Test Strategies and the Importance of Security: An Interview with Randy Rice

[interview]
Summary:
In this interview, Randy Rice, a leading author, speaker, and consultant in software testing and software quality, details the importance of being able to articulate your test strategy. He also explains why you need to have security at the top of your mind when dealing with software.

Jennifer Bonine: All right, we are back with our final interview of STAREAST. It's hard to believe we're already at the end, right?

Randy Rice: Incredible.

Jennifer Bonine: I know, Randy. Where does the time go?

Randy Rice: Cincinnati.

Jennifer Bonine: Right.

Randy Rice: Yeah.

Jennifer Bonine: Yeah. That's where it goes. Now we know. The time goes to Cincinnati. See?

Randy Rice: That's right.

Jennifer Bonine: Thank you. I've learned so much today. Hopefully our virtual audience has as well. But I'm here with Randy Rice, who you all probably, maybe already know Randy and who he is. We should shout out to your wife, Randy, just in case she's watching.

Randy Rice: Yeah. Hey, Janet.

Jennifer Bonine: Yeah. He's here. He really is here, just so you know. He's at the conference.

Randy Rice: Yep. Yep.

Jennifer Bonine: Good to know.

Randy Rice: Rolling alibi, right?

Jennifer Bonine: Right. Right? We're all just a big show for you. Yep. No, he's here. He's gonna be our closer, so you're the closing keynote as well, Randy.

Randy Rice: That's right. The pressure's on.

Jennifer Bonine: I know. It's got to be good. You're the last thing they all remember.

Randy Rice: That's scary.

Jennifer Bonine: Right?

Randy Rice: Yeah, it really is.

Jennifer Bonine: It's a good spot, though. What are you gonna talk to them about?

Randy Rice: Well, I'm going to talk about test strategies.

Jennifer Bonine: Okay.

Randy Rice: It's kind of a confused topic, because a lot of people sometimes have a little bit of trouble distinguishing between the strategy and a tactic.

Jennifer Bonine: Yeah.

Randy Rice: It's really, really important, though, because everything we do really flows from the strategies that we have. Not that you have it on paper necessarily, or anything, but that you at least can articulate it.

Jennifer Bonine: Right.

Randy Rice: It affects how you look at testing, what your objectives are. Most importantly, it defines why you're doing what you're doing. It doesn't make much sense to design a really great test for the wrong thing, right?

Jennifer Bonine: Right. Right. Yeah.

Randy Rice: That's kind of where we're gonna be going. I'm gonna tell a few stories along the way. One case study to end up with, about how we had several resets, actually, of test design before we were able to nuke the system.

Jennifer Bonine: Wow. It's okay. Sometimes you do have to do that, right?

Randy Rice: Absolutely.

Jennifer Bonine: You have to go back and iterate on it, and figure out the why, and the why can change, sometimes, of what we're trying to do here.

Randy Rice: Yes. Very common.

Jennifer Bonine: Yeah. So that's great. You guys are gonna hear about that. Those folks that are watching will get the full keynote after this. Let's talk about a few other things that people may think are hot topics this week. What day did you get here, Randy?

Randy Rice: I got in Tuesday evening. I've just really been here Wednesday and today.

Jennifer Bonine: And today. Okay.

Randy Rice: Yeah. Yeah.

Jennifer Bonine: So great. Did you have other sessions this week? This is a big moment.

Randy Rice: It's a weird feeling, you know.

Jennifer Bonine: Yeah.

Randy Rice: Usually I have all my stuff over and done with by Tuesday or Wednesday. Now this is just kind of hanging out there. Yeah.

Jennifer Bonine: Lingering.

Randy Rice: It's like the ninth inning, you know.

Jennifer Bonine: Right? Just lingering, waiting for it to happen. We're excited to see that, and it'll be neat to see that. You also talk about topics like cyber security, I heard.

Randy Rice: Right. Right. That's been an area I've been getting a lot more involved with, even though I've been teaching on it since, like, 2001. And of course the landscape has changed dramatically.

Jennifer Bonine: Right.

Randy Rice: And you know how it is when you try to explain to family and friends what it is you do as a tester.

Jennifer Bonine: Right.

Randy Rice: You know, you say software tester. They go, "Who? What?" So now I say, "Well, I'm kind of a hacker, actually."

Jennifer Bonine: Right?

Randy Rice: They say, "Well, I don't want to tell you my user name or anything." I say, "Don't worry. I can find it out."

Jennifer Bonine: Right. "I don't need you to tell me."

Randy Rice: You don't have to tell me.

Jennifer Bonine: Right. That's the beauty of hacking. It was interesting. I heard someone explain to me once about security, just in general, and how we used to think about security. I'd love your analogy for it. This made so much sense to me, and where we've changed as a world is just, like, you know, in olden days. Right? You'd have a castle, and the castle would have, you know, stone walls to keep people out. And then you'd have a moat, right, so they couldn't get through the moat. You may put some scary alligators or other animals in there to keep people out.

Randy Rice: Right.

Jennifer Bonine: If they get in, they'll get eaten. And then the drawbridge with the big doors, so people can't get in. Right? That was how we used to secure was, all these external things. Firewalls, all this stuff on the outside our organizations have to keep all the bad guys from getting in. And then, what people said is, what happened was, the bad guys are already in. We don't know who they are.

Randy Rice: Right.

Jennifer Bonine: But they're in. It's not a matter of if they're gonna attack, it's when, and how is that gonna look when it happens? How do we deal with it?

Randy Rice: That's true. That's true. It even gets worse than that, because the people who live in the castle now are more than willing to open up the doors to anybody that wants to get in.

Jennifer Bonine: Yeah.

Randy Rice: Clicking on those unknown links, picking up a USB stick they find on the floor and putting it in their computer. I mean, there's all kind of ways that a criminal attacker can get in. I use the analogy, it's like buying this really fancy alarm system for your home. In fact, there was an episode of Seinfeld like this. He buys this super-duper lock, and Kramer forgets to lock it. His apartment gets broken into, well ...

Jennifer Bonine: Right.

Randy Rice: Who would buy a really fancy alarm system, monitoring, all that, and never check to see if the alarm sounds? That's where a lot of companies are. They have all the technology.

Jennifer Bonine: Yeah.

Randy Rice: Sometimes the people have been trained, but none of it has ever been tested in probably, I would say, about 80 percent of the cases.

Jennifer Bonine: Yeah. It's that false sense of security. Right?

Randy Rice: Yeah.

Jennifer Bonine: So we're like, "Ooh. I have all the fancy stuff, and the alarm system and stuff, but I've never actually checked that it's actually working and will help me."

Randy Rice: Right.

Jennifer Bonine: I'm lulled into this false sense of security, and that's especially what people like that are trying to get in, is that you do some of these things you're talking about, like click on the links, or the USB drives. They get really smart. I've seen really sophisticated emails now that they send that trick you. Even people who are IT can trick you to open up the stuff, going, "Oh, I've put a link to something that's a Dropbox thing that you need to get."

Randy Rice: Right.

Jennifer Bonine: It sounds like a normal name, like someone you might know. You're like, "Ooh, I better click on it." 'Cause we're all moving so quickly, right, to get work done, and we make mistakes.

Randy Rice: That's true, and the spearfishing attacks, you know, very targeted.

Jennifer Bonine: Yeah.

Randy Rice: And so, one of the things that I'm really trying to do is to build this awareness, not only within the testing community, but more importantly, even within the cyber community, because people say, "Oh, it's been pen tested," or "We've done this or that." There's a big role for software testers here.

Jennifer Bonine: Yes.

Randy Rice: Even though you may not think of yourself as a security tester or hacker, you have so many opportunities as a tester, to find ... There are so many deficiencies. Even in code reviews.

Jennifer Bonine: Yep. Absolutely.

Randy Rice: There are just tons of things.

Jennifer Bonine: And that awareness, right? Your point, awareness. I talk about that, too. I talk a lot about internet of things and the next-gen technologies. It used to be testers would be like, "Oh, well we have a CSO. We have a chief security officer. It's their job." Right?

Randy Rice: Right. Right.

Jennifer Bonine: They have this team of people, and those guys take care of it. It's like, we have to get away from that, just like we're all collaborating, working together as a team. Security is all of our problems.

Randy Rice: It absolutely is.

Jennifer Bonine: You know, it's not just this group that sits over here that takes care of it. I think you're absolutely right that, you know, testers need to become educated.

Randy Rice: Right. I mean, even the physical security. Things laying around. You know, people wandering around the facility. Some of the most elaborate attacks, or actually some of the simplest ones at the same time, there's a degree of surveillance that has to occur.

Jennifer Bonine: Right.

Randy Rice: People will stake out an organization to see who comes and goes. They get little pieces of information, assemble it together. I'm gonna say, the typical functional tester, as if there is such a thing—you know what I mean.

Jennifer Bonine: Yeah.

Randy Rice: We mess with test cases. We design tests. We can still pick up on things, that no one else would ever pick up on.

Jennifer Bonine: Yeah. I heard that here this week at the conference. It was one of the automation architects and testers said, you know, he noticed ... It was a group of people, like, seven people sitting at a table. All of a sudden, one person just almost tipped their glass over, right, with a beverage in it that would have fallen on the other people, but he quickly grabbed it, you know, so that he thought no one else had noticed. One of the testers goes, "Oh. I caught that. I catch all those little things." Right? That no one catches.

Randy Rice: Yes.

Jennifer Bonine: That's the nature of testers. Right? They catch these little things. Putting into your conscious, the awareness of, catching those little things ...

Randy Rice: That's right.

Jennifer Bonine: You'll look for the stuff that's out of the norm, or the things laying around, and be cautious and conscientious about those things is important.

Randy Rice: It's very important. Very important.

Jennifer Bonine: Yeah, to do those types of things. If someone's out there and says, "You know, I'm a software tester. I really did think it was someone else's job to do the security thing. We have these tools and they run these tests, and then they give us reports. How do I go about getting some information on, just creating my own awareness of, how to get educated on security?"

Randy Rice: Well, there's several avenues. One of the things ... We've developed an advanced syllabus for the ISTQB. I was the leader of that team for advanced security testing. You can download it freely from the ASTQB website. A lot of what we based our work on there was from the National Institute of Standards and Technology. They have an amazing amount of information that you can download, a complete risk assessment methodology. You can also ... There are other websites, if you just do a search for common weaknesses and vulnerabilities in software. There's about 1,500 of 'em, just to begin with. That's not probably the place to necessarily start, but there's a lot of resources, and OWASP, owasp.org. The Open Web Application Security Project is an excellent resource as well. You know, if someone just downloaded that syllabus, we actually designed that to be something that people could take and use.

Jennifer Bonine: Yeah.

Randy Rice: Whether you take the exam or not, you're going to see a holistic view of security testing.

Jennifer Bonine: Wow. That's amazing.

Randy Rice: Not just penetration testing, even though that's important. Not just controls testing. You're gonna see what testing can actually contribute into the lifecycle from security.

Jennifer Bonine: Wow. A great reference and resource for folks out there, ASTQB. It's the advanced security course. You can download.

Randy Rice: Right. Get the syllabus for free.

Jennifer Bonine: That's amazing. For free.

Randy Rice: Yeah.

Jennifer Bonine: I think that's a call for all of you out there. At least download it, right?

Randy Rice: Right.

Jennifer Bonine: Get aware. Get some information. Get educated. That's a good place to start with security testing. We don't want to keep you from your keynote, 'cause you're gonna have ... I see people streaming in, getting ready to listen to you close it out for them, so ...

Randy Rice: Yeah. I think some of them have some rotten tomatoes in their hands. That's kind of concerning, too. We'll see.

Jennifer Bonine: Thanks, Randy, for being here with us. As always, it's a pleasure to get an opportunity to talk with you and have you here. If people are interested, want to get in touch with you, ask you more questions I maybe didn't ask, how can they find you?

Randy Rice: Riceconsulting.com.

Jennifer Bonine: Perfect.

Randy Rice: One of the easiest URLs out there. I love to talk with people over the phone, answer questions. Answer questions by email. Just visit my website and there's all kind of articles ...

Jennifer Bonine: Great.

Randy Rice: ... all kinds of stuff out there, so ...

Jennifer Bonine: Perfect. Riceconsulting.com. Randy, they will see you in just a minute. Everyone hang on and you'll get more of Randy in a bit here, in the closing keynote. Thanks to all of you for tuning in and watching all the interviews. We've had fun again. We'll see you at STARWEST. Thanks, everyone.

Randy Rice: Thank you, Jennifer.

Jennifer Bonine: Thanks, Randy.

Randy RiceRandall (Randy) Rice is a leading author, speaker, and consultant in software testing and software quality. With more than thirty-eight years of experience building and testing software projects, Randy has authored more than sixty training courses in software testing and software engineering. He is coauthor (with William E. Perry) of Surviving the Top Ten Challenges of Software Testing and Testing Dirty Systems. In 1990 Randy founded Rice Consulting Services where he trains, mentors, and consults with testers and test managers worldwide regarding complex testing problems in critical applications. Randy is on the board of the American Software Testing Qualifications Board (ASTQB). Find more information at riceconsulting.com and on Randy’s blog.

About the author

Upcoming Events

Apr 27
Jun 08
Sep 21