Testing Circus

Volume 6 - Edition 11 - November 2015

Interview with
Magazine for Software Testers
David Greenlees
www.TestingCircus.com
 www.TalentPlusPlus.com

Kick Start Your Career

www.TalentPlusPlus.com

Career classes in Gurgaon

and online classes
worldwide.
 serious about software quality
At Doran Jones, our mission is to help technology organizations
improve their ability to deliver software and add business
value. We believe the best way to do this is through hands-on
delivery, working alongside our clients. Let us show you life at
the intersection of talent and opportunity.!

• Software Development • Training and Coaching

• Software Testing • Recruitment
• Urban Onshore Outsourcing

as seen in:!

www.doranjones.com!
 Testing Circus
Volume 6 - Edition 11 - November 2015

Table of Contents
Topic Author Page #
Testing Challenge – Project Balto Mike Talks 6
Solving Performance Engineering Puzzle Alexander Podelko 11
Jackie Chan and His 100,000 Friends Perze Ababa 15
A Fake Tester’s Diary, Part - 59 Fake Software Tester 18
Interview with David Greenlees Ajoy Singha 21
Hunting For ‘Hard-to-Reproduce’ Bugs Ravi Kumar BN 28
My Thoughts on EuroSTAR 2015 Patrick Prill 34
#Testers2Follow @Twitter Testing Circus Team 39
Book Worm’s Corner WoBo 41
Tips for security threat detection and prevention Santhosh Tuppad 42
Validata Launches New Test Data Generator Solution AppAloud 43
SmartBear Redefines Functional And Performance Testing AppAloud 44
Synack Launches Hydra AppAloud 45

Article Submision: [email protected]

Testing Circus Team Testing Circus India
Founder & Editor – Ajoy Kumar Singha Chaturbhuj Niwas, 1st Floor,
Team - Sector 17C, Shukrali,
Ÿ Srinivas Kadiyala Gurgaon - 122001
Ÿ Sanath Kumar India.
Ÿ Dwarika Dhish Mishra © Copyright 2010-2015. ALL RIGHTS RESERVED. Any
Ÿ Pankaj Sharma unauthorized reprint or use of articles from this magazine
Ÿ Jaijeet Pandey is prohibited. No part of this magazine may be reproduced
Edition Number : 62 (since September 2010) or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or by any
Editorial Enquiries: [email protected] information storage and retrieval system without express
Ads and Promotions: [email protected] written permission from the author / publisher.

*On the Cover Page - David Greenlees www.TestingCircus.com November 2015 - 04 -

 From the Keyboard of Editor

What is the one most important characteristic of an employee that a boss desires?
To me, it is the timely status update to the boss, informing if any promised deadline
cannot be met, especially when there is an issue which may prevent the project team
from achieving important milestones. It is very important that the red flags are
raised early enough (as soon as the employee realises about it) so that the boss can
work on alternative strategies. Remember, your boss has to answer to his boss too.
Tell him what is going wrong and most importantly, what can be done to fix the
issue.
To fix a large scale issue is entire team’s responsibility. So make sure your boss is
appraised of any serious issues. Do not hold the problem on to yourself until the last
minute or till the status meeting occurs. Inform as soon as possible. This serves two
purposes. First, your boss is aware of the problem early and what is being done to
solve the problem. Second, it gives him time to think of alternative solutions and
work on his portion of the firefighting or at least prepare for a different course of
action—and to present it to his boss. For God’s sake, don’t keep the problems to
yourself, especially when the work is time-sensitive, and many downstream
components are dependent on that particular piece of work. Do not fear breaking
the bad news.
In this edition, you will enjoy the interview with David the martial tester and the
other articles. Mike has a testing challenge for you. We have some prizes for you
too.
See you next edition. Happy testing!

- Ajoy Kumar Singha

@TestingCircus // @AjoySingha

Feedback please! [email protected]

www.TestingCircus.com November 2015 - 05 -

 Testing Challenge
– Project Balto
- Mike Talks
If you’ve seen the recent movie The Martian, then this
challenge might seem a bit familiar! There was a problem NASA was trying
to solve around testing a rocket, and I was bursting to email my solution to the author!
I ended up talking with a few people, and they came up with different angles on my solution. Wow.
In the end, I ran the scenario below as an exercise with my test team in our monthly meeting – they came
with some different approaches, and in the debriefing they had some very useful ideas to feedback into their
daily work.
Now it’s your turn – how do you think you’ll do? If you can, do talk it over with other testers you know. Even
better, please submit your answers to the [email protected] – I’m going to do a follow-up in a couple of
months, and I’d really like to use as many ideas from others as I can – this is your opportunity for a
mention!
Enjoy!
Mike Talks

Yesterday at 2:59am, we secretly landed the first

men back on the Moon since 1972. Commander
Alice Kramden and Lieutenant George Herbert
successfully landed their lander at Maginus
Crater, whilst their automated service module
remained in orbit awaiting their return.
During their stay on the Moon, they did an
excursion with their lunar rover and collected
some rock samples, looking for traces of He3,
which we hope to use to power future fusion
reactors, as well as set up a science station near
the lunar module.
Their mission completed, they boarded the lunar
module for the return visit – which is where
things started to go wrong. “There was a crash

www.TestingCircus.com October 2015 - 06 -

 The bad news is we have no rescue or resupply rocket
ready. Our expectations of such scenarios was that any
incident would be outright fatal.

Project Balto
Project Balto is our planned resupply lifeline for the two
astronauts stranded on the Moon. It’s named after the
famous Alaskan husky who ran supplies of medicine
during a diphtheria epidemia.

and then a zoom, as we tried to take off from the Moon”.

The lunar modules main engine refused to fire, and the
crew could see they were venting from their craft. Later
inspection from the outside of their craft showed that a
key valve had blown in the propellant fuel line, and the
module has vented its fuel for takeoff, stranding it on
the Moon.

We’re used to running regular supply rockets up to the

International Space Station every 3 months, but sadly
we used our the other month, and it’s replacement isn’t
constructed yet. That rocket uses a 2-stage rocket which
gets into low Earth orbit. But to get to the Moon, it
needs additional power, so we’re adding an additional
rocket stage to the base – similar to the one we used in
our manned lunar rocket.
Stage 1 – Liftoff stage
The good news is the oxygen tanks were not affected,
and the crew has food and air to last for 30 days.
Potentially 31 if everything goes favourably and
exertion and trips outside are kept to an absolute
minimum.

www.TestingCircus.com November 2015 - 07 -

This is the stage that is used at take-off, and usually lifts Stage 3 – Cargo package
a manned rocket into high Earth orbit. We’ve used these
for 6 previous launches. It’s reusable, but requires a
huge service between uses – hence it has parachutes and
beacons to help us retrieve and reuse it.
Key features
· Recovery parachute
· Recovery beacon
· Propellant tanks
· Guidance fins
· Re-entry shields
· 64 rocket engines
· Separation charges (between stages) Once in orbit, this section will attempt to land nearby
· Launch cameras the lunar lander, where the astronauts can use their
lunar rover to collect supplies.
Stage 2 – Lunar Orbital insertion Key features
Once in orbit, this stage will take the vehicle out of Earth · Retro rockets
orbit and into an orbit around the Moon. This design · Recovery beacon
· Propellant tanks
· Steering fins
· 5 rocket engines
· Guidance computer & autopilot
· Pressurized cabin
· Black box monitor
· Radio
· Webcam

Stage suppliers
Each rocket stage is supplied by a different supplier,
· STAGE 1 – Zeus Inc
· STAGE 2 – Hera Ltd
· STAGE 3 – Hermes Industrial
And each supplier is about 2 days by freight train away,

has been used over 50 times to resupply the

International Space Station, with low levels of failure.
Like Stage 1, when used to supply the International
Space Station, it is reusable.
Key features
· Recovery parachute
· Recovery beacon
· Propellant tanks
· Steering rockets
· Re-entry shields
· 18 rocket engines
· Separation charges
· Black box monitor
www.TestingCircus.com November 2015 - 08 -
Our first pass at working out a timeline for this was, Freight train
Each stage is then taken by freight train from the
supplier to our launch facility,

Rocket integration
Stage assembly
The stages of the rocket are then assembled.
Each stage is assembled on a production line.

Stage testing
The stage is then moved to a test facility where it’s tested Rocket testing
component by component, The assembled rocket is then tested to confirm the stages
are working together as expected.

www.TestingCircus.com November 2015 - 09 -

Revising timeline chances of a successful launch, as they do so, if we do
With the typical time to do delay, the crew will be dead for certain.
this, the astronauts will all be
dead by the time we’re
ready. So we’re going to
work around the clock,
which gives us the following
revised schedule,

With the typical time to do this, the astronauts will all be

dead by the time we’re ready. So we’re going to work
around the clock, which gives us the following revised
schedule,

What can you do to reduce the chance of

this happening?

In order to meet this deadline, we can’t afford the

dedicated test phases, although they increase the

Editor’s Note: We will select/publish top 3 solutions to the above problem. Send your
entries to [email protected] with subject ‘Project Balto’. We have few prizes too.

About the Author

Mike Talks was an aspiring astronaut in his youth, and a student of Astronomy at Sheffield University.
One of his favourite movies is Apollo 13 – about the Moon mission which faced disaster – because they
were so good at identifying problems, and finding solutions to them. This is testing at its most exciting
form.

www.TestingCircus.com November 2015 - 10 -

 Solving Performance Engineering Puzzle
Performance Engineering
and Load Testing:
A Changing Dynamic
There are many discussions about performance, but
they often concentrate on only one specific facet of
performance. The main problem with that is that
performance is the result of every design and
implementation detail, so you can't ensure performance
approaching it from a single angle only.
There are different approaches and techniques to
alleviate performance risks, such as:
· Single-User Performance Engineering.
Everything that helps to ensure that single-user
response times, the critical performance path,
match our expectations. Including profiling,
tracking and optimization of single-user
performance, and Web Performance
Optimization (WPO).
· Software Performance Engineering (SPE).
Everything that helps in selecting appropriate
architecture and design and proving that it will
scale according to our needs. Including
performance patterns and anti-patterns, scalable
architectures, and modeling.
· Instrumentation / Application Performance
Management (APM)/ Monitoring. Everything
that provides insights in what is going on inside
the working system and tracks down
performance issues and trends.
· Capacity Planning / Management. Everything
that ensures that we will have enough resources
for the system. Including both people-driven
approaches and automatic self-management
such as auto-scaling.
· Load Testing. Everything used for testing the
system under any multi-user load (including all
other variations of multi-user testing, such as
www.TestingCircus.com
- Alexander Podelko
performance, concurrency, stress, endurance,
longevity, scalability, reliability, and similar).
· Continuous Integration / Delivery /
Deployment. Everything allowing quick
deployment and removal of changes, decreasing
the impact of performance issues.
And, of course, all the above do not exist not in a
vacuum, but on top of high-priority functional
requirements and resource constraints (including time,
money, skills, etc.).
Every approach or technique mentioned above
somewhat mitigates performance risks and improves
chances that the system will perform up to expectations.
However, none of them guarantees that. And,
moreover, none completely replaces the others, as each
one addresses different facets of performance.
A Closer Look at Load Testing
To illustrate that point of importance of each approach
let's look at load testing. With the recent trends towards
agile development, DevOps, lean startups, and web
operations, the importance of load testing gets
sometimes questioned. Some (not many) are openly
saying that they don't need load testing while others are
still paying lip service to it – but just never get there. In
more traditional corporate world we still see
performance testing groups and most important
systems get load tested before deployment. So what
load testing delivers that other performance engineering
approaches don’t?
There are always risks of crashing a system or
experiencing performance issues under heavy load –
and the only way to mitigate them is to actually test the
system. Even stellar performance in production and a
highly scalable architecture don't guarantee that it won't
crash under a slightly higher load.
November 2015 - 11 -
 Fig.1. Typical response
time curve.
A typical response
time curve is shown on
fig.1, adapted from
Andy Hawkes’ post
When 80/20 Becomes
20/80 discussing the
topic. As it can be seen,
a relatively small
increase in load near
the curve knee may kill
the system – so the
system would be
unresponsive (or
crash) under the peak
load.
However, load testing doesn't completely guarantee that the system won’t crash: for example, if the real-life
workload would be different from what was tested (so you need to monitor the production system to verify that
your synthetic load is close enough). But load testing significantly decreases the risk if done properly (and, of
course, may be completely useless if done not properly – so it usually requires at least some experience and
qualifications).
Another important value of load testing is checking how changes impact multi-user performance. The impact on
multi-user performance is not usually proportional to what you see with single-user performance and often may be
counterintuitive; sometimes single-user performance improvement may lead to multi-user performance
degradation. And the more complex the system is, the more likely exotic multi-user performance issues may pop
up.
Fig.2 Single-user
performance vs. multi-
user performance.
It can be seen on
fig.2, where the
black lines represent
better single-user
performance (lower
on the left side of the
graph), but worse
multi-user load: the
knee happens under
a lower load and the
system won’t able to
reach the load it
supported before.
Another major value of load testing is providing a reliable and reproducible way to apply multi-user load needed
for performance optimization and performance troubleshooting. You apply exactly the same synthetic load and see
if the change makes a difference. In most cases you can’t do it in production when load is changing – so you never
know if the result comes from your code change or from change in the workload (except, maybe, a rather rare case

www.TestingCircus.com November 2015 - 12 -

of very homogeneous and very manageable workloads
when you may apply a very precisely measured portion
of the real workload). And, of course, a reproducible
synthetic workload significantly simplifies debugging
and verification of multi-user issues.
Moreover, with existing trends of system self-regulation
(such as auto-scaling or changing the level of services
depending on load), load testing is needed to verify that
functionality. You need to apply heavy load to see how
auto-scaling will work. So load testing becomes a way to
test functionality of the system, blurring the traditional
division between functional and nonfunctional testing.
Changing Dynamic
It may be possible to survive without load testing by
using other ways to mitigate performance risks if the
cost of performance issues and downtime is low.
However, it actually means that you use customers to
test your system, addressing only those issues that pop
up; this approach become risky once performance and
downtime start to matter.
The question is discussed in detail in Load Testing at
Netflix: Virtual Interview with Coburn Watson. As
explained there, Netflix was very successful in using
canary testing in some cases instead of load testing.
Actually canary testing is the performance testing that
uses real users to create load instead of creating
synthetic load by a load testing tool. It makes sense
when 1) you have very homogenous workloads and can
control them precisely 2) potential issues have minimal
impact on user satisfaction and company image and you
can easily rollback the changes 3) you have fully parallel
and scalable architecture. That was the case with Netflix
- they just traded in the need to generate (and validate)
workload for a possibility of minor issues and minor
load variability. But the further you are away from these
conditions, the more questionable such practice would
be.
Yes, the other ways to mitigate performance risks
mentioned above definitely decrease performance risks
comparing to situations where nothing is done about
performance at all. And, perhaps, may be more efficient
comparing with the old stereotypical way of doing load
testing – running few tests at the last moment before
rolling out the system in production without any
instrumentation. But they still leave risks of crashing
and performance degradation under multi-user load. So
actually you need to have a combination of different
www.TestingCircus.com
performance engineering approaches to mitigate
performance risks – but the exact mix depends on your
system and your goals. Blindly copying approaches
used, for example, by social networking companies onto
financial or e-commerce systems may be disastrous.
As the industry is changing with all the modern trends,
the components of performance engineering and their
interactions is changing too. Still it doesn’t look like any
particular one is going away. Some approaches and
techniques need to be adjusted to new realities – but
there is nothing new in that, we may see such changing
dynamic throughout all the history of performance
engineering.
Historical View
It is interesting to look how handling performance
changed with time. Probably performance engineering
went beyond single-user profiling when mainframes
started to support multitasking, forming as a separate
discipline in 1960-s. It was mainly batch loads with
sophisticated ways to schedule and ration consumed
resources as well as pretty powerful OS-level
instrumentation allowing to track down performance
issues. The cost of mainframe resources was high, so
there were capacity planners and performance analysts
to optimize mainframe usage.
Then the paradigm changed to client-server and
distributed systems. Available operating systems didn't
have almost any instrumentation or workload
management capabilities, so load testing became almost
only remedy in addition to system-level monitoring to
handle multi-user performance. Deploying across
multiple machines was more difficult and the cost of
rollback was significant, especially for Commercial Of-
The-Shelf (COTS) software which may be deployed by
thousands of customers. Load testing became probably
the main way to ensure performance of distributed
systems and performance testing groups became the
centers of performance-related activities in many
organizations.
While cloud looks quite different from mainframes,
there are many similarities between them, especially
from the performance point of view. Such as availability
of computer resources to be allocated, an easy way to
evaluate the cost associated with these resources and
implement chargeback, isolation of systems inside a
larger pool of resources, easier ways to deploy a system
November 2015 - 13 -
and pull it back if needed without impacting other
systems.
However there are notable differences and they make
managing performance in cloud more challenging. First
of all, there is no instrumentation on the OS level and
even resource monitoring becomes less reliable. So all
instrumentation should be on the application level.
Second, systems are not completely isolated from the
performance point of view and they could impact each
other (and even more so when we talk about
containers). And, of course, we mostly have multi-user
interactive workloads which are difficult to predict and
manage. That means that such performance risk
mitigation approaches as APM, load testing, and
capacity management are very important in cloud.
So it doesn’t look like the need in particular
performance risk mitigation approaches, such as load
testing or capacity planning, is going away. Even in case
of web operations, we would probably see load testing
coming back as soon as systems become more complex
and performance issues start to hurt business. Still the
dynamic of using different approaches is changing (as it
was during the whole history of performance
engineering). Probably there would be less need for
"performance testers" limited only to running tests – due
to better instrumenting, APM tools, continuous
integration, resource availability, etc. – but I'd expect
more need for performance experts who would be able
to see the whole picture using all available tools and
techniques.

About the Authors

For the last seventeen years Alex Podelko has worked as a performance engineer and architect for
several companies. Currently he is Consulting Member of Technical Staff at Oracle, responsible for
performance testing and optimization of Enterprise Performance Management and Business Intelligence
(a.k.a. Hyperion) products.
Alex periodically talks and writes about performance-related topics, advocating tearing down silo walls
between different groups of performance professionals. He collects performance-related links and
documents at www.alexanderpodelko.com, blogs at http://alexanderpodelko.com/blog, and can be
found on Twitter as @apodelko. Alex currently serves as a director for the Computer Measurement
Group (CMG) http://cmg.org, an organization of performance and capacity planning professionals.

www.TestingCircus.com November 2015 - 14 -

 Jackie Chan
and His
100,000
Friends
Once upon a time, a few jobs ago, I was asked to design
a performance test for a client that needed to upgrade a
workflow that was relying heavily on fax based
transactions. This particular workflow was simply
broken apart in 6 individual requests:
● Customer opt-in
● Calculation
● Payment
● Data storage
● Send a confirmation email to the user
● Send that same confirmation email as a PDF to a
partner's print server
The performance requirement for that particular test
was straightforward. We needed the ability to handle
100,000 opt-in's in an 8 hour period in the Asia-Pacific
region that covers the flows from the first 5 of the above
mentioned requests.
As I was preparing the performance script, I realized a
couple of problems specifically dealing with test data.
This means that I will possibly need 100,000 unique
individuals, along with their respective credit card
information. I reached out to the Engineering Head of
this project and asked if there’s a way to create these
accounts beforehand. I was told that our payment
provider only gave us one card number that we can test
with and the way they’ve been able to go around this
www.TestingCircus.com
- Perze Ababa
limitation is to have the same person pay for all the
transactions.
I decided that based on that information, why not have
a certain Jackie Chan pay for 100,000 of his friends. As a
bonus, these friends would be traveling to Europe.
Seemed pretty logical at that time.
I presented the plan to my QA Manager and the
Engineering Head and I got a go signal to use our
pre-production infrastructure. That gave me 10 origin
servers with ample instrumentation in place to find out
what’s going on in all layers during the 8 hour test
window.
So I fired up the script. At the end of 8 hours, we
checked the results and we realized that a recent
configuration change in the request queueing server
that seemingly broke 9 out of 10 transactions. I was able
to confirm that 10,000 of the transactions that were sent
to the available origin server were processed properly,
payment requests were honored, the correct emails
were received and all 10,000 transactions were sent to
our dummy print server.
We decided to look into the missing 90,000 and we
found out that since 9 out of the 10 origin servers didn’t
respond as expected, the queueing server preserved all
those transactions on memory. I was told that once those
9 origin servers were reachable from the queueing
November 2015 - 15 -
service then those transactions should be processed
accordingly. As a result, a second round of tests were
scheduled 1 month after.
Unfortunately, I left that company a couple weeks later
having found a better opportunity somewhere else.
The story doesn’t end here.
A few months after I started at my new company I got a
call from my former QA Manager. In the call also was
the Engineering Head, and his counterparts from Asia-
Pacific and Europe. I was told that they just launched to
production two days before and there were 90,000
orders from Hong Kong to Ireland paid for by Jackie
Chan and they want to know if I’m familiar with these
transactions.
I told them that I remember running a test some months
ago, I described to them the situation and the results. As
it it turns out, they promoted that pre-production
environment without cleaning up or establishing a clean
state. Since the queueing server can now reach the
remaining origin servers, it just finished what it was told
to do. So a print server somewhere in Ireland printed all
90,000 of these transactions that were dated 3 months
ago and an email server in Hong Kong received
corresponding email confirmations.
When it comes to performance test planning, it’s key
that you as the tester understand the schedules and
timeline, it’s also important that you have the right
people, proper tools, a reliable environment, and that
you understand what the objectives that your software
solution is trying to accomplish. When it comes to
people, you can never predict when people leave. If they
do, make sure there is continuity and plug as much
knowledge gaps as you can. Lastly, when running
automation assisted tests, it’s always key to keep track
of your test artifacts. Since you know what you created,
you should also know what happens to them in the end.
Make sure you clean up after yourself.
Then again, no matter how much you prepare, you can
never know what will happen when you try to employ
100,000 of Jackie Chan’s friends.

About the Author

Perze Ababa is the Test Engineering Manager for Johnson & Johnson Consumer, Inc., and is responsible
for the team providing testing related services and test tooling support for J&J Consumer Platform and
its websites. With over 13 years of software testing experience, Perze has tested for teams that built
multi-tiered desktop applications, websites and native applications for companies such as nytimes.com,
the now defunct ivillage.com and was recently the Director of Test Engineering for Viacom Media
Services. He has been a member of the Association for Software Testing since 2010 and have participated
in co-facilitating some BBST classes. He is also a founding member and organizer for the NYCTesters
meetup group.
Perze originally comes from Marawi City, Philippines, and is now living in New Jersey, USA with his
wife and three beautiful daughters.

www.TestingCircus.com November 2015 - 16 -

Reach out to a
larger number
of audience.

Write for Our

Readers.

Looking for a theme to write?

We have some ideas for you.
Click Here to get all ideas!

www.TestingCircus.com
 A Fake Tester’s Diary
e 5 9
Epi so d
http://www.testingcircus.com/category/a-fake-testers-diary/

"A week has 168 hours; I am asking you to bill at least

Yes Boss!
This week, I learned “Corporate Testing Maths”. In
corporate Maths 24 = 72; it’s possible to have 30 hours
billed in a 24 hour workday.
I was summoned to my manager's
cabin; my New manager. He seemed
in a foul mood and I walked in fully
prepared for one of his lectures on
something. He was looking at my
billing sheets pondering over my
billed hours. (Or unbilled hours, as
he put it).
"You billed only 40 hours last week?”
he asked.
"Yes", I said".
"You are a floating resource who
works across projects. You should
have billed at least 200", he said.
"What?” I thought I did not hear him
right; it sounded like 200 to me.
"Yes," he went on. "I said at least 200".
I started wondering if he's sober after
all. I started calculating 24 times 7 to
find out how many hours are there in
a week.....
"I am sober; not drunk; not yet", he said.
I was blankly staring at him still trying to work out 24
times 7.
"168", he seemed to read my thought.
"Huh", I was blank again.
200. Do you understand?” he growled.
"No", I said.
"Did you not have our cross-functional team
orientation?” he asked.
"No", I was unsure if 24 times 7
is 144 or 168; definitely nowhere
close to 200.....
"Well, if you are in a cross
functional team then it means
you work across different
projects. And different clients.
For example, let's say that you
are flying from here to the USA
for a client visit. How many
hours would you bill?"
"Nothing", I said. "It's my
travelling time".
"No", he went on. "Bill client-1
for 2 days since you are
travelling to meet them; if
possible meet client-2 and
client-3 and bill them for the trip
since you are visiting them as
well. While you are flying, work
on a document for client-4 and
client-5 and bill them too. That's 10 days of missed
billing time in a 2 day time period. 240 hours of missed
billing time.”
"Let’s go again. How many people do you bill while
you are in a 1-hour phone call with your client?” he
asked.
"1 hour for client-1", I said.

www.TestingCircus.com November 2015 - 18 -

"No; he said. Get into the call with client-1 and bill him
for the 1-hour. You are not going to be talking for the
entire duration of the call. While you are on the phone
with client-1, engage client-2 in an online discussion.
While you are messaging client-2, send emails to
client-3. That will make it 3 hours. If you bill client-1
only for 1 hour, that makes it 2 missed hours. You can
bill 3 hours for 1 hour!!!”
I nodded; I was learning.
"3rd question. How many hours do you bill for a
meeting that lasts for 10 mins?” he asked.
"10 Mins", I said.
"Nope; if a call lasts for 10 mins, bill the client for 30
mins; learn to round off. 10 mins is 30 mins, 35-45 mins
is 1 hour, and anything more is 2 hours. If a call goes
for beyond 2 hours, bill him for half-a day".
“Wow”.
"4th question. Let's say that you are writing a test
scenario for login for client-1 and the entire activity
spans 3 days. How much are you billing?"
"3 days for client-1, 3 days for client-2, 3 days for
client-3", I said. I wanted to impress him with my fast
learning skills.
"No. Bill the client-1 for 6 days, client-2 for 5 days and
client-3 for 2 days. Talk to the project managers on
new clients and old clients and bill them accordingly.
Don’t make the mistake of sending the test scenarios
within 3 days. Hold a meeting on day-1. Hold a
meeting on the 3rd day. Bill them for KT activities. Ask
for a sign-off and bill them for the sign-off meeting too.”
“That’s 12 days of billing for a 3 day effort”, I said.
www.TestingCircus.com
"Yes”, he went on. “5th question. Let's say you are
taking a coffee break and indulge in chit-chat with 5
people from 4 projects. What will you do?” he asked.
"Bill all the 4 clients for 1 hour under the heading of
"Group Discussion on project status". A total of 4
hours billed for a coffee break with employees from
different accounts", I said.
"Oh yes... you are indeed a fast learner. Remember, a
24 hour work day gives us, folks in Smart Billing, and
immense possibilities for billing 72 hours every day. If
you do more, that’s super-awesome. That way, you
can bill a minimum of 200 hours in a 168 hour work
week", he signed off waving me off.
As I walked away, he said “That’s why you have
targets on billing hours. The more you bill, the more
your appraisal is.” The proverbial “carrot” was shown
to me as I walked away.
Now all of the above is a lesson that I would have
learnt in schools. I learnt this story in a “promising”
company that has now taken action on their errant
management. The first thing that I did after hearing
this story is to ask for an exit from the project. You
would also come across such individuals in many
companies and projects; Companies are good, but
individuals are not. In every good company, there will
be such evil greedy businessmen who resort to such
tactics putting the company’s reputation at stake.
Though many companies have checks and balances,
some don’t; if you are in a company that does not have
systems to prevent it, the best thing to do is ask for an
exit from the project. Being a fake tester is fine, but
you cannot be a “criminal tester”; stay away from such
projects; and stay safe. See you in December.
November 2015 - 19 -
More TestBash New York Photos - Here
 Interview with
DAVID GREENLEES Testers
Director of Testing
Doran Jones, Inc
New York, USA

David has been testing software and managing testing teams for almost
15 years. Many of these spent in one of Australia's largest government
departments, while more recently undertaking a consultant role in
multiple organizations prior to joining Doran Jones. While he has
worked in multiple industry sectors, the last 5 have been spent in finance
working on online banking implementations and regulatory reporting
programs.
He has published several articles, blogs regularly at
http://www.dmg.name/, http://martialtester.wordpress.com/ and
http://hellotestworld.com/, and is close to releasing his first book on the
combined subjects of software testing and martial arts. In 2012 David
founded the Australian Workshop on Software Testing
(http://ozwst.wordpress.com/), Australia's first software testing peer
conference.
* Interviewed by Ajoy Singha

1. How did you begin your career in testing? Was it
planned or a chance?
Definitely chance. Like many testers that I've spoken
to throughout the years I 'fell' into testing.
In my late teens I joined one of Australia's largest
federal government departments as a call center
operator. I saw it as a stepping stone to something
bigger and better, turns out it was! After 18 months
of spending all day on the phone, and writing a time
variation on a sheet of paper when I used the rest
room, I'd had enough. It was around that time that
we had some visitors from the department's
Software Testing Center who were trying to recruit
testers for upcoming projects. I don't recall the exact
words I used, but I grabbed one of them on the arm
and asked them to get me the hell out of there!
Not long after their visit I was asked to be a part of a
five week test execution exercise, after that, the only
time I returned to the call center was to collect my
belongings. I spent the next 10 years performing
various roles from tester through to manager of the
entire testing center. I learned a great deal in that
www.TestingCircus.com
time, and even though the approach they used is
what many would refer to as a 'traditional' one, it's
given me a great grounding, especially when
thinking about how not to perform testing!
From there I moved in to the world of consulting,
where I have performed various roles and various
industries. I made that move so that I could broaden
my horizons and expend my testing knowledge,
and it's certainly paid off.
2. How did you end up working in New York for
Doran Jones?
In the not so distant past I picked up a book called
Lessons Learned in Software Testing; I'm sure
you've heard of it (if not, find it and read it!). The
book was filled with lessons that I could directly
relate to, and it began to change the way I thought
about testing. That book led to another, which lead
to blogs, which led to Twitter, etc, etc. I soon became
someone who was looking in on a wonderful
community of testers and I no longer wanted to be
on the outside.
November 2015 - 21 -
 DAVID GREENLEES
I began a blog, joined Twitter, started commenting
on other's blog posts, and even started a local meet
up for testers in my home city of Adelaide. It could
be a very long and detailed story but I soon found
myself working with Anne-Marie Charrett and the
guys from Let's Test to bring that wonderful
conference to Australia. As a part of that I went to
Let's Test in Sweden in 2014 and spent quite a bit of
time with Paul Holland, the Managing Director of
Testing for Doran Jones.
If I recall correctly Paul was trying to teach me how
to play disc golf, and while he was laughing very
loudly at my terrible form he simply asked me if I
would like to move to New York and work for
Doran Jones. After arriving home, speaking about it
with my very supportive wife, we took a holiday to
New York in the Fall of 2014 to meet the Doran
Jones crew, and having the right opportunity land,
I'm here!
3. How is the work different in Doran Jones than
that you did in Australia?
Generally speaking it's the client that makes the
difference. I've had to learn all about North
American finance, and while you may think finance
is the same the world over, I can tell you it's not. It's
almost an entirely different language.
What is different about Doran Jones is the approach
we take, to testing and to the community. We are
context-driven testers at Doran Jones, and we give
that message at an organizational level, which is
very different to any consultancy I've ever worked
for. Our goal is to help our clients become better at
testing by teaching them different ways of
performing it. Breaking in to clients who have only
ever known and performed 'traditional' testing is a
challenge, but it's a good one. It's fantastic to work
with them and see their reactions when we
demonstrate what we can do.
www.TestingCircus.com
While the above provides me with a great level of
job satisfaction, what goes far beyond is the
community work we do. We partner with a not-for-
profit IT training provider and recruit directly from
them which is visibly changing people's lives. Being
a part of that is an amazing feeling, and I have also
had the opportunity to manage the development of
a mobile application for a local public school. The
entire team is working on a volunteer basis on their
own time and the excitement from the school and
their kids has already made it all worthwhile.
4. What are your challenges at work? How do you
solve them?
Wow, I could write a novel!
One of the biggest challenges I think most testers
face is keeping their knowledge current. As a tester
you generally can't just focus on the technology as
you also need to maintain an understanding of the
business. As a test manager this becomes even more
important. You need to navigate technology,
business, office politics, your staff's needs and
wants, etc. etc.. Dividing your 8, or more likely 10-
12, hours into each of these areas of focus is
probably the most complex thing I have to do. Add
to that I also need to help Doran Jones build and be
successful. The latter is not too difficult, as it's
something I really enjoy, but it does add to the
juggling act.
There is no one way to solve this problem, and the
way I approach it could be different on any given
day. On my current project there are rare occasions
of 'down-time' for the testers and so I pass on tasks
to them when possible. It may be as simple as
collating a report, but it helps them by developing
their skills while helping me by allowing me to
focus on other things.
Another challenge I often face is educating non-
testing staff on what testing is. After years of being
told that testing is like a form of UAT, getting
November 2015 - 22 -
 DAVID GREENLEES

business stakeholders to truly understand and think the site will undergo several changes in the
appreciate what testing is can be quite a battle. In future. What they are I'm yet to decide upon.
the past I've held presentations and walked people 6. So do you often lecture your clients on usability?
through it, but recently I've found it more valuable
If by lecture you mean formally train, then not so
to actually show them. It's amazing how quickly
often. If you mean get up on my soapbox and
you can change someone's view on testing simply
preach the importance of usability, then almost
by showing them a bug that you found and how
every day!
you found it. They will often ask something like
My previous online banking projects are what really
“How did you find that?”, and this is the perfect
got me interested in the subject. When an
opening for you to further educate them. By them
application is customer facing it's a lot easier to
asking the question you have their attention; you
debate the importance of usability issues, especially
have their interest. That is key to successful
when those customers could end up being anyone
education.
with internet access! In more recent times while
5. You own Useology and TestingBullshit websites.
concentrating on regulatory reporting is been far
What are the objectives of those websites?
more of a challenge. When the end users are
Who said I own TestingBullshit? Oh, that's right, it's primarily made up of internal staff the important
linked from another one of my website. Oops. One usability issues very quickly end up defined as
day I found a really cool site called UXBullShit.com. 'training issues'.
I thought it was a wonderful idea and wanted to
In these instances I go directly to the end users and
know how it worked so I found the developer and
collect information from them. While I can 'talk for
he shared his code with me. It was a bit of fun and I
them' in project meetings, the real impact is felt
learned a bit more about GitHub, HTML, and CSS in
when they talk for themselves. Imagine yourself as a
the process. Your question has reminded me to
tester on a project stating in a meeting “I don't think
revisit that little project and add some more content,
the user will like how complicated it is to produce
so thank you. If you can't smile about your work,
that report” versus “I spoke to Jasmine (the actual
then what's the point?
end user) and she said she wouldn't use it because
Useology was sparked via my interest in both it's too hard and will take her too long”. Which
usability and psychology along with wanting to statement do you think would carry more weight?
build a website. I'll admit that it's been left far too
Usability should be front of mind for anything that
long in its current form and I would like to get back
requires human interaction, which is almost
to it so that I can add to it and turn it into something
everything, and while I'm on my soapbox I'll take
better. I actually came up with the name while
the opportunity to mention that usability is
thinking about potential business names and going
subjective. So even though we make use of
independent. If I ever did I would like to think that I
standards and heuristics to help guide us, you need
would concentrate on usability, which has been a
to remember there is no one size fits all in usability,
focus area of mine for many year now.
which is part of the reason why it's such an
The original objective of the site was to capture all interesting subject.
my research and thoughts on usability and
7. Do you love martial arts? How often do you
psychology, and while I continue to study both I
practise?
www.TestingCircus.com November 2015 - 23 -
 DAVID GREENLEES
Love would probably be an understatement. I have
been utterly fascinated by martial arts for as long as
I can remember. I have been studying at least one
form of martial art since I was 18, but before that I
was already unstoppable from watching Bruce Lee
movies.
How often I train varies depending on my personal
situation of course, but since moving to New York I
have spent some time at a wonderful place called
Clockwork Jiu-Jitsu. I was training 3 times a week
until recently. Prior to that I was boxing and kick-
boxing 3-4 times a week back in Adelaide. If I had
my way I would train every day.
It's also something that has helped me to
understand testing. Many of the philosophies in
martial arts can be directly related to lessons in
testing. So much so that I'm currently writing a book
on the subject. For example, take this quote from
Bruce Lee, “Notice that the stiffest tree is most easily
cracked, while the bamboo or willow survives by
bending with the wind.” Now think about that in
relation to standards in software testing. I find it
profound.
8. Ok, let’s talk that book you are writing on
‘Software testing and martial arts’. Give us some
hints.
Well, the biggest hint would be the name…
Software Testing as a Martial Art. In essence it's a
collection of my thoughts and experiences on how
studying martial arts has helped me understand
testing and become a better tester.
I begin each chapter with a martial arts quote that
means something to me from both a martial arts and
software testing perspective, and cover a wide range
of subject matter from the art of questioning to
mental models. I also have chapters from some
other great testers who are, or have been, martial
artists.
www.TestingCircus.com
It's been a great journey so far, and I'd like to think I
can release it in early 2016, probably via LeanPub,
but I'm constantly thinking of new content. I'll have
to draw a line in the sand at some point and hit the
publish button!
9. If you have to name only one book that every
tester should read which one that would be and
why?
Only one? OK, Lessons Learned in Software Testing
by Kaner, Bach, and Pettichord.
Oh, and I'm going to be a good tester and break the
rules by mentioning a second, Perfect Software: And
Other Illusions about Testing by Gerald Weinberg.
There has been plenty written about both of these
books but as mentioned above Lessons Learned was
the turning point for me. Not just because of the
lessons in-between the covers, but also the names
and what the research into those names has
provided me since discovering them.
When talking about books for software testing many
people, including myself, will tell you that they
don't have to be on the subject of testing to help you.
However, I do feel it's important that you have a
good understanding of what testing means to you
before you try and take lessons from other
industries and disciplines. I'm currently reading The
Invisible Gorilla and it's providing me with many
great lessons that I can bring to my testing, however
if I had read it when I was just beginning in the
industry I feel that many of those lessons would
have been lost. So while I encourage people to read
beyond the singular subject of testing, I caution
them to be comfortable with their knowledge in it
first, or perhaps be prepared to come back and re-
read the book when they are.
10. Five testing related websites you often visit.
Certainly, but in no particular order:
November 2015 - 24 -
 DAVID GREENLEES
• Ministry of Testing -
https://www.ministryoftesting.com/
• Michael Bolton's Blog -
http://www.developsense.com/blog/
• Thoughts from the Test Eye -
http://thetesteye.com/blog/
• StickyMinds - http://www.stickyminds.com/
• Satisfice - http://www.satisfice.com/
Why oh why did you limit me to five? There are
many more but I think these are the ones I most
frequently visit (depending on how often the
bloggers post).
11. No problem, go ahead, add five more.
Calling my bluff, well played:
• Test Insane Apps - http://apps.testinsane.com/
• Testing Stack Exchange -
http://sqa.stackexchange.com/
• Software Testing Club -
http://www.softwaretestingclub.com/
• Slack Testers Community - http://www.testers.io/
• Rob Lambert's website -
http://thesocialtester.co.uk/
Do you play poker, Ajoy?
12. No. I don’t. Next question. How can a newbie
tester become a well-known tester like David
Greenlees?
Firstly, ask yourself why you want to be well
known. If it's to be famous among software testers
then just speak at as many conferences as you can.
However be warned, if you don't 'bring it' you'll
quickly become infamous.
If you want to be well known because you're good
at what you do then just be good at what you do,
but make sure you share it! Get a Twitter account,
start a blog, and be active. Many people will tell you
to also go to all the great conferences out there and
to network, but that can be very difficult for people
www.TestingCircus.com
due to location and the associate expense. If that's
the case for you like it was for me, then start
something of your own in your location. With sites
like Meetup.com it's really easy these days to get a
small group of people together who can quickly
grow into a big group. As the originator of that
group your reputation will grow, and your network
greatly extended.
While you need to remember the first question I
asked, and be sure to chase 'fame' for the right
reasons, let's be blunt… reputation is very
important. I haven't formally interviewed for a role
in the last 5 years. What I've done is 'show' people
what I can do. Building a solid personal brand can
equal success, but it's how you build the brand that
matters.
13. Do you think testing conferences are useful?
That depends greatly on the user. I've approached
conferences in few different ways. In the early days
of my career I took the 'standard' approach whereby
I looked at the program before going to the
conference and chose the tracks I wanted to see.
Then during those tracks I stayed, no matter how
unimpressed I was. I didn't want to be 'rude' by
leaving part way through.
Later in my career I've taken more of a flexible
approach, whereby I often decide 5 minutes before
the track session begins which one I'm going to go
to, or if I'm not going to one because I'd rather stay
where I am and continue my current conversation. I
also do leave part way through if I feel I need to.
With the new wave of more context-driven
conferences this approach is actually encouraged,
and let's the attendee feel far more comfortable in
doing so.
For me, the true power of conferences is conferring.
Meeting new people and sharing ideas. That can
happen in a track session, but it can also happen at 3
am while sitting in a bar sharing war stories, or
November 2015 - 25 -
 DAVID GREENLEES
during a party in your hotel room, perhaps even in
room 403. Remember back to Go to question 2, and
how I got to work for Doran Jones!
My message here is that you, the conference
attendee, are in most control of whether or not the
conference is useful. Conferences are what you
make them, so head to them with an idea of what
you want to achieve and do whatever you need to
do in order to make that happen.
14. Name few people in testing, who influenced you
directly or indirectly in your career as a software
testing professional.
There have been so many, but OK, I'll limit myself
as much as possible, in no particular order:
• James Bach – I see James as a Grandmaster of
testing. Sparring with him will leave you bruised
and battered, but you'll learn so much in the
process!
• Anne-Marie Charrett – A tireless testing leader
who helped me bring Let's Test to Australia.
Knowledgable, patient, and a firecracker when the
situation calls for it.
• Mark Tolfts – The first context-driven tester I got
to work with and I really hope to again one day.
• Henrik Andersson – My business mentor. What
Henrik has created, and continues to create is
amazing, and I'm very glad I can call on him when
the need arises.
• Keith Klain – He's my boss, I have to mention him
right? Seriously though, I've only just commenced
working with him, but already I can see him
shaping my future.
• My software testing brothers from another
mother, Brian Osman, Richard Robinson, and Oliver
Erlewein – This crew from New Zealand (although
one is trying desperately to be an Aussie) is
awesome. Three great thinkers who I can debate
www.TestingCircus.com
with intensely while still remaining mates, what
more could I ask for?
Paul Holland, Michael Bolton (not the singer),
Jonathan Kohl; like I said, there are many more...
15. Five things nobody knows about you –
I thought I was an
open book!
1) I used to DJ, but not
with CDs, with vinyl
(the real deal). I still
love listening to drum
and bass, techno, and
trance!
2) I used to be able to
do the splits. It was
around the time I got my black belt in Taekwondo,
but I didn't maintain it.
3) We had pet wallabies (like small kangaroos for
those not in the know) when I was growing up.
4) I was crew member of the year for McDonald's
when I was 15, I received a medal, was written
about in the local newspaper, and received a free
Big Mac.
5) I once dressed up as Aladdin for my daughter's
Princess Jasmine party when she turned 5 (pictures
will not be supplied).
16. Usually our last question. Do you read Testing
Circus Magazine? If yes, what is your feedback to
improve this magazine?
I do read it if I like the look of a particular article/s.
In more recent times I had been focusing my efforts
on Testing Trapeze and helping review articles for
them so please don't be angry with me.
We are not. Thank David for your time.
Blog URL: http://www.dmg.name/
Twitter URL: http://twitter.com/DMGreenlees
November 2015 - 26 -
 “Doing business without
advertising is like winking
at a girl in the dark. You
know what you are doing
but nobody else does.”

Advertise in our Monthly Editions and Website

and reach out to thousands of real testers worldwide.

http://www.testingcircus.com/advertise
 Hunting For
‘Hard-to-Reproduce’
Bugs
Every tester likes to find bugs, report and track them to
closure. An effective bug report should help developer
understand the issue, reproduce it and fix it. One of the
most difficult tasks in software development is to find
non-reproducible bugs. These bugs are difficult to find,
because you can't fix a bug if you can't reproduce and
find it.
As a tester, you may reach a point in your testing where
you have found a bug or submit bug reports for defects
that are 'not reproducible'. They may be reproducible on
your computer, but not on end user's system. Or the
user supplies steps to reproduce, but you can't see the
defect locally. Many variations on this scenario of
course. Every tester faces such bugs during testing and
could easily become a nightmare.
There are often situations where you hear following
statements:
“I observed the issue once and the exact steps are not known”,
“Out of 10 times, 3 times the issue was seen”, “I observed this
issue only sometimes”, “I see too many defects declared non-
reproducible in bug report”
These kind of responses will never help developers to
debug & fix the issue. If issue is there, definitely it’s
there, the only problem is that we as testers need to find
when, where and how this bug occurred and provide as
much information as possible so that developers can
find why it occurred and fix it.
What are ‘Hard-to-Reproduce’ Bugs?
'Non-Reproducible' or 'Hard-to-Reproduce' bug are the
bugs, which are not easy to reproduce every time even
by following seemingly same set of steps/procedures
under which they were found at first place, showing
www.TestingCircus.com
- Ravi Kumar BN
their presence once or in rare circumstances (things that
happen only intermittently) under test.
These bugs occur when a user reports an issue but
testers or developers aren't able to reproduce the bug.
Handling these bugs has been a challenging one for both
developers and testers. During testing once the tester
observes an issue, he/she will try the same steps again to
see the issue again, however it might so happen that the
issue can’t be seen when tested second time or after
subsequent trials. These are the type of bugs which
testers often find harder to isolate. However tester logs
the issue as non-reproducible and to get them fix
becomes mundane task. In order for non-reproducible
issues to be fixed, it requires a lot of time. The developer
ends up spending lot of time to reproduce the issue and
to get the exact steps. When developer gives up it gets
marked as 'To-Be-Reproduced' and assigned back to
tester. Finding these bugs may take several days, and in
many cases the bug never actually gets fixed by either
getting rejected or closed (stating no plan to fix).
It’s tough for the developers to work with such bugs and
testers get lot of objections over such bugs. If the count
is more, then it might spoil the relationships between
testers and developers. These bugs cause your software
to lose users' trust, which eventually leads to the user
choosing another application.
Why do they occur?
Non-determinism is the source of many bugs. Many of
the times application behavior is dependent on user
input, operating environment, network, etc. There are
many different reasons under which bugs are harder to
November 2015 - 28 -
isolate and reproduce. Following are some scenarios
where few things affects in order for bug to appear.
§ Source Code – A non-reproducible bug occurs when
a test both passes and fails for the same input and
source code for different executions. It's also
possible that a test always passes during
development but fails for the tester or end-user. A
common issue with these bugs is that your code has
two executions for the same input: one good and one
bad. However, there must be some differences
between them or the result would be the same. In
some cases, part of your code should be executed
but it isn't for some reason. This type of analysis is a
great starting point that might lead you to the defect.
Another possibility is when the executions follow
different traces. If we find the point from which the
execution traces are different, we have another good
starting point to find the defect.
§ Build – Another possibility is the code fails with the
release or build version of your software, but it
passes in the IDE.
§ Installation – A bug may appear during the
installation of the software under particular
operating system with specific memory. Same bug
doesn’t appear under another system with same
operating system and memory. This is due to the
fact that such bugs are often affected by current
running processes and the libraries installed and
under use in the memory.
§ Operating System – Another type of bug is specific
to the environment changes (development libraries
and dependencies installed on the operating system)
in the operating system.
www.TestingCircus.com
§ Memory– Some bugs also appear due to the memory
location accessed outside the specific location. Or if
the accessing the
specific location is
not possible under
that particular
instant due to
operating system
resource priorities.
§ System
Process– If the
particular process
in the operating
system is not free
and it makes the operating of particular software
harder. In such case, if you try to reproduce the same
steps then it becomes harder to find the bug again.
§ Platform – If the bug is occurring due to the
platform changes and the library conflicts, then such
bugs are harder to isolate.
§ Debugger – Some bugs also vanish outside the scope
of the debugger. Once the debugger is turned off
such bugs don’t appear leaving us to assume the
conflict happens with debugger tool or libraries.
How do you hunt for such bugs?
As a tester, quite often you will be asked to reproduce
some "Hard-to-Reproduce" bugs, reported by other
testers or users of the application. Here, your aim
should be to try and get more and more information
regarding the bug (who knows in the process we might
reproduce it too!). Testers need to improve their skills in
order to reproduce such issues. The following five
points if you adapt might help you while hunting for
such bug.
§ Always be on your toes; be alert! – You should be
observant and keen for details while trying to corner
such a bug. Keep your eyes and ears open for any
possible suspicious looking process going on in the
system. You will need to have more observation
skills on the application behavior under test. Look
for those tiny little changes like flickering of the
status bar, a missing button on the toolbar, a
partially loaded dialog box, an empty dropdown
list, slow to respond database queries and so on. If
November 2015 - 29 -
 you happen to miss such a change in state, it might
prove vital for your bug hunting!
§ Trust but Verify; be suspicious! – Never trust
anything without verifying. Take the bug report
(submitted by other tester or whoever), just as a
reference. Don’t follow it as a word from bible, or it
won’t be long before you would find yourself
moving on a wrong track! Do it yourself and see
whether things are working as they are supposed to.
§ Look for Patterns! – Bugs love patterns. It’s the
tester who has to identify the patterns to identify the
bug. While trying to reproduce the bug, look for the
possible patterns that are similar to a cousin of this
bug. Who knows you might be able to find a pattern
which could help you to reproduce this bug!
§ Note down the things you are doing while testing! –
Make a note of the things you are doing while trying
to reproduce the bug. Include things like the test
environment, other applications that might be
running simultaneously, database configuration, the
test data you are using, other instances of
applications that might be using your AUT
(Application Under Test) etc. Try to capture and
narrate the story around the issue and not just steps
to the stake holders and to corner the issue. Capture
the complete test environment details, all the
available test execution results. This includes your
test data, screen shots, applications logs, system
logs, server logs. Noting down these details can help
to reproduce the bug. If you are able to get the bug
but have not noted down the things you did to get
the bug, then it might be difficult to recollect the
exact sequence of things to reproduce it again.
§ Have patience! – Patience is the key while trying to
reproduce such a bug. As a tester you have to show
lot of patience while hunting for such a bug. These
bugs are not easily reproducible and hence
sometimes may make you impatient. Sometimes
resources & time constraints might be an issue (more
true for tech support), bargain for the same.
How do you get them fixed?
If a certain bug/issue is non-reproducible on one system
and the same is reproducible on another system, then
the possibility of going wrong is in test bed or the test
environment where the software is being tested. Such
www.TestingCircus.com
bugs that are reproducible but only on some systems are
easy to handle:
§ By using some sort of remote software, you let the
user tell you what to do to reproduce the problem on
the system that has it. If this fails, then close it.
§ Try to reproduce the problem on another system. If
this fails, make an exact copy of the users system.
§ If it still fails, you have no option than to try to
debug it on the user system.
Once you can reproduce it, you can fix it. Doesn't matter
on what system.
As a tester, you often come across a situation when you
can’t reproduce some errors again. But in order for you
to report it, developer to reproduce and fix it, often you
have to confirm (reproduce the elusive bug) visually
with screenshots that you really observed this defect
and give precise instructions on how to reproduce the
bug for developers or other team members.
It does not make sense to keep wondering about why
software is behaving differently at different times but to
think several parameters involved while testing. There
are certainly some things that we need to take care while
testing. Some good practices that we should consider
before arriving at the decision that a particular
bug/issue is not reproducible.
§ Test Bed: It may so happen that the test bed being
used itself is wrong while testing the software, so it
does make sense to define the test bed first before
even start testing the software.
§ Exact Steps to Perform: People can't capture the
exact steps that they performed while testing
because they may have some assumptions. Avoid all
the assumptions while testing the software. Every
parameter while testing the software matters such as
test bed, the operating system, what was the CPU
and memory usage while testing the software etc.
If you are not confident of finding out the exact steps
to perform to reproduce the issue, it’s highly
recommended to use the desktop recording
software (such as WebEx Recorder). Start the
desktop recording software before you start testing,
this helps a lot. Its normal tendency of human beings
that they tend to forget to capture certain steps that
November 2015 - 30 -
 they actually performed while testing. The
recording software can be used to resolve these
issues. Turn on recording software while testing all
the time. You always have the option of deleting the
recording if you do not need it. In case of non-
reproducible bugs or issues, you always have the
option of going back and watching what are the
steps you were performing when the bug was seen.
§ Capture the logs: Logs are very important inputs to
developers to debug the issue and find out the
possible cause for it. Every software will have logs
enabled for debugging purposes, if not it is highly
recommended that you enable the logs in your
software. Sometimes the logs help developers to
find the exact root cause of the bug with no time.
§ Think out of the box: There was a situation wherein
one issue was because the Windows Firewall was
turned off while testing the software but if the
firewall is turned the issue wasn't there. There could
be lot of such parameters to consider that no one will
usually think. So all the initial computer settings
may also matter. So think out of the box. Test the
software in multiple computers before concluding
the bug is non reproducible.
§ Discuss sufficiently: Especially for non-
reproducible issues, we need to discuss a lot with
user who observed the issue. Developer has to talk
to the testing team to get more details of the issue. It
may so happen that the testers will not capture each
and every details of the issues that they raise though
it’s not recommended. This might give some
insights as to what is going wrong.
How do you report them?
Always report non-reproducible errors. If you report
them well, programmers can often figure out the
underlying problem. To help them, you must describe
the failure as precisely as possible. Below are some best
practices to describe the failure.
§ Error Message: If you can identify a display or a
message well enough, the programmer can often
identify a specific point in the code that the failure
had to pass through. Hence do keep a screenshot or
documentation of the error message that appeared
during the bug occurrence.
www.TestingCircus.com
§ Test Data: Provide the exact test data that was used
for test or any changes made to test data to
reproduce the bug.
§ Test Results: Provide the complete & detailed test
execution results. This data will even help to
evaluate the changes in the tests. Find ways to affect
timing of your program or of your devices, Slow
down, speed up.
§ Test Steps: When you realize that you can’t
reproduce the bug, write down everything you can
remember. Do it now, before you forget even more.
As you write, ask yourself whether you’re sure that
you did this step (or saw this thing) exactly as you
are describing it. If not, say so. Draw these
distinctions right away. The longer you wait, the
more you’ll forget. Hence add the test steps that gets
the execution closer to the bug.
§ Similar Bugs: Check the bug tracking system. Are
there similar failures? May be you can find a pattern.
This also helps developer to relate to the root cause
of previous occurrences.
§ Record Sequence: Use screenshot recording tool like
WebEx or Camtasia (or any other tool specific to that
operating system) to record the bug.
§ Capture Logs: Provide the environment logs and the
software debugger logs before and after noticing
such bugs. Checking the logging software in the
background helps to identify the system sources
when the bug was found.
§ Test Variants: If you can’t reproduce a bug, you first
document the steps and repeat them under different
environment to find it again. Capture all those
environments where tests were repeated and the
corresponding results.
§ More Details: Capture as much information as you
can to write new test cases for the same test steps
with different environment, user error and data
corruption scenarios.
§ Pre-Condition: Maybe the failure was a delayed
reaction to something you did before starting this
test or series of tests. Before you forget, note the
tasks you did before running this test.
November 2015 - 31 -
§ Program Code: The fact that a bug is not
reproducible is data. The program is telling you that
you have a hole in your logic. You are not
entertaining certain relevant conditions. Talk to the
programmer and/or read the code.
How do you use them?
A non- reproducible bug is a tester’s error, just like a
design bug is a programmer’s error. It’s valuable to
develop a system for discovering your blind spots. To
improve over time, keep track of the bugs you’re
missing and what conditions you are not attending to
(or find too hard to manipulate). There are several
advantages of recording, analyzing and tracking the
trend of such onetime issues:
§ Trending during testing phase helps assess the
quality of product under test
§ Trending at the end of testing phase helps assess
release readiness
§ Trending post release helps relate them to
field/customer complaints
Conclusion
Every bug is reproducible and if something happened
once it can happen again! It depends on how much time
and effort you are ready to invest on the investigation to
reproduce the bug, record and track them to assess the
quality & reliability of product under test.
It is true that if the so called non reproducible issues are
bound to take lot of time & resources in the process. It’s
suggested to reproduce each & every issue. We must
explore more for the critical issues & re-produce them.
In the process, we learn more too.
If these bugs are not much analyzed and fixed, it’s
certain that today or tomorrow the same bug/issue
comes from our customers. It’s also equally important to
understand the software deployment scenarios. In-fact
this should go as part of the software requirements. It’s
very much essential to understand in what conditions
the customers are going to use the product. Testers must
always think from this perspective and prepare their
test bed according to the end user scenarios.

About the Author

Ravi Kumar BN is a Product Verification Manager for Imaging Clinical Applications & Solutions,
HealthCare IT, Philips Innovation Center, Bangalore. He is a master’s graduate from IIT Kanpur, UP,
India, and BE (CSE) from SDM College of Engg & Technology, Dharwad, Karnataka, India. He has 13
years of experience in software quality processes and testing at Honeywell. He is a six sigma, lean and
agile testing expert and a six sigma techniques and tools trainer. He is actively involved in building and
deploying testing strategies for various platforms such as ERP (Peoplesoft), CRM (Siebel, SFDC), BI
(Cognos, OBIEE), emerging technologies such as Mobility, Cloud, Analytics, Voice, Responsive Web
Design and Wearables. He has attended design thinking workshop and has expertise in deploying
design tools in problem solving and usability testing. He has authored and published few testing articles
in QAI conferences and online magazines such as Testing Experience, Testing Circus etc.

www.TestingCircus.com November 2015 - 32 -

 My Thoughts on
EuroSTAR 2015
EuroSTAR conference that was held from
November 2nd to 5th in Maastricht, The Netherlands
The EuroSTAR conference edition 2015 was held in the
MECC in Maastricht, The Netherlands from November
2nd to 5th. This year’s conference topic, set by
conference chair Ruud Teunissen, originally was “Walk
the Talk”. The unofficial topic felt more like “The Future
of Testing” and the key message throughout many talks
was “The Human Factor of Testing”.
It all began with an intense keynote about “Trendz
2030” by future watcher Richard van Hooijdonk. In just
45 minutes he tried to show us what will happen in the
next 15 years and what is already possible. He tried to
present to a room full of professional sceptics, that most
of the changes of the near future will be positive. All
people I talked to afterwards were at first benumbed by
the flood of information, but more and more the
feedback came through that the future will hold lots to
do for testers, and that testing has to change (a lot) to
adapt for this future.
I went to several experience reports on various topics.
The key message was always, no matter what you try to
accomplish, you have to work as a team, establish good
communication, do the right things (automate, test,
develop, etc.), and you have to be disciplined about
what you do, to benefit the most from current trends in
software development. It was good to hear this key
message coming from several speakers with different
backgrounds in different situations, and it shows
exactly: context matters, and there are tools and
approaches to deal with the situation to adapt to your
context and create the product you want or need. There
is no one solution for everything, but there a good ways
to find a good solution for your problem.
Only one talk/discussion left the feeling, that not
everyone is ready for the future and is still looking back
and trying to reestablish structures from 25 years ago.
www.TestingCircus.com
- Patrick Prill
But I predict the future will prove them wrong, since
several people were not successful yet to tell them.
I want to explicitly mention a few talks that stood out for
me:
Paul Coyne was talking about the scientific method.
And this is something that really all testers ought to
know about. Paul showed us where the parallels
between science and testing are, and that the scientific
method is actually the thing behind testing. There is lots
we need to invent for the future of testing, but the
foundation is already there for quite some time, we just
have to acknowledge that fact and study it.
Julie Gardiner provided a 5-step program to remain
relevant as a tester in the future. And that is something
that can’t be told too often. You have to take your career
and learning in your own hands. Don’t wait for your
company to help you with that. Show why your testing
is adding value to the development process and remain
relevant.
The most intense talk was the “Lightning strikes the
speakers” session. Seven people with 5 minutes each,
talking about the future of testing.
Iris Pinkster’s message was “Think up new processes
and realize you are a team!” Important for teams that
have to transition from a world of silos to a more Agile
approach.
Jeffery Payne described the key elements for testing the
Internet of Things: 1. Fault Tolerance, 2. Robustness in
Error-handling, 3. Privacy. Which he also named the age
of non-functional testing!
Derk-Jan de Grood asked if testing is at the right level of
responsibility.
Michael Bolton challenged us to exchange “verify that”
with “challenge the idea that”, and “validate” with
November 2015 - 34 -
“investigate” or “look for problems”. Change your
language and improve your communication.
Rikard Edgren said that testers can bring new
perspectives and ideas to the development lifecycle, and
asked the audience: “what are the new perspectives you
will find?”
Rob Lambert’s hope for the future is that there will be
more testers to hire out there. And he gave us “10 things
to improve”.
Kristoffer Nordström predicted that in 15 years most
testers won’t work in testing any more. For low pay you
get low skills, but as a tester in an Agile environment
you need lots of skills. Kristoffer hopes for a future
where companies hire sapient testers and invest in the
future of their people.
And most of all, a conference is for conferring. And it
was a joy for conferring. The expo was built around the
TestHuddle and the TestLab, two fantastic places to
mingle and meet lots of awesome people. The vendors
in the Expo held lots of fun things to try and presenting
their newest tools, and of course giving freebies.
The TestHuddle held regular soap box talks and the Test
Lab offered lots of challenges and puzzles and several
practice sessions.
I also had the pleasure to join both evening events which
were both in caves. A fantastic location in the caves of
Château Neercanne on Tuesday, and the restaurant La
Caverne on Wednesday to celebrate the Awards Dinner.
The award of “EuroSTAR Tester of the Year” was
presented to James Lyndsay, “Tutorial of the Year”
went to Rob Lambert, and “Paper of the Year” went to
James Thomas.
At both events the food was good, the wine was plenty
and the talks were passionate.
To come to an end, Ruud Teunissen and his team
managed to get a balanced selection of tracks appealing
to the wide audience of the conference, with some really
good highlights.
And the team of EuroSTAR did a fantastic job in
organizing and running the conference. Everything
went smooth and participants could really enjoy the
event! Well done!
If you want to know more about the conference, you can
find several posts on my blog at
http://testpappy.wordpress.com. And I can highly
recommend the posts from Colin Cherry at
http://itesting.com.au, which you can also find at the
TestHuddle blog: https://testhuddle.com/blog/.

About the Author

Patrick Prill has over 12 years of experience in software testing. After 4,5 years as a tester he became test
manager, coordinating the work of ~50 people for another 5 years in a big national test project.
Since 3 years he is test lead for a software and consulting company for the automotive industry. The job
brought him back to a smaller test team and the hands-on experience of testing software again. This
experience and following the testing community re-lighted his fire for testing and bug hunting.
Patrick will start as speaker at two testing conferences in 2016. Patrick is living outside of Munich,
Germany and is a proud husband and father of a wonderful daughter. In the little spare time he loves
turning wooden bowls and pens.

www.TestingCircus.com November 2015 - 35 -

 .com [email protected]

Govind PK
Expert Exploratory Tester
India

236 1653
Following Followers

83 bugs reported
Level 7 (870 points)

30 more points needed to became a validater Receivable amount in this month

4 test cycles won 19,500/-

What is 99tests? Meet our community

99tests is a crowdsourced testing platform consisting over

12,000 testers who have logged around 75,000 bugs. Testers are
exposed to various types of testing and domains. 99tests is a
platform where you can earn, learn and grow by login bugs,
connecting with testers across the globe. India USA Russia

Why should I sign up with 99tests?

UK Philadelphia Austin

1 Work whenever you wish to and from any place you want to

2 Choose the products/ software you want to test

Collaborate with the testers across the globe, share your Join our community today!
3
skills and grow with them 99tests.com

“ Being in the field of software testing for a while, I always wondered whats my stand in the testing skills I
possess compared to the other testers. This was more of a positive thought as I was more keen on identifying
what I lacked and what I needed to improve.”

AWA R D E D B Y
Connect with our 4000+ fans
in our page.

http://www.facebook.com/TestingCircus
Become our fan -
https://twitter.com/_sahi
http://www.facebook.com/sahi.software

Request a free demo by sending us an email at [email protected]

http://www.sahi.co.in
 #Testers2Follow
Llewellyn Falco
Agile Coach, Creator of ApprovalTests, Co-Founder of
TeachingKids Programming. Legacy Code Expert

https://twitter.com/LlewellynFalco

Dwayne Green
Software Tester.

https://twitter.com/N00bTester

Women In Testing
Recognizing the great women in #softwaretesting.

https://twitter.com/WomenInTesting

Words From A Purple Mind

Quality Assurance, Business Analysis Web Design, SEO, and much
more.

https://twitter.com/WFAPM

https://Twitter.com/TestingCircus
www.TestingCircus.com NOvember 2015 - 39 -
 s
te ster
e
wa r
so f t
fo r
a z ine ting

cu s a g
ag
e m 010. #
tes

Cir
ngu er 2
li s h la ptemb

i n g ing
Eng nce Se
si i r cus

Test
a d s
ngC
e n
’s l itio
orld thly ed s t i
/Te
a w
u s is s. Mon m
c t o
er.c
Cir
sias
e s ting enthu i t t
://tw
T
test
and t ps
s at
ht
u
low
F ol

ter
wit
n T
s O
w U
o llo
#F
rc us
ngCi
Testi
m/
ter.co
wit
://T
ps
htt

200+ testers to follow on Twitter -

https://www.testingcircus.com/testers-in-twitter

www.TestingCircus.com NOvember 2015 - 40 -

 s
w
vie
Re
o k
Bo

BOOK
WORM’S
CORNER
Towards the end of the year is when we retrospect about our performance for that year; that’s when we think about
what we should have done, what we did not do, what we set out to do and if we met our own expectations for that
year. That’s the same for performance testing teams. They are called almost at the last minute to help and identify
problems; the bugs can be very costly to fix if found at a late stage. This book helped me to escape, when I was called
on by teams at such late stages. I hope it will help you too….
This month’s recommendations is
The Art of Application Performance Testing
Performance teams are usually engaged at a late time in the project; and they are expected to deliver a scalable sys-
tem on unstable systems. This book has helped many teams to cope and scale when they helped me when I was
called in to help out a project. Most practical things about performance testing are to understand the lifecycle of sys-
tems built for performance testing; this book would help you with that. It also helps you the various metrics that you
define for building performance testing systems so that you will understand when the systems get mature. A bigger
take away is a bunch of tools that is recommended by the author. The experience of the author is visible where they
talk about the most common issues that people would overlook if they are involved in performance testing for the 1st
time. The only time when this book does not work is when the person testing is new to performance testing and does
not realize the pitfalls, or wants to fall down and learn; if you want to get it right from the 1st time, this book is a
must-buy (and a best-buy).
Buy it here

- Wobo

www.TestingCircus.com November 2015 - 41 -

 Security Testing Tips
Tips for security threat detection and prevention
If you are a security tester and love to find security
vulnerabilities, cheers to you. Nevertheless, as security
testers we may want to do more in terms of real-time
where we detect the security attacks by black-hat
hackers or script kiddies and prevent such attacks so
that our customers or users don’t have downtime or
outage when the security attacks are lethal and
merciless. Personally, I would love to help my
customers not only with security vulnerabilities
through my exploratory testing skills, but also help
them to detect any such in future when they make
code changes while I also help them to prevent such
attacks. Nevertheless, it’s always good to have a
security tester going through the code
changes and then assessing it. What I
am trying to say here is, we need to
have combo of both detection &
prevention system while we do
frequent security assessments of the
application or software.
How do we detect the security
threats?
I will be taking a simple example to
explain it to you.
Let’s say, I have a web app where a
hacker will try doing code injection attack and it could
be something like <script> or <h1> or any HTML tag.
In this case, I will have a javascript or AJAX detection
script which will alert the server about this activity.
Even though we have server side truncation of this
kind of scripts, nevertheless it’s always good to know
that someone on this planet is trying to attack our
application.
We can always maintain a list of inputs in our database
categorized under “Possible Attacks” and whenever
www.TestingCircus.com
Part 33
- Santhosh Tuppad
we find such an input, we try to prevent further
attacks. Not only input vectors, but also URLs can be
included in detection algorithm / code. One more
example I would like to quote is: Tracking those
people who try to access /admin/ to land on admin
login form. Having said that, firstly it’s not
appropriate to have admin form open to web and that
too such a guessable name which is /admin/ after
hacker enters the website URL. I find many
applications on web which always have
http://example.com/admin/ which is like BOOM!
How do we prevent it after detection?
Now, once the detection is done you
need to think about how you need to
deal with it. It could in terms of
blocking the IP address for a while,
account-lockout policy, or notifying
the administrator / web developer or
anyone who matter via email or SMS
or call so that the suspect attack could
be blocked which may lead to
downtime of application or threat to
users privacy (Brute-force attack
trying to gain unauthorized access) if
not blocked.
There are several ways to do it and the question is, do
you want to start developing something like this from
scratch or you want to use something that is already
available as open-source or commercial. The decision
depends on various attributes here. If you are willing
to go ahead with open-source framework, may be you
should look into AppSensor at OWASP. Thanks to all
the people who worked on this to give it to the world
of technology. Have a good time in stopping malicious
attackers and let’s move towards clean web.
November 2015 - 42 -
 Validata Launches New Test Data
Generator Solution
Validata Group, the leader in Enterprise Software
Testing solutions, is pleased to announce that it has
launched, Test Data Generator, a complete end-to-end
test data management solution, which offers
organisations the market leading functionality and
flexibility to find, design and make ‘fit for purpose’ data
for use in non-production environments.
It enables the creation of test data and expected results
automatically avoiding time- consuming and error
prone validation of test results on a field by field basis.
Test data created with Test Data Generator is reusable,
adapts to change quickly and allows faster innovation
and faster release with better quality on time and
within budget.
The solution enables successful implementation of
continuous delivery as it delivers the right data in the
www.TestingCircus.com
right place at the right time, reducing project delay by
efficient provisioning of quality, realistic data with all
the characteristics of production, but with no sensitive
content. It also enables to identify any gaps in the test
data on demand and powerful synthetic data
generation to provide testers with data before testing
starts.
The tool’s powerful data generation engine supports
hierarchical overview of equivalence partitioning, and
boundary values analysis, as well as advanced spot
diagrams for effective environments comparison and
data coverage measurements for all valid combinations.
Clients will benefit from reduced number of time and
resources required to provide ‘fit for purpose’ data and
improved test coverage and teams’ productivity, while
allowing IT to ‘shift left’ testing and cut costs.
November 2015 - 43 -
 SmartBear Redefines How Functional
And Performance Testing Is Done
With Script Reuse
SmartBear Software, the leader in software quality tools
for the connected world, announced a new version of
TestComplete that redefines how functional and
performance testing is done with script reuse. One of
the world’s most recognized automated testing tools,
TestComplete is now integrated with LoadComplete,
SmartBear’s popular load testing solution for websites,
mobile and Web apps. Customers deploying the new
version are able to repurpose TestComplete functional
test scripts for performance testing in LoadComplete.
Organizations are under constant pressure to improve
time-to-market schedules to meet accelerated delivery
timeframes. Delivering on these quicker release
deadlines often comes with maintaining high quality
functional and performance delivery criteria. Meeting
such an improved time-to-delivery cannot come at the
expense of quality, essentially meaning that QA
managers are under constant pressure to cut testing
time while expanding functional and performance test
coverage.
Expanding coverage while reducing testing time can
be difficult to achieve for QA managers, especially
when testers have to reinvent the wheel and create
scripts from scratch every time a feature needs to be
tested for performance and functionality. Rewriting
different scripts for performance and functional testing
results in redundant efforts, which in turn erodes
efficiency gains achieved during previous stages of the
software development lifecycle. Add to that, additional
challenges arise from the fact that testers with a
development background are hard to find.
SmartBear believes that a January 2015 Forrester
Research report entitled, “Five Must-Do’s For Testing
Quality At Speed,” (subscription required for access)
www.TestingCircus.com
effectively captures this trend by stating, “71 percent
of the most successful advanced companies have made
it a high priority to increase software development
speed while maintaining quality; they regard doing this
effectively as important for competitiveness compared
with usability, flexibility, global integration, reliability
and business insights.”
“Testing cycles continue to get shorter from months to
weeks and now even a few hours,” said Nikhil Kaul,
Product Marketing Manager, Testing Products at
SmartBear. “Achieving higher levels of test automation
holds the key to delivering applications at a greater
speed and higher quality. With an ability to convert
functional tests into performance tests, we are ensuring
QA teams have the right tools to succeed in Agile and
DevOps environments. The functionality ensures that
performance and functional testing are not treated as
a stand-alone activity and same set of testing skills as
well as assets can be used across disciplines.”
TestComplete’s integration with LoadComplete makes
it easy for QA teams to convert functional tests into
performance tests. QA teams can increase their level of
automation testing and improve time-to-market,
thereby reducing test development costs and time. The
facilitated reuse of functional tests as performance tests
drives efficiency gains as the script logic needs to be
written only once, which cuts down testing time and
expands coverage.
The tests created can then be run as a part of continuous
build process to minimize handoffs and get rapid
feedback. Most importantly, organizations can leverage
their existing QA resources for both functional and
performance testing, thereby not leaving any test
creation and execution in developers’ hands.
November 2015 - 44 -
 Synack Launches Innovative
Vulnerability Intelligence Platform
Hydra
Synack, the security company that harnesses the power
of a worldwide community of highly qualified and
trusted researchers, announced the launch of the
Synack Hydra Technology Platform. Hydra
Technology is an advanced vulnerability intelligence
platform that together with the Synack Red Team
(SRT), gives the enterprise an unparalleled adversarial
perspective of their digital assets.
Hydra combines the power of a modern vulnerability
scanner with the expertise and creativity found in
individual hacker toolkits to provide actionable
intelligence to the Synack Red Team (SRT) so that they
can locate, confirm and report exploitable bugs with
unprecedented efficiency and scale. Acting as a closely
integrated extension of internal security teams, the
Hydra-enabled SRT delivers exploitation intelligence
that reduces windows of exposure and provides
comprehensive testing coverage across large, complex
enterprise assets.
Strong security posture for a fast moving enterprise is
no longer an option, it’s an expectation. Security is top
of mind in the court of public opinion — key business
partners, customers, regulators, and rating agencies —
all want to know that the enterprise they do business
with is proactively securing itself against cyber threats.
Using Hydra Technology, the SRT locates and helps to
eliminate the vulnerabilities that give way to cyber-
attacks that could ultimately threaten the way we live,
play, travel, do business and interact with one another.
Synack’s proactive testing solution seamlessly
combines the collective human intelligence of the SRT
with Hydra’s advanced vulnerability intelligence
technology, consistently delivering prioritized and
contextualized exploitation intelligence that has led to
record-breaking find-to-fix cycles for many of their
enterprise clients.
Hydra’s continuous monitoring capabilities are
designed to streamline the SRT’s reconnaissance phase
of the testing process, allowing them to test faster and
www.TestingCircus.com
deeper across large enterprise assets without
jeopardizing quality. This optimal pairing of man and
machine is a unique approach to combating the real
and ongoing threat of compromise that the enterprise
faces on a daily basis — strategically pitting a solution
that leverages advanced technology to scale researcher
intelligence against the threat of skilled blackhat
hackers.
Today, Synack helps secure leading Fortune 500
financial, healthcare, consumer goods companies,
among others, and Hydra will enhance Synack’s core
solution in a way that can scale the unmatched
expertise of the SRT across a growing customer base.
“Today’s vulnerability solutions are flawed,” said Mark
Kuhr, CTO and co-founder of Synack. “Some are
human-centric, point-in-time penetration tests, which
are limited to the skillsets of individual testers and
project timelines. Others are solely reliant on scanner
technologies, which overwhelm today’s already-
strained IT organizations with duplicates, false
positives, uneven quality levels and thousands of
submissions that require manual review. Hydra
Technology delivers scalable, continuous testing to the
enterprise without the noise, so that enterprises can
secure their perimeter and ease the strain on security
organizations.”
The Hydra platform can be separated into three subsets
of functionality — host monitoring, web application
analysis and mobile application analysis — all of which
will be released in phases. Host monitoring capabilities
will be available to Synack customers on October 21,
with web and mobile testing capabilities to be released
in the first half of 2016. The technology is available as
part of the Synack subscription model. As Hydra
technology is a SaaS offering, there is no physical or
virtual appliance to install, no software to deploy and
no physical infrastructure to acquire and maintain.
November 2015 - 45 -
 Still relying on
reading
Testing Circus
from tweets
& facebook
updates?
Subscribe
with your
u b s c r i b e email id and
To S
C l i c k H e r e get the
magazine
delivered to
your email
every month,
Testing Circus free!
www.testingcircus.com