Aarogya Setu – Yes or No?

I almost decided to not post this blog. But on second thoughts I am posting it.

Date: 22nd May 2020.

Background:

Aarogya Setu has come out as one of the most powerful tools that the Government of India released to protect its citizens through “Contact Tracing”. While I do not directly know the source of inspiration for our government to do so, I believe that countries which are being respected for their ways of controlling the COVID-19 spread, like South Korea and Taiwan, have used such apps in their nations and given credit to the apps as a successful tool in their fight against the Coronavirus.

Recently, there were tweets claiming how the app is dangerously exposing the privacy of Indian citizens.

For a typical app to fail in the market is neither a concern of mine personally, nor is it unheard of. While it makes me curious to know more about the reality of the situation, my natural reaction in such cases is – these guys will figure it out; I don’t need to step in.

But when I looked at the flip side – the possible results of the “Aarogya Setu” app failing due to privacy reasons – I got hugely concerned for 2 reasons –

  1. What if the app is really lacking privacy control? To put it in the terms of the “hacker” – what if it is truly exposing PII (Personally Identifiable Information) of millions of citizens? In this case, the hacker claimed it to be 90 million (the number of downloads at the time of the claim). This is simply NOT ACCEPTABLE.
  2. What if these claims were incorrect but the citizens do not adopt the app because of the fear, and thus the country is unable to utilize a huge opportunity to protect its citizens? This would mean exposing human lives all around to a massive danger, when we could have protected them. This is even more NOT ACCEPTABLE.

I wanted to do a deep dive, and therefore discussed the subject with some leading security professionals. I am capturing below exactly the thoughts shared by them and the links they pointed me to. I wanted to hear from multiple professionals on their analysis of the subject, beyond just my own observations.

Professionals mentioned in this blog are:

  1. Prashant KV (Involved in discussion)
  2. Swaroop Yermalkar (Involved in discussion)
  3. Nidhish Pandya (Referred)
  4. Harshit Agarwal (AppKnox) (Referred)
  5. Abhinav Sejpal (Involved in discussion)

Folks involved:

I reached out to a few security test professionals, including Prashant KV. Prashant further added Abhinav Sejpal and Swaroop Yermalkar. When it comes to security, one of the worldwide recognized communities is OWASP – the Open Web Application Security Project. OWASP is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security, by way of setting industry standards and organizing conferences and workshops. Their key focus areas are – Web Security, Application Security, Vulnerability Assessment.

So it may be of interest to the readers to know that Prashant is an OWASP Chapter Lead for the San Francisco Bay Area and is a security engineer at a leading retail firm in the US. Swaroop is the OWASP iGoat Project Lead (a community project dedicated to mobile security) and Head of Cyber Security (India) for a leading cybersecurity firm. He is also the author of the book “Learning iOS Penetration Testing” and is a well-known mobile bug bounty hunter. Abhinav Sejpal is also an OWASP Chapter Lead and has spoken at null, The Open Security Conference. He currently works in DevSecOps at a leading technology consulting firm.

PII:

And before I share the findings with you, let us understand what PII is.

PII – Personally Identifiable Information – is information that can be used on its own or along with other information to identify, contact, or locate a single person, or to identify an individual in context.

Non-sensitive PII can be transmitted in unsecured form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example using encryption or hashing.

PII could include direct identifiers – your Aadhaar number, driving license, bank account number, name, phone number, vehicle license number, address, mobile numbers, email ID, full-face photos, biometric identifiers (iris scans and fingerprints), etc.

And then there are indirect identifiers, which can be used to identify a person when used in combination with other information – like birthdates, languages spoken, geographical locations, medical insurance plans, medical conditions. These are not, on their own, enough to identify an individual in a group of more than one person.

Discussion and Findings:

My conclusions are based on my analysis of the app, further discussions with my peers, and going through all the detailed analyses done by different people referred to me by my reputed peers.

Let me start with responses of the security engineers –

1. Prashant’s thoughts:

To summarize:

  • The old version of the app had a bug that could allow other apps to read files inside the app sandbox using an exposed Activity and its intent filter. This issue was fixed.
  • The app has jailbreak/root detection and SSL pinning. Both can be bypassed by custom Frida scripts. SSL pinning is not perfect in mobile implementations and can be bypassed.
  • In the latest version, the app sends coordinates via headers to an endpoint and the server returns information about how many are infected, etc. The privacy issue being discussed is that anyone anywhere in the world can put in any coordinates in India and retrieve info about how many are infected. There are no names or any personal info leaked, just the number of people infected. The app is supposed to show these numbers based on your coordinates. The issues mentioned by the researcher might be of low risk; based on that, calling the app a disaster is not correct.
  • Much of South Korea’s, Taiwan’s and China’s success is attributed to a similar app.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Prashant also shared another tweet from October 2019, where another hacker called out the site that belongs to our attention seeker, Robert Baptiste aka Elliot Alderson, as vulnerable.

https://twitter.com/crackohacker/status/1182596471058681856?s=21

Furthermore, Prashant also shared a blog from another Security engineer – Swaroop Yermalkar, refuting Baptiste’s previous claims – https://blog.swaroopsy.com/2020/05/07/part-1-truth-behind-propaganda-against-maadhaar-security/amp/

Since Swaroop was part of the conversation, we will talk more about his view in the blog further.

Towards the end of our conversation, Prashant shared 2 more write-ups:

  1. https://medium.com/@N1gh7m4r3/explaining-exposing-imaginary-arogyasetu-privacy-issue-433a6dc7b76e

This is written by Nidhish Pandya, who is a cyber-security enthusiast. He has clearly called out the security issues raised by Baptiste as imaginary. His blog is full of pointers to various sources which prove his point.

  2. https://www.appknox.com/blog/is-the-aarogya-setu-app-safe-to-use

Appknox is a company that specializes in mobile app security. I found their analysis to be pretty detailed and conclusive. Hence, let me share the final word here from Harshit Agarwal, the CEO of AppKnox.


The Word 

There might indeed be certain security misconfigurations in the Aarogya Setu app, but none of which pose great threats. Into the bargain, we never found any evidence for the PII data breach in our security assessment.

We strongly believe Aarogya Setu app is the Indian government’s approach to providing the right information during the uncertain times of the COVID pandemic. Nevertheless, based on our findings, the following low and medium level safety issues of the Aarogya Setu can be rectified:

  • Implementation of ATS in iOS devices
  • Non-expiration of tokens
  • Usage of SSL Pinning instead of encryption
  • Using AES/CBC encryption instead of AES/ECB encryption

Yet, even without these rectifications, the application is still secure to use, and you don’t have to fear privacy intrusion.
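The fourth item in the list above, ECB versus CBC, is one a reviewer can demonstrate rather than argue. The following is an added example and not code from the Aarogya Setu app or from AppKnox: it implements PKCS#7 padding, ECB and CBC over a labelled stand-in block cipher (a 4-round Feistel network built on SHA-256, used only so the script runs with the standard library; AES would be the real choice) and shows, on a constructed coordinate record, that ECB repeats ciphertext blocks wherever plaintext repeats and encrypts the same message identically every time, while CBC with a random IV does neither.

```python
"""ECB vs CBC pattern leakage (added example; not code from Aarogya Setu or AppKnox).

The block cipher is a labelled stand-in (4-round Feistel network over SHA-256) so the
script needs only the standard library; the PKCS#7 padding and the ECB/CBC mode logic
are the real constructions and are what the recommendation above is about.
"""
from collections import Counter
from typing import Optional
import hashlib
import os

BLOCK = 16  # 128-bit blocks, the AES block size


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the stand-in cipher: SHA-256(key || round || half), 8 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (NOT secure; illustration only)."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: undo the Feistel rounds in reverse order."""
    if len(block) != BLOCK:
        raise ValueError("block must be 16 bytes")
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # always adds 1..16 bytes, each equal to n
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: each block is encrypted independently, so equal plaintext blocks give equal
    # ciphertext blocks and the same message encrypts to the same bytes every time.
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pkcs7_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return pkcs7_unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block (the IV for
    # the first) before encryption; a fresh random IV makes the output non-deterministic.
    prev = os.urandom(BLOCK) if iv is None else iv
    out = [prev]  # the IV travels as the first block of the ciphertext
    for b in _blocks(pkcs7_pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = _blocks(ciphertext)
    if len(blocks) < 2 or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be IV plus at least one full block")
    prev, out = blocks[0], []
    for b in blocks[1:]:
        out.append(_xor(toy_block_decrypt(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes, skip_iv: bool = False) -> int:
    """Count ciphertext blocks whose value occurs more than once: the structural
    leak a reviewer checks for when a deterministic mode such as ECB is in use."""
    blocks = _blocks(ciphertext)[1:] if skip_iv else _blocks(ciphertext)
    return sum(c for c in Counter(blocks).values() if c > 1)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key
    # Constructed sample: three identical coordinate records, each exactly two blocks.
    record = b"lat=28.61390000,lon=77.20900000," * 3
    ecb, cbc = ecb_encrypt(key, record), cbc_encrypt(key, record)
    print("ECB repeated blocks:", repeated_blocks(ecb))               # 6
    print("CBC repeated blocks:", repeated_blocks(cbc, skip_iv=True))  # 0
    print("ECB deterministic:", ecb == ecb_encrypt(key, record))      # True
    print("CBC deterministic:", cbc == cbc_encrypt(key, record))      # False
```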


Harshit’s blog also mentioned the below details as “Fact” against Baptiste’s claims.

Fact: 

The radius buffers have been limited to five values, as mentioned earlier. These standard values are posted with HTTP headers. Even if any user enters another value, the distance will be directed to the default value of 1km.

As asserted by the hacker, the user can indeed fetch data for multiple locations by changing the coordinates. Nevertheless, the API enforced in the Aarogya Setu application prevents such bulk calls from being processed.

So, there is absolutely no way for one user to procure the COVID-19 statistics by simply changing the coordinates.

That said, the claims of the French researcher are futile. He was unable to prove the privacy risk of any user using the Aarogya Setu app. So, rest assured, you are safe. None of your confidential and sensitive information is out in the open, everything is secure.

2. Abhinav Sejpal

His recommendations were –

#1 Open-source the Aarogya Setu app source code and allow honest feedback.

#2 Start a bug bounty via HackerOne or Bugcrowd or whatever works for the Indian government.

#3 Invite a few security experts to review findings and crowdsource the overall triage process.

One may have to review these asks but it could be worth a look.

3. Swaroop Yermalkar

And our final specialist – who is a highly accomplished security professional – he wrote the following blog for his review of Aarogya Setu app –

https://blog.swaroopsy.com/2020/05/08/part-2-truth-behind-propaganda-against-the-aarogya-setu-app-security-the-real-story-of-success/

One can find his other blogs on security issues at: https://blog.swaroopsy.com/

In his words – clearly – “There were some security issues but NO Breach! No personal info of single user got leaked!”

On probing further, he shared his interaction with Baptiste, who could not take being questioned on his false claims; Swaroop says he was therefore blocked by Baptiste on Twitter.

Incidentally, on the day we were discussing this, news came in that someone from Bangalore had hacked Aarogya Setu, and I asked Swaroop what he thought about that. He pointed me to his tweet that said –

 #mensxp Stop spreading misinformation! Have you performed verified analysis by security professionals? Validations can be bypassed at client side! Where is PII? Don’t make #infosec as #tiktok videos or #clickbait!

You can see his popular tweet at : https://twitter.com/swaroopsy/status/1260963165094834177

Major Highlights of Swaroop’s blog :

The list of vulnerabilities mentioned:

  1. Access to App’s Internal Files – Low Severity
  2. Bypassing Root Detection Using Frida – Low Severity
  3. Bypassing SSL Certificate Pinning – Low Severity
  4. Finding Infected People In Any Area – Low/Info Severity (It’s the app by design)

Final Conclusion: The vulnerabilities discussed didn’t disclose any PII / Personal Data / Age / Name of any COVID-19 patients or Aarogya Setu app users. Forget about 90 million, not even a single user’s data got exposed! Bug bounty companies would pay USD 0 for these types of issues! Now you can decide, are these really security threats or just a publicity stunt?

In fact, I would say the Aarogya Setu App is a success story! Millions of users downloading this app and helping people to get aware of nearby patients around them!

I also agree that government apps should have proper channels / bug bounty programs to receive security issues. India has one of the largest infosec communities and can help make government apps more and more secure.


My observations:

  1. Much like all the leading apps that different governments in the world have come up with (e.g. TraceTogether (Singapore), NHS (UK)), Aarogya Setu was also built in about 15 days.
  2. Technology stack looks similar to other such apps – AWS / SQLite / secure hosting/ rooted device detection.
  3. Interestingly – Aarogya Setu has implemented an additional layer of encryption (Lat / Long). Also, it stores data for a limited period of time both for COVID infected (60 days) and not infected people (45 days).
  4. I am NOT a reputed security engineer yet. But going by the take of so many proven, experienced and reputed #InfoSec professionals – all claims made by Baptiste / someone in Bangalore (reported in mensxp) – ARE A TOTAL FARCE AND ATTENTION-SEEKING ACTIONS.
  5. Clearly there were some gaps in the previous version of the app, which have been fixed.

As a member of the community of testing professionals – we like to believe that there is no software that is 100% defect free. After studying the app and comparable apps and their usage across the globe, I find Aarogya Setu to be a powerful tool made by the government to protect Indian citizens, and one can download it and use it without any fear of security issues, especially with respect to what Baptiste claimed.


**Original blog ends here.



Further updates on Aarogya Setu –

The top demands from security professionals across the world have been heeded by the Aarogya Setu team.

As of today, the app has been open-sourced, and the government has initiated a bug bounty program for the app.

Further updates from Swaroop.

Update 1 [May 26, 2020] – https://twitter.com/SetuAarogya/status/1265281058532016128
The #AarogyaSetuApp is now open source. Read the attached release documents to know more.

Update 2 [May 27, 2020] – https://twitter.com/SetuAarogya/status/1265353503221772288
Aarogya Setu Bug Bounty Program – call upon the developer community to join hands to help make Aarogya Setu more robust and secure. Those identifying vulnerabilities, bugs, or code improvements stand to get recognized and win cash awards too.



 

During lockdown, it may not have been important to use Aarogya Setu. But now that lockdown is getting lifted, and people are expected to move out and come in contact with more people beyond their immediate family and folks, IT IS MORE IMPORTANT TO USE AAROGYA SETU NOW. And I decided to publish this blog only with the purpose of reiterating the importance of the use of this app and appealing to more citizens to adopt it.

The success of the app is directly proportional to its adoption. The more people use Aarogya Setu, the better the information provided by the app will be.

Know what you are looking for.

Metal detectors and baggage scanners (X-ray machines for luggage) are a common sight at public places in India – whether you go to a sports stadium, a mall, a hotel, a government office or, for that matter, even private offices and business centers. Airports are where I sight them globally.

However, I get a feeling of thoroughness only with the airports officials at these security check points. At most places, I notice, the officers sitting on the screens of the baggage scanners are not even looking at the screens – which makes me feel uneasy (Will refer to this later again as Experience 1). I don’t like being frisked multiple times a day, but when I pass through a security check and I know I have not been frisked properly – I know the danger I am entering into (Will refer to this later again as Experience 2).

The routine is different for different places. Mostly – my car’s boot space gets checked, there is a mirror pushed under my car’s bonnet to check if there is anything stuck under the car (Exp 3)- and then I am asked to give my luggage and even phone away before passing through the metal detector and then my luggage is handed over to me with a warm smile (Exp 4).

These officers seem to be trying to do a thorough check. And these ones (Exp 3 and Exp 4) interest me. The ones mentioned in cases Exp 1 and Exp 2 seemed totally hopeless – I absolutely have no respect for a person who doesn’t do their work properly. As they say – you had one job.

But at this point I am thinking – do any of these 4 sets of folks know what their job is? So I talk to them – the response is the same everywhere – we are looking for items forbidden to carry. Okay – and what could that be? Well, they are the obvious ones – guns, bombs, knives, liquids etc.

My next question to them is – do you know what a bomb looks like? Or what a dismantled gun looks like? They start to smile – because obviously, none of them have ever seen a real bomb. I don’t want to come across as depressed or a lunatic who is planning something, so I don’t ever ask more than 1-2 questions at a place and move on. Now, after so many experiences, I ask just 1 question – do you know what you are looking for? The answer is mostly a smile or “kya madam” (which in my English translates best to “C’mon Ma’am”).

At most airports I find officers almost intimidating – their process being more lengthy and apparently rigorous – a bit black-box too. One doesn’t easily get to see the scanned images – the officers are glued to the screen – and to their credit, they sure find things every once in a while. But the investment is huge. The process again remains standard – not intelligent all the time. Makes me want to call it overkill sometimes, but the concerned folks say – when it is about safety, better safe than sorry. Not sure if they are even looking for an optimum solution.

As I kept probing my own uneasiness with the fake security checks I get at most places and, on the other side, the overwhelming and intimidating security checks at the airports, I slowly began to feel that this is so similar to my world of software testing. Do testers know what they are looking for? More importantly, can they identify a risk if it is not shaped as they are expecting it to be (mostly in their limited/fixed test cases)?

  • Most testers perform testing as a ritual they have to execute, in certain order
  • More often than not Testing is in place only to put a check and say – yes we do it
  • When Automation comes into play – most testers don’t know how to make the best use of it
  • Mindless automation – again as a “must do” procedure is applied. No one is looking at the scanner screen.
  • Garbage in Garbage out Automation keeps continuing. EVERY LUGGAGE should pass through the scan. But the story ends there.
  • The regular beeping through the metal detector, or not beeping at all, doesn’t ring a bell for the executives. Because of so many false positives, no one bothers to check eventually. The need is to continuously upgrade the system – but it is so much work each time that they just let it go.

Comparisons could go on…

This is where I feel hopeful about software testing more than the physical security check world – because we seem to be adopting “AI”  to keep training our systems to understand how to segregate defects from those that are not. As we begin to use more artificial intelligence in our automation and we train our verification scripts to update as per the changes in the applications, our overhead for maintenance shall reduce to minimal.

Don’t get me wrong – there will ALWAYS be a need to humanly explore the unknowns, but our effectiveness in distributing the knowledge of the newly explored unknown into the whole system quickly, making it a known quantity to our testers and application owners, will bring significant success to the business owners in terms of reduced risks and reduced time to market with minimum investment.

If you wish to learn more about what you should be looking for in software and how you can reduce risks in your application without creating huge technical debt in automation and yet reducing time to market (incrementally), you could do these:

  1. Talk to me at smita.mishra@qazone.in
  2. Study testing, learning critical thinking and uncovering risks at http://www.satisfice.com/ and http://www.developsense.com/ – in fact, try registering in one of their classes.
  3. Explore test tools like test.ai, testim.io, saucelabs, applitools, tricentis.
  4. Explore training and webinars with SoftwareTestPro.com and MinistryofTesting.com . They also have some of the best conferences and meetups – full of latest trending content.

These are absolute top ones that come to my mind as I am typing. This wasn’t how I had planned to end the blog, hence a very limited list.

If you explore, you will find many more leaders and platforms. What is important is – to learn. So you know what you are looking for.

Do I need UX testing?

Do I need UX testing? Yes, more than what you think. We will come back to this question again.

When should I get UX testing started ? Much before you think you do.

How should I test UX? First research enough to ensure you understand your context – your target user, the purpose of the software, the business your organization is in, how different the competing products are…… There are many, many approaches and methods of UI/UX testing that can be applied at different stages of product development.
Wait – so many questions and thoughts about UX – But, let me ask – what is UX? Why does it even exist?
Well, the purpose of User Experience is to provide the smoothest navigation to a user from point A to point B. And there are absolutely no standard rules to design a good UX. As said above, you need to research. The research will help you build context for your business/app/technology/target user/purpose – and help you understand how to build FOR a good UX. There are multiple ways to research – you need to learn those too.

Well, coming back to the first question – Do I need UX testing? Very much. It’s recommended to be added to your testing strategy.

So, once the team hands me the design document and the product then I can match the UI and do the visual testing and I should be good (Expected vs Actual). What say? 

Well, even by the standards of a zombie tester – going by mindless robotic executions – I would say no, it’s not good. Testing the User Interface is a subset or a part of testing User Experience, but UX is a whole world besides UI. You (as a tester) need to ensure you are part of the design from the day they start talking about conceiving a design. And then test each paper design and wireframe with users – at every step and ….. then ….. Folks, if you really want to continue the discussion – come to my workshop at STP Spring 2016 – Why you need to build UI/UX testing into your test planning immediately!
Alright, alright – we get the point. We will be at the workshop. But one last question – why immediately?
Well, you can do it after your organization goes down and you or your friends possibly don’t work there anymore. Or after your organization finds someone to replace you – someone who cares more about ensuring their customers don’t migrate to competitors. But if you try to learn and implement UX testing now, you will help your own reputation and your organization’s business for sure. Your job too (maybe)!

Take your call. Hoping to see you there!! Tons of challenges / quizzes / exercises await you that will give you a glimpse of how real world apps / sites evolved to where they are today and how you can contribute towards a humongous success of the sites / apps you test and ensure that these apps you test also become a professional reference for your abilities.

ThinkTest 2015 highlights & acknowledgements

Finally – we did THINKTEST on 5th December 2015 that we were planning to do in 2013. I had so many emotions coming up through the entire month, that I purposely delayed writing the blog on ThinkTest , so I could give time for my thoughts to settle down and I only write what I truly mean . Frankly, this is not unlike me to get attached to my work but this event made me feel very different than my usual work.  I could be at risk of being called highly dramatic, but, I have to admit – the event almost felt like my third child – A feeling that probably Rosie Sherry or Peggy Libbey could share with me.


One feeling that has not changed since the morning of 5th December 2015 though, is – ThinkTest 2015 was a resounding success!! Astounding and reverberating in every sense!!

Before I go further into my blog, I need to say this in bold & CAPITAL. THANK YOU JAMES FOR MAKING IT. I have seen your hotel bills and I have a fair idea of your travel costs too. And putting everything together, I know for sure, this was not a trip you did for commercial reasons. I am truly humbled by this respect and attention you have given me. I can’t thank you enough on behalf of the testers gathered here to meet you – they have loved your presence and your talks and would be so looking forward to seeing you here again.


Delhi is typically known for being a little lazier than its peers like Mumbai, Bangalore etc. However, the testers here broke the myth. We had the room full before James got onstage, and that truly deserves a huge round of applause for the testers who made it all the way from Gurgaon / Faridabad / Ghaziabad / Noida and various far-flung places in Delhi. Besides the National Capital Region, we had testers from Chennai, Hyderabad, Bengaluru, Jaipur, Pune and Kolkata joining us. We also had 1 tester who flew all the way from Colombo (Sri Lanka) – just for the conference and the RST class – in short, just for James Bach. There was a total gathering of 157 folks, of which we had a team of 5 organizers (including me), 11 speakers (including James) and about 6 sponsor representatives. The rest were the awesome software testers. Thanks, testers, for making it in such numbers.

The day before – we worked with the hotel staff and the printing team all night until 5 am on the morning of the 5th to get the stage up and the backdrop done. The sponsor booths were put up and the standees placed. The registration desk was set up. Each chair and table was checked for cleanliness – audio / visual equipment tested.


At Utpatang office – collecting the gift packs at 00:00 hrs on 5th December 2015.


At the venue (Holiday Inn) at about 02:00 hrs on 5th December 2015 – setting up the “decorations” for the ceremony.

Had a quick nap from 5 to 6:30 am and the day started again. Our first attendees came in at about 7:30 am. Thereafter they started to pour in at the registration desk as the 2 volunteers hurriedly let them in with their delegate tags. There were a few walk-ins who had not registered. They were initially not allowed – frankly, we had seating for 120 and were okay for 130-135 folks, but handling 15-20 more than the already 20 additional registrations seemed difficult. But they stood patiently and we didn’t have the heart to turn them down. They were not charged but instead given complimentary passes and allowed in, because they showed their keenness to hear James and learn from him. From there on, the day went by smoothly – everything that was planned went better than planned. A few unplanned situations cropped up – which I talk about under learnings, later in the blog.


Before I started to write this blog, I asked a few participants and organizing team members what we should put as THE highlight of the event. Most of the participants couldn’t have enough of James, long after he left India, and so I wasn’t surprised when they were raving about his inspiring keynote “Testing is not Test cases” and also his latest new presentation, the “Question Hospital” – a concept very well received by testers and something they would like James to continue to build on, so we get more and more examples to go through. The keynote also happened to be the most and best rated by the testers, shortly followed by Santhosh Tuppad’s “Your data is no more ONLY your data”. All the feedback was collected in a survey done post event and the results shall be made public shortly.


However, there was also a surprising/comic response to the highlights – one made by a member of the organizing team, who said – ‘I barely got inside the room, so I can’t say much about what all went on inside, but I can tell you that the crowd outside was very interested in t-shirts and cups and all the goodies the sponsors had’. Frankly, I myself couldn’t see much of the action at one place, as I wasn’t stationary but kept moving due to the multiple responsibilities on me that day. But at one point, I did notice – when the lunch break had just started – that the queue for Saucelabs and Parasoft was longer than the queue for food. So, THANK YOU SPONSORS – truly – heartfelt thanks to all of you – Saucelabs, Parasoft, Software Test Pro (STP) and Srijan Technologies. I hope you do realize that it was because of your generous sponsorship that we could open our hearts to have complimentary and discounted tickets. Your contribution to the community is well respected. Our special thanks to the support sponsors – Test Insane, Moolya and PoolWallet – for supporting the event; our diversity partner, Sheroes, for promoting the conference amongst female technology enthusiasts; our community partner, Test Practitioner’s Club, for promoting the event on all its avenues (FB / meetup / LinkedIn) to testing practitioners in the region; our gifting partner, Utpatang, for making the meaningful gift packs for our speakers and delegates; our media partner, Tea-Time with Testers, for helping us spread the word amongst the right audience; and our supporters in Agile Testing Alliance, Discuss Agile Network and Unicom.


At this point, it’s imperative that I mention Anand Bagmar for mobilizing Thoughtworks team towards their significant presence at the conference and the RST class thereafter. Thanks Atulya Krishna Mishra and Anmol Bagga for working on almost war footing to ensure the word reaches every nook and corner of the region, covering every interested tester. Thanks Saket Bansal and Sarabjit Singh Bakshi for guiding me with pointers and at times, simply handing me the solutions for what I needed- Thanks for taking my calls EVERYTIME I called, and answering with patience. Seriously guys – heartfelt thanks.

There is something more I need to mention, since I am thanking everyone involved in helping me towards making the event happen – I need to thank Pradeep Soundararajan. I need to thank him for various reasons but 2 important ones I will mention. 1. Thanks Pradeep for introducing India to James Bach and other global leaders, as a respectable community of testers. As much as I like my abilities – I probably couldn’t have done it better than you. 2. Thanks Pradeep for silently supporting us with sponsorship and saying – “I may not give much of money. But I don’t want anything in return. I am doing this because I have hosted James earlier and I know how it is”. I am not sure if you would have wanted me to quote you here, but I needed to express my gratitude and tremendous respect for you. Every drop counts and you knew it better than me. Your thoughtfulness for the community deserves our sincere respect.

I am consciously stopping the thanks here – apologies for missing out anyone who thinks she / he should have been mentioned here. I truly thank everyone including the hotel staff at the venue for their bit of contribution in our success. I need to move on to other aspects 🙂


Coming to the learning part of the event – every session by James was very well received. Attendees would hog every available minute with him. There were tons of amazing conversations held by the thinking testers and curious testers, and those who had the potential to be one and were on their path to transformation. James was loving the talks as much as the testers around him. Amongst the other speakers – every speaker did a fantastic job – Anand Bagmar, Kapil Saxena, Tarun Lalwani, Santhosh Tuppad, Ajay Balamurugadas, Shrikant Vashishtha, Charu Jain, Sachin Goel, Sumeet Gupta, and Rajdeep Varma. After James (all sessions) and Anand’s morning session, Tarun’s session was the most attended, closely followed by Charu’s session. Topics covered at the conference were – “Testing beyond test cases”, context-driven testing, test estimation, asking relevant questions (and the right way) as a tester, continuous delivery, automation frameworks, test data management, ATDD / BDD, mobile app testing, testing in agile teams, the tester’s role and relationship with developers, data security and leadership. It was thrilling to watch the level of participation from attendees at various sessions. Testers as well as speakers enjoyed questioning and being questioned.


One name whose presence we missed, got her virtual presence – as James made sure her name resonated throughout the day in the room. We missed –  Parimala Hariprasad – or “A True Role Model” as James called her, at the conference. She holds my warmth as a friend and respect as a peer.

The day started with a lot of energy that DIDN’T decline through the day. James’ intensity and passion to teach was consistent – though he spoke for most of the day. The time he was not on stage, he was answering testers, engaging with them and also getting interviewed by me. The day ended with James recommending Neha Asthana as the winner of the free seat at the RST class, and pulling lucky draws out of the fishbowl for 5 lucky winners who won online packages of Selenium books and tutorials, courtesy: Saucelabs.

The very final episode was felicitating the respected speakers, graciously done by James Bach. Interestingly the gift packs were “black boxes” with some “white” on it – James almost made the speakers test these too.


Presentations for all the sessions have been shared with the attendees. All the videos have been uploaded to YouTube. You can subscribe to the channel Events Team to stay updated as more videos of future events are added. All official pictures of the event are uploaded at the QAZone’s Facebook page.

How can an event of this scale happen without any learnings or disappointments at all? Well, honestly – the only two pieces of feedback we got about something not going well were both about time keeping. Attendees felt they missed parts of their next sessions because some track speakers overstayed. I learnt my lesson to have better time checks in future. Maybe having a track owner, who manages the time and A/V / infra needs of the speakers of that track, could help. Some other learnings threw me out of my comfort zone as an ethical entrepreneur – but I learnt that when someone comes with a surprise act and that thing bothers me and I want to say NO to that activity, I should say NO, instead of giving in to the pressure (of respecting guests) and then feeling resentful later.

Atulya

Sometimes people surprise you with their lack of ethics, and working in certain environments helps you see their strength of character more clearly. When working with immature / ignorant people, every detail should be in black and white, since they do not understand the common language of ethics, which defines what they can do but should not. Keeping it legal might help keep the relationship strain-free. Speaker agreements and sponsor agreements are good things to have – a small but key learning.

The only disappointment I personally have is – not having enough women speakers. We tried to do everything we could, but we failed. We need to continue to work on this aspect.

Women Speakers@ThinkTest

With all the experience and learnings as a tester and organizer that this conference gave us, one thing that I could finally conclude as the highlight of the event , the best outcome of it, for all to notice – There are serious testers in the NCR region. Serious to make things happen. Serious to learn and grow. Serious to defy the law of gravity and move upwards in their career path and learning curve. Thanks to each tester who attended the ThinkTest 2015 with the intent to learn – YOU WERE THE HIGHLIGHT OF THE EVENT. KUDOS TO YOU – YOU MADE IT HAPPEN!!

Data – Making decisions one byte at a time

In terms of data, anyone who says – I have nothing to hide – has just not thought long enough. So what is data to you? Your address book, contact lists, email lists, bank account details, your list of favorite sites you visit, your blood pressure trend this week, your sugar count in the last 5 days, your heart rate, how many cigarettes you smoke, how many steps you walk, how many calories you ate, how many calories you burnt, your emails, your presentations, updates from friends (FB) and colleagues (LinkedIn / Twitter), weather updates, traffic updates, navigation to a place, news, community updates, music, pictures, jokes and forwards on WhatsApp, and so on and so forth.

Any or all of these could be “data” for you. How does it make you feel to think of a day in life without access to any of these? Even worse – how would you feel if instead of you, someone else is browsing through your data?

On whom does the onus lie to protect this data? You, your device manufacturer, your ISP, your app store, the application owners? One may not be able to say for sure who does as a generic rule. However, in a specific context it is usually easy to figure out who owns the security of a given piece of data, and that ownership needs to be clearly identified.

Large companies are protecting their data and fighting for more; they say: “Data is the new Oil”. Start-ups are also giving data its due respect; their perspective: “Data is the new Middle Manager”. This makes it imperative for the data to have high integrity, availability and reliability.


As part of testing community, what is our role in the wide world of data?  It is our job to ensure that our clients and organizations are reaching every goal set forward for data.  We must ensure that we thoroughly test the accuracy of the data, the building of the data, the storage, the security, and the presentation of the data.  Retailers and other organizations are becoming more and more complex in their approaches to how they use data, and we, as testers, must ensure that we are keeping up with the changes and the needs.

Does your testing team work with data? Are you building data ad hoc? Or have you implemented a methodology that supports data creation, testing, security, and implementation? If your work is ad hoc, I strongly recommend that you think about changes within your team which will improve how you look at data and the testing of data.

My advice for you, as a tester, is to investigate the basic concepts of Big Data, Enterprise Data Warehouse, the ETL Process (Extract, Transform, and Load), and Business Intelligence. You will see an immediate improvement in your testing practice and your product delivery if you are able to derive an approach to how you handle data.


So you may be asking, “How can I best learn about these concepts”?  I would suggest that you look at the upcoming STPCon conference, which is coming to Boston on October 5-8 this year.  I will be conducting a workshop on the concepts of data and data testing called Maximizing success with data testing: one byte at a time on Tuesday, October 6 from 1-5pm.

Hoping to see you at STPCon!

Purpose

It has been a week since I got back from an enthralling experience at STPcon Spring 2015, held at San Diego in the week of 30th March – 2nd April. I have attended a few conferences in the past – this one being the best so far – and plan to attend more in future. I always have a set of expectations and goals with each of them. The majority of these are learning, meeting new people, meeting people I have otherwise known and followed and liked in the online world (thanks to Facebook / Twitter / LinkedIn), business networking, and making friends. One of my favorite things to do is to buy items from India that Indian women relish as fashion accessories and gift them to my favorite people when I see them. Makes me happy.

I truly enjoyed meeting so many of my favorite peeps at the STP conf and since I was meeting most of them not for the 1st time, it was easier to have fun and talk more freely. Knowing them from before, following them online and having previous interactions helped me know what subjects could we discuss to make the best of those precious moments of being face to face.


Going back to the expectations and goals that we have with any event, in this case conferences – let’s call it “Purpose” for the lack of a better term. I would like to think everyone going to a conference builds a purpose in their mind which keeps getting refined at each step – say for an attendee, as they are choosing a conference, a particular package, and as they put their preferred sessions on the program. How well you choose your sessions will be a major factor in how meaningful your experience at the conference is.


When I am speaking at a conference, the key purposes by which I measure my success (how meaningful my experience was) would include – how well I connected with my audience, how much I could impart, and whether they could learn any bit of it, or at least get the basics and the approach, even if they take time to ingest it all and we discuss it (post conference too) over the next couple of weeks or months. Another purpose for me is what I learn from the attendees, and whether I can take away some new perspectives.

I had an experience this last week at one of my classes that drove me to write about “Purpose” with respect to conferences. IMO – conferences are one of the best places to learn, experience and network. And it really pained me to see an attendee sitting through the class for 8 hours and then say “I am a technical tester and am not sure if this session is of much use to me”. It pains me because that attendee paid for something that he felt he could not make much use of. Paid not only in terms of money but in terms of time that he can never earn back. It pained me more because I felt inadequate as a teacher. I should have been able to see through his adaptive camouflage during the sessions. I think I did, somewhat. But there was so much to cover with respect to my subject that I could not have focused on that 1 out of 30 odd and fixed it right then in the class.

On a side note, I am thankful to STP for sharing each and every feedback and putting so much effort in compiling all of them, for me to come to a relative score that also helps me see if I am improving as a speaker. Back to the topic – when I look back, I still believe it would be difficult for me to help this attendee if the same situation repeated. I assessed the attendee over the exercises and realized he needed to learn more of “testing” before he went on to understand the role of business domains in testing.

I am happy that I could help rest of the class – I got some raving remarks too and overall got rated as 4.42 on a scale of 5. Helps my soul.

But how must that attendee be feeling after the tutorial? Are we at a risk of losing a potential learner? How can we avoid such situations – what can you do to define your purposes better and feel more content with your learnings?

I encourage you to share your thoughts too on this, while I am sharing a few from my end:

  • Build Purpose by knowing –
    • What skills do you need for your current job
    • What skills would you like to develop for future perspectives
    • What topics interest you
    • What is the direction your organization taking – would you need some new skill to support your firm
  • Map Purpose to Abstract –
    • Read the topic well (but sometimes with a pinch of salt)
    • Read the abstracts carefully – in detail
    • Look at “key takeaways” – almost all conferences have these upfront on their program details
    • Find contact details of the speakers – if in doubt – talk to him/her in advance to understand what will be taught / discussed
    • Ask speakers to suggest some background study , if possible.
  • After Party
    • Connect with others in the class
    • Stay in touch and discuss how each is implementing the learnings
    • Go back to the speaker for clarifications and more help

Looking forward to your suggestions too. Hope this helps someone. And one last thought – DO NOT GIVE UP LEARNING BECAUSE A PARTICULAR TEACHER OR CLASS COULD NOT TEACH YOU. I AM SURE THERE IS SOMEONE OUT THERE TO HELP YOU.

Looking for a testing job in San Diego?

A few months back, I started a meetup group – Test Practitioner’s Club. We have about 200+ members each on the LinkedIn group, the Facebook page and the meetup.

We have been meeting locally, to learn testing from each other and share our experiences. But lately, I noticed a lot of folks who came to the meetups began to find new jobs with organizations whose employees frequently participated in our meetups too. And I realized that these meetups were serving as a breeding ground for new relationships. It also became a platform for testers to network and evaluate opportunities – opportunity to hire as well as to get hired.

Conferences / meetups / public trainings are perfect places to meet new peers. They serve not only as a networking platform but also give an opportunity to evaluate a tester’s skills at length in a not-so-formal environment, thus possibly showing a more natural side of the tester.

And, for the testers who are looking for a change, conferences serve as a priceless opportunity to find either the right job for them or an impactful referral. The passionate ones who have some fire in their belly to make it in the testing and technology world make the best of the opportunity by meeting maximum testers present there, exchanging thoughts with them, finding mentors and sponsors and leaders. These connects eventually result into more dependable support for one’s overall career growth.

I am about to attend a content-rich testing conference that is attended by a large number of testers and decision makers of test departments – STPCON Spring 2015 at San Diego. I therefore thought of writing a few lines to those testers interested in hiring or getting hired, to participate in the conference and make the best of it.

Should you decide to attend STPCON, you could use my discount code – STPS15MISH to get a 10% off.

I would also like to add that I am teaching a class on “Implementing Business Context to Test Heuristics Model”. This could help testers develop a transactional knowledge of various businesses, and will help formulate an approach to learning different businesses and setting up the business context while implementing the test heuristics model.

I strongly recommend this class to those testers who have a good job and feel settled but would like to move up the value chain, become a better tester, add more value to the product and gain respect as an expert. The class would tremendously help those testers who are seeking a change to a different business domain, or who are looking for a job and unable to find one in the same industry they are familiar with.

Explore the program, find the sessions of your interest. Come and enjoy learning testing. Meet new testers, network and reach greater heights in your career.

Looking forward to see you there. Register at http://www.stpcon.com.

Continuous Integration Testing

Continuous Integration is a software development practice where members of a team integrate their work frequently; usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by a (preferably) automated build (including test) to detect integration errors as quickly as possible. This approach leads to significantly reduced integration problems and allows a team to develop cohesive software more rapidly.

How it helps…

CI - How it works

  • The greatest and most wide-ranging benefit of Continuous Integration is reduced risk
  • CIT removes the blind spot of integration being a long and unpredictable process
  • At all times we know what works, what doesn’t and what are the outstanding bugs in our system
  • CIT makes it dramatically easier to find and remove defects
  • Helps get rid of ‘Broken Windows Syndrome’
  • Removes one of the biggest barriers to frequent deployment
  • Allows users to get new features more rapidly
  • Gives more rapid feedback on those features
  • Helps break down the barriers between customers and development

CIT Process Methodology

Continuous Integration Testing is not an independent testing process. It is performed as frequently as code is merged, and is an end-to-end process that involves Release Management, Configuration Management, Test Management (environment / data / test cases / automation of fact checking) and Defect Management.

CI - process

Continuous Integration Testing Approach

Below is the stepwise testing approach that we normally take. Your project needs could be different, so draw up your own approach for your context. The percentage of fact checking that is automated can vary a great deal, so be prepared to take that into account.

CI - methodology

Career Development for software testers

Hey there – We have some interesting roundtable discussions at the Software Test Professional Fall conference 2014. One of them is about “Career Development for Software Testers”. I am hosting it and plan to have some really meaningful and interesting discussions.

Most of what will be discussed there will be input from the attendees in the room. However, we are working to collect a few data points around common discussion topics for tester groups, and hence I am sharing a survey developed to do that.

https://www.surveymonkey.com/s/testerscareer

Please take the survey and be part of the discussions.

The survey results will be shared and discussed at the roundtable at STPCON Fall 2014 at Denver. Register for the same at :

https://www.regonline.com/Register/Checkin.aspx?EventID=1554743

Thanks friends.

Context Driven Testing spreading its wings

Recently, I happened to attend another test meetup in the region. To my pleasant surprise, it was very well organized by Gaurav Bansal of Xebia.

I spoke about the relevance and importance of understanding business and, more importantly, setting up the business context when performing testing. Further in the talk, I also brought up strategies for inculcating the trend and sustaining this business knowledge in test teams, ways to ensure it keeps growing with new work and new testers coming in, and the difference between business knowledge and business context. It was very well received and the attending testers participated thoroughly. It seemed they enjoyed questioning and understanding as much as I was enjoying listening to their perspectives, challenges and issues, and answering them with my thoughts.


I had started with the statement – Testing is a cost for business and in itself adds no value. This sentence was debated by the testers in the audience for a good 10 minutes or more until we settled on it in the context of our discussion. This also told me the kind of thought processes the testers were bringing in. I heard all sorts of terms – ROI, Quality, Value add, etc. – coming to “Testing’s” defense. Some of the testers did seem to be very aggressively defending, but it was fun.

Post my session – Gaurav and Rajneesh from Xebia gave sessions on Behavior driven testing and Exploratory testing. I could hear a lot of resonance with the thoughts of the likes of James Bach, Elisabeth Hendrickson and Michael Bolton. Both sessions were very interesting and informative. Attendees were loving these sessions. Brilliant job – Gaurav and Rajneesh!!

Rajneesh @3rd meetup

There was a surprise item of lightning talks, where speakers could write their names and talk titles on a whiteboard and speak to them for 5 minutes with or without presentations. There was a host of exciting topics, and the speakers spoke to them with utter sincerity, thorough research and lots of examples from experience.

Lightning Talks

I was proudly watching my fellow testers speak and learn through the enthusiastic cross debates amongst the attendees themselves, and with the speakers too. I had so much fun learning.


As I was enjoying all the action and looking around, I couldn’t help but notice pretty faces sitting all over, and it was such a pleasure to see such a huge turnout of women testers. I remembered those 4 girls at my earlier meetup. This one had so many more, and all participated. It was a thorough treat to my heart and mind both.

Last meet up we did and then this meetup – number of women attendees increased manifold.

Women at 2nd meetup / Women in Testing - 3rd meetup

Thanks to Gaurav from Xebia and Kapil Saxena from Magic software to get so many team members from their teams to participate in the meetup.


One thing that was noticeable was – James Bach was thoroughly loved and followed there. Everyone at the meetup knew James, and mostly just him, from the testing community. The mere mention of James made folks standing nearby join our conversations. I hope you read this blog, James.

This time I had a particular point on my agenda – to know what our testers thought about certification. So I wrote that on the whiteboard and spoke on it as a lightning talk. To my surprise, everyone was looking forward to the talk that I hadn’t even prepared for.

The moment I said – what do you think about certifications in Testing – the testers who had contained this thought with them for a long time now, suddenly burst with questions like  –

– What are the best certification in testing

– What are the most popular ones

– Will I get a better job if I do a certain certification

– if not ISTQB then what?

At this point I was tempted to tear apart the myths and tell these naive souls how they were getting caught in the populist theory. But I realized they were not to blame. Almost all of the attending testers said their organization gives preference to ISTQB certification for promotions or hiring. As I tried to understand what they gained out of this certification, they clearly said – does it matter? I know I will get the job if I am certified, so I will do it anyway. Plus we get a “common language” that we can speak across as testers. A standardized meaning of testing. One such tester also said – Exploratory testing was Monkey testing – only to realize later that he was absolutely wrong and the place he learnt that definition actually taught him incorrect definitions, thus resulting in a “non-standardized language”. They really didn’t know why they would even do this certification.

Okay – all those who are taking time to read this blog need to observe something – the speakers and topics were more than a hundred percent “context driven” in their souls and approach. But attendees clearly showed the lack of it. They were here to learn and they did learn but there will be so much unlearning to do before we learn right testing.

When I spoke to them – I mentioned that they shouldn’t focus on certification a whole lot. They should be keen on learning testing, and they should go for BBST. And oh boy – who knew BBST there? 2 of the lot. Only 2 had heard about it. That’s all.

But the bigger worry was – the way I looked at them – I felt they weren’t prepared for larger doses right now. I asked them to not bother about certification or even BBST but first go to http://www.satisfice.com and learn some testing. Then we can talk more about BBST. One of the attendees who knew BBST said there wasn’t enough information about it. Most of the attendees said – we can do BBST and would love to (after I had explained to them somewhat what BBST is), but our management doesn’t support it. Management wants all testers to be ISTQB certified.

As a tester who practices Context Driven testing, I have to admit that I was pleased to see what the speakers wanted to talk about and teach the crowd. But the level of ignorance testers had, about ways to learn testing was not encouraging one bit.

I am calling on all CD testers to do better story telling and make ourselves more heard. We need to influence not only testers but also management to understand right testing.

For the benefit of those, who asked at the meetup – Will be publishing shortly what BBST means, in James Bach’ s own words. Meanwhile – go through http://www.satisfice.com.