a Flying Tester…

I missed the deadline of submitting my answers to Santhosh Tuppad’s Software Testing quiz contest.

Here is my answers

1. What if you click on something (A hyperlink) and to process or navigate to that webpage you need to be signed in? Currently, you are not signed in. Should you be taken to Sign up form or Sign in form? What is the better solution that you can provide?

This does not provide complete information to decide what and why I suppose to test as a tester. My answer would depend on context in which I will be testing. There could be many scenarios to handle sign in & sign up.

Anyways let’s assume that there are two different scenarios in which user would take two different paths and these two scenarios I will test.

1. Let say I am testing a bank’s website. The scenarios is customer receives his netbanking credentials through which he try to access online his bank’s account. If customer is accessing it first time then system should prompt for new password and if not then sign in screen. As per my understanding Bank’s website does not have sign up form because based on account registration bank provides netbanking facility.

• Now I will test this scenario based on certain assumptions where I receive netbanking system generated auto password. I will test whether system prompts ‘change password’ or not. I will observe system’s state. I will also try to pause while entering a password.
• Other scenario in which I would test sign in form to access account second time.

2. In second case if user try to download songs, movies or books then system prompts user for user authentications.

• In first scenario I will test if user is visiting first time and try to download songs from website then system should prompt for sign in where there should be button available which ask user to do sign up
• In second scenario I will test if user is already registered but did not logged in and she try to download songs then system must prompt for sign in.

The conclusion is I can’t answer you what is better solution unless and until I understand in which context this problem is.

2. Using “Close” naming convention to go back to the homepage is good or it should be named as “Cancel” or it is not really required because there is a “Home” link which is accessible. What are your thoughts?

Without context it is very difficult for me to answer this question. I try real hard to model such requirement on web application because I am assuming that ‘Home’ link will appear on websites not in any desktop applications. I might be wrong.

In spite of my assumptions I would suggest if it is website having ‘home’ link then creating breadcrumb would serve the purpose of SEO and Usability of website.

3. Logout should be placed on top right hand side? What if it is on the top left hand side or in the left hand sidebar which is menu widget like “My Profile”, “Change Password” etc. – Is it a problem or what is your thought process?

As per my understanding most of websites has login and logout facility at right hand side on the top because most users hold mouse in right hand. It’s easy and convenient to keep these facilities at right hand side at top. It will be more visible and handy.

• I would say it’s usability issue if you keep log out (or log in) at left hand side in menu bar.
• Any window you close, you find that cross or close button at right hand side at top because of mouse design as per user’s convenience placed at right hand side.
• Keeping at right hand side at top would remind users to logout from highly secured applications like banks.

4. Current design of forgot password asks for username and security answer and then sends a link to e-mail inbox to set new password. How does “security answer” increase the cost of operations? Also, what questions do you frame for security questions?

I think many possibilities in which security questions would increase the cost of operations internally as well as from user side.

1. Users who forgets thing may not remember the security question or security answer. Because of this they may not get their account back and company may lose one user
2. When user is unable to recall his security answer then he needs further help to extra his password. It may increase company’s cost to assign someone to do this job.
3. When user asks for password then firing a query and extracting results would cost to company.

What security questions I would frame for security. First of all I am not in favour this functionality however below are my framed security questions

• What is your nick name?
• What is your first girlfriend / boyfriend’s name

I am unable to find more than this because criteria of framing security question is quite challenging. You need to make sure that hacker would not be able to crack these questions. Questions need to be very personal but memorable answers. Generic questions would get easily hacked by hackers.

5. If you had to design “Forgot Password” working, how would you do it and why? You are free to give different many functional designs.

I would keep it very simple. I would not user tricky security questions where it would be inconvenient for user to recall those details.

I would design a form in which text box for accepting an email id and action button (name ‘send link’)  and next page appears with a message and if user did not receive password reset link then resending the password link to email address.

I want user should not get irritated by asking security related questions. User might be anxious because he must be worried about his data or security of his account. He may not be in position to answer security questions or other extra stuff.

It is also easy to maintain at operation end. You don’t need to fire extra query to get those details.

6. There is neither account lockout policy nor captcha for the login or security answer forms; what kind of problems do you see with the current implementation and what do you propose?

• I think it’s highly vulnerable to security concerns & threat of spammers.
• Hackers can easily extract data from user’s account & data can be misused
• User might lose her account permanently
• Her account get loaded with spam messages
• User might lose valuable information like her credit card details, policy details or other account details

I would propose to have logout policy rather than Captcha or Security answer. Because system is not forcing user to think on some security answers which she might have forgotten or that catpcha which is takes few seconds or minute to enter the data. I think system should smartly handle logout functionality. It may be that if user is idle for more than 5 minutes then automatically logout from the system. Or when user closes browser without loggin out then system should logout from user’s account.

7. Well, it is about context and there are no best practices in general. What are your thoughts on usage of captcha? Where should they be used and why?

Captcha is used to protect sites from spammer & attackers. The captcha image or text is difficult to interpret to computers but human can easily read.

Practice is something that actually individual does. We call a practice best when you are sure the guaranteed results.

Using Captcha is good in particular context because it saves sites like webmails gmail or yahoo from injecting thousands of account data to break the system.

I think Captcha are vulnerable to attack. Human can easily break this security by gathering all available Captach database & put them in one code.

I will not call Captch as best practice, it is good practice to avoid spammers.

8. If you are the solution architect for a retail website which has to be developed; what kind of questions would you ask with respect to “Scalability” purpose with respect to “Technology” being used for the website?

Scalability is system ability to perform with increasing load of users & their transactions. System must be scalable with minimum cost of hardware or technologies.

I am being an architect for retail website, below questions I will ask:

1. What is hardware requirement?
2. What database is going to use? & Why?
3.  How much is the budget?
4. Is the technology latest?
5. Can we update new definition or patch if required to the technology?
6. Does this scalable solution adds any administrative or maintenance cost?
7. How much load is expected on system every day, every month & yearly?

9. How do you think “Deactivate Account” should work functionally keeping in mind about “Usability” & “Security” quality criteria?

With respect to Usability where user should able to easily use the system. It’s good feature to provide to user if she wants to deactivate her account then system have that option.

What if system does not provide deactivate account feature then user might get irritated & she thinks that it is violating the security because as I do not want to deactivate my account & system does not have that option. User might feel that she is deceived.

10. For every registration, there is an e-mail sent with activation link. Once this activation link is used account is activated and a “Welcome E-mail” is sent to the end-users e-mail inbox. Now, list down the test ideas which could result in spamming if specific tests are not done.

One of the test would be System should not allow duplicate email ids.

11. In what different ways can you use “Tamper Data” add-on from “Mozilla Firefox” web browser? If you have not used it till date then how about exploring it and using it; then you can share your experience here.

I almost spent 4 hours to learn the Tamper Data firefox plug in. I must conclude that it is great to tool to hack websites.

How I used Tamper Data? I experimented with ibibo.com website to try to change my password, I tamper that data & from plug in I submitted the changed information to server. I was extremely happy to see that from Tamper Data you can change the values which you want to send it to server.

I think online game websites are more vulnerable to such plug ins because easily game score or points can be changed.

Using this plug in, hacker can easily change information specially in public internet services if user forgets to logout.

I have not tried but it could be possible to alter information from cookies & send the changed information to get control over account

12. Application is being launched in a month from now and management has decided not to test for “Usability” or there are no testers in the team who can perform it and it is a web application. What is your take on this?

First of all I will insist them to do usability testing atleast for couple of days. However as you said that there are no testers in the team who can perform usability testing.

• If that is the case then I may call a expert to teach my test team some tips of usability.
• I may gather information of competitor’s web application, to convince management to take up usability testing.
• If they do not want to spend time & efforts then I may suggest for crowd source testing for atleast for 2 days
• There is other alternative way to testing the application too, that is in-house testing bug bash
• Or Beta release where end user would give feedback on web application

13. Share your experience wherein; the developer did not accept security vulnerability and you did great bug advocacy to prove that it is a bug and finally it was fixed. Even if it was not fixed then please let me know about what was the bug and how did you do bug advocacy without revealing the application / company details.

I have not got a chance to debate on Security related bugs however I had long day discussions on bug advocacy which help developers to fix those bugs. I learned working developer that

1. They are under high pressure
2. They are tired with monotonous bug fixing tasks
3. They do not want to see their baby is not in shape J

As a tester I used to have lot of discussion to prove that this is a bug. At times I have to involve other stakeholders in discussion. I worked in the project which was in red, so our company’s Vice president used to seat on same floor to monitor project’s progress with our client.

There cases where I have to hear that test team is raising false alarms & in other scenario my team used to receive appreciation for raising critical & complex bugs.

14. What do you have in your tester’s toolkit? Name at least 10 such tools or utilities. Please do not list like QTP, LoadRunner, SilkTest and such things. Something which you have discovered (Example: Process Explorer from SysInternals) on your own or from your colleague. If you can also share how you use it then it would be fantastic.

• Word document – recording & note purpose
• Notepad – recording purpose & note purpose
• Perl Clip by James Bach – helps me to get long strings with various combinations
• Mind Map by Free Mind – design my test, test plan & strategy
• qTrace by QASymphon- screen capturing tool
• BBFlash Player –to record my test
• Rapid Reporter – create session reports
• Software Testing books or non software testing books
• Mspaint – highlighting the bug screen & creating a .jpeg file
• My Brain – it’s most important tool required while testing 
• Google – helps me to search information
• Testing related Articles, blogs & contest
• Puzzles – helps me to produce test ideas
• Wikipedia – find required information
• Heuristics – helps me to find potential problems without any guarantee
• Log files – helps me to track every transactions in detail
• My emotions (frustrations & irritations emotions – helps me to decide usability of application, surprise – helps me to find more details on the features & redesign my test, monotonous- helps me to identify tests for automations)

15. Let us say there is a commenting feature for the blog post; there are 100 comments currently. How would you load / render every comment. Is it one by one or all 100 at once? Justify.

There are many ways to show comments in comment section. Definitely I will not show 1 comment at a time because clicking on ‘Next’ button is monotonous & generally reader will not like that blog anymore.

I think rendering comments 50 or 100 first then if there are more then use the HTML feature of ‘Load more’. If user is willing to see further then load next 50 or 100

Because loading 50 or 100 would help a user to glance comments if anything interesting she may read further.

16. Have you ever done check automation using open-source tools? How did you identify the checks and what value did you add by automating them? Explain.

I have not done so far. I tried doing with selenium however I have not learned fully.

17.  What kind of information do you gather before starting to test a software? (Example: Purpose of this application)

It depends on the context. It depends on when I receive the software to test.

1. First iteration

• What is the purpose of testing?
• How do I claim that this is bug? Do I have any authority documents?
• Do I have any similar kind of application?
• Which is most critical area of the application?
• Which is loosely coded area?
• Who are customers?
• What is purpose of this application? What is it trying to solve?
• What are hardware & software requirements?
• What is durations given to test?
• What are features testing trying to cover?
• How do a test team report the bug? Bug tracking tool
• Gather information on Company’s image in market
• What kind of data is required?
• Who are stakeholders?
• Who is my test team?
• Do I know test environment?
• Is there any training given to learn this application?
• What is the test approach?
• What is the test techniques used?
• What skills are required?
• I will find out if there is similar feature within the project
• Who are end users?
• What are the quality criteria?

2. Second or many times iterations

• I included all the above points with some additions
• I will find out bug history of the product
• I will review the bug fixes of previous cycle
• I compare previous release with latest to declare bugs in latest build
• I will have a look at bugs in bug tracking tool

3. Pre-production

• I included all the above points with some additions
• I will find out if any ‘help’ file is available

18. How do you achieve data coverage (Inputs coverage) for a specific form with text fields like mobile number, date of birth etc? There are so many character sets and how do you achieve the coverage? You could share your past experience. If not any then you can talk about how it could be done.

• I will study the limits given in requirement documents about input data for the form.
• I will create positive data inputs
• I will also create negative data inputs
• I will test with boundary values e.g. if it is allow to enter 0-9 digits then / and ; will be boundary because the ASCII code after 0 and 9 is / and ;
• If the keyboard is locked except some inputs like alphabets then I will enter special characters & digits and combinations of both