IBM Security Systems - India User Group
I have worked as a manual and automation tester. My experience involved working on multiple projects from varied domains. This enabled me to gain more knowledge and insights into the different QA processes and models followed by different teams depending upon their development cycles, for example Waterfall, Iterative, Rapid Application Development and Agile. Each project and its development life cycle has helped me analyze the real issues and how and where the real improvements can help irrespective of the development model.
Based on my experience I am going to write about one of the most effective processes, “Defect Analysis”. If done at the right time and with the right perspective, it enhances the team deliverables and eventually the product quality.
Challenges faced by the QA team
1. Quality of defects.
2. Lengthy defect cycle before closure.
3. Number of defects
4. Quality of code
5. Pressure on the team towards the end.
6. Lack of consistency in QA and development deliverables.
Proposal based on the experience
Historically, Defect Analysis is a process done after the release. A lot of metrics are derived from all the defects to evaluate the QA and development team performance.
The proposal is to do Defect Analysis during the QA cycle, to ensure ongoing quality improvement when it matters.
Project Phases for Defect Analysis
* Phase I - Initial project development. For agile projects we can say sprint 1 of QA
* Phase II - Integration testing stage
* Phase III - Regression cycle
Stakeholders in Defect Analysis
* QA lead
* QA Manager
* Development lead
* Project Manager.
Defect Analysis when done during the release helps -
* understand what is going on
* what can be expected
* what needs to be worked upon
The following sections will cover the phases mentioned above in more detail.
Phase-1 - Project development just started, made builds available to QA for testing.
We have to do things; if done right the first time itself, it saves a lot of trouble later for all of us.
A lot of defects at this point could be because of the following reasons:
1. No Unit testing done
2. Requirements not frozen or not clear between QA and Development team
Action
The Development Lead needs to act here. If the defects are valid, the lead should ensure:
* Code is Unit tested.
* Code reviews are done.
* Development team will catch as many defects at their end by self review.
If there are a lot of invalid defects, the QA team lead should ensure that there is a streamlined process that ensures that the QA team has access to the functional specification and is updated every time there is any change in design or functional requirement.
The QA Lead too should check that QA members are entering defects in the correct format. The least information that should go in a defect should be:
1. Clear, precise title
2. Steps to reproduce
3. Test data if any
4. Test environment details
6. Logs, snapshot, etc. to enable easy debugging.
7. Correct priority and severity.
Having all the information in the first go helps faster closure of the defect.
1. Testers should read all the defects being logged. [Defects logged by peers. This should be a daily activity.]
This ensures that the team members don't land verifying/debugging affected components and are also spared from logging duplicate defects. This saves time for both the QA team as well as the development team. Duplicate defects introduce time cost.
2. Try new scenarios around the affected area, before and after the fix, to catch more defects.
Result of action:-
By giving all possible information and symptoms, QA helps locate the problem and its location, which helps developers act faster. Moreover, QA's understanding of the internal workflows of the product gets clearer.
Phase II - Half way through Project development cycle.
Defect count is definitely going to be high at this time and that means everybody is in action.
This is the time when the Development Lead and QA Lead should ensure that timely action is taken on the defects. Usually Development Leads ensure that the blocker, critical and high severity defects are immediately resolved. The minor and normal defects may keep piling up. That increases the pressure on the team as the defect count increases towards the end of the release.
“Any strategy like target 2 minor, 2 normal defects per week to each developer ensures application cleanup and helps keep defect count low.”
The QA Lead should ensure that the QA team is not taking long to respond on defects waiting for any action from their side. The defects should be verified and closed as soon as possible. Immediate defect verification is important because it helps in the following scenarios:-
* If the defect is to be reopened, the developer who worked on it has all the thoughts fresh in his mind. Reopening the defect after a long duration is time consuming for the developer to resolve it again.
* General testing around the fix ensures that the fix has not broken anything new.
* QA metrics on response look great!!
Confirm that every defect has an associated test case; this is to help the QA team working on the next version of the product. In case of tight schedules a test case with a brief title should be written. The detailed test cases can be taken up after release.
Result of action:-
1. Defect count continues to be manageable.
Phase III - Thrashing, Regression testing
Any Severity 1 defect at this time indicates need of more testing.
* This is a sign of more defects in hiding. We need to catch them all.
* After a fix, to confirm that the defect and all related subroutines are working as expected and no new defect has been introduced.
Ensure faster closure, pull in free developers to regress bugs and positive test cases.
Thumb rule - Any defect analysis done post release will not be as effective as done before release.
Being proactive and being on top of the problem from the start helps both QA and development teams deliver quality products.
Next Steps and Recommendations
* All projects following Agile processes should make defect analysis a mandatory activity along with their other sprint exit activities.
* Performance and security defects generally crop up towards the end; however, if the code review checklist includes evaluation of code for these two factors as well, it would be like icing on the cake.
* Project Lead should continuously monitor defects to track trends and confirm that team strategies are in-line.
IBM is holding its annual Software Universe Event in Mumbai on 19th and 20th October 2011. This event is attended by industry and technology leaders from India. IBM, on its side, is lining up some of its best speakers and innovators.
IBM Strategy and security framework to deal with these concerns is summarized in the below image.
Key deliverables from Tivoli for IBM Security Solutions are categorized as (1) IAM and Compliance products and (2) Data Center and Operation Security products.
IBM has offerings such as TIM, TDS and PIM in the Identity family.
There are products such as TAM, TFIM, etc. in the Access family, and TSIEM in the compliance family.
IBM offers products in network intrusion prevention and security server protection, among many others.
IBM also offers an extensive and proven portfolio of market leading software, consultancy and services to help clients with cloud security.
The company has gathered extensive inputs from the customers and has come out with the key themes that are driving its security roadmap:
Participants can look forward to a more elaborate discussion on these important offerings from IBM from the speakers and presenters in Software Universe.
- Alok Jain
I found this diagram an easy way to explain what additional security challenges cloud introduces to an organization. What is so different about it?
To me, it is important to understand the holistic picture before one deep dives into the specifics of cloud security. The IBM security framework has helped in achieving this understanding by explaining a host of security requirements in a cloud computing environment.
In my first blog on this topic, I would like to start with this perspective in a simple and understandable overview. To continue this chain one can comment with a specific solution in each of these areas.
Security Governance, Risk Management and Compliance
In a cloud scenario, it is critical and important to demonstrate the laws of the land and ensure data are stored and accessed within regulatory constraints, and that encryption is applied to the data as permitted by country/jurisdiction.
Since public clouds are by definition a black box to the subscriber, potential cloud subscribers need to demonstrate regulatory compliance to the change, image, and incident management, as well as incident reporting for tenants and tenant-specific log and audit data. In addition, providers sometimes are required to support third-party audits, and their clients can be directed to support e-Discovery and forensic investigations when a breach is suspected.
People and Identity
Cloud environments usually support a large and diverse community of users. In addition, clouds introduce a new tier of privileged users: administrators working for the cloud provider. Privileged-user monitoring, including logging activities, becomes an important requirement.
How do you control passwords and access tokens in the cloud?
Data and Information
Typical concerns include the way in which data is stored and accessed, compliance and audit requirements, and business issues involving the cost of data breaches. All sensitive or regulated data needs to be properly segregated on the cloud storage infrastructure, including archived data. Increased control over the data is needed, especially for privileged users administering the cloud environment.
Encrypting and managing encryption keys of data in transit to the cloud or data at rest in the service provider's data center is critical to protecting data privacy and complying with compliance and regulatory mandates. The encryption of mobile media and the ability to securely share those encryption keys between the cloud service provider and consumer is an important and often overlooked need. It is critical that the data is encrypted and only the cloud provider and consumer have access to the encryption keys.
Application and Process
Typical application security requirements are carried over to the images that host those applications. In addition, cloud users demand support for image provenance and for licensing and usage control. Suspension and destruction of images must be performed carefully, ensuring that sensitive data contained in those images is not exposed.
Organizations need to ensure that the Web services they publish into the cloud are secure, compliant, and meet their business policies.
Network, Server and End point
In the shared cloud environment, subscribers need to ensure that all tenant domains are properly isolated and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones. As data moves further from the client's control, they expect capabilities like Intrusion Detection and Prevention systems to be built into the environment.
Protecting the hypervisor, which interacts with and manages multiple environments in the cloud, is very critical and important, the hypervisor being a potential target to gain access to more systems and hosted images.
The cloud's infrastructure, including servers, routers, storage devices, power supplies, and other components that support operations, should be physically secure. Safeguards include the adequate control and monitoring of physical access using biometric access control measures and closed circuit television (CCTV) monitoring.
Further details can be extracted from the IBM Redbook and white paper.
To solve all the difficult problems you have to start somewhere.
Join the community Managing Tivoli - HA & Monitoring to share your thoughts, problems and experiences with managing Tivoli products.
When the invite mail for the 'Develothon 2010' had hit my mailbox, that very moment I decided - I just cannot afford to miss this eminent event. Because the experience I had at the 'developerWorks Unconference' at Hotel Orchid, Mumbai on Dec 11, 2009 compelled me to attend this event as well (Add on: I had won the "Best speaker" trophy there :)). But, as usual, I was hard at work and I did not realise until a day before this event. And then I thought to give it a whirl. To my surprise, I got a consent mail around 11.45 pm. Phew! What next? I started scribbling with the presentation around midnight and finally came up with its finished version around 2 hours later. Now, my clock warned me that I had just a few hours to take rest before I reach the venue. But, honestly, I was so turned on to attend this event that I was unperturbed.
When I reached the venue, I met Bharathi Muthu, IBM developerWorks Manager, who greeted me with a big smile. Trust me, this enthusiastic lady creates a special aura. I was so impressed and glad to meet her. She questioned me, "Ankita, you presenting again?" Oh my God! My brain started interpreting in less than a moment whether she did not want me to present but she meant that she was scared whether I will grab the 2nd trophy for the unconference. LOL
Next then, as envisioned, the event was just exemplary. The agenda for the day was "Information Management". It was a learning day because the speakers there were all my peers but we hardly stepped ahead and shared expertise on those topics since I come from the security and identity management domain. So, this event gave a chance to get acquainted with a next door domain and technology, that's IM and Cognos.
And then came the last 1 hour of 'Unconference'. I am sure the name must have baffled you as it did me, but Bharathi clarified: "Unconference is a conference with no specific agenda. Just come up with any topic which holds the attention of the audience".
When the audience was asked to vote on the order of the presentations they would like to hear, I was astonished to see that I got the least votes :( But then I decided that maybe the audience is unaware of the topic I am sharing and yes, it's the right thing to share with them. That motivated me to hold on. Finally came my turn to share the presentation on "Federated repository in Websphere Application Server". I gave a 10 mins presentation and shared my experience as a developer and also as an end user for this product. I am sure I must have appeared as if I was the product advocate :). But yeah, it was good to hear from other IBMers as well as customers and it was an amazing experience which I carried away while leaving the place. Oops, forgot to mention the most important thing. The results. It was an open voting scheme where the audience voted for all speakers and guess what, I got the "Best Speaker" trophy again! :) Yeppie, it was the 2nd developerWorks unconference trophy which I got back home :):) What more can I expect!
I am looking forward to more such unconferences in future (You guessed it right.. to grab the trophies again :) ) because they provide a platform to share on diversified technologies with customers and also get to know from them how they are using our as well as other products and technologies. To summarise, 'Develothon 2010' was a very well organised event which itself speaks of the best efforts put in by the developerWorks team. It was a job well done! I really appreciate it.
Vivek C Agarwal
Just a beginning - mDW (This video is hosted at https://download.boulder.ibm.com/ibmdl/pub/software/dw/ibm/mydw_demo/mydw_demo.html and gives a very good overview on creating profiles on mDW. 5 min video with sufficient information to get started....)
My developerWorks: Helping the World Work Smarter
(This video is hosted at http://www.youtube.com/watch?v=GsSjXiQCF-k&feature=player_embedded and gives a very good overview on how mDW helps us to work better in a Smarter World community. 5 min video with sufficient information you may love to watch....)
Vivek C Agarwal
Cloud of Videos - Place all video links below... Remembering is easier if you show me..........
1. Cloud Computing Explained - Cloud computing video at youtube
2. Cloud Computing Plain and Simple - Plain and Simple
Cloud of Presentations - Place all presentation links here... Learning becomes easier when you read something....
1. Cloud_Computing.ppt : Tivoli India -> Files -> Cloud_Computing.ppt
Cloud of Case studies - Place holder for case studies... Experiences many a times influence more....
Cloud of your own thoughts -
Cloud of other References -
Cloud of ... - Feel free to add more