The Two Sides of Testing
The Two Sides of Testing
Is testing about checking against system requirements, or is it about exploring the software? In this article, Elisabeth Hendrickson explains a valuable truth often clouded by this debate—good testing takes advantage of both of these approaches.
Many years ago in a hallway conversation at a conference, a test manager and I were discussing our respective approaches to testing.
"If they can't tell me what the software is supposed to do, I can't test it," Francine, the test manager, scowled. "So, I tell them that I won't start testing until they produce a detailed requirements document."
My eyebrows shot up through my hairline. At the time, I was working for a Silicon Valley software vendor that made consumer applications. If I waited for a comprehensive specification before I started testing, I'd be waiting forever. And, I’d be fired for failing to contribute meaningfully to the project. I said something to that effect, and Francine just shook her head at me. She couldn't imagine not having detailed specifications. I couldn't imagine holding the project hostage until I got documentation.
Unable to see each other’s point of view, we wished each other a good day and headed off in separate directions.
The Eternal Raging Debate
That hallway conversation represented a familiar debate in the testing community: Does "good testing" involve systematically executing a comprehensive set of scripted tests designed from the requirements or specifications for the system? Or, should testing instead involve an investigative approach to exploring for risks? The answers to these questions have historically divided the testing community. The debate has sometimes become downright rancorous, with each side accusing the other of irresponsible practices that increase risk and decrease quality.
In the past, I was firmly on the side of using exploratory approaches. For most of my career, I worked for organizations that preferred lightweight documentation, so we didn't usually produce detailed test scripts. Even if those organizations had wanted binders full of step-by-step test cases, I agreed with James Bach that sticking to a testing script is like playing a game of Twenty Questions where you have to ask all the questions in advance.
However, my perspective on this debate has shifted in the past several years as I started working with agile teams that value testing in all forms. I have come to realize that the old discussion of whether "good testing" involves predefined, detailed test scripts or exploratory testing is like pitting salt against pepper, glue against staples, or belts against suspenders.
It is a false dilemma and a pointless debate.
Checking
Like most agile teams, the teams I work with use lightweight stories as placeholders for a conversation about the requirements. That conversation happens when the team is ready to start implementing the story. At that point, the team captures the details about expectations and acceptance criteria. Before we call the story "done" we need to check that the implemented story does what the product owner intended.
Reflecting on the conversation that Francine and I had all these years ago, I can still hear her words: “Until they tell me what the software is supposed to do, I can’t test it.”
If we reframe that statement a little, we get: “Until they tell me what the software is supposed to do, I can’t check that it does that.” That makes sense. We have to know what the product owner expects before we can implement it and before we can check it, so that’s why we have discussions about user stories to gain shared understanding about the expectations.
Some agile teams have adopted the practice of capturing the results of these discussions in concrete examples. For instance:
Given I am not logged in
When I visit the Edit Profile page
Then I should be redirected to the Login page
When I log in
Then I should be redirected to the Edit Profile page
(This example is expressed in the Given/When/Then style that has been popularized by the behavior-driven development (BDD) community and is associated with BDD tools such as Cucumber.)
You might notice that when we capture acceptance criteria in the form of concrete examples with expectations like this, they look a lot like scripted tests. We use them like scripted tests, too; we check that these expectations are met not just when we first release the feature but also in subsequent regression tests to verify that the system still meets these expectations. Because agile teams value fast feedback and need to run these tests so often, we automate these checks in order to keep the regression testing burden to a manageable level.
When a team takes this approach of capturing the acceptance criteria in the form of tests, it’s reframing Francine’s position even further: “Until we know how we’re going to check this feature, we don’t know enough to build it.” That’s a subtle but critical shift that puts tests at the front of the line instead of relegating them to the end of the cycle. The result of that shift is that tests are not just connected with requirements; they become an expression of the requirements. They're specifications—they specify the expected behavior of the system. When automated, they become executable specifications.
Exploring
No matter how careful we are when we implement a given story, just checking the story against expectations is not sufficient to ensure we’ve covered everything. There is always the risk that we didn’t anticipate some condition or interaction that could result in bad behavior.
Exploratory testing—particularly session-based exploratory testing as defined by James and Jon Bach—gives us a structured way to investigate the system, looking for risks and vulnerabilities. As skilled testers, we use test design techniques and analytical skills to run one small experiment after another, using the information we discovered from the last little experiment to guide the next. As we exercise the system, we vary configurations, permissions, and data. We perform different actions, perform the same actions but in a different order, and perform actions at unexpected times.
As we go, we watch carefully for signs that we’ve stumbled onto a condition that the system does not handle correctly. In-your-face, unhandled exceptions, like an error message reading "ORA-01400: cannot insert NULL," would be one such sign. However, we're also looking for little hints of potential problems, such as lagging response times. Each small surprise might point to a potential risk that warrants further investigation.
For example, on one project, I discovered in my explorations that a field on a form that should have been read-only was actually editable. That's a small sign of something amiss, but it pointed to a much bigger problem. The field represented the groups to which a user belonged. By changing the value in the field, and without having system administration rights, I discovered that I could make myself an administrator. Obviously, this is a problem.
If it had remained uncaught, we would have had a big security hole in our application.
Tested = Checked and Explored
Agile approaches emphasize producing completed features during every iteration or sprint, at least monthly. Before we can call a story “done,” it has to be tested.
Remember the conversation that Francine and I had and consider our different approaches to testing. Francine emphasized checking; I emphasized exploring. Our approaches are the two sides of the testing equation:
- Checking: Does the system do what it's supposed to do?
- Exploring: Are there any other risks or vulnerabilities that we haven't thought about yet?
In hindsight, I can see that both Francine and I were right. And, both of us were wrong. Each of us had identified an important aspect of testing, but neither of us saw the whole picture. In order to have enough information to declare a story “done,” we have to check it and explore it. Both sides of testing—checking and exploring—are critical to releasing high-quality software.
Additional Resources
- "Testing vs. Checking" by Michael Bolton
- "Session-based Test Management" by Jon Bach
- "Behavior Modification" by Dan North
Comments
#1 Submitted by Debbie Odell on Fri, 12/09/2011 - 13:55.
Documented Test vs. Exploratory Test
I liked your article. I've been working on IBM's z/OS operating system for the past 22 years as a tester and have learned quite a bit about organizing a test. Because of the size and complexity of testing operating systems code, we require detailed designs of the components that make up the system. So, we typically design our tests based off of the Functional Specification that development uses to develop their code. Having a detailed design ensures that the entire team (development and test) is on the same page with regards to assumptions, inputs, states of the system, serialization, interactions, outputs, etc. Having said that, we can not think up all the tests necessary to ensure functionality, recover-ability and serviceability at the beginning of the test. So, our teams typically will define a set of tests that we must do and then leave a percentage of tests that are undefined that will be defined as the project progresses. This technique becomes really useful when finding a defect in the code and you want to try a slightly different twist on the scenario that found the bug...you want to explore that area of the code for more weaknesses. So, a combination of detailed documented tests and exploratory tests works well for the areas that I have tested.
Sincerely,
Debbie Odell
#2 Submitted by Xiaomei Tai on Fri, 11/11/2011 - 03:12.
“ Checking: Does the
“ Checking: Does the system do what it's supposed to do?
Exploring: Are there any other risks or vulnerabilities that we haven't thought about yet?”
Checking, to me, may be done in a more formal way, compared to exploring. So I roughly divide testing into formal testing and informal testing.
And I think, generally, checking is done first so that we can verify the basic or normal examples of the software, and then exploring is done to explore some deeper hiden bugs. Based on this, I got a statement:"In general, formal testing is done before informal testing." Of course, sometimes, you can first explore before you even know anything about the product. That's the reason I put "In general" here.
I debate a lot with James Bach about this statement. James insists on that at all times informal testing occurs before any kind of formal testing.
After reading your artical, I know maybe I used wrong words in my statement. If I say "In general, checking is done before exploring", is it OK?
#3 Submitted by Elisabeth Hendrickson on Sun, 11/13/2011 - 05:18.
Checking and Exploring: what order?
Hi Xiaomei Tai,
If the team is doing test driven development (TDD) and acceptance test driven development (ATDD), then the team writes the checks before they even write the code. So checking naturally happens first. But that's rare.
If the team is not test-driving the code, I don't want to say that exploring should happen after checking. Too many teams have the extremely unfortunate belief that exploring is to be done only with "left over" time. Since most teams are under time pressure to finish sooner, there is rarely time left over. That means these teams do very little exploring.
However, I also don't think we should do all the exploring before checking. Both checking and exploring are essential.
So if the team is doing manual checking, my preference would be to do checking and exploring at the same time. That might mean check a little, explore a little, check a little more, explore a little more. Or it might mean that different people are working on the checking and exploring tasks in parallel.
Thanks!
Elisabeth
#4 Submitted by Paul Gerrard on Thu, 11/10/2011 - 08:43.
Using Stories Test Requirements and Software
Hi,
Really pleased you said this. All makes sense and it sits nicely with what we have been proposing for some time, but there's a broader view of how stories and examples can help.
In an Agile project, yes scenarios or acceptance criteria provide illustrations of features in use (as envisaged) and can and should be used as later tests (by testers in acceptance and/or by devs in BDD/TDD).
But in a Project that does have requirements, and the requirements inevitably need challenging and refinement, the stories can provide examples of the required features in use in exactly the same way. "Is THIS what you mean to happen?" So in effect, stories and scenarios provide a way of testing assertions and assumptions made in requirements as well as defining tests of the delivered software based on thos requirements.
So stories have value upstream, down stream and as examples in their own right. They are in effect a lingua franca for stakeholders, developers and testers. Ooooohh.
They are appropriate for Agile projects, structured projects - ALL projects.
An interesting spin off from this idea is the reaction of developers. A developer using stories as specs for their components and using a test-driven approach need not be 'agile' at all. They are simply working on requirements and examples that align and provide a richer definition of the software to be built.
I think stories could be the missing-link in the communication gap for all software projects.
#5 Submitted by krishna devathi on Tue, 06/07/2011 - 04:08.
transition from traditional to agile way of working
That was a nice article and thank you for writing this. In my day-to-day activities as a test lead, i deal with many projects and the team size ranges from 2 to 8 and all my clients follow agile style.
Even though it is more than 6 months that the teams are working in agile methodology, some still ask where is the documentation for this. The most important thing is that the testing is outsources to us and we rarely participate in the meetings with the developers ( This is because the testing is contracted by the actual contractors who are not the clients...i mean to say, we are at the end of a chain of contractors.) Most of the time, the team members discuss and bring assumptions to the table and they continue to test. Even most experienced testers find it difficult to judge whether our assumptions are right or wrong. stats say that 70% of the assumptions are right and 20% of the remaining assumptions always go wrong because they are dependent on the 10% assumptions(which are wrong). I read several books and articles about the way agile team should work, but there is lack of clarity in addressing when the teams are geographically separated with more than 12+ hours of time difference between the dev team and test team.
How to tackle this situation ? Many a times i judge that this is right or this is wrong and sometimes i too have to assume about functionalities and features of the product.
Agile teams should work in close contact with quick communication and collaboration tools in place, but how is this done in my team's case. we are strictly said not to ask any kind of documentation to any client and the feedback from our clients at the end of testing is that " even we can do that testing, what we are expecting is more in-depth testing". I see that this is more of a project manager's mistake in handling clients and negotiating about the work flow and requirements gathering.
Please let me know your opinion on this.
#6 Submitted by Brett Tramposh on Mon, 06/06/2011 - 15:54.
getting Agile to work
Thanks for the article Elisabeth, you have highlighted something I think we have all struggled to articulate at times.
Throughout my career I have focused on products that serve a customer or business need, which tend to be very sensitive to the market drivers and the window of opportunity. That has always led to a risk-based approach, combining the exploratory testing with requirement/behavior validations as you explained. We never released 'bug free' software, but we always released quality software that met our customers expectations.
I have discussed with other colleagues who work on medical equipment and aircraft equipment, and they have a very different world where the specifications drive the testing in a more waterfall/iterative approach that rely heavily on documented process and certifications. It makes sense to me that the approach we take to assuring the quality has to consider the product and the level of risk involved, and that no single approach can be applied across the board (yes, captain obvious...).
I have found a good middle ground in our agile development here at Webtrends, where we have embedded QA with the development team in delivering the stories through a mostly exploratory testing approach, defining the acceptance criteria and behavior and doing proofs at the conclusion of the iteration. We then have our offshore QA team writing more detailed test cases that are used to prove functionality and compatibility, and eventually as part of a regression suite. This method continues to improve and we find our velocity and our quality are maintained throughout the project lifecycle.
I personally enjoy the agile approach and exploratory testing strategies over the detailed requirements validation, but I do know that there are QA folks who are very good at delivering quality through other channels, so I can appreciate both 'schools'.
All the best,
Brett Tramposh
Post new comment