Better Software - April 2008 - (Page 9)

Picks

Bumper Stickers for Testers
By Harry Robinson

Why is software testing perceived as dull? How many other jobs can list "crash," "hang," and "death march" in their daily vocabularies? In this column, Harry Robinson encourages testers to embrace a little pride and excitement in what they do, and Harry has just the mottos for bumper stickers that announce Tester Pride. Author's note: Feel free to add your own favorite slogan in the comment section at the end!
www.stickyMinds.com/eLetterpick10-3a

How Do You Think?
By Fiona Charles

What are the attributes of a good tester—of a great tester? As every test manager knows, identifying the right people for a test team can be a struggle. In this column, Fiona Charles describes the qualities of mind she looks for in testers, and the interview questions she asks candidates so she can evaluate how they think.
www.stickyMinds.com/eLetterpick10-3b

When Requirements Collide
By Karl Wiegers

Could it be that not every set of business requirements has the customer's best interest in mind? Karl Wiegers had always believed that implemented software functionality should enable users to accomplish their goals and help the business achieve its objectives. But a recent experience with a less-than-helpful parking meter system suggested to him that conflicts sometimes might exist between business and user requirements.
www.stickyMinds.com/eLetterpick10-3c

Pointer

Your Job - Requirements = Less Value
By Dion Johnson

An effective Project Customer can turn a good product into a great one. But he's got to know how. Mike Cohn gives Project Customers seven simple rules for communicating product goals effectively to development.
www.stickyMinds.com/eLetterpick10-3d

eNewsletter Extra
A sampling of content from our eNewsletter archives

Sticky ToolLook: November 9, 2006
A Word with the Wise: Security Tools with Gary McGraw
by Joseph McAllister

This month's installment of A Word with the Wise is a Q&A with software security expert Gary McGraw. He's the CTO of Cigital and the author of numerous books, including Software Security: Building Security In and the upcoming Exploiting Online Games.

Joseph McAllister: How are security issues changing the way development organizations look at software quality and the development and testing tools that are needed?

Gary McGraw: It's not clear that developers adopting software security tools are understanding that those are actually kind of QA tools. In fact, I'm a little concerned about the first generation of software testing tools for security that are coming down the pike. These tools supposedly capture a whole bunch of black box tests, and you can run them against any arbitrary program. If you run all those tests and you don't find any problems, you don't know anything—you just ran some tests. On the other hand, if you run them and you do find some problems, you know that you're in deep trouble, because a stupid test knocked your program over. I liken those to badness-ometers that range from "deep trouble" to "I'm not really sure." I think everybody should use them, because it's good to know if you're in deep trouble—maybe you'll do something about it. On the other hand, they're not security-meters, so if you run one of these test things against your program and it doesn't find any problems, you can't declare victory. You have to declare ignorance.

JM: Do you think that the tools will become more effective?

GM: There is no completely off-the-shelf, hacker-in-a-box solution that you just plug in, press return, and off you go. What you need to do is arm a real tester with the kinds of technology that you need to build seriously good security tests. But you'll never get the human out of the loop.

JM: And are there any other particular security issues on which tools will have little impact?

GM: There are these application firewall tools that are pretty silly, too, and they work by watching network traffic and trying to say, "That's bad input, that should never go to the program." If you're going to try to do some filtering, you should do it inside your program, not at the firewall or on the network wire.

JM: Who knows better how your program should handle input than you, the guy who wrote your program? Not the security guy, who doesn't even know what a compiler is.

GM: On the other hand, there are some new tools that have only been out for a year or two that take a very deep look at source code for software and help to identify vulnerabilities at the source-code level. They are based on compiler technology. That kind of technology is very useful for those testers and QA people who practice white box testing and who do things like code review for a living. I think [those tools are] still in fairly low use out there, but I also see people beginning to adopt them quickly. If you're a QA person and you're responsible for code review, you should take a look at those static analysis tools for security right away.

JM: And those will become more effective as more people hear about them?

GM: They're already pretty effective. They'll have more impact as more people wield them. The funny thing about security is, there are about 500 or 600 things you could do wrong in C and C++ based on APIs, system calls, library calls, and just language idiocies. I don't know about you, but I can't remember all 500 of those while I'm staring at code trying to figure out what the heck it does. Those tools can help you remember those things while you're doing your review. If they identify areas in the code that you should worry about, you can probe those dynamically with reasonable testing.
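As an added illustration of the last point in the interview (example code written for this page, not from the interview or any product it mentions), a toy regex-based scanner that "remembers" a few risky C library calls for a reviewer; the sample C source and the API table are constructed, and real tools use compiler front ends rather than regular expressions.

```python
"""Toy static check for a handful of risky C library calls.

Added illustration: a regex stand-in for the compiler-based tools the
interview describes. It reports each call site of a small table of C APIs
for a human reviewer to probe. An empty report only means "none of these
patterns were seen", not "secure" (the badness-ometer point above).
"""
import re

# Constructed table: a few of the several hundred C APIs a reviewer must remember.
RISKY_CALLS = {
    "gets": "no bound on input length; cannot be used safely",
    "strcpy": "copies until NUL with no destination bound",
    "strcat": "appends with no destination bound",
    "sprintf": "formats into a buffer with no bound",
    "scanf": "'%s' reads unbounded input unless a field width is given",
}

# Word boundary keeps wrappers such as safe_strcpy() from matching.
CALL_RE = re.compile(r"\b(" + "|".join(RISKY_CALLS) + r")\s*\(")
LINE_COMMENT_RE = re.compile(r"//.*$")


def find_risky_calls(source: str):
    """Return (line_no, api, reason) for each risky call in C source text."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = LINE_COMMENT_RE.sub("", line)  # skip trailing // comments
        for match in CALL_RE.finditer(code):
            api = match.group(1)
            findings.append((line_no, api, RISKY_CALLS[api]))
    return findings


# Constructed sample input: one unbounded copy next to its bounded replacement.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);                      // risky: no bound
    snprintf(buf, sizeof buf, "%s", name);  // bounded, not reported
    printf("hi %s\\n", buf);
    // gets(buf) only appears in a comment, so it is not reported
}
"""

if __name__ == "__main__":
    for line_no, api, why in find_risky_calls(SAMPLE_C):
        print(f"line {line_no}: {api}() - {why}")
```

The scanner ignores block comments and macros entirely, which is exactly the kind of gap a compiler-based tool closes.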