Comments on: Checklists -The Preserve of the Intelligent http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/ Security Enlightenment - Mark Curphey Tue, 02 Dec 2008 21:49:34 +0000 http://wordpress.org/?v=MU hourly 1 By: Andre Gironda http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11823 Andre Gironda Wed, 20 Feb 2008 00:51:01 +0000 http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11823 @ MikeA: Excellent point. Exploratory testing assumes a lack of a checklist (i.e. test cases) and allows the testers to work by building a test charter while learning the application. It doesn't mean that other testing methods can't be used. Exploratory testing also sets itself apart from ad-hoc testing, but maybe that is a separate argument. I also don't feel that it has to be "timeboxed" unless of course you are referring to the idiom that humans repeat themselves every half-hour. In this situation, it's best to set aside time buckets for Exploratory testing, with test case improvements in between that time. I'm also a fan of the Think Aloud Protocol and pair-testing. The testing reputation system put forward by Ramya Venkataramu and Ryan Gerard while at Symantec is one of my favorite concepts for this type of testing. @ MikeA:

Excellent point. Exploratory testing assumes a lack of a checklist (i.e. test cases) and allows the testers to work by building a test charter while learning the application. It doesn’t mean that other testing methods can’t be used. Exploratory testing also sets itself apart from ad-hoc testing, but maybe that is a separate argument. I also don’t feel that it has to be “timeboxed” unless of course you are referring to the idiom that humans repeat themselves every half-hour. In this situation, it’s best to set aside time buckets for Exploratory testing, with test case improvements in between that time.

I’m also a fan of the Think Aloud Protocol and pair-testing. The testing reputation system put forward by Ramya Venkataramu and Ryan Gerard while at Symantec is one of my favorite concepts for this type of testing.

]]> By: MikeA http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11793 MikeA Sun, 17 Feb 2008 17:59:41 +0000 http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11793 (specifically talking about testing here - as that's my field, but appropriate to other areas as well) Um, if a methodology is't a (form of) checklist, then what is it? You need a checklist/methodology, or you just end up doing ad-hoc stuff. There's nothing "wrong" with an ad-hoc approach, as it can (and does) find thing that you wouldn't usually, but it has to be timeboxed. I would be very surprised to know that people doing testing, or configuring machines, etc, are not using some checklist or methodology. When it comes to system design/programming on the other hand, I've too often seen these things left until the last moment. (specifically talking about testing here - as that’s my field, but appropriate to other areas as well)

Um, if a methodology is’t a (form of) checklist, then what is it?

You need a checklist/methodology, or you just end up doing ad-hoc stuff. There’s nothing “wrong” with an ad-hoc approach, as it can (and does) find thing that you wouldn’t usually, but it has to be timeboxed.

I would be very surprised to know that people doing testing, or configuring machines, etc, are not using some checklist or methodology. When it comes to system design/programming on the other hand, I’ve too often seen these things left until the last moment.

]]> By: Kees Leune http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11792 Kees Leune Sun, 17 Feb 2008 13:23:41 +0000 http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11792 (apologies for the typos in the above comment; my toddler was "helping") (apologies for the typos in the above comment; my toddler was “helping”)

]]> By: Kees Leune http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11791 Kees Leune Sun, 17 Feb 2008 13:22:49 +0000 http://securitybuddha.com/2008/02/17/checklists-the-preserve-of-the-intelligent/#comment-11791 That robot checklist is awesome, but I rather than making this an argument for good checklists, I would say that this is an excellent argument for the power of well-done <em>technical documentation</em>. Documation is something that most people in our industry abhor, because that is not what they went to school for. Programmers need to program. security peeps need to secure, <em>documentalists</em> need to <em>document</em> and <em>librarians</em> need to <em>librarify</em>(?). The latter two are common position in "old-school technical" professions, such as aviation, engineering, etc. I still need to see many of these job titles in Information Security. That robot checklist is awesome, but I rather than making this an argument for good checklists, I would say that this is an excellent argument for the power of well-done technical documentation. Documation is something that most people in our industry abhor, because that is not what they went to school for. Programmers need to program. security peeps need to secure, documentalists need to document and librarians need to librarify(?). The latter two are common position in “old-school technical” professions, such as aviation, engineering, etc. I still need to see many of these job titles in Information Security.

]]>