Is Production Environment Really Sacred? Testing in Production

I was once tasked with testing a service that was integrated with an ATM. We approached a 3rd party ATM Integrator to set up an ATM in our staging environment to test this scenario. The cost involved was very high and our testing budget did not permit us to use a third-party ATM integrator. So what was the alternative? It was a unanimous decision in the program steering group to test in production, since the feature was tested properly in the previous version. A couple of internal users were tasked with testing this feature immediately after deploying the newer version to production.

Recently, I have been noticing that testing in production is becoming a popular practice, as part of the defect and incident analysis, or as a concluding test before going live, aiming to eliminate uncertainty, and give confidence to management and operations teams.

There are many reasons why organizations are forced to test particular scenarios in production. First, with shrinking IT budgets, organizations have difficulty creating test environments that represent the full functionality of the production environment, including load balancers, ATMs, SMS gateways, billing, etc. Most of these aspects are tested using simulators in test environments, but ideally organizations would like actual integration with all this hardware and software in the staging environment, to perform UAT before moving to production. At the same time, business processes are becoming more and more integrated, which in turn demands test environments that are connected end-to-end. It is always a challenge to create a test environment that is equal to production.

With the advancement of technology, the services that are rolled out are becoming more complex. One of the projects I worked on involved a mobile payment service for financial inclusion that spanned multiple organizations, 3rd party integrators, geographically distributed teams, and many stakeholders in the service. For example, we had to work with different stakeholders such as banks, merchants, SMS integrators, ATMs, payment terminal vendors, billing payment aggregators and the mobile payment platform provider. Add to this all the hardware in data centers, like servers and load balancers. Testing particular scenarios in such an integrated environment is possible only in the production environment (or by spending huge sums of money to set up and maintain a staging environment with such a complicated integration).

Of course, there are many risks associated with this practice, such as creating and maintaining test accounts and test data in production, security controls and accountability, production incidents caused by the testing itself, and postponing real testing until deployment (a separate blog is required to address these risks). But Testing in Production (TiP), when performed in a controlled manner within the organization’s IT policy, is a better way to ensure elimination of any remaining risks or uncertainty before GTM.

Adopting Agile Testing

The term agile is sometimes used to represent anything that is dynamic or an unstructured way of working with others. However, as per the “Agile Manifesto” conceived by a group of software engineers, it is a focused and yet rapidly iterative software process adhering to a set of principles, and aims to promote a more efficient, humane and collaborative way of developing computer programs and IT systems. Agile testing is the practice of testing software for bugs or performance issues within the context of the agile workflow. It focuses on the concept of the Whole Team, getting as much feedback as possible on code, and building in quality as early as possible. Agile testing has a shorter feedback loop between the product owner and team members. Agile testers are an integral part of the cross-functional team, and have their say in all the phases of the SDLC (Software Development Life Cycle). The flow of information is uninterrupted due to collocated teams. Let us take a closer look at some of the key features of agile testing methodology, and why more and more companies are adopting it.

Why Become Agile?

Agile and traditional waterfall methodologies differ in terms of mentality of teams, role of testers in the team, and at what stage the testing begins.

  • In conventional testing, test execution does not start until after the complete functional development.
  • In traditional testing methods, there is usually significant delay between when the software is written and developers get the feedback. Defects and bugs are found quite late in the process which can cause serious issues if any major changes are required.
  • If the business requirement changes, it affects the already developed test cases.
  • As the communication and testing is siloed, the chances are that different groups will have different final product expectations.
  • Also, as testing is the last activity before the decided release date, the quality of testing suffers.

Traditional QA engineers rely heavily on documents; however, generating test cases may not be as cut-and-dried in agile, as agile QA engineers do not get big requirements documents as a base for test cases, and do not get months to write the test cases. They directly become part of the communication streams, which can be written, verbal or virtual, and collect the information they require. In agile, it is accepted that change is healthy. Some of the key features of agile testing are:

  1. In the Agile approach, testers and developers are seen as two sides of the same production coin that meet regularly and compare notes daily. Testers, developers and quality-assurance personnel work closely together replacing siloed functions. The split between software testers and software developers in the traditional waterfall process positions them as separate entities at different points along the production cycle, and this is the most fundamental problem that agile helps resolve.
  2. Agile testing is testing when possible, even as early as requirements gathering phase and there is Test Driven Development (TDD). Agile testing drives development by questioning stories and refining acceptance criteria during the iteration planning. It starts by working on stories, and continues with the TDD.
  3. Agile requires continuous and elaborate collaboration between stakeholders throughout the company, throughout the production process. In each and every phase of the development, testing is an essential component, and quality is built in at every stage through constant feedback from all who are responsible for the final product. Hence, working versions with essential features of the final system are frequently produced. Each of these working systems is fully integrated and carefully tested, just like the final delivery.
  4. It is a team effort where anyone can pick-up and execute a testing task. Developers and design experts also think about the testability of the product and testers can give their inputs in the early stages of software architecture or designing interface.
  5. Testing starts when the Sprint starts and the entire team is responsible for the result. Testing includes test planning, build acceptance testing, functional testing, regression testing, demo testing and test automation.
  6. Testers are an integral part of the team, and their experience is fully utilized where they participate in planning and requirement analysis.
  7. The feedback loop is short and testers actively participate in the Retrospective and Planning meetings.
  8. Pair testing can be used together with the developer or other tester. Testers can also help developers create automated tests or design tests which are beneficial for both.
  9. There is continuous integration for every change committed to the source code repository.
  10. Teams switch to agile due to simplicity of the principles, transparent communication with customers and accurate planning.
  11. Agile testing may seem complex, however if implemented successfully, it leads to greater simplicity as it is more risk and priority focused, faster, adaptable, flexible and efficient.

Critics of Agile

The experience of Agile can vary, and for some, it just results in lower quality, chaotic processes, miscommunication, and a bundle of several other issues. A study was conducted by Voke Media with 200 software companies on their attempts to embrace Agile, and their report stated:

Out of over 200 participants, 64 percent said that switching to Agile Development was harder than it initially seemed.  Forty percent of respondents did not identify an obvious benefit to the practice.  Out of those who did, 14 percent thought it resulted in faster releases, and 13 percent—that it created more feedback.  Seven percent of participants noted that Agile developers were happier due to reduced future planning and documentation.

There is no doubt that there are certain challenges involved in implementing agile testing methodology. As testing happens on the fly, there is minimal documentation, which can cause problems if a team member is unfamiliar with the project. In such a case, handing over the project to someone completely new can be disastrous, as only senior executives are capable of taking the decisions required in agile testing. If the customer is not clear about the final outcome they want, the project can easily get taken off track.

Additionally, agile testing principles can be quite demanding on the developers’ time, and require their commitment for collaboration throughout the project. Agile testing also requires more effort from the entire team as testing continuously gets modified or interrupted to fit the need of the situation. Agile can be quite time consuming as developers and testers spend a lot of time through the iterations to ensure the best quality throughout the project.

In the agile environment, there are frequent changes in the system, and to test each change, regression testing is required to ensure that there are no new defects in the previously developed features. Planning regression testing is difficult as agile testers are busy testing new stories for current sprint. Hence, it is necessary to have automated tests for previous sprints checked into the source repository.

Inadaptability to Agile could be due to difficulty in leaving the traditional understanding of the roles, and resistance to change. Agile is not a panacea that will solve all testing problems; however, its principles are great tools to reveal several problems, and it is up to people how effectively they are able to resolve them. Agile development and agile testing go hand in hand, and together they complete the idea of agile methodology. Frequent testing along the lines of iterative guidelines is the benchmark of agile testing. For the best chances of success, the testing engineers must become embedded agile team members, and embrace agile team dynamics.

Get Paid to Find Other People’s Mistakes

In any profession or field, there is a difference between being a good professional and being an exceptional professional. On the same lines, anyone can be a good testing professional; however, it takes some unique skill set to be an exceptional tester. No application is ever bug free, and the success lies in nailing the most crucial bugs by being devious and curious.

Testing is not just a job; it’s also about imagination and critical thinking. It is about not accepting anything at face value, and maintaining a questioning mindset for the product. If you wish to be exceptional, always expand your knowledge and hone your testing strategies for improvement. So, as a tester, which mindset and skill dimensions should you invest in, which areas should you avoid, and how can you make the best use of available resources? Here are a few tips that can help you gain that competitive edge:

1. Gain Perspective– As a tester, there are many different aspects to be considered in addition to comparing specifications with the implementation. These include consistency with the comparable products, user expectations, history of the product and so on. Your judgement will be better if you know what is important for your business. To gain perspective, talk to the customers, interact with customer supports, and have a day out with the marketing team.

2. Aim for Quality– Never shoot for quantity, as identifying a few important glitches and bugs is going to be much more valuable than testing volumes.

3. Prioritize– Prioritizing is important. Rather than focusing on the minute details of the application, pay attention to the mission critical parts and identify the most valuable bugs first. This helps the development team to address critical issues as quickly as possible.

4. Improve Verbal and Written Skills– Conveying information is almost as important as finding an important piece of information. As an excellent tester, you need to have excellent written communication skills to write test cases, bug reports etc. which are important part of QA. These artefacts should be detailed, and easy to understand. Sometimes you will be in a situation where you will have to defend your findings, and explain why they are relevant. Describe your findings and be alert to the new information that comes up in the communication.

5. Learn from Mistakes– And not only yours. We all make mistakes, however, these mistakes must help you learn, understand and not repeat them. Prioritize better, communicate better, plan better. Constantly ask questions, and incorporate your knowledge to bring positive changes in your work and approach. It might be a good idea to keep a track of your past bug reports and understand which ones created confusion, and how could you have written them differently for better understanding.

6. Eye to the Details– Observation is the ability to notice significant and important details. As a tester, you need to observe the situations that are unusual. Slow down and observe by looking closer and keep your channels wide open. Go beyond the checklists.

7. Think like the User– Keep in mind that you need to find each and every possible bug before the software is deployed and used by the end customers. Don’t be humble, question everything, and do not take anything for granted. If you don’t understand something, chances are, neither would the end user. At the same time, maintain a healthy scepticism about the capabilities of the product while exploring its limitations and capabilities. It is important to maintain a balance between curiosity and questioning every decision made. Testing needs objectivity and fresh perspective. Keep an open mind and keep the end users’ perspective in mind.

8. Efficient Reporting– Make your bug report informative by adding screenshots and sufficient details. This will help the developer understand the bug clearly and fix it. Give information such as when, how, where, under what OS, on which devices and so on. Free your report from irrelevant information so that it can influence the right people to act.

9. Have Passion– Being passionate about what you do is the key to excellence. Stay informed about your field, attend trainings, do courses and certifications, do whatever you can to immerse yourself in QA. Keep in mind that knowledge is not static, especially in the technical domain. Improve your technical education, and understand how the machines work. BBST (Black Box Software Testing) and RST (Rapid Software Testing) are the two basic courses that are recommended for every tester as they give extensive hands-on experience of different test scenarios. Continual learning is the most important personal value. Invest in yourself.

In addition to these, it is equally important to have the social skills to collaborate, the humour to sustain your sanity and stay focused, and the habit of practicing your skills to reach a higher level of proficiency. Find the areas for improvement and make your actions self-reflective. Seek help when required.

Becoming an exceptional tester is a constant journey. Keep in mind: Testing is all about information discovery and information delivery. Test On.

Mobile Application Security Testing for Startups

Any startup company developing mobile or web applications goes through a great deal to deliver these projects. There is always so much to do, always a deadline to meet, and always a crunch of resources (financial and human). While combating all these challenges, it is easy for entrepreneurs to overlook some mission-critical tasks, and one such task is Application Security Testing.

Onboard the right resources: For any startup, it is extremely essential to get a good start to the testing culture. So where does this process begin? Well, it starts right from the hiring process. Look for candidates who are curious about technology, are insightful and show willingness to accept and adapt. The candidate should have a passion for testing and should appreciate the challenges involved. It is equally essential that you have a testing team with diverse skills, including platforms, languages, hardware and software.

Identify the target Platform: Keep in mind that the testing matrix can be quite big and complex. Choose your platforms carefully if you have limited resources and time. Ensure that your app works perfectly well on a few selected platforms. Also, as there will always be a limited testing budget and rapidly-evolving application, manual testing is a better approach (until your product stabilizes) as it can help find real bugs and can be altered quickly with the changing features.

Do not miss out on Usability: For a startup planning to launch a mobile application, usability testing is one of the most vital tasks. Evaluate the page layout and color schemes. Ensure that the layout is intuitive. Users should be instinctively drawn to the main features of the application. Important features such as Search, About, Help and other instructions should be easily visible and accessible. If the application is to be launched in non-English speaking markets, ensure that your application shows consistency in terms of messages, symbols and text. Usability testing should be done once the application is ready, but before it is made available to end users or paying customers.

Data testing is important: Data testing must be a part of the test strategy, and data archival and deletion must be included in the scope of testing. Even the most basic of applications must be tested for different carriers and operating systems, as the performance can vary greatly. For any mobile application, keep in mind the screen size discrepancies. Also, check your application for performance at different battery levels and when the user gets a message, call or MMS. The displayed messages must be concise, clear and actionable.

Learn from others’ mistakes: While developing and testing your mobile application, look at similar apps and find out, as a user, what you like and what you don’t. You can use this knowledge to include additional features and avoid mistakes. Also find user reviews of competitors’ applications and take advantage of their weak spots. There are also some free tools available that show developers how well their application functions in real-world conditions. The tools score the application based on download, installation and usage, and report the issues.

Secure applications gain customer confidence: For a startup, security testing can be daunting, and can become highly complex. However, availability, authentication, authorization, integrity, confidentiality and non-repudiation are some of the most basic testing concepts. Keep in mind that security testing can be challenging. However, investing in security testing will eventually gain customer confidence. Some of the free security testing tools and resources include Open Web Application Security Project (OWASP), Paros Proxy, Wireshark, Tamper Data, Burp Suite and SQL Inject Me.

An unsuccessful first launch will cost you a lot of money and reputation. Ensure a successful launch and make a name for yourself by planning well and Testing well!

Can Automation replace manual testers?

We received this question from our customers for the umpteenth time:

“Is Test Automation going to help my business?”

To answer that question, we take a methodical approach… we assess the maturity level of the customer’s quality assurance organization. Many of the organizations do not treat Test Automation as a core practice but a supporting practice within the practice. Changing this perception and adopting Test Automation as core practice requires great shift in thinking and visualizing the benefits.

Once we are convinced with their existing practice, process and team’s mindset we recommend the test automation to our client. At this point, we face the next question:

“What is the ROI from Test Automation?”

For most project managers this is just a quantifiable number in terms of running more tests faster with fewer people. This number is used to justify the adoption of Test Automation in their projects. How do we arrive at this figure? There are many simple calculations that software testing organizations use to calculate the ROI. One such calculation is:

ROI = (Cost of manual testing – Cost of test automation) / Cost of test automation

This looks simple, straightforward and easy… this entire exercise builds a business case: “We will run more test cases faster, with fewer people.”

Many of the thought leaders do not completely agree with the business case and have a plethora of questions like:

“Does running more tests, faster, produce better software?”

“Can manual testing and manual testers be replaced by test automation?”

“Can we compare the cost of multiple executions of automation tests against manual tests?”

“Can we devalue the tester’s role in software testing?”

We at Idexcel believe that Test Automation (once proven ROI is established) must be used to optimize the testing efforts, while balancing the Automation and Manual elements. Test Managers should not get sucked into the ROI black hole. They should utilize their human element (manual testers) to test changes to the application (new and incremental functionality), cases that require human judgment, and situations that involve complex and implicit business knowledge, and utilize the Automation element for tests that are explicit, repetitive and black & white.

Now, coming to the subject of the blog:

“Can Automation replace manual testers?”

Our answer is a resounding NO!, especially when we are talking about applications and systems that are incrementally maturing.

When we address the automation needs of our clients, we do not convince our client solely on ROI. We provide a detailed analysis of how we combine the right set of tools with the right set of people and processes, which can:

• Reduce time to market
• Increase test efficiency
• Increase test effectiveness
• Improve test repeatability
• Decrease test defects escaping to production
• Select the right test suite for a particular cycle
• Optimize the test cases as software evolves
• More importantly, improve quality

MOBILE APPLICATIONS SECURITY TESTING- TEST FOR THE WORST

We all love apps, especially, the fancy, colourful apps, that promise all-your-problems-end here kind of euphoria. You wish! Really, as if the world could be so simple. However, some apps undoubtedly make our lives much simpler (Ahem, no pun intended).

So what types of applications are we talking about here? Well, that’s not the point. What I would like to elaborate here are the risks that come as a package with our life saving (sometimes literally) mobile apps, which threaten our identity, productivity and other areas critical for our day to day communication.

Why? What’s wrong with those lovely looking apps?

In simple terms, A LOT. In more complex terms, if your device or credentials have been compromised, you have a lot to lose. Now, picture this on a bigger scale, at the business or corporate level. The extent of loss is unfathomable if even a single employee downloads an app that gives malicious users access to internal resources, from which they can reach individual systems and get hold of confidential information. Phishers and hackers are constantly inventing newer ways to exploit such vulnerabilities related to web security. Users want more and more apps, and companies try to develop and deploy these apps quickly, which puts security in the back seat.

Top Mobile apps vulnerabilities and Dealing with them

As per the tests run by HP Fortify, 86% of apps that accessed potentially private data sources such as Bluetooth connections or address books, lacked security measures to protect the data from access. 86% of the apps lacked binary hardening protection, 75% apps did not encrypt data before storing it on the device and 18% of apps transmitted data over the network without using SSL encryption. Another 18% used SSL, but did so incorrectly.

The report compiled by WhiteHat shows that whilst many different attack methods exist, XSS (Cross Site Scripting) is the most popular, followed by Content Spoofing. To add to this, many other attack methods, such as SQL Injections, Information Leakage, and Stolen Credentials could all be the side-effects of an XSS attack.

Reference: WhiteHat-Security Statistics report 2012 (https://www.whitehatsec.com/resource/stats.html)

The 2013 Threat Report from the Websense® Security Labs (WSL) also revealed how often malicious apps abuse permissions, especially in the use of SMS communications, something very few legitimate apps do. Risks increased as mobile devices are used for web surfing and social media more often than for actually making calls.

So let’s dig a little deeper, and understand these vulnerabilities, and best practices to deal with them.

1. Excessive Permissions and Privileges– This is one of the most serious and common vulnerabilities, and it creates a great deal of privacy concerns on mobile devices. Applications that have more access are easy targets for attackers because of their broad attack surface. Applications that reside on the mobile device have excessive access privileges and permissions, such as access to the contact list, receiving and sending messages, update rights, location, and access to other device components such as the microphone, camera etc.

Best Practice– App developers should restrict the privileges and permissions granted to applications. Users should periodically check the device settings and apps for any excess permissions, and if they feel that any application has excessive access, they should revoke the access rights.

2. Malware– Just like web apps, mobile applications also use web services and HTTP requests to communicate between server and client. Common vulnerabilities such as SQL injection, cross-site scripting, XML bomb, buffer overflow etc. get discovered during dynamic analysis. These enable an attacker to propagate malware and gain access to device information without having the privileges.

Best Practices– Applications should validate all form inputs and convert scripts and script tags to a non-executable form. Ensure that the executables on your server do not return scripts in executable form. You can convert HTML and JavaScript tags into alternate HTML encoding.

3. Ineffective Session Termination– When the user clicks the logout button, the session gets terminated only locally on the client side, without terminating the session at the server end. This coding flaw makes the server susceptible to unauthorized access, where an attacker can access the victim’s session, and this can lead to identity threat.

Best Practice– After logout, always invalidate the session at the server and client side. If a session has not been active for more than 15-20 minutes, terminate the session. Long sessions must be re-authenticated.
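The flaw and its fix can be modelled in a few lines. The sketch below is an added example, not code from the original post: `SessionStore`, `FakeClock`, `token_survives_logout` and the 8-hour maximum session age are assumptions made for illustration, while the 15-minute idle limit is the lower end of the window given above.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60          # lower end of the 15-20 minute window above
MAX_SESSION_AGE_SECONDS = 8 * 60 * 60   # assumed cap after which re-authentication is forced


class FakeClock:
    """Constructed clock so timeouts can be exercised without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Server-side session table: the server, not the client, decides validity."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # token -> {"user", "created", "last_seen"}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def validate(self, token):
        """Return the user for a live session, or None. Expired entries are deleted."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle = now - session["last_seen"]
        age = now - session["created"]
        if idle > IDLE_TIMEOUT_SECONDS or age > MAX_SESSION_AGE_SECONDS:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Invalidate on the server; returns True if a session was removed."""
        return self._sessions.pop(token, None) is not None


def token_survives_logout(server_side_logout):
    """Model a logout and report whether a previously issued token still works."""
    store = SessionStore(FakeClock())
    token = store.login("alice")
    client_cookies = {"session": token}
    copied_token = token             # a copy of the token that exists outside the app
    client_cookies.pop("session")    # client-side logout: the app forgets the token
    if server_side_logout:
        store.logout(token)          # the fix: the server forgets it too
    return store.validate(copied_token) is not None


if __name__ == "__main__":
    print("client-only logout, token still valid:", token_survives_logout(False))
    print("server-side logout, token still valid:", token_survives_logout(True))
```

A tester can turn the same idea into a regression check against a real backend: log out, then replay the old token and expect the request to be rejected.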

4. Buffer Overflow– An attacker uses buffer overflows to corrupt the execution stack of the application. The attacker sends carefully crafted input to the application, and causes it to execute arbitrary code which can take over the device. The attack relies on writing data to a particular memory address, or on having the OS mishandle data types.

Best Practice– Buffer overflow protection techniques can be used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables as soon as they occur, and preventing them from becoming serious security vulnerabilities. You can also scan your application with a scanner that looks for buffer overflow flaws.

5. SQL Injection– It is used by hackers to steal data from the applications where user input is not validated. As a result, the user can inject SQL statements into the database and have them executed.

Best Practice– The only way to check if your application is vulnerable to SQL injection is by scanning it with an automated web application security scanner.
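What such a check looks for can be shown on a single query. The following is an added example, not part of the original post: the `accounts` table, the function names and the two probe strings are constructed for illustration. It places a lookup that builds SQL by string concatenation beside a parameterized one, and runs the same small regression check over both.

```python
import sqlite3


def make_db():
    """Constructed in-memory database with three sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 120), ("bob", 75), ("carol", 300)],
    )
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input becomes part of the SQL text itself."""
    query = "SELECT username, balance FROM accounts WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?", (username,)
    ).fetchall()


# Constructed probe inputs. Neither is a stored username, so a correct lookup
# must return no rows and raise no SQL error for both of them.
PROBES = ["nobody' OR '1'='1", "o'brien"]


def check_lookup(lookup):
    """Run every probe through `lookup` and return a list of (probe, finding)."""
    findings = []
    for probe in PROBES:
        conn = make_db()
        try:
            rows = lookup(conn, probe)
        except sqlite3.Error:
            # A quote in the input broke the statement: input is reaching the parser.
            findings.append((probe, "SQL error: input changed the statement syntax"))
            continue
        finally:
            conn.close()
        if rows:
            findings.append((probe, "returned %d rows for an unknown username" % len(rows)))
    return findings


if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterized", lookup_parameterized)):
        print(name, check_lookup(fn))
```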

6. Bad Data Storage Practice– Insecure or bad data storage occurs when developers assume that users will not have access to the device file system, and hence store sensitive information in data stores on the device. If data is not protected properly, jailbreaking or rooting the device circumvents any encryption protections, leading to loss of data including username, password, cookies, location data, personal information and application data. SQLite databases, Plist files, log files, binary data stores, XML data stores, SD card, cookie stores and cloud-synced storage are the places where data is stored most insecurely.

Best Practice– Do not store data unless absolutely necessary. Scrutinize the data security APIs of the platform, and ensure that they are being called appropriately. Do not store credentials on the device file system.

7. Cross Site Scripting– This attack requires the user to execute a malicious URL which could have been crafted in a manner that appears to be legitimate. Attacker then effectively executes something malicious in the user’s browser.

Best Practice– Use a web vulnerability scanner that checks for XSS vulnerabilities. It will show which scripts/URLs are vulnerable to these attacks.

Some of the other common vulnerabilities include weak server side controls, poor authentication and authorization, weak or broken encryption, insufficient transport layer protection and broken cryptography. The solution to deal with these threats lies in employing a vulnerability analysis solution that can automate security quality testing.

Testing Techniques to Deal with these Vulnerabilities

Mobile applications need to be exhaustively tested for vulnerabilities that put data and device at risk. Threat-profile based test cases are used, and threat profiles are derived from different types of mobile applications. Once the vulnerabilities are identified, these need to be patched and retested. Some of the most common testing techniques include:

Black box/Dynamic Testing– Also known as behavioral testing. It analyzes code as it runs to identify vulnerabilities that any hacker can find when the application is running in production. This testing identifies whether any weakness can be exploited, or identifies the type of weakness so that a human penetration tester can verify the exploitability manually.

Code Review– It identifies the vulnerabilities at the source-code level. It can detect injection flaws, backdoors or suspicious code, hardcoded passwords and secret keys, weak algorithm usage and hardcoded keys and data storage definitions.

Penetration Testing– For any mobile application, one of the most critical tests can be the penetration test. It is an ethical attack simulation intended to expose security controls of the application by highlighting risks posed by exploitable vulnerabilities. The vulnerabilities identified by penetration testing include input validation, buffer overflow, cross site scripting, SQL injection, URL manipulation, hidden variable manipulation, authentication bypass, cookie modification, code execution, and a few other common software attacks.

Mobile Application Security Assessment– It is a holistic security assessment of mobile applications, the associated backend systems and data flows and interactions between them.
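
The source-level checks named under Code Review above (hardcoded passwords and secret keys, weak algorithm usage), shown as an added example that is not part of the original article. The Android-style Java sample, the rule names and the patterns are constructed for illustration; a real review tool would cover far more cases.

```python
import re
from dataclasses import dataclass

# Constructed Android-style Java source, not taken from a real app.
SAMPLE_SOURCE = '''\
package com.example.wallet;
import javax.crypto.Cipher;
import java.security.MessageDigest;
public class ApiClient {
    private static final String API_KEY = "k3y-constructed-0000";
    private String password = "";  // empty default: not a finding
    // String oldSecret = "constructed-old-value";
    String token = BuildConfig.API_TOKEN;  // injected at build time
    // MessageDigest.getInstance("SHA-1") was used before v2
    void init(byte[] in) throws Exception {
        MessageDigest.getInstance("MD5").digest(in);
        Cipher.getInstance("AES/ECB/PKCS5Padding");
        Cipher.getInstance("AES/GCM/NoPadding");  // not a finding
    }
}
'''

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str  # identifier or algorithm name, never the secret value

# Identifier that looks like a credential, assigned a string literal of 4+ chars.
SECRET_RE = re.compile(
    r'\b(\w*(?:pass(?:word|wd)|secret|api_?key|token|private_?key)\w*)'
    r'\s*=\s*"[^"]{4,}"', re.IGNORECASE)
HASH_RE = re.compile(r'MessageDigest\.getInstance\(\s*"(MD2|MD5|SHA-?1)"', re.I)
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')
WEAK_CIPHERS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR"}

def weak_cipher(transformation):
    """Return a reason if a JCA transformation string is weak, else None."""
    parts = transformation.upper().split("/")
    if parts[0] in WEAK_CIPHERS:
        return "weak cipher " + parts[0]
    if len(parts) > 1 and parts[1] == "ECB":
        return "ECB mode"
    if parts == ["AES"]:
        return "no mode given; common providers default to ECB"
    return None

def scan(source):
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        # Secrets are checked on every line: one left in a comment is still exposed.
        m = SECRET_RE.search(raw)
        if m:
            findings.append(Finding(no, "hardcoded-secret", m.group(1)))
        # Algorithm calls on comment lines are not executed, so skip them.
        if raw.lstrip().startswith(("//", "/*", "*")):
            continue
        m = HASH_RE.search(raw)
        if m:
            findings.append(Finding(no, "weak-hash", m.group(1).upper()))
        for m in CIPHER_RE.finditer(raw):
            reason = weak_cipher(m.group(1))
            if reason:
                findings.append(Finding(no, "weak-cipher", reason))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.detail}")
```

Findings report the identifier or algorithm name only, so the scan output itself does not leak the credential it found.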

Failures occur for different reasons, such as poor design, faulty code, inefficient security measures or a combination of the above. However, the fact remains that it is important to identify these security risks and minimize security breaches. To protect your users from attacks, you need to stay updated with the latest threats and the ways to deal with them. Hence, it is essential to stay in touch with the latest vulnerabilities, patches and hacks to ensure that mobile applications are safe. When it comes to application testing, there is no silver bullet, and no single approach does it all. You need multiple approaches looking from different angles to have the confidence that your application is secure.

Hope for the Best, but Test for the Worst.

Web Performance – A Critical Success Factor for eRetailers

Since the rise of online shopping in the late 1990s, we have seen many evolutions in the underlying technology infrastructure and in consumer expectations. The rise of broadband access in homes, businesses and the advent of Mobile surely have placed the ‘Online Channel’ ahead of other retail channels.

A recent survey found that around 80% of shoppers will research online before making a purchase, and they hop across devices to suit their needs. And 3 in 4 shoppers will abandon a site if it does not load in under 3 seconds. These are staggering facts, and this user behavior and these expectations have serious consequences for an online retailer with an underperforming site.

Let’s look at some of the facts that are making ‘Web Performance’ a critical success factor for eRetailers (Online Retailers).

Fact 1: Need for Back-end IT integration and providing a ‘Seamless Experience’ to the end customer

The rise of the ‘Online’ channel did not eliminate the need for other B&M channels; it only made it very important for retailers to maintain consistent messaging across all channels so that consumers see ‘One Brand’ and not multiple competing channels. This has been proven by a recent survey conducted by ‘Sterling Commerce’ and ‘DemandWare’, in which 85% of the respondents expect a seamless experience across all the channels. So, to project a ‘One Brand’ image and to meet the customer’s expectation of a ‘Seamless Experience’, retailers must integrate the back-end IT landscape. This integration brings in a lot of advantages such as:

  • A single view of the customer and Products
  • Continuous state of interactions
  • Opportunity to optimize processes and run insightful analytics
  • Consistent Messaging and Branding

This means that an immense amount of data has to be gathered, collated and presented. Additionally there are many process intensive actions. Adding all this data to the webpage is going to bloat the page size, consume more CPU and Memory and impact the overall performance of the retailer’s website.

Fact 2: Increase in Mobile and Social Media adoption in consumers

The trends in Mobile and Social Media also indicate that there is growth in retailer presence and sales through these channels. For example, the sales from Mobile devices will reach 37% of the total online sales by Sep-2013 as compared to 17% a year back. Also, the number of smartphones and the shopping apps on them are on the rise.

This means that retailers not only have to provide a mobile enabled retail store but also have to support the various makes and models of devices and the types of operating systems on these devices. The app has to perform better on all the combinations, and if it does not, users have app stores and mobile browsers at their fingertips and can jump to a competitor’s store in a flash!

Fact 3: Rich User Experience demands of the consumers

Online customers want a rich and engaging experience, but at the same time, they love their websites to perform and respond quickly.

The retailers really want to meet or exceed the consumers’ expectations in this area. They do Channel Integration, Customized Recommendations, Product Review/ Alternatives/Comparisons, Interactive UI, Video Demonstrations, Past history of the customer purchases and Social Media integration. In fact, the average web-page size over the last few years has grown tremendously. The average page size has crossed 1MB with over 100 objects per page.

The page size along with any 3rd party code integration is surely going to have a negative impact on performance. Here are some examples of the impacts of underperforming online retail sites:

  • A study of a travel website shows that 57% of the users will abandon the site if it does not respond within 3 seconds.
  • 60% of the mobile users expect their site to load in under 3 seconds; if it does not load in under 5 seconds, 74% of the users will abandon the site.
  • 79% of the online shoppers who experience dissatisfaction are likely to no longer buy from that website again.
  • 46% of the dissatisfied online shoppers develop ‘negative perception’ of the company. With ease of access to various social media, the ‘negative perception’ propagates quickly and can damage the company’s reputation and brand image, in-turn impacting prospective sales.

Conclusion:
Surprising as all these may be, the financial implications of the user impatience are even more shocking.

  • Slowing down the page load by just one second could cost Amazon $1.6 billion in sales each year.
  • Almost 3 billion searches are done on Google each day and 95% of Google’s revenue comes from advertising. Slowing Google’s search results by just four tenths of a second could result in a loss of 8 million searches per day, meaning they’d serve up many millions fewer online adverts.

This is how important the performance of the website is. Poor web performance costs retailers:

  • Loss of loyal customers
  • Loss of Brand Reputation
  • Loss of revenue (because of fewer page visits, Higher page abandonments, less customer satisfaction and fewer conversions)

The bottom line is “Poor online retail site performance = Poor user experience = Less time on site = Lower conversions”. When conversion of a visit to a purchase online is where the money is for the retailers, Web Performance Matters!!

Note: Please go through the webinar we conducted recently sharing a holistic approach on technology, process & tools to leverage in achieving a “world class web performance” for online retail store fronts.

Startup Sutra: To Scale Quick, Ride A Cloud

Small is Big makes a catchy label for a startup to stick at the office water cooler. But Small is Big with cloud computing makes for business gyan. To put it in another way, Startup + Cloud = Another Facebook kind of valuation in the works (read on to know how). So think big. Work smart. Keep it lean and mean. Deliver stuff that works straight off the shelf. That’s what the cloud is all about, particularly for a startup. Enabling anyone to do any work or any play anywhere, anyplace, anytime. Is that not why when people say they are on cloud, they mean they are on cloud nine, eight times out of nine?

Reverse the equation for a moment. What if you are a startup actually offering cloud services? Impossible is nothing! You can potentially set the investors’ pulse racing and have over-eager venture capitalists knocking on your doors! Workday, a young Californian firm selling cloud-based software hit pay dirt managing the back-offices of large companies and ended up with a valuation of nearly $4 billion at the New York bourses. Another company, Yammer that offers social networking software, was snapped up by Microsoft for $1.2 billion.

Let’s rewind to Ground Zero when you have just buckled your straps and are starting from scratch. As a startup, you cannot afford to be straitjacketed. You need to keep your options open. Like, one door should open when another closes.

Suppose you start with investing big on creating an all-purpose fully loaded virtual architecture, and this model ends up as a white elephant? All the more sensible therefore that you keep your investment on virtual architecture lean and mean and to the minimum, and fully leverage Cloud Service to the maximum by using it for accessing application infrastructure, processing, storage, etc.

Unless you are starting your enterprise with a billion dollars (!) your number one concern will be about how to thread your costs thin. Remember Google’s pay-per-click (PPC) concept? It’s the same with startups using cloud service. You only pay per spend, or pay per user or per quantity of processing/storage.

With cloud services, your resources are “elastic”, and you enjoy out of the box mobility by way of easy and instant access to IT facilities from any suitably configured device, including faster access to latest software and hardware upgrades on the cutting edge. For instance, days after your new state-of-art server farm arrives on its pallets, the market is abuzz about the launch of a new server that has double the processing power and is available at half the cost of your server! But if you have adopted the cloud model, you are able to access up-to-date hardware resources and software functionality, and its newly added features, at little or no extra cost.

However, many startups would like to cross the bridge to the cloud only when it becomes par for the course and not when it is still a fashion statement.

For instance, in situations where data requirements are huge, working on a smartphone view is like watching the spectacular Avatar on a 9-inch screen and writing a review of it!

When a startup relies on a network provider for most, if not all, its IT needs, how will it cope in the event of a network disruption? How will you ensure uptime in case you lose connectivity to your data? How will you manage your Windows Active Directory servers?

Cloud for startups has its advocates and critics and it would be fair to say that it is an idea whose time will not go for some time to come. Wish we had Steve Jobs to ask the right questions and provide better answers. Or is it that he is on cloud?

If you want to bootstrap your way to scale, your ticket is a cloud away.

Mapping the Organizations in Year 2020

Year 2020: Don’t bet your company will be the same as now. And by the way, don’t bet your company will change beyond description. There will be change, but it won’t be disruptive.

Recent research conducted by the Economist Intelligence Unit says companies will be larger and more globally integrated, with better information flow and collaboration across borders, less centralized, a flatter hierarchy and more empowered employees.

Employees will not just be knowledge workers of today, but active stakeholders in decision-making. They will double as data scientists, not because of a decree from the boss, but because of their ability to play multiple roles. For example, a LinkedIn employee uses analytics to come up with the popular “People You May Know” feature. A Facebook team creates a new coding language. And the boss cannot turn around and say, ‘I told you so’.

Size will not matter. It doesn’t really even today. Anecdotal stories of David vs Goliath will become more routine than rare, more fact than fiction. In fact, size could well be a disadvantage. Value creation will not depend on a company being an 800-pound gorilla, but on the ability of individuals to connect with one another.

Speed to market and speed to work will be the new dynamic on demand. To study it in contrast, consider the term “spinning the tape”, a fashionable piece of jargon used by balance sheet accountants. Spinning the tape refers to the static way of analyzing accounting data for years. The new paradigm could be described as “speeding the tape”. E.g., you could be working on a deadline that is yesterday and expected to deliver just-in-time.

Employee loyalty will become virtually extinct. Blame it on global operations, emerging markets, and demographic pressure. 360-degree appraisals will be the norm. The boss will review your performance, and you will be reviewing his. It cuts both ways.

Management could be localized while company outlook will be globalized. Cross-cultural hires will be more frequent and people with poor soft skills will not be able to get a foot in. Perform or perish will be the universal credo of all organizations.

More organizations will invest in R&D and use data silos to test product launches. The metrics will vary from division to division. For instance, Google manages its various offices at Paris and New York in different ways, for there is no such thing as one-size-fits-all for organizations in the future.

But not everything will be hunky dory, just as it never has been in enterprise history. Serving different kinds of customers in different countries through a workforce which is equally drawn from different lands, speaking different languages, creates a whole new and different set of challenges for organizations. Consider working at odd hours. Outsourcing to call centers began as a great cost-cutting idea – and still is – but the intangible costs such as employee migration, employee retention, and the emotional costs on account of graveyard shifts will pose difficult and formidable challenges.

The future workplace calls for leaders with a holistic view of conducting business and managing people. Organizations will have to speed up to the science, step out of the fast lane and work on themselves. We shall be reminded often that Success, as Bill Gates famously said, is a lousy teacher…

Cloud based QA Infrastructure

A silver bullet to ward off traditional challenges

If you have some spare time at the office, spare a thought for the CIO in the IT industry. A blitzkrieg of challenges greets the CIO every day as he settles down at his desk after wishing his colleagues, rather ironically for him, a “good morning”. Here’s how the dice rolls for him every day at work:

Existing Scenario:

a)    Shrinking budget

b)    Increasing cost pressures

Expectations:

a)    Cut IT spend

b)    Deliver value and technology edge

Preferred Solution:

a)    Enhance ROI generated from IT components

b)    Increase focus on QA infrastructure and maintenance costs

c)    Lean on test managers to reduce QA infra costs as they form a major chunk of IT infrastructure budgeting.

Cutting costs, a Catch-22 situation

On the other side, test managers face a catch-22 situation, as a cut in QA infrastructure spend could potentially impact the quality of software deliverables. Here are a few examples of the challenges that drive the cost of IT upwards while creating and managing QA infrastructure:

  • Testing operations are recurring but non-continuous. This means test infrastructure is sub-optimally utilized and therefore has a significant impact on ROI.
  • Testing work areas span a wide spectrum such as On-time QA environment provisioning for multiple projects, decommissioning of QA environment to other projects, QA environment support, managing incidents, and managing configurations for multiple projects. All these necessitate an organization to allocate and maintain proportionate skilled resources at all times which in turn drives costs upwards.
  • CIOs and Test Managers are expected to ensure testing is commissioned on recommended hardware, because most of the issues linked to later stages of the quality gate are attributed to testing on inadequate hardware. This again accounts for a significant chunk of the total IT budget.
  • Getting appropriately defined QA infrastructure up and running in time (including procurement and leasing of these elements) to meet the set timelines demands more IT staffing resources.
  • Many Test Managers give the go-by to a staging environment and deploy directly to production because of budget constraints; however, creating a staging environment that mimics production is more critical to the quality of software in production. Creating such an environment also necessitates a huge chunk of the total IT budget.
  • Today’s complex application architecture involves multiple hardware and software tools, which require a lot of investment in terms of time, money and resources on coordination, managing SLAs and procurement with multiple vendors. All these taken together add up to more allocations in the budget.
  • For conducting performance testing, test managers need to set up a huge number of machines in the lab to generate the desired number of virtual users, demanding more budget from CIOs.

The Case for QA infrastructure as a Service in Cloud

All the above challenges force CIOs and Test Managers to move away from on-premises QA infrastructure and scout for alternatives such as cloud computing for creating and managing QA environments. Organizations are leveraging cloud computing to significantly lower IT infra spend on QA environments while at the same time delivering value, quality and an efficient QA lifecycle. Already, many players, big and small, such as Amazon, IBM, Skytap, CMT, Joyent and Rackspace, offer QA infrastructure as a service in cloud. Using this service, organizations can set up QA infrastructure in cloud, shifting focus from CAPEX to OPEX. CIOs too are able to significantly squeeze both CAPEX and OPEX elements, thereby meeting the budget cap without compromising on the quality of the solution.

How does it work?

Assume that a QA team needs a highly complex test environment configuration in order to conduct testing on a new application. Instead of setting up on-premises QA environment (which requires hardware procurement, set up, maintenance), a QA team member logs in to the QA infrastructure service provider’s self-service portal and:

* Creates an environment template with each tier of the application and network elements like web server, application servers, load balancer, database and storage.  For example a QA team member can fill the web server template like “web server with large instance and windows server 2008”.

* Submits the request through the IaaS service provider’s portal

* The service provider provisions this configuration and hardware in minutes and sends a mail to the QA team.

* The QA team uses this testing environment for required time and completes the testing.

* The QA team releases the test environment at the end of the testing cycle.

* For subsequent releases, the environment can simply be set up from the same template and the QA team can deploy the new code and start testing.

* The service provider bills for only the actual usage of the QA environment.

How does it help?

Elastic and scalable data center with no CAPEX investment: CIOs/Test Managers don’t have to worry about budgeting, procurement, setting up and maintenance of QA environment. Organizations simply need to develop applications and create a template of the required environment and request the service provider who enables the test environment. The QA team then deploys the application on a production like environment, thus saving time and expenses over traditional on-premises deployment. This shifts the focus from CAPEX to OPEX for IT infrastructure spending.

QA teams can provision their own environment: With this facility, QA teams can provision their own environment on-demand, rather than going through a long IT procurement process to set up an on-premises test environment.

Multiple parallel environments: QA teams can create different environments with different platforms and application stacks, with no investment in capex and multiple hardware, reducing the Go to Market time.

Minimize resource hoarding: Instead of setting up on-premises test environments and investing capital on hardware, QA teams can deploy the environments on cloud on a need-basis and release the resources after completion of testing. Some service providers provide ‘suspend and resume’ facility, in which case QA teams can suspend an environment saving the entire state including memory and resume at a later stage when required.

The bottom line: QA environments in cloud are lifesavers for companies. CIOs are slowly adopting cloud based QA infrastructure and moving away from on-premises QA infrastructures, which demand huge CAPEX and OPEX and yield less ROI. Cloud-based QA infrastructure, if managed smartly, is a silver bullet that can neutralize most of the challenges faced by CIOs/Test Managers in traditional QA infrastructure.