
Via protocols: HTTP and HTTPS
Digging in the vastness of the Internet, we can still get to the sites, the insecurity of which the browser warns us about.
Why is that? Because the browser treats sites that connect via HTTP rather than HTTPS as untrustworthy. The final S in HTTPS stands for “secure” and means that additional security requirements apply. When a browser communicates with a server over HTTPS, a security certificate is used and the traffic is encrypted: if a hacker tries to intercept such requests, he will receive only a set of characters and will not be able to decrypt them.
Password guessing – brute force
This is a brute force attack – a fraudster can know the login and use a special script to brute force the password. Typically, guessing a password using a script takes about 10 hours.
How to check sites for safety
See how cookie storage is secured: open the “Inspector” in the browser, go to the Application tab and look at your cookies for the site. To check the security, pay attention to the columns named HttpOnly and Secure. If the checkboxes are checked, then the site provides protection against theft of cookies.
You need to check that all requests go through the HTTPS protocol. For example, suppose we work with the site sofasnadom.ru. Remove the letter S from the protocol in the address and check whether the page can be reached over plain HTTP. If it can, this is bad: a scammer can create such a link and intercept user requests. To avoid this, you need to set up a redirect that automatically sends users to the secure page.
When entering a username / password, you need to use a limit on the number of incorrect attempts, as well as use a timeout, for example, after three unsuccessful attempts to enter a password, you can try to enter the password for the fourth time only after an hour. This will help you avoid hacking by automatically guessing passwords.
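One way to implement the attempt limit and timeout described above, as an added example that is not code from the talk: the class name `LoginThrottle`, the injectable clock, and the in-memory, single-process storage are assumptions, while the three attempts and the one-hour wait come from the text.

```python
import time

MAX_FAILURES = 3        # from the text: three unsuccessful attempts
LOCKOUT_SECONDS = 3600  # from the text: the fourth try only after an hour


class LoginThrottle:
    """Hypothetical per-login failure counter with a timed lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock  # injectable so the timeout can be tested without waiting
        self._state = {}     # login -> (consecutive failures, locked_until or None)

    def seconds_until_allowed(self, login):
        _, locked_until = self._state.get(login, (0, None))
        if locked_until is None:
            return 0
        return max(0, locked_until - self._clock())

    def attempt(self, login, check_password):
        """Return 'locked', 'ok' or 'denied'.

        check_password is a zero-argument callable. It is not called while
        the login is locked, so guesses made during the timeout reveal nothing.
        """
        if self.seconds_until_allowed(login) > 0:
            return "locked"
        failures, locked_until = self._state.get(login, (0, None))
        if locked_until is not None:
            failures = 0  # the lockout has expired: start a fresh window
        if check_password():
            self._state.pop(login, None)  # success clears the counter
            return "ok"
        failures += 1
        until = self._clock() + LOCKOUT_SECONDS if failures >= MAX_FAILURES else None
        self._state[login] = (failures, until)
        return "denied"
```

Because the counter is keyed on the login alone, a tester should also check how the site behaves when a legitimate user is locked out by someone else's failed attempts.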
Vika wrote a separate article, where she spoke in detail about all the points and gave even more advice for novice testers.
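The cookie-flag and HTTP-to-HTTPS checks from the list above can also be automated over captured responses. This is an added example, not code from the talk; the function names, the response dictionary shape, and the `shop.example` sample data are constructed for illustration.

```python
def cookie_findings(set_cookie_headers):
    """Return {cookie_name: [missing flags]} for cookies lacking HttpOnly or Secure."""
    findings = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; the two flags carry no value.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def http_redirects_to_https(status, location):
    """True if a plain-HTTP request was answered with a redirect to an https:// URL."""
    return status in (301, 302, 307, 308) and (location or "").lower().startswith("https://")


def audit(http_response, https_response):
    """Each response is a dict: {"status": int, "headers": [(name, value), ...]}."""
    def values(resp, wanted):
        return [v for n, v in resp["headers"] if n.lower() == wanted]

    issues = []
    location = (values(http_response, "location") or [None])[0]
    if not http_redirects_to_https(http_response["status"], location):
        issues.append("plain HTTP is served without a redirect to HTTPS")
    for name, missing in cookie_findings(values(https_response, "set-cookie")).items():
        issues.append(f"cookie {name!r} is missing: {', '.join(missing)}")
    return issues


# Constructed sample responses (not captured from a real site).
GOOD_HTTP = {"status": 301, "headers": [("Location", "https://shop.example/")]}
BAD_HTTP = {"status": 200, "headers": [("Content-Type", "text/html")]}
HTTPS_RESP = {"status": 200, "headers": [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "cart=42; Path=/; Max-Age=86400"),
    ("Set-Cookie", "lang=en; Secure"),
]}

if __name__ == "__main__":
    for issue in audit(BAD_HTTP, HTTPS_RESP):
        print(issue)
```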
Telegram channel “Google Sheets”: a lot of information about Google Sheets tricks;
YouTube STM Solutions: video tutorials Google Docs, Google Sheets, Google Apps Script;
Jira Cloud for Sheets: plugin for integrating Google Sheets with the main working tool of most teams – Jira;
owasp.org: a non-profit foundation that works to improve software security;
hackthebox.eu: An online training platform where you can test your site security testing skills;
xss-game.appspot.com: A training game for detecting and eliminating XSS errors.