Testing in a Brave New World: The Importance of Data Masking

As testers today, we face a brave new world. Our conundrum, providing effective testing with less time, is more difficult that it has ever been. Challenges from disruptive technologies such as cloud, mobile devices and big data have taken testing to a whole new level of complexity. At the same time, we are also challenged with the “need for speed” as agile methodologies evolve into continuous delivery and continuous deployment. We can engage in only so much risk-based testing, so often, we are tempted to use production data to speed up the test process. Ironically, those very same technologies make this practice increasingly more dangerous. So what gives?

If production data is also privacy-protected data, our use of it in testing may be illegal. At the very least, it opens up the data for compromise.

Testers must collaborate with security professionals to develop a test data privacy approach which is usually based on data masking. Data masking involves changing or obfuscating personal and non-public information. Data masking does not prevent access to the data; it only makes private data unrecognizable. Data masking can be accomplished by several methods depending upon the complexity required. These range from simply blanking out the data to replacing it with more generic data to using algorithms to scramble the data. The challenge of data masking is that the data not only has to be unrecognizable, but also still useful for testing.

There are two main types of data masking – static and dynamic. The usual approach is static data masking where the data is masked prior to loading into the test environment. In this approach, a new database is created (which is especially important when testing is outsourced). However, the database may not contain the same data or data in the same states as the actual database, issues which are very important in testing.

Dynamic data masking where production data is masked in real time as users request the data. The main advantage of this approach is that even users who are authorized to access the production database never see the private or non-public data. Furthermore, dynamic data masking can be user role specific; what data is masked depends upon the entitlements of the user who is requesting the data.

Automated software tools are required to mask data efficiently and effectively. When evaluating data masking tools, it is important to consider the following attributes. Most important, the tool should mask the data so that it cannot be reversed and is realistic enough for testing. Ideally, the tool should provide both static and dynamic data masking functionality and possibly, data redaction, a technique that is used for data masking in PDFs , spreadsheets and documents. Also, the tool should mask data for distributed platforms including cloud. Here is a brief look at a variety of the vendors in this arena. As with any tool evaluation, organizations must consider their own specific needs when choosing a vendor.

According to Gartner’s Magic Quadrant, IBM, Oracle and Infomatica are the market leaders in data masking for privacy purposes. All offer both static and dynamic data masking as well as data redaction. IBM offers integration with its Rational Suite. Oracle offers an API tool for data redaction and provides templates for Oracle eBusiness Suite and Oracle Fusion. Both IBM and Oracle products are priced relatively high as compared to other vendors.

Infomatica offers data redaction for many types of files and is a top player in dynamic data masking for big data. It offers Dynamic Data Masking for Hadoop, Cloudera, Hortonworks and MapR. Infomatica’s product is integrated with PowerCenter and its Application Information Lifecycle Management (ILM) which makes it a good choice of organizations who use those products.

Mentis offers a suite of products for static and dynamic data masking and data redaction as well as data access monitoring and data intrusion prevention at a reasonable cost. One of the most exciting features of these products is usability; not only are there are templates available for several vendor packages including Oracle eBusiness and Peoplesoft, but also the user interface is designed for use by the business as well as IT. Mentis was rated as a “challenger” by Gartner in 2013.

One of the least expensive products on the market, Net 2000 offers usability as its main feature. Net 2000 provides only static data masking for Oracle and SQL servers. It is rated as a “Niche” player by Gartner in 2013. This tool is a good choice for a small organization with a simple environment.

Data privacy is one of the most important issues facing test managers and testers today. Private and non-public data must not be compromised during testing; therefore, an understanding of data masking methodologies, approaches and tools is critical to effective testing and test management.

Agile Teams: When Collaboration becomes Groupthink

Does your agile team overestimate its velocity and capacity? Is the team consistently in agreement, with little debate or discussion during daily standups, iteration planning or review meetings? Is silence perceived as acceptance? If so, the collaboration that you believed you had may have become groupthink, and that could be a bad thing for the team, and for the project as a whole. Some aspects of the agile team that are meant to foster collaboration including self-organization and physical insulation may also set the stage for groupthink.
Groupthink is a group dynamics concept developed by Irving Janus in 1971. Janus described it as the tendency of some groups to try to minimize conflict and reach consensus without sufficiently testing, analyzing, and evaluating their ideas. Janus’s research suggested that the development of a group’s norms tends to place limits around the independent and creative thinking of the group members. As a result, group analysis may be biased leading to poor decisions.
Groupthink begins in the storming phase of group development as team members vie for leadership roles and team values are established. Symptoms of groupthink that are especially noticeable in agile teams include illusion of invulnerability which may show in unrealistic time estimates and collective rationalization and self-censorship during meetings and team discussions. Stereotyped views of out-groups may show in groups where testing or usability professionals’ views are not valued.

Dealing with Groupthink
One way to mitigate groupthink is by using an approach known as Container Difference and Exchange or CDE. The agile team is a perfect example of a specialized task group. In group dynamics theory, a task group comes together for the purpose of accomplishing a narrow range of goals within a short period of time. Agile teams have the additional aspect of self-organization which is both beneficial and challenging for both the team and its managers.
Since the agile self-organized teams are cohesive units usually physically insulated from the mainstream, they learn agile processes, learn to work together and work to accomplish their sprint goals all at the same time. As much as an agile team is managed by servant leadership, leaders emerge with different personalities, leadership styles and types of influence. All these factors set the stage for Groupthink and can be managed using Container Differences Exchange theory.
Self-organizing agile teams can manage by specifically asking each member of the team to be a critical evaluator and find reasons why a decision is not a good idea or appointing a “devil’s advocate” and discussing decisions with stakeholders outside the team. However, managers need a way to subtly influence agile team dynamics and that tool can be CDE.
Glenda Eoyang developed the CDE theory from her research on organizational behavior. CDE, or Container Difference and Exchange, are factors that influence how a team self-organizes, thinks and acts as a group. The container is creates the bounds which the system forms. For the agile team this is the physically collocated space. The difference is the ways which the team deals with the divergent backgrounds of its individual members; the various technical backgrounds and specializations of the developers. The exchange is how the group interacts among itself and with its stakeholders.
Managers can influence group dynamics by changing one or more of the factors. For example, a manager can change difference factor by adding a team member with a different point of view or personality or the exchange factor can be changed by increasing or decreasing the budget for the sprint.
It’s easy for collaboration to become groupthink in close-knit agile teams. However, both team members and managers can recognize the symptoms, and use team dynamics theory to make adjustments guide the teams back to high performance.

Testing the Internet of Things: The Human Experience of a Watch, a Chip and the Boston Marathon

Mobile and embedded devices, more than any other technology, are an integral part of our lives and have the potential to become a part of us. This generation of mobile and embedded devices interacts with us, not just awaits our keystrokes. They operate in response to our voice, our touch, and the motion of our bodies.

Since all of these devices actually function with us, testing how the human experiences these devices becomes imperative. If we do not test the human interaction, our assessments and judgments of quality will be lacking some of the most important information needed to determine whether or not the device is ready to ship.

“Human experience” testing, or lack thereof, can lead to redesign of software, and sometimes, of the device itself. So what is testing the “human experience”? Although initially, usability comes to mind, human experience testing goes much deeper. Usability testing focuses the ways in which users accomplish tasks through the application under test.

Then the question becomes just how does “human experience” testing differ from usability testing? The answer lies in the scope, depth and approach.

“Human experience” testing focuses on the actual interaction. It involves not only the look and feel and ease of use, but also our emotional, physical and sensory reactions, our biases and our mindsets. It involves testing in the “real world” of the user; when, where and how the user and the device will function together.

Why is “human experience” testing so important to mobile and embedded devices?
Because when a mobile device is physically attached to us and works with us and through us, the more important the results of the interaction or collaboration becomes to us emotionally and physically. .

In conclusion, I’ll share a very personal example. It is a tale of two mobile devices attached to one woman, a marathon runner.

Join me on the starting line of the 115th running of the Boston Marathon, April 18th 2011. I’m standing in my corral, excitedly anticipating the sound of the starting gun. Last year, I surprised myself by qualifying for Boston, only 10% of runners do, and I’m hoping for another qualifying run.
I have pinned on my bib carefully keeping it flat as it contains the chip that will record my race for the Boston Athletic Association. The chip will record my time as I run over mats at various miles in the race. My current time, location on the course and my anticipated finish time will appear on the BAA website and will be texted to my friend’s and family’s smartphones so they can track my progress during the run.

I click on my Garmin watch and anxiously await it’s catching the satellite to start the GPS. It’s ready and the gun goes off. I’m careful to click the start button at the exact moment I step over the starting line to ensure a correct timing. As I run along during the early miles, I check my watch for the pace, to validate that I’m running the speed I’ll need to qualify. As I push myself up Heartbreak Hill at mile 20, I check my heart rate monitor for feedback confirming that I can continue to run my current pace or that I can continue at all. It reassures me that as exhausted as I feel, I’m doing fine.

As I look at the elapsed time on my watch, I confirm that I’m on pace to reach my goal of another qualifying run. As I turn left on Boylston and the finish line is in sight, look at my watch to see that, not only a qualifying run, but also personal record, is in reach! I dig in and give it everything I have left. As I cross the finish line, physically totally spent but emotionally charged, I click my watch off and I see it… My qualifying time and my personal record! The feeling of accomplishment and elation is beyond description!

Now I’m in the car, riding home, just basking in my own glory. My cell phone rings and a friend asks my gently what happened. I hear concern in his voice and wonder why as I tell him about the best run of my entire life. And then he tells me, “Your run isn’t on the BAA website”. My elation immediately turns to grief. The chip, the timing device embedded in my bib, had failed to track my run. The only record of my qualifying run and my personal record is held within my watch. At that moment my watch becomes a part of me. As one runner once said, “the pain is temporary, but the time lasts forever”. And now my Garmin holds the only record of my accomplishment. What if it didn’t save?

Immediately upon arriving home, I go directly to my laptop and download my watch. My heart is literally in my mouth as I wait for the time to come up on the screen, documenting my time forever. And there it is, 3:51:58! My qualifying run and personal record are mine forever. And I will be on the starting line in Hopkinton for the 116th running of the Boston Marathon next year due to the collaboration among my body, my mind my emotions and my watch.

The lesson is that devices that interact intimately with the user require a different type of testing than other types of embedded systems. The closer a device is to the human user, the more it requires human testing; it requires testing the interaction between the device and users’ actions, senses and emotions.

The Challenge of Change

Is your organization becoming Agile?  Is your organization merging or outsourcing?  Are you wondering how, where or even if you will fit?  Are you feeling a loss of control over your work life?  If there is only one guarantee in the world of information technology, or in any work environment, it is change.  Let’s face it; life itself is a series of changes.

So how do we deal with change?  We can take the “ostrich approach”, burying our heads in the sand, pretending that it isn’t happening, or we can face it and embrace it.  We all know and accept that change is hard.  But have we ever thought about why change is so hard?  A colleague of mine expressed it very well yesterday when he said it’s the fear of the unknown.  What you don’t know, you can’t control. 

So the question becomes how do we deal with uncertainty?  We can start by examining our mindset or our attitudes and habits toward to succeeding when there is uncertainty.  In her book “Mindset The New Psychology of Success”, Carol Dweck, PhD. defines two mindsets, fixed and growth.  Those who have a fixed mindset feel that their success or lack thereof, is a result of basic personality traits that cannot be changed.  Those who have a growth mindset believe that success is the result of hard work and see failure as an opportunity to learn.    The good news here is that mindsets can be changed.  Therefore we can start to deal with change and uncertainty by evaluating our mindset and changing our approach toward it.

We can begin by taking control of what we can control.   For example, if your organization becomes Agile, why not learn everything you possibly can about Agile development.  In the process you have a great chance of discovering where and how you will fit.  If your organization is downsizing, merging or outsoucing, yes, you may get laid off and yes, you have absolutely no control over whether or not that happens.  However, you can update your resume, start networking in your field, test the waters by applying and interviewing for positions in your field.  And in doing those things, you will feel a sense of control.  I know; I did it.

In Spencer Johnson, M.D., 1990’s book “Who Moved My Cheese?,” it was Haw who adopted the growth mindset. He followed the example of the mice, Sniff and Scurry, who saw change coming and took early action. He put on his running shoes and headed into the maze to find new sources of cheese.  Hem remained in the fixed mindset.

We can alleviate the fear of the unknown.  First we must willingly embrace the growth mindset, approach change as an opportunity to learn.  Second, we must be willing take the actions necessary to control what we can control within the change.  As “Humorista” Christine Cashen puts in “The Good Stuff Quipes and Tips on Life, Love, Work and Happiness,” we need to “BOOGIE” or Be Outstanding Or Get Involved Elsewhere.”

When you find yourself standing at the edge of a cliff looking into the water below, you may not have the choice to jump or not, but you sure can be ready, willing and able to swim!

AGILE…Methodology or Mindset?

Agile is a mindset; it is an established set of attitudes and habits about how to succeed at getting work done.  Wow, what a concept!  At a recent Agile New England meeting, Ahmed Sidky, PH.D applied the mindset research of Carol Dweck PH.D to agile transformations.   He defines the “Agile Mindset” as a growth mindset; an approach to managing uncertainty by learning as much as possible in the most efficient way possible.

As organizations adopt agile, they may begin by doing agile, following the practices as in Shu.  They may move on to Ha and break the rules, beginning to adapt agile methodologies and practices to their own needs.  However, Dr. Sidky argues that true agile exists in Ri.  An organization only becomes agile when it collectively internalizes the mindset, the four agile values and twelve guiding principles and then chooses the right the practices and methodologies that meet the needs of the individual situations. 

I think the “agile mindset” has lots of practical applications in many areas of software development.  Whether or not an organization is attempting an “agile transformation”, encouraging an agile mindset can only improve the software development process, no matter what methodology and tool set is used.  For example, if we encourage developers to ask for feedback early from testers and business analysts, we begin to build a culture of collaboration.  When we encourage testers to perform exploratory testing and to submit what they see as bugs even though these observations are not strictly deviations from specifications, we are encouraging continuous learning. 

When an organization builds an “agile mindset”, it has developed a foundation for commitment not only for an agile transformation but also for other types of organizational change, whether these changes involve reorganizations, geographically distributed teams or even mergers and acquisitions. 

Just as agile development practices have dramatically improved the speed and quality of software development, I think the “agile mindset” has the potential make the same dramatic impact on organizational change management.

Join Me at QA&TEST 2013

I’m going to SPAIN!!!! I was just accepted as a speaker at QA&TEST 2013 in Bilbao, Spain on October 29, 30 and 31. I’m really excited to be part of this conference! The purpose of the conference is to showcase the latest quality assurance technological innovations and best practices; its aim is to give the attendees a lead in global competition. With the wide variety of tracks and impressive line-up of speakers, I’m sure the conference will meet and even exceed its goal.

This conference is for everyone including directors, project managers and all types of test professionals. There’s a great mix of technical and management tracks which means all the attendees will learn lots of valuable information. With technical tracks such as Test Automation, Testing Mobile Devices and Applications and Verification and Validation, and management tracks including QA Management and Test Team Organization and Testing, there is really something for everyone.

The speaker line-up is an exceptional mix of practitioners and thought leaders from many industries including banking, insurance, aeronautics and medical systems and academia. I’m really looking forward to seeing Carol Oliver’s presentation on using oracles in high volume testing. Carol is a Computer Science PhD student of Dr. Cem Kaner at the Florida Institute of Technology.

Bilbao is such an exciting location with the Guggenheim Museum and lots of scenic coastal areas and beaches nearby. It’s no wonder that the beginning of The World Is Not Enough was filmed here. Although I don’t think I’ll get to meet James Bond, I can’t wait to go. I hope to see you there.

My Smartphone Goes Hands-Free

I’ve become so used to my new device that I’m making and receiving calls on the road. Oops..that’s a no no! Don’t worry, at least I don’t text and drive; I couldn’t if I so desired as I’m still mastering the thumb movement. Perhaps it is taking a while to become a fast texter since I don’t play video games? Never mind, I’m digressing.

Anyway since I’ve started talking and driving, I decided that it is time to enter the brave new world of hands free devices, and I’m now the proud owner of a fine new Plantronics Voyager Legend. It boasts of features such as smart call routing, precision audio, voice commands and caller announce, but for me, the most important feature is that it’s hands free! But what does “hands free” actually mean? It means that I can talk and drive with both hands on the wheel, of course. Yippee!

The first time I try it out is in the house and of course everything works perfectly. Doesn’t everything always work perfectly in test? Now it’s time to try it in the car. Much to my surprise, the hands free turns out not to be completely hands free. Since I have carefully set up all my contacts with their home and mobile phone numbers, the hands free offers me a choice of numbers for each contact. Much to my chagrin, I have to manually, using my finger, tap the number I wish to call. Now I’m not blaming the hands free device, it’s a user error or more accurately, a user design error.

Not to be deterred from becoming complete hands free, I create separate contacts for all of the numbers that I will call from the car. So now that I’m completely hands free, I find that not only can I talk with both hands on the wheel, but also, I now have the opportunity to experience the joy and frustration of speech recognition technology. I confidently make my initial call, responding to the device’s “What would you like to do?” with “Call Peter”. And instead of seamlessly being connected to Peter, I am offered the entire listing of pizza restaurants in my contacts, and yes there are many. It was still morning, but what the heck, I ordered a pizza.

So as much as there is a learning curve to swiping and tapping and texting, apparently there is also an art to hands free speaking. I’ll let you know when I master it. For now, I’ve implemented a workaround. Since Peter sounds so much like pizza, I changed Peter’s name to Andy. And if Andy answers, I’ll be very surprised since Andy is Peter’s cat. I wonder how the hands free would interpret a “meow”.