[TIP] Web Application Testing Code of Ethics?

Noah Gift noah.gift at gmail.com
Thu Nov 20 07:25:14 PST 2008

On Thu, Nov 20, 2008 at 9:52 AM, C. Titus Brown <ctb at msu.edu> wrote:

> On Thu, Nov 20, 2008 at 01:37:56AM -0500, Noah Gift wrote:
> -> The web is a weird world, because of the mixture of technologies, like PHP,
> -> javascript, ruby, python, perl, actionscript, etc, that are often quick and
> -> dirty functions in a couple of files.  I have a friend that has to deploy
> -> applications quickly for many of these languages, it isn't me I promise :),
> -> and he often finds that a developer tells him.  Oh, it works, don't worry,
> -> just update the production site...and do it NOW!
> -> About 50% of the time, things break, when he goes to deploy, and it turns
> -> out to be a hardcoded database password that is wrong, absolute paths, and
> -> more.  Other than telling this guy to get another job, which is probably a
> -> wise move, is there a commonly accepted minimum level of testing that a web
> -> developer should ethically subscribe to across all languages?
> ->
> -> If I was in his position, I would tell the developer(s) that routinely give
> -> him broken web apps that they were poor developers for not including at
> -> least some basic tests.  These could even be minimal, like a script that
> -> connects to the database and tests a couple of URL parameters for example.
> ->  Is there anything I could point him to that could help convince the CTO and
> -> developers at this company that testing is just ethical?
>
> Layering additional requirements on people (whether or not you tell them
> that they suck first) generally doesn't work unless you're in a position
> of power, and even then they often find a way around your requirements.
> So I think it's unlikely to work well.

I agree, yet, this is a behavioral issue remains an issue for web

> Why don't you tell your friend to build some simple smoke tests --
> using Selenium or twill, for example -- that exercise the deployed
> site(s)?  Then he can figure out quickly and easily if things are
> broken.

That is pretty much what I told him a while ago, that he needs to use CYA
techniques like writing tests for the developers that don't write their own
tests, and also monitoring website status codes covertly in case a rogue
developer does an svn update using the root account which is publicly
available, and breaks everything.  One issue is that a lot of these sites
are flash, too, which do "fancy stuff", but maybe make one call to a
database to pull something out.  See, this is the kind of stuff I want you
and Grig to cover in a book, covert, black ops testing. There is already a
book on how to become a javascript ninja, how about how to be a testing
ninja that can test ANYTHING, even code he didn't write.

> Another strategy might be for him to set up a simple staging environment
> on his own and deploy things there first; that would let him break
> something other than the production site.  If he automates the
> deployment from staging -> production and also automates the test
> running, then he'll be just as fast when it all works but he won't
> deploy broken stuff.

This is a pretty useful technique as well, if you are in an environment that
lets someone have that much discipline.  I think people have the ability to
walk in and say, this site goes live in 5 minutes.  It also brings up an
important issue.  Python doesn't have a deployment tool, that is widely used
and easy to use, like Ruby does with Capistrano, or Puppet, that I am aware
of.  I was talking to Kevin Dangoor about this during his Paver talk at
PyWorks, http://www.blueskyonmars.com/projects/paver/.  I could make the
argument that web testing and deployment are closely related tasks, and
perhaps deployment even falls under the umbrella of testing.

> Both of these strategies duck the systemic problem (developers not
> testing) but make it easier for your "friend" to do a good job.

I still think there is a minimal level of testing, in any language, that
should come with a web app, and that it could be summarized in an elegant
way that wasn't too condescending.  Where is our generation's Nancy Reagan,
"just say no" to untested web apps?

> --titus
> --
> C. Titus Brown, ctb at msu.edu

Noah Gift
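
The kind of post-deploy smoke test discussed in this thread, as an added example that is not part of the original messages: it requests a few paths, fails on any non-200 status, and also fails when a 200 page carries database-error or absolute-path text. The patterns, the paths and the local stand-in site are constructed assumptions.

```python
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Illustrative (assumed) signatures of a bad DB password or a leaked absolute path.
FAILURE_PATTERNS = [
    re.compile(r"access denied for user|could not connect to (the )?database", re.I),
    re.compile(r"(warning|fatal error):.* in /[\w./-]+ on line \d+", re.I),
]
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars

def smoke_check(base_url, paths):
    """Map each failing path to a reason; an empty dict means the deploy passed."""
    failures = {}
    for path in paths:
        try:
            with OPENER.open(base_url + path, timeout=5) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx are results, not crashes
            status, body = err.code, err.read().decode("utf-8", "replace")
        if status != 200:
            failures[path] = f"HTTP {status}"
        elif any(p.search(body) for p in FAILURE_PATTERNS):
            failures[path] = "error text in 200 response"
    return failures

SAMPLE_PAGES = {  # constructed stand-in for a deployed site, so this runs offline
    "/": (200, "<h1>Welcome</h1>"),
    "/item?id=1": (200, "Warning: mysql_connect(): Access denied for user 'web' in /var/www/db.php on line 12"),
    "/report": (500, "Internal Server Error"),
}

class SampleSite(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = SAMPLE_PAGES.get(self.path, (404, "not found"))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body.encode())
    def log_message(self, *args): pass  # silence per-request logging

def run_against_sample_site():
    server = HTTPServer(("127.0.0.1", 0), SampleSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return smoke_check(f"http://127.0.0.1:{server.server_port}", list(SAMPLE_PAGES))
    finally:
        server.shutdown()
```

Against a real deployment, call `smoke_check` with the site's base URL and a handful of paths that each touch the database, and block the release when the returned dict is non-empty.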

More information about the testing-in-python mailing list