Archive for February, 2010

Will That Put QA Management On The Hook?

Thursday, February 25th, 2010 by The Director

A proposal would hold vendors liable for bugs:

SANS’ newly released Top 25 list of common programming flaws came with a little legal muscle, too, with representatives from SANS, Mitre, the U.S. Department of Homeland Security, the National Security Agency, and other organizations pushing for custom software developers to be held liable for insecure code they write.

Experts from more than 30 U.S. and international organizations, including OWASP, Microsoft, Apple, EMC, Oracle, McAfee, and Symantec, contributed to the CWE/SANS Top 25 list. And procurement experts from some of the organizations are recommending standard contract language for procurements that would ensure buyers aren’t held liable for software that contains security flaws. “Wherever a commercial entity or government agency asks someone to write software for them, there is now a way they can begin to make the suppliers of that software accountable for [security] problems,” says Alan Paller, director of research for the SANS Institute.

Paller says the contract language would be based in part on a draft in the works by the State of New York (PDF) that refers to the SANS Top 25 and would make the state’s custom-software vendors contractually bound to provide apps that are free of those bugs. Paller says although there is “no formal agreement on the language” among the group at this point, it’s focused on the section of New York’s proposed contract language that reads: “the Vendor shall, at a minimum, conduct a threat assessment and analysis of vulnerability information, including the current list of SANS 25 Most Dangerous Programming Errors; provide the Purchaser with a written report as soon as possible after a vulnerability, threat, or risk has been identified.”

Well, within the context of the job, QA management is always on the hook. Any bugs that get through reflect poorly on QA (as they do on the whole organization, but I always internalize it because I’m that way).

However, when I read something like this, I get a little skittish and recollect sitting in a sexual harassment seminar given to all department heads and learning that I, personally, was on the hook as a potential plaintiff if one of my minions made a hostile-in-the-sexual-way environment (hostile-in-the-QA-way environments are standard). I am sure I paled a bit learning someone could get my house. I mean, I had a Canadian on staff, and you know what that means (the man was born in Canada).

I’m probably a little worried for something that probably won’t come to pass. A little liability and being required to fix problems is good. That fear can help make some better software. How the torts shake out, though, that remains to be seen.

Think Of It As Decals On Your Fuselage Of Programs You Crashed

Wednesday, February 24th, 2010 by The Director

Steven Den Beste finds a common error with programs that write their icons to the Windows system tray:

Every time I start playing a new file, it spawns another icon in the tray. There’s only one copy of it running, and if I run my mouse pointer over them then all the phantom icons will disappear.

Let me put on my developer hat here: That’s not a bug, it’s a feature! Yeah, it tells you how many files you’ve played since you’ve moused over the system tray! I’m marking the defect RESOLVED: NOT A BUG!

As one of his commenters mentions and my experience indicates, this happens sometimes when low rent applications ab-end. And I include Yahoo! Messenger in the low end category.

Which brings me to a good testing point: So, what happens when you kill your desktop application from the task manager? Does it leave connections on the database open? Does it leave stray icons? Try it and find out. You might like it better if you know the UNIX term for it: kill.
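The kill test described above can be scripted. This is an added example, not part of the original post: it assumes a POSIX system, and the child script is a constructed stand-in for "the application" whose marker file plays the role of the stray icon or open connection.

```python
import os
import signal
import subprocess
import sys
import tempfile

# Constructed stand-in application: creates a marker file on startup and
# removes it in an atexit handler, the way a real app would release a tray
# icon, lock file or database connection on a normal shutdown.
CHILD = r"""
import atexit, os, signal, sys, time
marker = sys.argv[1]
open(marker, "w").close()
atexit.register(os.remove, marker)
signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))  # polite shutdown path
print("ready", flush=True)
time.sleep(60)
"""

def leftover_after(sig_name):
    """Start the stand-in app, end it with the named signal, and report
    whether its marker file is still on disk afterwards."""
    sig = getattr(signal, sig_name)
    with tempfile.TemporaryDirectory() as workdir:
        marker = os.path.join(workdir, "app.lock")
        proc = subprocess.Popen([sys.executable, "-c", CHILD, marker],
                                stdout=subprocess.PIPE, text=True)
        try:
            # Wait until the child has created the marker and installed its handler.
            if proc.stdout.readline().strip() != "ready":
                raise RuntimeError("stand-in application failed to start")
            proc.send_signal(sig)
            proc.wait(timeout=10)
        finally:
            proc.stdout.close()
            if proc.poll() is None:
                proc.kill()
        return os.path.exists(marker)

if __name__ == "__main__":
    # SIGTERM runs the cleanup handler; SIGKILL cannot be caught, so cleanup never runs.
    for name in ("SIGTERM", "SIGKILL"):
        print(f"{name}: marker left behind = {leftover_after(name)}")
```

Anything the application only releases in its own shutdown code will show up as left behind in the SIGKILL case, which is the defect the test is looking for.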

Be A Tiger

Wednesday, February 24th, 2010 by The Director

Finally, someone has a QA job whose title I approve of:

QA Maneater wanted

However, they left the e out of Maneater.

(Sent in by reader Dave H., who presumably sent it in because the careless job poster misspelled the title, not because omitting the hyphen in the year spans makes it look like they want someone with almost six decades of QA career behind them.)

Click Upon Product Launch

Tuesday, February 23rd, 2010 by The Director

Sorry, guys, despite our best efforts, they’re going to launch the product with a handful (King Kong’s hand, natch) of critical issues that only QA (and those who deviate from the happy path) would find.

Here’s a button to press for final launch.

And may God or your preferred deity have mercy upon your souls.

Jerry Pournelle on Fly-by-Wire and Programming Languages

Monday, February 22nd, 2010 by The Director

Speaking about the Toyota software problems, Jerry Pournelle diagnoses the root of many quality problems in software:

When the computer revolution was beginning, there was a concerted effort to develop theories of computer languages. Two major champions of language reform were Niklaus Wirth** of ETH (Zurich, the Swiss Federal Institute of Technology) and the late Edsger Dijkstra (eventually held a chair at the University of Texas in Austin). Dijkstra spent much of his life developing theories on how to “prove” programs. They and some others were largely responsible for the movement that induced the Department of Defense to develop Ada, a strongly typed and highly structured language with some similarities to Wirth’s Modula languages. (The last time I discussed it with him Wirth did not care for Ada, in part because it became too complex with too many “features” and in part because he did not approve of exception handling — and that is one argument I’m not going to get into.)

More on all this another time, but my point is that in those times there seemed to be a lot more concern with languages, and with building languages that required good programming practices. In the various Wirth languages starting with Pascal the goal was to have the compiler catch incipient bugs: it took longer to develop a program that would compile, but once it did, it was likely to do what you expected it to do. Unfortunately the computer hardware of the time wasn’t up to huge programs in strongly typed and highly structured languages; it took a long time to compile a new addition to a program. The programming world turned to C and its derivatives, and in the early days a C compiler would compile almost anything, including very tricky uses of pointers and type changes.

I don’t know what language Toyota has used to develop its drive by wire programs, but I would bet reasonable sums that it wasn’t Ada or one of the Wirth languages.

To make it easier for people to become developers, they made it easier to write software. To deleterious effect.

By the way, be sure to use the word deleterious in a sentence this week. Vocabulary is a weapon.

QA Anthem: Hair of the Dog

Monday, February 22nd, 2010 by The Director

It’s Sunday morning. Let’s start it with some “Hair of the Dog”:

That will put you straight for a week of handling the unthinkable.

Separate Mobile Version Is Another Vector For Suck

Friday, February 19th, 2010 by The Director

Jack in the Box’s latest e-mail offers the normal View as Web Page version:

The Jack in the Box e-mail

Note that The in the salutation is my first name, since I am The Director.

On the Web it checks out:

The Jack in the Box e-mail on the Web

The Web version omits it, since it’s not passing the first name to the Web version, although it could.

The Mobile version?

The Jack in the Box e-mail on your phone

Suddenly, it reads like a comment thread on Fark or something. Hey, FIRST!

You know, it’d be laudable to make a separate version for different platforms. As long as you test it.

QA Anthem: Make Your Week Epic

Monday, February 15th, 2010 by The Director

It’s the start of another week, but how about we make it an epic week?

Whenever I hear this song, I feel like tearing off my shirt, picking up the family claymore, painting my face, and charging the English lines or sacking the software architect’s office again.

Unfortunately, I don’t have a family claymore; all we have is a family halberd. And the software architect doesn’t have anything worth taking left in his desk.

But keep in mind, QA, you’re the only hero who stands between the predations of the project managers and developers and the poor innocent users. They need you. They’re holding out for you to do your job.

QA Koan for Friday

Friday, February 12th, 2010 by The Director

“It’s better to be wanted for murder than not to be wanted at all.” –Marty Winch

Surely you can meditate on that for a while and see how it applies to QA.

Pays in D&D Loot

Thursday, February 11th, 2010 by The Director

You know you’re in for a wild spelling ride when you’re looking at a job posting for a Web Contruction / Editor Analyst, and the job listing does not disappoint on that score.

The best part, though, is the compensation:

Plus you get experience points!

You get experience points, too? Awesome! You’ll finally get to 18th level Tester and can think about multiclassing.

When Developers Are Rock Stars, You’re Just The Roadies

Thursday, February 11th, 2010 by The Director

Joe Strazzere reviews a job listing for a QA position at Fog Creek Software and finds its job expectations a little odd:

Joel seems to believe that one part of a tester’s role is to boost the morale of developers. He says “Believe it or not, one of the most valuable features of a tester is providing positive reinforcement.” I have to say that I’ve never heard that expressed before, and I can’t say that I agree. While I do want my testers to be professional, and enthusiastic about the company and their job, I really don’t want my testers concerned with programmer morale. What if programmer morale starts to dip? Should we blame the testers?

Anyone who has read Joel on Software for any length of time knows that Mr. Spolsky and Fog Creek Software are very developer-centric. Spolsky does not hide that he thinks the best and the brightest developers work for him, the rock stars, the Olympians. You need to watch out for those guys. Not Spolsky and Fog Creek Software, et al, specifically. But the Rock Star Developers and environments that cater to them.

Rock Star Developers think that software only exists as a proving ground to showcase their genius! It’s not about solving users’ problems or streamlining operations that take place in the physical world. It’s fourth dimensional chess, man, except the fourth dimension isn’t time, you silly mortal; Rock Stars are not beholden to time and to deadlines. Only to the elegance of their solutions. That’s the fourth dimension. Elegance as defined by Rock Star Developers.

You’ll notice that, at Fog Creek Software, the software tester is only there to improve morale and not to provide massages. That’s because Rock Star Developers know that the other people in software companies lack any sort of valuable skills; if software testers could provide good massages, they would not waste their time as software testers; they would be masseurs or masseuses.

I’ve worked at some Rock Star Developer workplaces in the past. It’s not for everyone; if you’re going to go into that sort of environment, you really have to get your elbows up and throw them from time to time if you’re going to actually make the software better. Or, alternately, you could just not care.

So how can you determine if a company is a Developerpalooza before you give your two weeks’ notice at your current environment? Here are a couple signs to look for:

  • It’s a small to medium sized company. A large company gets corporate enough that its bureaucratic professionals will stabilize things into being interchangeable with any other big company in any other industry.
  • The leader of the company is a developer.
  • Or, the leadership of the company is located elsewhere from the software development campus, and a developer runs the campus.
  • The leader of the company talks/blogs about the developers as though they were more important than the other people in the company.

I’m not saying you should never work in those circumstances; you can get a lot of fiscal reward out of working for a small or medium sized company if they offer stock options or stock purchase plans. However, you’re less likely to get respect as a tester out of the gate. Get in there, throw some elbows, and maybe you’ll get some respect to go along with your salary.

(Full disclosure: I once responded to Joel Spolsky when he was looking for someone to write a new edition of his FogBugz book. I didn’t get the gig, so if you’d like, you can think I’m retaliating here instead of just spreading my usual misodevny.)

Looks Like A Nervous Breakdown To Me

Monday, February 8th, 2010 by The Director

An interesting metric to use for your Web design and development estimation efforts: Time Breakdown Of Modern Web Design.


Monday, February 8th, 2010 by The Director

It’s not actually a printed medium until you print it, but the Software Testing Club Magazine is now available in PDF and features a classic QAHY post.

Thanks, guys, for including me.

QA Anthems: Two For Our Project Managers

Monday, February 8th, 2010 by The Director

Good morning, project managers! Here’s a couple songs to perk you up for a change!

We in QA are certain things are going to go right for you this week. Unlike all the rest of them.

Finally Upgraded

Sunday, February 7th, 2010 by The Director

Hey, I finally upgraded WordPress here, so let me know if you run into any weirdness.  It looks as though the migration lost all user accounts, so you’ll have to register again to comment.  Also, I’ll have to rebuild the blogroll since that, too, is lost.

However, now it will handle YouTube videos correctly, so we’ll get back to the weekly QA anthems.

Thank you, that is all.

I Suffer From CDO

Friday, February 5th, 2010 by The Director

That’s obsessive-compulsive disorder with the letters in alphabetical order.

Cartoon Tester shows how you can spot a tester in a supermarket.

When he was drawing me, I would have preferred that Mr. Glover had gotten my good side, but you take what you get.  Because he certainly captures my essence, and probably many of yours.  When I get a kiosk or console of any sort, I reflexively try some boundary analysis and exploratory testing, even before I use the kiosk for whatever I need to use it for.

Designers Don’t Have Enough Stakes To Kill IE 6

Thursday, February 4th, 2010 by The Director

Here’s an e-mail that might give hope to Web designers and developers in the world, probably written by a Web designer to boot:

IE 6 is immortal!

I suspect a Web designer wrote that subject line because he or she left in an extraneous “this” and misspelled, “Yay!”

I can understand the glee.  Hopefully with Gmail dropping IE6 support, they can, too!  If they even think about anything but Safari or Chrome.

However, as a reminder, IE 6 has a 20% share of the browser market in this January of the year of Our Lord 2010 according to Net Market Share.  More than Firefox.  5 times that of Chrome.

If your site or application doesn’t handle it, you’re going to strand a lot of users.

Sharing the Format, But Not the State

Wednesday, February 3rd, 2010 by The Director

Sometimes your organization needs to tie into third party Web sites with corporate badging.  In some cases, you provide them with a set of CSS files and whatnot that cover your site’s template.  In other cases, you just trust them to grab the things they need off the Web site.  And you let them grab.

However, it would behoove you to apply a little intelligence to the process instead of doing the equivalent of cut and paste.  Case in point:, which links to off-site press releases but does not pass logged-in state, leading to a misleading bit of imagery:

First, here is when you’re not logged in:


Now, when you’re logged in, the top identifies that you’re logged in.  All over the place:

Here is someone logged in.

But if you click through to the media releases, you’re taken from to the site of some PR or PR hosting firm:

But now I'm not logged in?

Amazon is not sharing credentials with this site, which is appropriate; however, note that at the top, the site indicates that the user is not logged into when this is not the case.  Showing incorrect things is bad.  Sometimes, I have to restate this in defense of defects.  Telling the user things which are not so is bad.

Corporate should have masked this messaging.  All other links and whatnot would have worked seamlessly, taking the user back to Amazon where he or she is logged in.  But the invitation to log in or sign up should have been suppressed.  You don’t need to pass the credentials, and you don’t have to fake a logged-in look.

Remember when you’re working across sites like this to look with a jaundiced eye to the places where the original template shows state that the copied site should not.

Interview/Sales Call Advice Needed

Tuesday, February 2nd, 2010 by The Director

When I go all medieval Eastern European when I meet someone professionally and introduce myself as

Noggle the QAthian, the scourge of infuzia, the sorrow of Tripostan, the desecrator of MetaMatria, the castigation of Dearay, emperor of Jeracor….

should I use my Gozer voice or my Vigo voice?

Maybe There Is A Lesson From Manufacturing QA

Monday, February 1st, 2010 by The Director

Maybe we can draw a lesson from manufacturing quality processes to apply to SQA.  Here’s an article on How Lean Manufacturing Can Backfire:

But Toyota’s recent problems highlight how certain elements of this approach—eliminating overlap by using common parts and designs across multiple product lines, and reducing the number of suppliers to procure parts in greater scale—can backfire when quality-control issues arise.

What’s the software equivalent?  Open source components and reliance on third party integrations.

You know I bang on the drum of distrusting anything that your company doesn’t develop even more than you distrust anything that your company does develop.  However, you can now use the Toyota recall as a metaphor for how that can break and can pervasively impact your software.
