Thursday, December 6, 2018

Testing United 2018 - My First Keynote

Right after returning home from Agile Testing Days 2018 I packed my things again and went to the lovely city of Bratislava for Testing United; the conference that invited me to give my very first keynote. A colleague of mine accompanied me for the conference. We arrived the day before, got welcomed by the organizers and enjoyed a nice lunch together with two other speakers. The evening offered a private sightseeing tour through the old city of Bratislava as well as a lovely speakers dinner where I could already get to know further people. My keynote was scheduled as second session of the first conference day and I was really glad about having it early. On the one hand this helped calm my nerves, and on the other hand I had caught a cold the week before, so I wanted to get the keynote done before it got too bad to deliver a proper talk. The day came, and indeed felt nervous right before the keynote, however, I always did before any of the sessions I gave so far. What I learned on my speaking journey is to prepare for that and that I am then able to cope with the situation on stage. For the first keynote, it was exactly the same. And then it was done! I felt really relieved afterwards. I mean, achievement unlocked, right? It was great to get some nice feedback on it from the people I talked with during the rest of the conference. My job was not done yet though. For the second conference day a panel discussion with all keynote speakers was scheduled. Honestly, I do not like panel discussions as they provide lots of uncertainty how they go. Also, my cold had grown worse. But well, I made it through, and then I was finally really done! Now, what about the rest of the program? I made quite some sketchnoting experience on the last three conferences and I was committed to keep at it. So here are my notes of the sessions I attended. Well, the conference was over - so what to do? I found a nice small dinner group with Raluca Morariu, her partner and Roy Boven and really enjoyed our conversation in a low key setting to close the conference in a personal way.

What I really liked about the conference was that they provided plenty of opportunities to socialize and have conversations with the people. The venue was great for that, breaks had a perfect length, they offered a free networking party on the evening of the first conference day - and all that was always accompanied by amazing food, and plenty of it. (Yes, I will remember the food at any conference.)

In case you'd like to get further impressions yourself, check out the official photo album or the talk recordings that will get published on the Testing United YouTube channel.

Wednesday, December 5, 2018

Agile Testing Days 2018 - Wonderful Unicorn Season

Agile Testing Days 2018 ended over two weeks ago, and yet I instantly get this very special conference feeling just when thinking of it. I know I'm biased when it comes to this conference as it was my very first one. To add to that I made many new friends there, the inspiration I drew from it changed my life, and it feels more and more like magic each year. The best thing, however, is that others share this impression!
Here are my experiences of the 2018 edition, the conference's 10th anniversary. Although this post became lengthy it cannot do this week full of inspiration justice in any way; and yet I hope it gives an impression.

Meeting Friends Old and New

This year I met Maria Kedemo and Tom Roden at the airport so I did not have to go to the venue alone. What luxury to share a taxi along with stories, getting into the conference mood already. Arriving at the hotel we met the next familiar faces and the next stories were shared. It was great spending the first evening with lots of the amazing people from the Women in Testing slack that I am part of.

Seeing my learning partner Toyer Mamoojee again in real life was simply awesome, as always! It's great we have so frequent video calls but they cannot replace meeting in real life. Also, so many people of the power learning group Toyer and I started were around as well! Lovely to meet João Proença, Viktorija Manevska, Lilit Sharkhatunyan, and Pooja Shah in person again. That not being enough, I also had the chance to meet several people I paired with on my testing tour like Thomas RinkeGuna Petrova, Claire Reckless, and Marianne DuijstLisa Crispin, who introduced me to the community in the first place. And Alex Schladebeck, who won this year's MIATPP = Most Influential Agile Testing Professional Person award! Congrats Alex, you very well deserved it. Several of my former and current colleagues attended the conference for their first time. I'm really glad they enjoyed our trip to unicorn land just as much as I did. One of them even won the first price of the costume contest and therefore a free ticket for next year's conference! How awesome is that?
I cannot name them all, but I've also met again many people from past editions of Agile Testing Days, as well as made new connections. I'm thankful for them all.

With all those great people I had lots of great conversations and I wished I would have had more time for every single one of them. So many stories shared, lessons learned, a lot of feedback received, and much more inspiration to take home. I said it already so many times, and I'm going to say it again: it's all about the people.

A Theme, and It's Precious

The program of this conference can only be described as huge. Every year the fear of missing out is gets bigger, and yet we have to decide between 10+ tracks or giving ourselves a bit of rest. This conference goes the whole week from early hours until early hours again, nearly around the clock. Getting rest and sleep is essential and yet there are so many wonderful people to have inspiring and thoughtful conversations with which makes it hard to find a good personal balance. Complaining on a very high level here!

Although the program is huge, there is still a sort of theme each year. João Proença shared in his great blog post that last year it was "What does the future look like for testers?" whereas this year the focus was on "What should we be paying attention to now in ourselves?". I absolutely agree with him. Many sessions addressed diversity, inclusion, mental health, psychological safety, biases, learning, mentoring, teaching as well as our creative, critical, and lateral thinking skills. Yes, it's a testing conference! And all this is what we need to grow as testers and hone our testing skills. So many so much needed messages and exercises.

By the way, when it comes to diversity and representation, these conference organizers really do their homework, and their efforts are reflected in a very diverse speaker lineup and audience.

What a Week

In the following are the sessions I've attended, including the sketchnotes I did wherever I had the time and energy to do them. Knowing how overwhelming the 5 days of 10+ tracks of Agile Testing Days can be, I mostly chose workshops this time, adding in only a few talks here and there. Though it's really sad I couldn't hear all those other great talks, this strategy worked out well for me this time to not overload myself, get a lot out of the official program, and get even more out of the informal socializing opportunities and conversations throughout this testing festival. By the way, many speakers shared their slides, several people wrote own blog posts, shared photos and more, it's worth to check them out as well.






The conclusion is clear: see you next year!

Yes, this conference is expensive, and yes, it's absolutely worth it. So it really does make sense to apply as speaker or volunteer or use the conference budget in case you have one. I know one thing for sure: I am going to find a way to get to the 2019 edition as well. So see you next year back in unicorn land!

Wednesday, October 31, 2018

My Testing Tour 2018 - A Challenge Worth Tackling

My testing tour officially ended today. Now it's time to reflect, gather lessons learned, and draw a conclusion.


My challenge was to become a better skilled tester. Inspired by a lot of people around me, I came up with a hypothesis and designed an experiment, or rather a probe, to test it. I decided to go on a testing tour in 2018, from January until end of October. I paired with many different people, from other teams of my company as well as our global community, to learn with and from each other. Some sessions were collocated, most of them remote, they took at least 90 minutes each and afterwards I blogged about our lessons learned.

Amazing People

In the end I did 25 pair testing sessions with 22 awesome people within 10 months. I'm still speechless when it comes to these figures. However, it's not about figures, it's about the amazing people who joined me on my journey. We learned so much with and from each other, together. These people were key to success of the story, so here is a list of everyone I paired with in the order of their appearance on the tour.
  1. Maaret Pyhäjärvi
  2. Thiago Amanajás
  3. Dianë Xhymshiti
  4. Lisa Crispin
  5. Pranav KS
  6. Peter Kofler
  7. Viv Richards
  8. Cassandra H. Leung
  9. Alex Schladebeck
  10. Viktorija Manevska
  11. João Proença
  12. Mirjana Andovska
  13. Toyer Mamoojee
  14. Thomas Rinke
  15. Simon Berner
  16. Amitai Schleier
  17. Guna Petrova
  18. Claire Reckless
  19. Alex de los Reyes
  20. Rachel Kibler
  21. Marianne Duijst
  22. Gem Hill
If you are on this list, thank you so much for giving this learning experiment a try, for sharing your knowledge, for maybe getting out of your comfort zone yourself, and last but not least for having fun together. Without you the tour would not have happened. I cannot thank you enough for this great experience!

There were further people who agreed to pair up for testing, however, unfortunately we could not find time to do so this year. Some day I'd like to catch up on that in case you're still up for it!
The same goes for all the people who had a place on the tour and expressed interest in having further sessions. And there are so many more people to learn from. I'm sure more opportunities will come to do so.

Lessons about Pairing & the Tour

If you're interested about the actual testing lessons learned on each stop, you will find them in each single post. When it comes to collaboration, I found that I personally prefer the strong-style approach to pairing with frequent rotations of navigator and driver roles. In my experience this set us up for sharing implicit knowledge, building up on each other's ideas and in general smooth collaboration right from the start; especially if I had never paired with that person before.

In general, the following things became clear to me on this tour.
  • The concept of accountability and learning partners works for me. We are probably able to do most things on our own, it might just take more time. The problem is that we often simply don't do them on our own; together, we actually do. You don‘t want to disappoint your pairing partner, right?
  • Make it safe. Having one person share vulnerabilities or fears in the beginning of a session makes it safe for the pair to open up as well. I've witnessed this in several of our sessions. The thing is, I am always nervous in the beginning as well. Some people considered me to be a sort of "expert" - quite the opposite! I'm here to learn myself.
  • More ideas, faster. Pairing up was invaluable to generate ideas what the problem could be and what to try next to solve it. As pairs we could nicely complement each other and built upon each other's ideas. We nearly never got stuck or wasted any time thinking what we could do next.
  • Implicit knowledge becomes obvious. The best example here was my first stop with Peter. At first, we both thought we knew nearly nothing about security testing, and then we realized we indeed did know a lot more than we thought we knew. Often people don't see which kind of value they can provide, for example when pairing with developers to write unit tests. However, there's always something to be shared, always something to offer. Every single piece of knowledge, tip or insight helps us testing.
  • Give yourself time to learn. Diving into a huge topic or new domain takes time. Doing further sessions to go deeper or focusing on very small, dedicated areas might have helped here.
  • Diversity challenges our own understanding. And it's about creating a shared one! A diverse pair will contribute different thoughts and viewpoints, it will make you think. Also, there is nothing too basic to pair on, both can always learn something from each other.
  • Collocation is not a requirement but an excuse. I learned this from Maaret and Toyer, and the tour proved it once again. Remote pair testing sessions can go very smoothly. You can even benefit from geographical dispersal because it increases chances that you get a more diverse perspective.

Did it work?

Well, am I a better skilled tester now? Could I prove my hypothesis? Coming back to this, I did pair indeed, on hands-on exploration and automation along more specialized topics, and I got at least one insight out of each session. Therefore, I succeeded. So I can indeed say: yes, I am a better skilled tester now. At least, I‘m better than yesterday!
  • I have practiced testing a lot more than before.
  • I increased my knowledge around areas new to me like accessibility.
  • I have a lot more tools in my tool belt now.
  • I learned what I know and what I don‘t know, where I need to practice more.
  • And as a side-effect: I enlarged my network and therefore increased my access to knowledge.
In retrospect, it was worth it. I’m happy I chose this adventure. Is it still scary to pair with other people? Yes it is, but a lot less! I'm now feeling way more comfortable to just learn with people, leaving my personal fears aside. „If it‘s scary, do it more often“, right?

My testing tour is now officially over. Still, I really consider to keep the offer to pair test remotely. I might choose a more narrow focus next time. Maybe have more sessions with testers of my company's internal community, or with developers of other teams. Would love to find people to mob with! I could also continue with persons who had been on my tour and go deeper on the same topic. There are many options to choose from.

The Next Challenge

End of 2016, I made a pact with my learning and accountability partner Toyer Mamoojee to help each other out of our comfort zones and tackle our fear of public speaking in 2017. This worked out so well that we decided to go for another challenge in 2018, which was in my case this testing tour. You might have noticed how successful this was for me, as well. I even had the chance to talk about my tour at two conferences already, CAST and SwanseaCon. The best part of sharing my story was that I managed to inspire other people to give these kind of experiments a try as well! I'm already looking forward to give my talk again at TestBash Brighton next year.

The big question for me now is: what will be my personal challenge for 2019? What I know is that there will be another challenge. I'm already eager to tackle it and super curious to see its outcome. Indeed, I already brainstormed several topics and ideas, again based on my fears nowadays. However, there's one important thing I learned from my testing tour that I really have to consider: whatever my next challenge will be, it cannot be as time-consuming as my testing tour this year. Especially as I continued my public speaking challenge as well at the same time. I did not track exact numbers but I estimate the following time effort per session: 2 hours for preparation and communication upfront, 2 hours for each session, 1 hour for writing down my notes, and 3 hours per blog post. And that calculation would only hold for the second half of sessions where I already knew what needed to be done and how everything went. Just considering these figures, I invested 8 hours per session. Times 25 sessions... Well, you can do the math. 200 hours in 10 months is a huge investment. On top of that I know I spent even more hours to come up with the concept, to prepare the tour, to research tools and target applications, to improve the sessions as the tour went on, and so on. Long story cut short: my next challenge needs to be more flexible and less time-consuming.

In any case I am determined to give myself time to rest first, and then some more time to explore options before I finally decide on my challenge. Whatever it will be, it already helps to know that I will get feedback, support and encouragement. I can rely on my learning partnership with Toyer. I will get the backing from our extended pact group together with João and Diane. I will receive feedback from the even bigger power learning group we kicked off this year. And not to forget my newly increased network and the communities I am so glad to be part of. I consider myself really lucky to have so many amazing people around me. No matter what my new challenge will be, I'm already looking forward to where my journey will lead me next!

Tuesday, October 30, 2018

Testing Tour Stop #25: Pair Penetration Testing with Peter

Just a few days before my testing tour is coming to an official end, I had my final stop with Peter Kofler.
We had two sessions on my tour already together which makes Peter the only one I had the pleasure of pairing with three times. In all three sessions we tackled different security testing challenges, each time using Dan Billing’s Ticket Magpie as our target. The first time we focused on exploring the application using SQL injection. The second time we tried automating SQL injections. This time we planned to have a closer look at cross-site scripting (XSS) and see what fake content we could place.

Starting Out

In the beginning of our session, we looked for potential input fields where we could give cross-site scripting a try. We registered as new user and found a comment field on each offered concert. We added a comment containing an HTML tag to see whether this was allowed, and it was. We went ahead and added a simple script that should show up an alert. Interestingly, the Chrome browser considered this a potential cross-site scripting attempt and blocked it showing the error code "ERR_BLOCKED_BY_XSS_AUDITOR". Navigating again to the concerned page, however, indeed showed us the desired alert.

As we had already proven that the application was vulnerable to cross-site scripting, we considered to try out actual scenarios. What if we changed the link of the button to book a concert to lure the user to a different site? We used our JavaScript knowledge and tried out how to target the desired elements in Chrome's Dev Tools console until we had the right command. We added the script in our comment and this worked just fine!

What about posting comments in the name of another user? This was even easier than considered, we found the user name to be a hidden field of the form so we could simply change it using DevTools before submitting the comment. Tampering with web parameters was not our goal, so we decided to inject a script to change already existing user names. We found out how to select the desired elements to change, submitted our comment including the script, and all targeted user names got replaced. However, we found it did not work when adding a new comment in the name of the targeted user. Right, the script had already been executed at that point in time. So we changed the implementation to be executed only when the DOM content had been fully loaded. It still didn't work, but why? The console showed us that an error was thrown. What was wrong with our script? After spending some time on debugging we realized it might just be a copy and paste error, we might have copied some non-ASCII text from a website sample. We sanitized our code - and now it worked!

All this was surprisingly easy, so we still had some time left which we spent on brainstorming what else we might try on our current target practice application or what we in general would want to learn more about.
One of the best resources to get an overview on the most critical web application security risks alongside further resources are still the OWASP Top 10.

Looking Back

We were really successful with our attempts. Frustration was kept at a minimum, not everything worked at once but we made it work together. This was great for learning. However, it felt quite easy as well. This might have been due to the fact that both Peter and me complemented each other very well regarding our knowledge. Peter contributed most of the JavaScript knowledge where I lacked a lot of practice, and I was fluent with the Chrome DevTools that he never used as pure backend developer.

Time flew by and collaboration was smooth. The only thing we noticed: it was not easy for me to not see Peter's screen. I could not see when he shifted his focus away from the shared screen to his screen in order to research useful resources. Though this style had worked in previous sessions for us, we considered we would try researching together and sharing screen control in a future session. Would we have a future session? Well, the whole area of security testing is still really interesting for both of us so we might go deeper together on this topic outside of my testing tour.

This was the last stop on my testing tour in 2018. I aimed for ten pair testing sessions in ten months and ended up with 25. I am still amazed by this awesome learning journey together with so many amazing people. My final task to conclude the tour is to take time and reflect on it as whole, so stay tuned!