Tuesday, March 30, 2010

Developing Skills for Web Quality Assurance

A good friend of mine who also works in the Quality Assurance sphere sent me the following:

"Mike: I need your help to be a better Web/Flash QA dude. I'm currently enrolled in a Flash ActionScript class, and I plan on taking a JavaScript class/continuing w/ my web dev engineering courses. What else can I do to be a better web/dev QA?"


In many ways, the web is both easier to test and more difficult to test. It’s easier in the sense that many of the options to be tested can be modified on the fly and deployed rapidly, so test iterations can be quick and focused. It’s more difficult in the sense that the platform options are wide open: operating systems, devices, browsers and browser versions, plug-ins, and that’s before getting into the unique challenges of displaying pages on mobile devices. Testing Flash and JavaScript applications has its own domain knowledge requirements, but just as important are the issues that come with any web application: testing the client and the server for functionality, performance, and, most critically, security.



The web is an interesting development paradigm in the sense that most transactions, ideally, are stateless. This allows many users to access a server at scattered times without bringing it to its knees. Web servers can be gauged by how they handle concurrent connections, so being able to test and confirm that applications run as expected while sustaining a high rate of concurrent connections is a definite positive step. Various load testing tools can simulate high network traffic and put a server under varying loads. I would recommend looking at the open source options here; while they may not transfer directly to a job that uses a particular commercial tool, the skills learned and the understanding of the methods most certainly do.
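As an added example (not code from the original post or from any particular load testing tool), here is the kind of concurrent-connection check the paragraph describes, written with only the Python standard library: a stub application is started on a loopback port, a pool of workers fires GET requests at it, and the result reports failures and 95th-percentile latency. The stub handler, request count and concurrency level are assumptions chosen for the demonstration.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import urlopen

class StubAppHandler(BaseHTTPRequestHandler):
    """Stand-in for the application under test: every GET returns a small fixed body."""
    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the per-request access log quiet during the run

def start_server():
    """Bind the stub app to a free loopback port and serve it from a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubAppHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def load_test(url, requests=200, concurrency=20):
    """Issue `requests` GETs with `concurrency` workers; count failures, measure latency."""
    def one_request(_):
        start = time.perf_counter()
        try:
            with urlopen(url, timeout=5) as resp:
                ok = resp.status == 200 and resp.read() == b"ok"
        except Exception:
            ok = False  # timeouts and connection errors count as failures
        return ok, time.perf_counter() - start
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(one_request, range(requests)))
    latencies = sorted(dt for _, dt in results)
    return {"requests": requests,
            "failures": sum(1 for ok, _ in results if not ok),
            "p95_ms": 1000 * latencies[int(0.95 * (len(latencies) - 1))]}

def run_demo(requests=200, concurrency=20):
    server = start_server()
    try:
        return load_test("http://127.0.0.1:%d/" % server.server_address[1],
                         requests, concurrency)
    finally:
        server.shutdown()
        server.server_close()
```

Against a real application under test, point `load_test` at its URL instead of the stub and raise `concurrency` step by step; the first level at which `failures` climbs or `p95_ms` balloons is the number to record in the test report.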


Learning how to do some client side automation would be helpful. A great tool for doing this if you use Firefox is the Selenium IDE. Selenium has a number of tools that are useful in different areas, but the Selenium IDE is a plug-in that goes right into your Firefox browser and gives you a bunch of options to record and modify tests.


Understanding HTML, CSS, XML, and the other markup and scripting languages (ASP, JavaScript, CGI, etc.) that play a role in the presentation of pages is important. Additionally, understanding the underlying protocol requests and responses is very helpful. You can be much more effective testing web sites and web interaction if you have a solid understanding of the options associated with HTTP (and there are a lot of them!). You can read the most current drafts and standards for the HTTP 1.1 protocol (RFC 2616). Hand in hand with learning about the HTTP protocol is learning how to work with protocol driver applications. Several are on the market today, both commercial and open source. One that I enjoy using currently is called twill. This is a command line interface that lets you send HTTP requests and receive HTTP responses within a test framework, so you can effectively verify that a site is returning the proper objects and responses without even firing up a browser.
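To show what "verifying the proper responses" means at the protocol level, here is an added example (not from the original post, and not twill's own code) that parses a raw HTTP/1.1 response the way RFC 2616 lays it out and reports deviations from what the tester expected. The two sample responses are constructed for the demonstration.

```python
def parse_response(raw: bytes):
    """Split a raw response into (version, status, reason, headers, body) per RFC 2616."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no blank line ends the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2) + ["", ""]  # pad in case the reason phrase is empty
    version, status, reason = parts[0], parts[1], parts[2]
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # folded continuation line (linear whitespace)
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()  # field names are case-insensitive
        if last in headers:  # a repeated field is equivalent to one comma-joined value
            headers[last] += ", " + value.strip()
        else:
            headers[last] = value.strip()
    return version, int(status), reason, headers, body

def check_response(raw: bytes, expected_status: int, expected_type: str):
    """Return a list of findings; an empty list means the response is as expected."""
    version, status, _, headers, body = parse_response(raw)
    findings = []
    if version != "HTTP/1.1":
        findings.append("unexpected protocol version %s" % version)
    if status != expected_status:
        findings.append("status %d, expected %d" % (status, expected_status))
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith(expected_type):
        findings.append("content-type %r, expected %s" % (ctype, expected_type))
    if "content-length" in headers and int(headers["content-length"]) != len(body):
        findings.append("content-length %s does not match body of %d bytes"
                        % (headers["content-length"], len(body)))
    return findings

# Constructed sample responses: one as expected, one with several deviations.
GOOD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        b"Content-Length: 20\r\n\r\n<html>hello</html>\r\n")
BAD = (b"HTTP/1.0 302 Found\r\nLocation: /login\r\ncontent-type: text/plain\r\n"
       b"Content-Length: 99\r\n\r\nmoved")
```

The second sample trips four checks at once (old protocol version, redirect instead of 200, wrong media type, Content-Length that does not match the body), which is exactly the class of thing a browser quietly papers over and a protocol-level test catches.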


The area with the greatest risk and the largest potential for issues is security. Security can be compromised in any number of places: in the client, in the web server, in the database server, and even through proxy servers set up to capture data. SQL injection can be used to compromise sites and gain access to databases. Social engineering tricks can be applied to gain access to sites and to hack into them… and yes, to get good at doing web QA, you need to learn a few hacker skills and know how to apply them, as well as how to prevent them. A book worth reading is “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto (Wiley Publishing, 2008). Also, for a good and entertaining primer on the topic of security, I recommend Randy Rice’s Software Quality Podcast Episode 5 (this was recorded in June of 2006, but the general ideas discussed are still very valid, and Randy does a great job of presenting the ideas and issues).
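As an added example (not from the original post), the SQL injection risk named above is shown as a login query built by string formatting next to its parameterized form, together with the kind of regression check a QA engineer can keep in the test suite: a tautology in the password field must never log anyone in. The in-memory users table and its credentials are constructed sample data.

```python
import sqlite3

def make_db():
    """Constructed sample data: an in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """'Before' form: user input is pasted into the SQL text, so input can rewrite the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    """Hardened form: bound parameters keep the input as data; it can never become SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

def injection_check(conn, login):
    """QA check: a login attempt whose password is the classic tautology must return no row.

    Against login_vulnerable the WHERE clause becomes
        username = 'alice' AND password = '' OR '1'='1'
    which is true for every row, so the check fails; against login_safe it passes.
    """
    return login(conn, "alice", "' OR '1'='1") is None
```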


If you want to build as much knowledge about the web as possible and really cover a lot of different techniques, I would be remiss if I didn’t mention the W3Schools site. It is a terrific and comprehensive reference for web technologies, and it gives users many opportunities to practice the principles right on the site: make changes to the example code and see how those changes behave. This has been my go-to site for many years, and it has proven tremendously helpful to me.


In my opinion, the best way to learn and practice web Quality Assurance is to get together with a few other people, set up a server or two (you can do this easily in virtualized space with tools like Hyper-V, VMware or Virtual PC if you don’t have spare boxes), and design some applications and pages to interact with. From there, take turns trying to see who can bring the server to its knees. Once you have done so, hold a debriefing with your friends to determine who did what and how, and then look at how you can harden the server. Repeat the process, letting someone else attack the server and another person's example applications and setup. Note: do be careful to set this up in a way that potential “over-spill” is contained; it’s not wise to try exploits or use tools on open networks, as your end results may go way beyond your area of testing, affect more than just your target machines, and might get some people really mad at you (not to mention some law enforcement interest if you go really hog wild!).


To TESTHEAD readers, do you have additional suggestions? If so, please feel free to add them to the comments section.
