"Some birds aren't meant to be caged, their feathers are just too bright"- Morgan Freeman, Shawshank Redemption. This blog is from one such bird who couldn't be caged by organizations who mandate scripted software testing. Pradeep Soundararajan welcomes you to this blog and wishes you a good time here and even otherwise.

Tuesday, March 01, 2011

Coaching testers how to email and influence stakeholders

One of the ways Moolya is going to become a great organization is by attracting, hiring and retaining good testers. Sreenuraj Varma who won our heart for this blog post asked us if he could work for Moolya. We got him to test things out and send us test reports.  We found that we liked him to work with us and he liked to work with us. So, we hired him a couple of weeks ago.


Before the project work kicks off, I asked him, what he'd like to develop himself on and he made a list of things that impressed me. I then sat with him to get more specific and identified "writing influentially" as one of the things he wanted to develop. I created an exercise and got him to work on it. I have done this before so I knew what to expect.


I wrote down the goal he had to accomplish:


You are hired as a tester in a team and in your first week you discover that there are many important tests that the team is missing. Your objective is to send a mail to all test team members pointing out the tests they are missing and the impact it has on the project.

To consider:
·         You are new to the team
·         The team has lot of experienced testers and they know about the project more than you
·         You don’t know how they would take your advice
·         If your English is bad some people may not take your advice seriously
·         This email can help you build or break your credibility with the team




So, he worked on it and got back with the following:



Dear All,


For the last week I was going through the application and the important bugs reported on each module. I feel like there is a lack of concentration on the issues related to security, which I feel important because the application is meant to be used by common people and also the modules are designed to be getting in-cooperated with the bank API’s where there is a possibility that we may lead our users to compromise their valuable details.

As we are in the stage of completion of second round of testing I would suggest that it will be good if we can do a quick analysis in the area of security were our application have to be  checked for most common security issues.

Looking forward for your suggestions



-- Sreenuraj


I then reviewed the above email with him stating things that is causing me to not think of it as an influential email and provided specific feedback and asked him to work on it. After a couple of hours, he came back with the following




Dear All,


Last week I was going through the application and was learning the work flow happening in the important modules. I have also gone through the first and second phase test reports we have for the modules. But I think we have not done a security testing for our application. I feel it is important because of the following reasons.

a)      Loss of customer confidence
b)      Can increase the web sites down time (reinstalling services, restoring from backups etc)
c)       Harm to our brand

When I was in module “A” which is the most important one, I found that some basic validations missing for the text fields. No checking was found for validating the special characters. This is found repeated in almost every module I have gone through. Below I am mentioning some of the issues I have came across.

a)      Cross site scripting is possible in almost every module
b)       Data tampering is allowed
c)       The cookies which are used in one session can be used again

As we are in the stage of completion of second round of testing I would suggest that it will be good if we can do a quick analysis in the area of security were our application have to be  checked for most common issues.

Looking forward for your suggestions

Thanks&Regards
Sreenuraj Varma M

Yo, I again sat with him for the next set of feedback about why I still think the email is not influential enough and pointed him to links such as An open letter to the Prime Minister of India by Rajdeep Sardesai.

He read through it, gained some ideas and started to work on the next version of it.

Hi Team,

This is Sreenuraj recently recruited for the position Software tester for the organization. My last week assignment was to learn the project work flow and to refer the available documents which QA holds against each modules of the project like test plans, reports, bug reports etc.

As we are in the completion of second phase I think we have covered almost all the important things in functionality testing. Most of the bugs are fixed and retesting for the same is also done. But some of the bugs reported against the security testing done in important modules are found to be in open state. I have also noted that some of the bugs were raised in the first stage of testing. Because of that I think the number of issues reported against security testing in the second phase have gone down. Also there is no status report available for those bugs from the development side.

Below mentioned are some of the important issues I have came across in the application which was not found in the bug reports may be not reported because of the above said reasons:
a)      The validations for text boxes in the Login screen and the home page for special characters were missing.
b)      User is allowed to insert html scripts into the text fields for the above said pages.
c)       The data which is submitted for the module “A” can be tampered and user is able to alter the data which is transferred .(Bypass the client side validations)
d)      Data tampering was also success in the module “B” where file type can be changed and user is able to include a file with unsupported extension (like exe .. )

Some of the points I would like to suggest are
1.       - Before the completion of phase 2 of testing we should conduct a security testing in the application for the important modules and report the issues found.
2.       - Discussion with the development team in regards with the Issues reported and which are still in open stage, also record the status before second phase of testing ends.
3.      -  It will be good if we can conduct a workshop/training session for both the development & testing team where importance of security related matters in the project can be discussed. Also we can emphasis on client’s expectation in the area of security which is described in the requirement document.

Looking forward for your suggestions

Thanks & Regards
Sreenuraj Varma M

Nah Nah! Not good enough for me. After having coached many testers, I have gained wisdom to understand the point at which I have to step in and do something different than saying, "Not good. I hope you work on these points". So, I decided to send him, my version of the same.

Dear Team,

Greetings!

It is a pleasure to be starting to work with you. In just a week, I was glad to discover that there is great energy you people are bringing in. Its motivating for me to work with you. As I see that a new team member brings in fresh and different value, I'd like to present some kind of value addition I could do.

In this email, I'd like to bring a few points to your notice that might interest you. I am aware that some of the points I am going to bring up here might already be known to you all but I felt it is my responsibility to let you know of what I found.

Security issues for NNNCC Web App (Just an example)
  • I found that the directory listing is enabled. As we hold confidential information with us and not all pages are exposed to all users, we might be in a position of risking our customers data.
  • I found that there are error messages that can be customized at the URL. For example, I can make an error message saying, "As Pradeep is on leave, we can't service this" to appear from the page by editing the URL.
  • I also found that there is a way to bypass the security by storing and using cookies of previous session. When our customers use a public machine to access their data, we are risking the customers data to be known to others who may discover cookies.


Based on the above, I'd like to make a few humble suggestions:


  • I understand that the focus is on getting our software functionally right but on the effort of trying to get that, we appear to be sacrificing security.
  • I would love your opinions on budgeting for security testing for every release henceforth. As I am a new hire to this project, I would take up the responsibility for testing security for the next couple of releases till I ramp up on other things.
  • I would be extremely delighted to meet with you all on this, so am planning to setup a meeting on Friday 24th Feb 3 PM. I have looked into your calendars and have chosen the mutual free time. I am open to suggestions of other date and time.


Thanks and Regards,


-- Pradeep Soundararajan

This time, he came back with the notes he made about this exercise while continuing to work on the skill of writing influential emails. This is going to go to a point where he would learn to practice on his own. He in on the third exercise with me working on test strategy. Our clients are going to be happy to have him on the team. He is showing lots of enthusiasm, hard work and effort. We are happy.

At Moolya, we are going to lay emphasis on how people write and communicate. We might sound stupid but we have realized that people who can write well, get things done quicker and better. In my own consulting experience, I took an email which had not received a favorable response from the management and helped the test team re-write it. We waited for a day and there came a response to it and things got moving.

Add "influential emailing" to your wanna have skills if you are a tester. There's a good example to it in Michael Bolton's blog as well. I am working on a tutorial to help testers write and communicate influentially to stakeholders. Maybe I will take it Star East or Star West. 

21 comments:

Unknown said...

My Best Wishes to Sreenuraj Varma M.

You will do well, as you are passionate in what you do and the mentor you have is one of the best tester here.

Pradeep is lucky to have a tester like you in his team.

Good thing is, you are getting the best from James, Michael and other passionate testers experience. All these things from one Man Pradeep.

Cheers
Suresh

Karthik said...

A must have skill for an effective tester. Unfortunately population of testing folks has diluted the quality of Testing in large services organization. These qualities make a "good" tester stand out from the herd.

I'm already itching to take a look at Pradeep's tutorial.

Cheers
Karthik

Prabhat Nayak said...

A great post!!! The thing that impressed me most here is Pradeep's patience and perseverance in putting efforts for the betterment of others. This is one of the reason why you are one of the best, sir!!

Within merely a day and 3 attempts, the level of quality in writing Sreenuraj has acheived is worth praising. It is because he has the passion to learn. I have come across many people who are very reluctant in admitting the bad skills they possess. For such kind people it is a good source they should draw inspiration from and for those who are always eager to learn, it certainly is a gift.

Kimmo said...

Great post from my behalf also. Over and over again I have stumbled across the same issue that message I want to tell is not understood on the stakeholder side. From now I will start to work on quality of communication like this.

Kamesh said...

Hi Pradeep,

Out of curiosity, your posts seem to be like advertising your company moolya always..boosting your work as always and recently you have started boosting your company everytime.....
Just my 2 cents...

Pradeep Soundararajan said...

@Kamesh,

I have lived 30 years. No one came forward to boost my work and skills as much as I did. I am sure the same with you.

So, its fair. I am doing it on my blog. So, its all the more fair.

BTW, do you see any value a tester can gain out of this post ignoring the marketing part?

If you can't see, stop reading my blog.

Kamesh said...

I saw that you are in serious need of marketing yourself everytime.
Go On Maaaaaannnn...
Do it as you always do.

Pradeep Soundararajan said...

@Kamesh,

How strange. Talking about the company I started is bad, huh?

rao said...

Good One Pradeep.

The objective of any blog is sharing and transferring knowledge. May be marketing is part of that. No need to worry. Go ahead!!!!

Priyanka Azad said...

Wonderful post Pradeep! This should be a must read not only for a tester but for anyone joining a new company!
Thanks so much, for creating this blog :)

- Priyanka

Anonymous said...

Hi Pradeep! I like the way you bring out the need for good writing skills as tester. However, I am not very sure you showed us the very best answer to your own question. Actually, I think Sreenurajs last one was better. Why?

The planned readers of the email was the test team itself, not the management nor test management. For me this means sharing your thoughts from the testers perspective. Your example is really more of something to send to business people of management, but for the same reason. This because you talk about budgeting for testing etc.

Also, I have to add the cultural aspect to it. Always remember to whom you write, not only the role but also culture, experience and situation in project. Of course you have the humble approach, but in environments I work in, that was overdoing it.

What rules do you use when writing influential email? Examples are good, but do you keep a cheat sheet for it?

Thank you for sharing, and I would really look forward to an update on this.
/Sigge

Pradeep Soundararajan said...

@Siggie,

Thanks for your comment. The context was to email to all stakeholders and that is the reason why you saw me address many different stakeholders beyond the test team.

What rules do you use when writing influential email? Examples are good, but do you keep a cheat sheet for it?


I have it, not in form of a document but in my mind. Looks like you would get me to put it out. Will update if I build one. Also, as I said I am planning a class on this, I need to do document things out.

Joe said...

Pradeep, I agree with Sigge. Your blog quite clearly states "Your objective is to send a mail to all test team members..." with no mention of any stakeholders outside of the test team, and so the approach should be different.

I would also take issue with the bolding and underlining of 'humble'. To me, it reads as being over-emphasised to the point of sarcasm, as if you mean the exact opposite of what the word really means.

You also state early on that if your English is bad, then some might not take your advice seriously. As such, I'd look at some of the grammar, especially the use of 'it's' and 'its'. When you want to say that something belongs to it, then use 'its'. When you want to say it is, then use 'it's'.

Hopefully that will be helpful.

Joe

Pradeep Soundararajan said...

@Joe,

Agreed. I thought I had written "All stakeholders in the team" but now recognize it's (its) the test team.

The good thing about these practice exercises is, you can afford to make mistakes that people can help you in correcting it, just as you did to my version of the mail.

Being more used to writing to more than just the test team, I might have got my nerves to write to all stakeholders :)

Unknown said...

Hi Pradeep,
This is a good post. I appreciate the thinking and the exercise.
I am after this post and your version to Sreenuraj, eager to know how he took this.
I have seen testers in my team learn by themselves on the writing they need to do, and i see them doing good.
As a mentor i know you would love to see the results in Sreenuraj soon but for a tester especially aggressive ones does this method work?
Also what would you have done if he had given you the email that you had expected on the first attempt?

--Nikhil Ravindra

Sreenuraj Varma M said...

@Nikhil for every aggressive person there will be one or another kind of test/exercise which will help them understand in which area they need to concentrate or improve. Selecting the right exercises for the right person is what matters. I am glad that I am in moolya.

Unknown said...

:)
Thanks

chennadan said...

kamalesh you are right man..these guys James bach, this guy pradeep- think they are the supreme authority in testing and the only purpose of these blogs are to market their identity..poor fellows...hey guys dont you feel shame...

Pradeep Soundararajan said...

@Chennadan,

We guys are able to survive and lead a great life because good testers like you don't care about the community or share your work to the world.

If you want to keep silent and just show your anger on my blog, we will continue to survive. Watch us do well or do so well that we are made to look small.

Anit said...

@Kamlesh and @Chennadan

The answer to your question about Pradeep's way of doing things is very simple.

I did not know you guys and did not learn anything helpful from you.

How about if you just simply put your Website or Blog's links with articles that can help others. (We would be more than happy to visit that even if its full of ads.)

And if you can't do that then stop posting your stupid comments.

-Anit

Anonymous said...

Some posts are really good but some miserable as this !

Wonder how do you have all the time in the world to write such :)