Is there a problem with Healthcare.gov?

I have discovered a number of issues with Healthcare.gov.  I have blogged details on some of these on my other blog, Is There A Problem Here?

These issues include, but are not limited to:

1) The site creates more cookie data than it will accept. It returns HTTP 400 errors (displaying blank screens to the user) when the cookie data it generates gets larger than parts of the site are configured to accept.

2) The site requires users create an account and verify identity and submit an application to get information about plan options. This creates a bottleneck that could have been avoided with different design.

3) The client-side Javascript code I've reviewed contains some errors and is overly complex -- complex in a way that adds overhead and risk that makes current understanding and future maintenance of the code unnecessarily difficult.

4) The site processed an application I did not submit -- and that I explicitly told it to not process.

5) There are so many obvious security flaws that I doubt they took security seriously. This gives me reason to be concerned about security of parts I can't see. Some of the security issues I've seen are:

• Personal data sent unsecured over HTTP
• Error messages that reveal the existence of usernames and email addresses in the system
• Stack traces returned to the browser that reveal information about the internal system components
• Usernames and password reset codes and questionnauire (not the application) answers sent to 3rd party analytics companies
• Password reset codes returned to the browser
• Email addresses associated with an account returned to the browser without authentication
• An email validation system that returns the info to needed validate an email address to the browser -- enabling people to create accounts using others' email addresses

If you want to see details, please visit my other blog at http://blog.isthereaproblemhere.com/search/label/Healthcare.gov

Ben Simo

What is Performance?

As we design and test for performance, let's look beyond speed. Let's look beyond basic stability. Let's look at the many facets of performance. Consider in which ways your system needs to perform. How fast does it need to be? How long does it need to keep running? Does it need to grow? Does it need to be available at all times? How much can we spend? Can we make it faster?

There are endless questions we could ask. Therefore, categorizing facets of performance and creating tests for each category can be helpful. However, let's not fail to look at the interaction between these categories.

OFAT (One Factor At a Time) testing (as exampled in the above performance testing checklist excerpt) often fails to provide information related to the interaction between the categories. Let's do some MFAT (Multiple Factors At a Time) testing and analysis. Let's look at the system as a whole. Let's mix it up. Let's consider how these facets interact. Let's create test scenarios that include multiple facets.

Time Machine: Devops, 45 Years Ago

"Two major inputs are required 

to provide computer service: 

equipment and manpower. 

For development, 

employees such as 

programmers and systems analysts are needed;

for operation, 

the services of managers, operators, etc., are essential. 

In practice the two activities usually coexist. 

Some sort of computer installation 

is required 

to check out development efforts. 

And almost every installation 

engages in continuing development 

as old systems are modified and new ones begun."

- William F. Sharpe, Economics of Computers, 1969

The above suggests that Devops is not at all a new concept. Forty-five years ago, computer rental cost slightly more than the Devops staff required to use it. Non-personnel operations cost typically rounded out the final third of the total cost. Today, hardware is cheap and people are expensive.

So, what did a Devops organization look like forty-five years ago?  The table below presents some data gathered in a "nation-wide census of data processing personnel" in 1967.

William F. Sharpe, Economics of Computers, 1969 

How do these wages add up in today's dollars?

Check out

The Co$t of Living.

Compared to my experience over the past couple decades, this seems to be heavy on management -- both in cost and percent of personnel. The roles of computer operator and librarian are pretty much gone. Programming and analyst roles have since blurred. Software has replaced many things that people used to do.  As the user base has moved from specialist operators to the general public, new testing and user experience design roles have evolved.

What else has changed?

What do you think devops will look like forty-five years into the future?

The Right Stuff?

Update: I haz new job. I am no longer seeking work. (12 June 2012)

You cannot be anything you want to be

-- but you can be a lot more of who you already are.

- Tom Rath, StrengthsFinder 2.0

Given that I resigned a couple weeks ago and am looking for new work, I've been asking myself a lot of questions about what I want to do next. Do I want to do detailed technical work? Do I want to lead people? Do I want to consult? Do I want to be someone's employee, or do I want to do short term contract work? Do I want to stay in Arizona, go back to Colorado, or go somewhere new? I've not yet decided. I am considering a number of options.


What I do know is that I want to find work that is a good match for my strengths and mindset. When looking for new work for myself, and when I've been involved in hiring, matching strengths and mindset has been more important to me than matching specific technical skills. People who are enabled to exercise their strengths and philosophy tend to have the intrinsic motivation needed to update their skills as each situation demands.

Rightshifting:

Improving the effectiveness 

of knowledge-work businesses.

I am intrigued by the Rightshifting ideas coming from Bob Marshall, the Flowchain Sensei. The basic idea of the Rightshifting model is that the curve shown below indicates that the majority of organizations (peak of the curve) are ineffective compared to the few effective organizations on the right side of the curve. While organizations to the right of Bob's model tend to better match my personal mindset, finding work with such organizations is difficult -- there aren't many of them. My experience suggests that organizations further to the left can better benefit from what I have to offer than organizations to the right. However, if such organizations have no desire to improve their effectiveness, I am likely to get frustrated. Therefore, one more question I am asking myself is whether I prefer to be more of a hero in the midst of analytical dysfunction or more of a team member in a synergistic organization. I suspect my place is somewhere in the middle -- with an organization that is shifting right.

Side Note: One way in which I think I may disagree with Bob Marshall's model is the assertion that the chaotic organizations on the left are less productive than the analytic organizations to their right. I suspect many of the majority (the analytical organizations) are just better at measuring (or pretending to measure) their productivity than the organizations to their left. What we label chaos is often order we don't yet understand well enough to describe. I'm also not convinced that organizations need to take a trip through the dehumanizing methods of many analytical organizations in order to become more productive.

I recently watched a video in which Bob Marshall recommended the Strengths Finder book and the associated online assessment as a useful tool in discovering your strengths. I am typically skeptical of such assessments. I fear they tend to provoke the Forer effect in which people tend to demonstrate a confirmation bias and attribute accuracy to generalized information about themselves when it is presented as being specifically tailored for them. However, I decided to give Strengths Finder a try. Despite my reservations and desire to critically evaluate the timed questionnaire as I completed it, I found the resulting top "themes" to be a surprisingly accurate description of my strengths. Perhaps this only demonstrates that even a skeptic like me can succumb to the Forer effect.

According to Strengths Finder, my top five strengths are:

1. Ideation
2. Command
3. Activator
4. Individualization
5. Relator

Whether this is based on a meaningful algorithm or is total BS, I found the results useful. (All models are wrong, but some are useful.)  These five strengths seem to example what I believe can make a good context-driven tester; but then, I'm biased. :)

So, back to what do I want in my next job or independent business venture: I want to exercise my strengths in an environment where I don't have to suffer cognitive dissonance in order to serve my employer or clients.

In thinking about this, I created a mind map of the strengths from Strengths Finder and things I like, as well as things I don't like. Following up on my desire to find a mindset match over simply matching skills, I've decided to ignore typical job hunting advice and share this.

Think I might be a match for your organization? Hire me. :)

Target Tested ✔

Computers empower us to create and manipulate things in ways that don't produce quite what we intended. This requires testing for what we don't expect.

There is a problem with this advertisement from Target Australia. Can you spot it? 

Do the math!

Sometimes numbers that make no sense are presented in ways that seem to make sense... or not. :)
 

uTest Interview

uTest invited me to be interviewed for Testing the Limits series this month.  They have graciously referred to me as "one of the most insightful and entertaining testers in the business". Please give the interview a read.  And if you have additional questions, please send them my way.

• Part I. Worst bug, testing philosophy, defensive pessimism, certifications
• Part II. Trusting automation, why Quality Assurance is a bad title, overstructured managemenet
• Part III. How I got into testing, what would I be doing if there were no such thing as software

What Sesame Street taught me about problem solving

A checklist for buying a new computer

Buying a computer has changed significantly in the past 25 years. Or not?

From Melbourne's The Age, 18 June 1984

Some features that are really important to me:

• on-off switching (the most important feature)
• security against blow-up (because I fear burns and shrapnel from exploding computers)
• position of reset key (a reset key next to the shift key would be a pain)
• big yellow bus (aren't computers good for education?)
• radiation shielding (don't want to be sterilized while playing Pole Position)
• movable screen (I might want to take the screen home with me)
• ease of plug-in ROM installation (cartridges are better than tapes)
• recognize commands in u/l case (I expect the computer to understand me -- EVEN WHEN I YELL AT IT!)
• hard disc option (I prefer to save data to tape, but a hard disc would be a nice option)
• stand-alone capability of slaves (I want slaves that can work without being micro-managed)
• octave range (I need a computer that can sing soprano)
• RS-232C port (In case I want to interface it to my lawn sprinkler system)
• Paddles (to spank the computer when it misbehaves)
• key-word dictionary (to understand this check list)
• country of origin (can I get a machine made in the USA?)
• dynamic debugging tool (certainly don't want a static debugging tool)
• Logo (because I just love that little turtle)
  

Wait != Hesitate

Metrics from where the sun don't shine

Numbers don't lie, people do.

“despite its mathematical base, 
statistics is as much an art as it is a science.
… Often the statistician must choose among methods,
a subjective process,
and find the one
 that he will use to represent the facts.
This suggests giving statistical material …
a very sharp second look
 before accepting any of them. …
But arbitrarily rejecting statistical methods 
makes no sense either.

That is like refusing to read 
because writers sometimes
use words to hide facts and relationships
rather than to reveal them.”

- Darrell Huff,
How To Lie With Statistics, 1954


“No doubt 
some graphics do distort
 the underlying data,
making it hard for the viewer 
to learn the truth.
But data graphics are no different 
from words in this regard,
for any means of communication 
can be used to deceive.”

- Edward Tufte,
The Visual Display of Quantitative Information

Talkin' 'bout test in a differrent light

Pullin' out my big black book
Cause when I need a word defined that's where I look
So I move to the L's quick, fast, in a hurry
Threw on my specs, thought my vision was blurry
I look again but to my dismay
It was black and white with no room for grey
Ya see, a big "V" stood beyond my word
And yo that's when it hit me, that luv is a verb.

Words come easy but they don't mean much
When the words they're sayin' we can put trust in
We're talkin' 'bout love in a different light
And if we all learn to love it would be just right.

- DC Talk


The DC Talk song "Luv is a Verb" points out that love is something to be acted out. Real love is action, not just words and feelings. Love is expressed through action.

Like love, the word test is both a noun and a verb. Also like love, test requires action. Even the noun definitions for test describe action.

test

noun

• trying something out to find out about it
• any standardized procedure for measuring sensitivity or memory or intelligence or aptitude or personality, etc.
• a set of questions or exercises evaluating skill or knowledge
• the act of undergoing testing
• the act of testing something

verb

• put to the test, as for its quality, or give experimental use to
• test or examine for the presence of disease or infection
• examine someone's knowledge of something
• show a certain characteristic when tested
• achieve a certain score or rating on a test
• determine the presence or properties of (a substance)
• undergo a test
  

from Princeton WordNet

While I don't think we'll find anyone that argues that test is not a verb, people involved in software development seem to use it primarily as a noun. I have nothing against the many things we create that we call tests. Our test cases, test code, test charters, and whatever test things we create can be useful tools -- but they are not the test.


Let's think about test in a different light.

Several years ago, Shrini Kulkarni challenged me in questioning whether there can be such a thing as an automated test. I don't think I disagreed with Shrini. I've not been one to trust testing to machines, but I've been a fan of automation throughout my testing career. I've automated many testing tasks, but not believed I can automate the testing itself.

Earlier this year, Michael Bolton told me of a distinction he was thinking about between checking and testing. While I had no disagreement with this distinction, I wasn't thrilled with the terms. I wanted something more descriptive. I thought Michael was making a distinction I had been trying to make: a distinction between validation and investigation. I've since come to understand that Michael is making a slightly different distinction. Michael has recently written a series of blog posts better describing the Checking vs. Testing distinction. Michael has limited the scope of checking to observations and decisions rules that can be executed without sapience -- without a brain-engaged human. If something requires human sapience, it is testing, not checking.

Yesterday, an insightful tester, Lanette Cream, made a nice attempt at defining test on her blog. In her latest revision, she defines test as follows.

A test is
an action
which produces discoveries
that can be used to evaluate product quality.

I like that this definition identifies action, discovery, and evaluation as being core to testing. However, I'm thinking of pushing, or rather constraining, this just a bit further.

What if we were to say that the evaluation is the action and discovery is the goal?

A test would then be the sapient part of validation or investigation -- the thinking and learning that cannot be automated. All those other things we do to test are really support activities that help us evaluate.

Test is not a document. Test is not code. Test is not executing a program. Test is not applying a procedural decision rule. Test is not anything that can be done by a machine. Test is the act of evaluating. Test requires sapience.

Test is thinking and learning that leads to discovery. We may test by evaluating existing data. We may test by running experiments that produce new data. We may take the output of automated checks to test. We may provide what we learn as input to coding new automated checks. The test is the action we perform in our minds.

This may come across as nitpicking vocabulary. That's not my intent. My goal is not to limit anyone's definition of test, but rather to shed a different light on what I believe sets testing apart from checking, and gives both checking and testing value.

If a check fails in a forest and no one is around to hear it, does it make a sound?

The true value of our checking and testing is in the mind of a sapient tester. What value is there in all the things we call checks and tests without a tester (whatever their role or title) evaluating information and learning?

Test is sapient evaluation that leads to discovery

.

I'm not quite comfortable with this. I want the emphasis to be on the sapient activity; and not generating and collecting data to support the thinking without ignoring that it is a necessary part of testing.

Regardless of where we shine the light or draw lines, let's keep in mind that test is a verb.

What do you think? Testing of my half-baked ideas is welcome and appreciated.

Comprehensive Understanding?

"Anyone who feels
that he
can precisely define
the boundaries of his profession
either
possesses a skill of little importance
or
is incredibly naive."

- William F. Sharpe,
The Economics of Computers, 1969

Marginal value & cost of software

* Image from the Economics of Computers, by William F. Sharpe.

Cost of additional copies approaches zero ONLY IF no maintenance or customer support costs are associated with sales of additional copies.

If your quality stinks, expect that supposedly 99% profit copy you sold me to increase your costs.

Quality improvement that reduces maintenance and support costs can have great value!

If scripted tests can't find bugs...

Shrini Kulkarni (@shrinik) tweeted that a friend told him if exploratory testing finds bugs not found by scripted testing, it may be due to insufficient or incorrect test planning and review.

Perhaps there aren't enough test cases. Perhaps testing techniques weren't applied properly. Perhaps the review of tests was done wrong.

However, perhaps -- just perhaps -- people are fallible and can't completely understand or work through the complexity of their customer's problems and the technical implementation of a solution with finite knowledge, finances, and time.

If it is reasonable to expect testers to design enough tests to exercise near-infinite paths with near-infinite data variations in a software system, then I think it should be reasonable to expect software designers and coders to anticipate everything that could go wrong and prevent all threats to the value of the software they produce -- all with finite finances and time.

If this were reasonable, then it would be reasonable to skip testing altogether.

In the real world, it is just as unreasonable to expect perfection from test case designers as it is to expect perfection from all the other people involved in developing software. Is it not?

One of the things exploratory testing helps avoid is locking in our level of ignorance that exists at the start. An explorer can use information gained as they explore to help guide where they go and what they do next.

So you think you've achieved maturity?

Some people say that Ada may be the last major high level language that will ever be developed, since automatic program generation techniques may be available in the not too distant future. Thus it seems fitting that the last major programming language be named in honor of the first female prorammer.

- Richard Wiener and Richard Sincovec,

Programming in Ada, 1983

Arrogance combined with foolish optimism? :)

Freedom & Responsibility Culture

Cool. Based on this slide deck, it appears that Netflix has a good understanding of developing and sustaining a corporate culture of Freedom & Responsibility.

Culture

View more presentations from reed2001.

F.A.I.L.U.R.E.

F.A.I.L.U.R.E.

A mnemonic for testing error handling & reporting.

F.A.I.L.U.R.E.

View more presentations from Ben Simo.

Is There A Problem Here?

Over the years, I have collected a number of examples of software failures in the wild -- some I've encountered myself, some were shared by others. I've had intentions to create a blog for sharing these software failures, and new ones as they are discovered, with hope that software designers, developers, and testers can discuss and learn from them. I have finally launched that blog. It is titled Is There A Problem Here?

I invite you to visit the blog and contribute at http://IsThereAProblemHere.com.