Introducing…Ticket Magpie

Solving a problem of learning

I’d like to introduce you to a little project that David Hatanian and I have been working on. David is a member of the fantastic team at Codurance, and we first started working together on this project in February 2016.

Following my experiences at European Testing Conference in Bucharest, I realised the time had come for me to create and build my own vulnerable application. This was so that I would be able to run my own workshops on security testing, coach my colleagues and other testers, as well as demonstrate vulnerabilities such as the OWASP Top 10.

My initial forays into learning security testing relied upon learning from a number of publicly available web applications. These include AltoroMutual, Gruyere from Google, and Supercar Showdown by Troy Hunt.

I also worked closely with Bill Matthews, initially shadowing him, but then helping him to deliver workshops at international conferences. For these workshops, he built his own web application, Ace Encounters, which is a travel and wild adventure website.

Of course, using a real world application to practice these skills is highly illegal. So, students of security testing need a safe place to practice and learn. We aren’t hackers after all, we are testers. We aren’t there to steal, undermine or attack. We are there to explore and learn.

Pairing with David has been incredibly rewarding for us both. I’ve supported him with his understanding of security vulnerabilities, and he has supported me with my learning of object orientated programming (in this case Java).

A couple of months ago I ran a session using Ticket Magpie for the testers at NewVoiceMedia. The session was well received, and everyone appeared to have fun. The team there are really great at generating interesting test ideas, developing their skills, and following through with practical application of their learning. Taking this out into the wider community of testers was to be the next step, at Test Masters Academy.


Get Ticket Magpie

Ticket Magpie is easy to get, from David’s GitHub project. Check it out here and follow the instructions on the page. Here is some additional installation guidance.

Local Installation

  1. Install the components locally on your machine. You’ll need Maven, Java Development Kit and the Ticket Magpie project.
  2. Configure the JAVA_HOME and PATH environment variables, appropriate to your operating system. (Supports MacOS, Windows and Linux)
  3. Run the application from the command line.
  4. You may choose to set up your own database, or run it in memory whilst the application is running.

Virtual Machine Installation

  1. Install Oracle VirtualBox or your favourite virtualisation tool on your machine
  2. Create a virtual machine using your OS of choice.
    • I like to use Linux Mint for this. It’s lightweight and easy to configure.
    • Remember to give your VM enough space, or make it dynamic. 8 GB should more than suffice.
  3. Follow the steps above and on the GitHub page for the project and you can’t go wrong.

Docker (this is by far the quickest and easiest way of getting things running)

  1. Install Docker on your machine
  2. Run the application from the Docker Hub image, using the provided command line:
    docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie"
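
An added example, not part of the original post or the Ticket Magpie project: Docker's `-p8080:8080` publishes the port on every network interface, so this wrapper starts the same image bound to loopback only, confirms the published binding, and waits until the application answers. The image name and Spring profile are taken from the command above; the variable names, container name and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Ticket Magpie project).
# IMAGE and the Spring profile come from the post's docker command; every other
# name here (BIND_ADDR, HOST_PORT, CONTAINER_NAME, the functions) is assumed.
# Usage: save under any file name and run it with the single argument "start".

IMAGE="dhatanian/ticketmagpie"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"
HOST_PORT="${HOST_PORT:-8080}"
CONTAINER_NAME="${CONTAINER_NAME:-ticketmagpie}"

# Succeed only for a dotted IPv4 address inside 127.0.0.0/8.
is_loopback_v4() {
  case "$1" in
    *[!0-9.]*|*..*|*.|*.*.*.*.*) return 1 ;;
    127.*.*.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the value for docker's -p flag, refusing any non-loopback address.
publish_spec() {
  is_loopback_v4 "$1" || { echo "refusing to publish on $1" >&2; return 1; }
  case "$2" in
    ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;;
  esac
  printf '%s:%s:8080\n' "$1" "$2"
}

# Read `docker port` output (one ADDR:PORT per line) on stdin and fail if any
# published address is not loopback, or if nothing is published at all.
bindings_are_local() {
  seen=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    seen=1
    is_loopback_v4 "${line%:*}" || return 1
  done
  [ "$seen" -eq 1 ]
}

# Start the container detached, published on loopback only.
start_magpie() {
  spec=$(publish_spec "$BIND_ADDR" "$HOST_PORT") || return 1
  docker run -d --rm --name "$CONTAINER_NAME" \
    -e "SPRING_PROFILES_ACTIVE=hsqldb" -p "$spec" "$IMAGE"
}

# Poll the home page until it responds or the attempts run out.
wait_for_app() {
  tries="${1:-30}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    curl -fsS -o /dev/null "http://$BIND_ADDR:$HOST_PORT/" && return 0
    i=$((i + 1))
    sleep 2
  done
  return 1
}

if [ "${1:-}" = "start" ]; then
  start_magpie || exit 1
  if ! docker port "$CONTAINER_NAME" 8080 | bindings_are_local; then
    echo "port is published beyond loopback; stopping container" >&2
    docker stop "$CONTAINER_NAME"
    exit 1
  fi
  wait_for_app 30 && echo "Ticket Magpie is up at http://$BIND_ADDR:$HOST_PORT"
fi
```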

Running TicketMagpie

Once TicketMagpie is installed on your chosen environment, run the appropriate command line, then navigate your browser to:

http://localhost:8080

If you are successful, your browser should display the application, and it should look like this:


Bug Hunt

I invite you to have a go at exploring Ticket Magpie. There are some fun features for you to take a look at. I’m not going to spoil things for you by listing everything here. You might also find some interesting problems.

Because the application runs on your local machine, Docker or VM, you can use any technique, tool and gnarly hack you want, without harming anything or anyone else.

Take your time and let me know what you think. If you feel the need, you are welcome to use this form to provide feedback about the application: Ticket Magpie Survey. Alternatively, just message me on Twitter, or comment on this blog.

Good Luck, and Thanks!


 

The MEWTation of Communication

It’s taken a while for me to digest and understand the impact of attending MEWT a couple of weeks ago now. I normally try and blog quickly after an event, whilst my memory, notes and personal response are fresh. In this case, I haven’t been able to do so.

Visiting a conference or attending a few track talks and workshops is an exciting experience. There is always an opportunity to learn more about a technical skill, tools and current thinking around testing. Never before have I been able to learn as much about myself as a tester, and as a human being, as I did at MEWT.

Set in the fabulous surroundings of the Attenborough nature reserve in Nottingham, MEWT (Midlands Exploratory Workshop in Testing) is a very intimate workshop day hosted by Richard Bradshaw, Vernon Richards, Bill Matthews and Simon Knight. I felt extremely privileged to be invited to attend, so I wanted to ensure that the content I provided was both pertinent to the topic and expressed my personal challenges with communication, some of which I will talk about here.

The Attenborough nature reserve, Nottingham


My talk was Communication, Influence and the Geek, the slides for which are available from the MEWT website.

During my time on this planet, and latterly as a software tester, I have encountered a few challenges to communication. Being a geek, which to some is a pejorative term for someone who has a deep interest in science, technology, certain hobbies or non-mainstream culture, can present certain problems for folk who identify as such, or who have been labelled as such by others.

The photo below adequately demonstrates my main source of geeky inspiration:

The Dalek Supreme in “The Stolen Earth/Journey’s End” in BBC TV’s Doctor Who

Communication is an exchange of ideas and viewpoints, as much as it is about information and facts. It’s about dissecting and evaluating the information that is presented to you in the context of the emotional feedback you have to it. Testing, in my view, is partly an expression of that.

In deep debate at MEWT



I won’t dwell too much on my personal experiences here, because they are not for this place. However, the feedback from the peers that I met and worked with at MEWT was greatly positive, and nourishing. It has fed my desire to learn more about my craft, and support others who wish to learn more. Whilst we should be mindful not to label ourselves, or allow ourselves to get pigeonholed by society, others or even our own prejudices, it is important to recognise and play to your own strengths.

Simon, Vernon, Christian and Christopher


The environment created at MEWT allows professional, non-judgemental, challenging but friendly debate around the ideas and thinking generated during the day. Ahead of this session I was terribly nervous about sharing some of my deepest thoughts and feelings on the problems I have faced as a tester. I am not sure I could have put all this out in the open in any other conference or workshop.

 

Dorothy Graham


  
Raji Bhamidipati


 
This was a message that has been impressed upon me not only by the MEWT attendees, but also a number of my colleagues, to whom I will always be grateful. One point was made to me, and that was to not be afraid to embrace the influence that my personal interests and idiosyncrasies have upon my approach to testing. They make me who I am, and it is that which allows me to add value to my employer and those around me.

  

Back in the game

The last few months of 2014 brought on quite a few new professional challenges. Unfortunately this means that I have been unable to do any blogging of late.

So…a quick catch up.

I’ve recently run two Weekend Testing sessions on Security Testing. The info for these is here:

http://weekendtesting.com/archives/3744

http://weekendtesting.com/archives/3804

I’ve since been invited to help run the Weekend Testing Europe chapter by Amy Phillips and Neil Studd, so keep your eyes open for future sessions! Amy is running one this week on API testing. It should be awesome. Go check out the details here and register:

http://weekendtesting.com/archives/3898

During these sessions I referred to the work of security blogger Troy Hunt. He kindly let us use his website http://hackyourselffirst.troyhunt.com/ , which also forms the subject of his two courses Hack Yourself First and Hack Your API First.

Both courses work together as a fantastic way to get to grips with some tricky concepts, which are explained clearly, succinctly, and with humour.

Often these sorts of online courses can be quite boring, heavily laden with dry facts rather than useful examples and experience. Troy draws on examples in the course material, web and mobile applications, as well as real world vulnerabilities he has discovered during his work.

I can definitely recommend both of them, which are available on Pluralsight. The courses aren’t free, but they do a trial period. It’s worth investing in them if you can. Enjoy!

Reflections on TestBash 2014

The events of this year’s TestBash are just starting to sink in. You see, Brighton is basically my home town. I love it there. I grew up in nearby Burgess Hill and my family still live in the area. Brighton’s wondrous variety was always a massive draw, pulling you in like a magnet. Brighton has a creative beating heart like no other city in the country. So coming to Brighton for TestBash now for the second time, is a bit emotional for me. I’m proud that TestBash is in Brighton, and that Rosie puts such hard work and dedication into the events surrounding the big day, and of course the conference itself.

So the week of TestBash began with a trip up to the Sheffield Tester Gathering, organised by Stephen Blower. Info about the meetup can be found here: http://www.stephenblower.co.uk/events/ I was lucky enough to go and present my talk “New Adventures in Security Testing”. It was a great experience being able to share ideas about how to go about kickstarting Security Testing from scratch with little experience. Here’s the Storify for the meetup: https://storify.com/bAdbUd65/sheffield-test-gathering-event-7-8. We even had a round of the “Coin Game”…which I think is for another post.

Back down to Sussex for TestBash…led to catching the end of Stephen Janaway’s course on Mobile testing, hosted by Ministry of Testing. http://stephenjanaway.co.uk/ It’s a fascinating area of testing I know very little about, so it was good to pick his brains over this and other topics afterwards at the pub. I’m looking forward to catching up with Stephen and his colleague Dan Ashby on the Testing in the Pub podcast soon, where I will be talking about Security Testing. You can find their podcast here: http://testinginthepub.co.uk/testinginthepub/

Whilst there, I bumped into someone I have been following on Twitter for a while; one Emma Keavney (@EmJayKay80) who immediately made an impact on me with her enthusiasm for her new career, looking to make connections anywhere she could find them; and generally being the reason why TestBash exists. That is, I feel, to give passionate testers a forum, a place to talk, learn and explore ideas and generate contacts in the industry. Her 99 second talk at the end of the day earned a well deserved cheer! Here she is in the TestBash Flickr album! https://flic.kr/p/mATpoS

Lean Coffee is a great way to start the day, with discussion and debate going on across the room. Chris George at RedGate facilitated this year, following on from Lisa Crispin last year. You are timeboxed and voted for and against the topics you chose, so you need to keep on your toes…but it is breakfast after all, so not too stressful.

Obviously we go to TestBash to see the speakers as well! I enjoyed something from all the talks, but big highlights for me came in the form of Mark Tomlinson, Jez Nicholson, Stephen Blower and Keith Klain.

Mark had a fascinating talk on Contextual Decision Making in Testing, which demonstrated how our minds operate when testing, examining the unknown and known factors that come into play whilst we test…as well as the infamous spinning cat.

Jez was talking about how we as testers can engender great relationships in the workplace, with developers and managers alike. His insights resonated with how I have grown to feel about the dev/test relationship over time, and that is we aren’t in competition with developers and other testers but need to work together effectively.

Similarly Keith Klain explained how as testers we need to improve the way we discuss (or not discuss) testing with senior managers, who don’t necessarily want all the nitty gritty detail of a bug, or test results. It’s just about shipping product that works, on time and to cost and nailing those messages.


Stephen Blower: Inspiring Testers

 

Inspiring Testers was the name of the game for Stephen Blower. Earlier in this post I mentioned that Stephen runs the Sheffield Tester Gathering. He uses this forum to inspire testers in his area, and from all over the place. He wasn’t afraid to say that if he felt that he wasn’t adding value, or getting what he wanted from a business, he was happy to move on or make big changes to get things done. Stephen is a really supportive chap anyway, leads a lot of the social activities, testing games and chat that goes on afterward at the pub. If you get a chance to play the coin game or pen game with him, then these will certainly stretch your thinking. Be prepared!

TestBash after party with Stephen Blower @badbud65 and Richard Bradshaw @FriendlyTester


And there we have it. To the pub. The social side of TestBash is what attracts me as much as anything else. There is a great, relaxed atmosphere. All the really interesting conversations happen at the pre and post TestBash meetups. If you miss them, then you really are missing out on the heart and soul of TestBash. In 2015 I will definitely be there…and I will almost certainly be submitting a talk. I can’t wait.

Keep Talking

Someone once told me that if you speak about something you are interested in and passionate about, then someone else will always be interested in what you have to say. We all move in different social and cultural circles, and whilst it is true to say that there will always be someone out there who wants to hear what you have to say, you need to pick and choose your audiences carefully.

If I speak about my favourite movies and TV shows in front of a bunch of art critics or zoologists, it will probably fall on deaf ears. Unless of course they are shows about art or natural history. I have two active Twitter handles for this very reason. Not everyone wants to know what I thought of last night’s football match or the latest episode of a TV show.
Last night’s Sheffield Tester Gathering afforded me the chance to talk about Security testing. It’s an aspect of testing that I am very passionate about, not only because it is complex and varied, but because the challenge of it seems almost endless. There is lots to learn; lots to share with other people.
The people who I was speaking to were other testers, test managers, managers who test (thanks Peter Nairn for that one). There were also one or two developers, and also testers who do some development. They came along because they wanted to learn something new, explore an idea, or speak to other like minded people.
Peter Nairn spoke to us about ‘The Ideal Tester’, which was his notion of what a tester should be. He wants testers to be part of the community, passionate about their craft, learning new skills and sharing them with others, to use humility and honesty in their approach but also celebrate their achievements. A whole host of other behaviours and capabilities were on the list. Too many to list here. He also said that the ideal tester does not exist.
Blogging by no means makes me an ideal tester. I love sharing, talking and being part of a dynamic team. But some of my colleagues, and certainly my wife might agree that I can’t stop talking…usually waffling about some irrelevant trivia. This is part of the challenge I face on a personal level…how do we share our passions, creativity, knowledge and ideas without coming across like Hermione Granger (look, another pop culture reference) or even worse…Jeremy Clarkson.
At one of the many warm up events and gatherings before TestBash this evening, I’ve gotten to meet some really passionate testers who I’ve never met before, some who I’ve been following on Twitter, some folk that have been on my testing radar for a long time. All of them have different stories to tell, varied experiences to share, and different goals they want to achieve.
Meetups, conferences and gatherings are my absolute favourite way of generating ideas as well as sharing them. Without events like this, and pioneers in the test community to organise, promote and champion them. We might not be ideal testers, but we are all making changes, engaging and learning so that we can be the best testers we can be. And that has to be worthwhile.
I hope that those of you going to TestBash this weekend have a great time, take home some learning from it, maybe meet and talk to some interesting and influential people. And don’t forget to have fun. Just like Rosie here.

Hackathon! Working with new people on cool stuff!

The last couple of days have brought an entirely new experience. Every quarter the R&D team at New Voice Media has a whole 2.5 days where the team can work on their own ideas that will add value to the business that are outside of the normal day to day feature development. The plan is that developers, testers and product owners come together to learn, create and innovate.

Earlier this morning Rob Lambert wrote in his blog (http://thesocialtester.co.uk/hackathon-how-can-testers-take-part/) about how the testers were getting involved with the Hackathon. Historically it has been difficult for testers to get involved with these kinds of events here, as sometimes there were competing priorities, a lack of engagement on the part of both developers and testers alike, or perhaps a view that our skills and expertise weren’t needed for such a short term project, that might not even make it in to production code.
This time round I was determined to get involved (last time, I was a contractor) as I felt it would be a great way to engage with members of the team that I don’t usually get to work with. As a newbie to the team, I felt it would be key to make sure that I could develop my skills and help others do the same. Also it was a chance to work on actual code that would make it in to production that would help our Professional Services team, and ultimately the customers. I normally work on the infrastructure side, security testing and other bits and pieces; rather than features and user functionality.
In the last couple of days we have collaborated on creating our acceptance criteria, developing a great suite of unit and automated tests, refactoring and improving the UI, performance tuning of the database, as well as some really exciting exploratory testing that facilitated the mentoring of a new member of the team who is completely new to testing. 
It’s been one of the most exciting and interesting times of my career, where the feedback from exploratory tests has been greatly welcomed by the team, exposing some interesting bugs which were then fed back in to the developers to ensure the delivered product was as good as possible in the time allowed.
We also got to see how the other teams got on, the products they produced and how they worked together. There were some really exciting projects and ideas knocking about, where the team really got to stretch their legs, bring together interesting technologies and processes. We all voted at the end for best in show, pushing the envelope and the epic fail 🙂 (no one fails really, it’s just a bit of a laugh). It’s also a great time for the team to socialise and to get to know each other.
If you are a tester, part of a development team and you aren’t getting a chance to take part in these sorts of activities then get involved by championing your skill set, collaborating with your peers, making connections and generating great ideas that make your customers happy and want to use your products. 
If your team isn’t doing a Ship it, Hackathon or similar, then how about setting something up yourself. You won’t regret it! Trust me – I’m The Test Doctor!

(here’s the team during our Show and Tell this afternoon!)

A year of change and new beginnings

2013 – What a year! Both personally and professionally. The last few months especially have been a huge challenge, and those that know me well will understand why. This year has presented a number of huge challenges, and has presented a whole new range of opportunities.
In 2010 I made the huge decision to go contracting, especially where in the South West of England there was a dearth of decent contract roles. However at the time I felt that this was the right move for myself personally and professionally. It has had its ups and downs, but has never been boring. I would heartily recommend it to those who aren’t afraid of change.
However the last six months has brought an even bigger challenge…which is what I would like to share with you now.
Since June 2013 I have been working as a Contract Test Engineer at New Voice Media in Basingstoke. NVM produce great solutions for business to manage their contact and customer service centres, including a raft of call centre applications and services. As part of my work in the development team there has been the opportunity to grow and develop my testing skills, specifically in exploratory and security testing.
The technical and professional challenge is huge, with a steep learning curve. Exposure to a DevOps environment has meant that upskilling and knowledge sharing has been key to developing the test capabilities within the team. Without that, we would always be on the back foot.
If the environment I was invited into hadn’t been so exciting and interesting, then I wouldn’t have felt that moving away from contracting would have been a step forward. Instead, I find myself now in a permanent job in a fantastic team of people, both developers and testers. Sure, some personal circumstances have been a driver to this decision, but at this moment I feel it has been a positive step.
I can hear the cries of derision from my colleagues in the contract market, who would say that I would be resting on my laurels and trying to get comfortable, missing out on the big bucks. Not a bit of it. Skill development and knowledge sharing within a great, positive environment were a major motivator in this decision to go back to permanent work.
I had a good run at contracting, with several great contracts, including one ongoing for some time. I’d developed a good, but not great reputation, for reliability, solidity and innovation at other organisations in the past. Resting on my laurels would be to solely rely on that reputation, to remain static despite having the nomadic life of a contractor. This I feel would eventually lead to some kind of professional inertia, where I was only considering my daily rate; not my daily learning.
During the time I was contracting, I felt disconnected with the community of testers. Being based predominately in the south west hasn’t exactly helped with this, but now there is a burgeoning testing community in the Bristol area who are active in their desire to learn and develop from each other. 2013 brought with it the challenge of interacting and engaging with the test community much more. It opened doors to challenges and opportunities not necessarily open to me in the contract world.
I’m now working with a team of highly skilled people, but also people who don’t get comfortable. It is a team that is constantly trying to find ways to improve how they work and do their jobs, in order to help make fantastic products. I’m also going to get to mentor other testers, which, whilst not exactly new to me, hasn’t always been my first priority. Now on top of my other work, it is a key part of my role, and one that I am looking forward to greatly.
2014 is going to be very hard work, both professionally and personally. But I know that the community is there for you to support your learning and development, if only you are willing to take that deep breath and big step into giving back to it. 
This photo of Crooklets Beach in Bude sums up what I feel right now…under the crystal blue skies, new beginnings and a huge open space to play on. I can’t wait.

Gaming! – Playing to be a better tester?

I’m a tester. I love it. But without doubt the pastime that first got me into IT as a career, and latterly testing, is undoubtedly gaming. I owe those early home computing pioneers a debt, like many of us in IT careers now. I first played games on the ZX Spectrum and Commodore Amiga machines, and this is where I first learned to program in BASIC, from all those dog eared copies of code printed in magazines. It was a joy. 

Latterly, as a PC gamer I was a member of clans on various games such as the Jedi Knight and Soldier of Fortune series. Since then I have had various home consoles, such as the Wii, X-Box and PS3…which are all now reaching the next stage in their evolution in home entertainment.

Now many of you might question the value of gaming as a pastime. I can agree that it is a distraction from more serious and worthy pursuits. However it does provide a degree of relaxation and a way of blowing off steam following a day at the office that a work out, game of squash or a walk in the countryside cannot provide. I only play for a few hours per week, unlike hardcore gamers who will go for days at a time without interacting with another human being.

Recently I have been playing the fifth title in the Grand Theft Auto series. This series of games has introduced a number of controversial themes and scenarios to gamers over the last 10-15 years, but they are without doubt one of the most successful game franchises of all time. I will not be discussing the associated social and political problems with such games as part of this post, but will instead be looking at them in terms of their value as a software product. I’m not going to justify my choice of hobby here.

Firstly, the budget. This is reported by various sources to be in the region of $170 million. This would make it the most expensive video game ever made. But riding on that budget is a reputation for gameplay, narrative and quality that has more than surpassed its peers, such as the Call of Duty or Batman Arkham franchises. 

If you further question its validity as a software product worth discussing, then within 24 hours of release it earned approximately $800 million in sales, and $1 billion within 3 days. This surpasses any entertainment product, from the most successful games to the massive blockbuster movies such as Titanic, the Harry Potter series or the most recent James Bond movie. In a word, this is big business. The game producers, Rockstar, needed to ensure that not only did the game sell well, but that it exceeded the bar in terms of quality.

Whilst playing the game one evening, I thought of a testing challenge I have recently been a part of. I considered the potential elements of the game that would need to be explored by the Rockstar testers (of which there are many)…and this quickly became a morass of thoughts in my head within only a few minutes.

Similar to the task of exploring a large commercial software product I was new to, I attempted to mind-map the game, in terms of its functionality, gameplay elements, user interface and so on. As much as anything this was an exercise for me in learning to use mind mapping as a process for me to understand the scope of the application under test, and potential areas of interest for testing.

It might surprise you that I had not used mind mapping as a test tool before, so this process was new to me. I am now using this process to derive exploratory and security tests on a daily basis. It’s a powerful process, that if used well can help to visualise the challenge of exploratory testing for all sorts of applications. I’m using it more and more now, and I am still learning how to do it better.

I know that by no means have I explored all the game using the mind map (I simply don’t have that much time to play the game) and that I have barely scratched the surface. The learning process I went through whilst playing the game I felt went beyond the simple pleasure of following the narrative, interacting with the characters and gameplay elements. 

At this stage I have not derived any tests that I could explore and execute, but merely those elements that might need exploring further, the relationships between elements of the game such as gameplay, characters, environments, user interfaces and so on. I found this a really useful exercise as I have attempted to explore the game and find new things in it to enjoy once I had completed the main narrative.

Through additional gameplay I might come to develop further ideas regarding how to explore the game from a testing perspective, but I don’t want this exercise to detract from my enjoyment of the game. I need to strike a balance.

It may seem that through doing this I am somehow trying to justify the number of hours I have put into playing the game, but I am not apologetic. It is a hobby like any other, and hobbies are important. 

The mind map I have developed so far is attached so you can take a look. I’d welcome any comments and suggestions. 

GTA 5 Mind Map