November 22, 2017
It’s a common expression to hear people say that we should “get involved in the broader testing community” but what does that actually mean? In today’s episode, Jessica Ingrassellino, Matthew Heusser and Michael Larsen get into the specifics of that topic with Melissa Tondi, president of Software Quality Association of Denver (SQuAD). As all of the above are veterans of either participating in or hosting community meetups, we talk about how to make sure that you are meeting the expectations of your members, ways to keep them engaged and to help grow those community ties.
Also, in Software Testing news, have you taken steps to protect yourself from the KRACK attacks? If not, you may want to take a look at your WPA2 devices and remedy that.
- Software Quality Association of Denver (SQuAD)
- Denver Mobile and Automation Quality Engineering Group (Meetup)
- Serious flaw in WPA2 protocol lets attackers intercept passwords and much more
- White Hat (Computer Security)
- BAST: Bay Area Software Testers (Meetup)
- GR Testers (Meetup)
- Python Education Summit (2017)
- Lean Coffee (Meeting Method)
- Association for Software Testing Grant Program
- Melissa Tondi (LinkedIn)
- ConTEST NYC November 29th-December 1st 2017
MICHAEL LARSEN: Hello, and welcome to The Testing Show. I’m Michael Larsen, your show producer, and today we would like to welcome Jessica Ingrassellino.
JESSICA INGRASSELLINO: Hi there.
MICHAEL LARSEN: MATTHEW HEUSSER?
MATTHEW HEUSSER: Good time zone.
MICHAEL LARSEN: We’d like to welcome our special guest, Melissa Tondi.
MELISSA TONDI: Hello.
MICHAEL LARSEN: With that, let’s go ahead and turn our time over to Matt. It’s your show, boss.
MATTHEW HEUSSER: Thanks, Michael. So, we wanted to have Melissa on today to talk about user groups and collaboration. I know Melissa through the SQA Denver Conference, but she’s been in the USA Testing Community for a while. I don’t know if it was social media or whether it was STPCon, but when you contacted me, it didn’t feel like I was talking to a stranger.
MELISSA TONDI: [LAUGHTER].
MATTHEW HEUSSER: We were talking about bringing me out to Denver, but the audience doesn’t know you very well. So, tell us a little bit about what you do in testing and how long you’ve been doing it.
MELISSA TONDI: Yeah. So, I’ve been in the industry for over 20 years—probably pushing 22 years/23 years now. Almost the high majority of my time has been spent in some manner of software testing, quality assurance; and, recently, over the last 7, 8, 10 years or so, the quality engineering sphere. So, in addition to working with companies that value quality in testing and helping to transform them into quality engineering organizations, I’m also pretty plugged into the community. Both running the incoming second-time president of the SQuAD Association in Denver as well as a founding member of our DMAQ Group which stands for Denver Mobile and Automation Quality that meets quarterly, and then also participating with the community writing and speaking at conferences, much like you Matt.
MATTHEW HEUSSER: So, tell us about some of your favorite conferences or conference experiences.
MELISSA TONDI: You know, I really, really like the STP Conference. That’s a twice-yearly, probably targeting on the East and West Coasts, every other six months or so. I think it’s a good size. I think the quality of the speakers and the themes of the conferences really kind of blend well with what I’ve been trying to do and the people that I tend to go to when I’m looking for assistance or mentoring. So, that’s always been a really good experience for me. I always like to support the local or regional conferences as well. I’ve had some great opportunities, either virtually or physically being able to go into some of our West Coast Meetup Groups—monthly meetup groups—as well as a couple on the East Coast as well. So, I’m always interested because the local community here kind of helped get me to where I am. I’m always looking to give back to the community and see wherever I can help. Kind of a nice blend of those national—some international—conferences as well as going into those local groups and helping out where I can.
MATTHEW HEUSSER: Yeah. Great. So, before we get to the main segment, we usually talk about news, and Michael pointed out this KRACK. WPA2 has been cracked, especially for Linux Devices, which means Android Devices, which means when you’re on someone’s Wi‑Fi, you can be spied on, even if the little thing says, “Secure wireless,” even if you’re running under https. Two questions, I guess, “Is it ever going to stop, and what do we do now?” I have my own thoughts. I’ll send the questions to Michael first, just to guide us on the segment.
MICHAEL LARSEN: The one thing that I wanted to mention with this: Windows gets an especially bad wrap. They’re the ones that are the primary target for viruses, which makes sense. They have the largest footprint. For many years, people who were running Macs or who were running Linux Boxes, have oftentimes said, “Oh, no. You know, in general, we’re oftentimes not the ones targeted.” The way that the crack attack actually works is that it really does target Linux and Android Platforms abundantly. Basically, if you’re going to https‑protected pages, automatically you would think that, “Oh, as long as I’ve got that, then it should be okay.” You really want to make sure that the certs that you’re using, because you can go to an https site and many times you’ll get an untrusted icon and you’ll say, “Ah, whatever. It’s no big deal. I’m on a VPN. What’s the problem?” Well, a VPN can be reset or the idea is that you can have a key that can be reset to all zeros, and you’re not even aware of it because it’s been intercepted. Then, the next time you try to get in or you go through the VPN, you’ve been automatically hijacked and you can be followed through your VPN connection. That’s disturbing.
MATTHEW HEUSSER: Yeah. So let me make sure that I get it right then, Michael. My understanding is that it allows you to crack. It says that there are examples over VPN, there are examples over Linux Devices, Android, Free BSD, even iOS and OSX, which is what worries me. It says, “It’s cracking WPA.” So, that means, a lot of people use https, which is the protocol, which runs on top of http with the certs. WPA should mean, “Everything and everywhere you go is encrypted.” So, first, it cracks that. Then, you’re saying if you’re in an invalid cert. If you go to https://www.amazon.com, if that’s a valid cert, you shouldn’t be vulnerable? Is that right?
MICHAEL LARSEN: That is it. So, KRACK works by targeting the four-way handshake. That, when you get a client to join a WPA2 protected Wi-Fi iNet, the idea that both the client and the access have the correct credentials. Crack tricks the vulnerable client into reinstalling and already-in-use key, and then that causes a reset for packets. Then, you get the problem to where regardless of the connection that you’ve made, basically you’re hijacking the connection. So, if you’re going in over a VPN or if you’re going in over something that’s vulnerable, you’re using a key that’s already been utilized, and that’s a possibility for it. Now, if you’re using something that, for example in our VPN we have a mobile ID key that has to be reset every 30 seconds. So, if you login and you logout and you log back in again, that key is never repeated. Is that going to protect you? I’m not 100-percent sure. I’m going through and I’m looking at my particular WPA Connection (which I have) and trying to verify that, “Am I covering everything that they suggest we do?” It does say, however, that, “Windows and iOS Devices are less vulnerable.” It’s not saying that they’re not susceptible to it, but they “are less vulnerable.” Android and Linux Devices seem to be the ones that are most in danger of this.
JESSICA INGRASSELLINO: I guess I’m just curious about the targets of the attacks being more focused on Android and Linux, being that Android is purely a mobile platform and the way that it kind of reflects how we are interacting with the Internet. From a broader testing perspective, we used to interact and the “good information” was in .NET servers and Windows Machines and this sort of thing, and some were on Linux Servers. But now, many people interact with secure information on their mobile phones. Bank accounts, they might use a password manager, but they have a master key stored on their phone. There are a lot of different ways that we are using to mobile interact, and I think that this is kind of one of the biggest vulnerabilities that I’ve heard exploited on mobile that takes data in such an insidious kind of a way. Because the platform for Android is Open, I do think that makes it a little bit more vulnerable, like Linux. The platforms that are Closed—iOS, Windows, BSD Unix—those are the ones that haven’t had as much of an issue. So, I guess it kind of is an interesting reflection of the way that we have changed how we’re using technology and what kind of information we’re willing to put over our phones. From a testing viewpoint, it might be a way to rethink, for any company that has a mobile application, “How are you customers interacting (like really interacting), and what do you need to do?” Because, for a lot of places that I’ve worked, the mobile application has always kind of been like the customer convenience, unless it’s a mobile app solely. You know, it’s been the secondary thing they build to make it convenient for customers. So, I think it represents a new and interesting paradigm in thinking about how a customer is approaching things and how testers and the security team need to approach things.
MELISSA TONDI: Yeah. I think this goes to show that security is one of those areas where the White Hat and ethical kind of hacking security that Deep Pen Testing certainly calls for certain skills and expertise, but I think this is just another one of those examples where as testers looking to continue to learn and explore areas to broaden our services, this is one of those great areas to start focusing on security. I’ve been an advocate of some sort of functional security testing for the last several years and reports like this get that fire lit so that it’s something that we put a lot more emphasis on. All the points that you’ve made have been spot on. Without trying to be Chicken Little with, “The sky is falling” here, I think we need to continue to be more aware and figure out how to be more proactive with our deeper functional testing that we’re able to do.
MATTHEW HEUSSER: Okay. Any other thoughts before we move one? Let’s talk about user groups. Melissa is heavily involved in SQuA Denver. Michael is co-creator of some abbreviation in San Francisco.
MICHAEL LARSEN: BAST (Bay Area Software Testers).
MATTHEW HEUSSER: Right. SQuA Denver is SQuAD, which is kind of cute. I helped organize GR Testers a couple of times. Jess has been in and out of the New York Testers Scene. So, between the four of us, we’ve done quite a bit over the years, I think. Melissa, in her intro, talked about the benefits of user groups, I think, a little bit. But we use this word, “community” a lot. That’s kind of a weird word. The “community.” What does that mean? What are the benefits of it, and why should we have one?
MELISSA TONDI: I kind of consider the community, both the virtual and the physical, any group of people that has a combined interest into something or some group of things. So when I say “community,” I think about all of the forums in which I go to either seek information or help or sometimes contribute to other people who are seeking information or help. When I say “community,” I think it’s all of the combined areas that I go to. But, when we’re talking “community” as it relates to our user groups, we’re really kind of going to more of the physical or least the real-time meeting of people with a combined thematic purpose. In our case, we have a monthly meeting 11 times a year, have been doing that. We’re actually celebrating our 20th year, started in September of 1997. So, I’m really looking for that group of community where 5 years/10 years ago the Board may have set the tone for the themes that we would be focusing on per month. We’ve kind of shifted our method and have really used more of the crowdsourcing community where the community is able to give us real-time feedback and they set the tone for the theme. So, I see that change and the shift. So, I treat the community as a living, breathing entity that people should look at the cues and the direction that they’re setting and adjust accordingly.
MICHAEL LARSEN: Yeah. This is something that I’ve been— I do have a bit of a selfish reason for this particular topic and us discussing this, in the sense that I do help lead, I don’t want to say, “I lead.” But I work with a couple of other people in the Bay Area Software Testers Group, and I’m hearing some of the stuff that we’ve been discussing and talking as, “How do we get more involvement? How do we get more interaction?” San Francisco is an area where, “Oh, there’s like 15-to-20 Meetups happening this week and there’s so many topics,” and in some cases, it’s a matter of paralysis by too much choice. I really have to think, “What is it that I really want to do, and how do I really want to go down with this?” Up until recently, I worked down in Palo Alto. I’ve got to leave Palo Alto early, and I’ve got to make my way up into San Francisco and find a place to go to visit a Meetup and then get home, which leads to really long days. So, it very oftentimes comes down to, “What really excites me, and what really gets me worked up about going to something?” I think that’s one of the bigger challenges. It’s, “How do you get something that a lot of people are going to be pumped about and saying, ‘Yeah. Yeah. I want to make sure that I go to this?’” And, be able to do that month after month. Or, in our case, we do it quarterly right now. But, what are your tips to be able to say, “Yeah. We want to make something that really excites people to want to come out and make it amazing?”
MELISSA TONDI: Yeah. You’ve made some really good points. I think Denver is slightly smaller than the Bay Area. I say that facetiously because, of course, we are quite a bit smaller. We’ve been around for 20 years, which according to some of our research, there’s only maybe one-or-two other organizations that have been consistently meeting, providing those services to the community, for as long. So, we have a little bit of a reputation and credibility that kind of helps us there. So, we have a good, consistent user base that comes out every single month—myself included. I was active in the group about 12 years/13 years ago. So, it had already been in place and people had been meeting consistently for 7 years/8years before I even joined the group. So, I think we have a little bit of an advantage because we have been around for so long. So, our reputation in the Denver, Front Range Community is strong. The challenges that we’ve been facing, and this is good timing because as the incoming Board has been meeting for the last couple of months after our Conference ended of course in September, we’ve started talking about those other topics of interest and disrupting even our own group. So, for us, I think, looking at the 1,200 or so members that we have, we consistently have anywhere from 40-to-70 people that come consistently every month and quite a few of them are new people. So we’re focusing on, “How do we get the word out for the people who already know about SQuAD and the people who have come consistently for years? What do we need to do now for the people who we know are in our community but either don’t know about SQuAD or aren’t interest in them?” So, we’re really trying to do some of our own market research on insuring that we are the right place for the community or that we at least have resources available for people if SQuAD is not quite meeting their criteria for what they want to be involved in.
MATTHEW HEUSSER: What was your favorite user-group experience you’ve had so far, Jess?
JESSICA INGRASSELLINO: That’s actually a really good question. Well, I guess my favorite user-group experience has actually happened surrounding some of the Python Education stuff that I’ve done. What I really have enjoyed doing is brainstorming with other educators. I mean, regular listeners to the Podcast know that I have a lot of experience and background in teaching, and I find it really fun to sit in these conversations and bring other educators together to discuss our challenges in the classroom. A lot of times, it’s kind of strange the way the world’s intertwined. It does wind up almost like a test to the classroom session where we’re talking about our constraints and our resources or lack thereof and how we’re going to address different problems. I’ve always found my Python Education User Group Sessions really informative because I get a lot of good feedback, and I can also test out ideas with other people who are either looking for solutions or who have faced a similar problem and are coming back to me with ideas that I hadn’t thought about because they have a whole different set of experiences.
MICHAEL LARSEN: How do you incentivize people to come out to participate in your Meetups? What’s a way that you can encourage people to show up? A giveaway or some kind of a thing? Like, drawing for some resource or getting somebody from out of town that’s really cool, that’s like a rare opportunity? Or, you know, maybe, just saying, “Hey. We’re asking everybody to pitch in $5.00 to help with the food and stuff. If you don’t show up, okay. But, you know, you paid $5.00 to be here and you’re not here, and maybe that’s a big deal. But, does that help?” My biggest curiosity is, “How do we encourage people who’ve already said, ‘Yeah,’ they’re interested. ‘Yeah,’ they want to come. ‘Yeah,’ they RSVP’d. And then, at the last minute, ‘Eh, can’t make it.’”
MELISSA TONDI: I think kind of going back to the fact that this has been a 20-year-old established group. We’ve been very fortunate that our RSVP’s are anywhere around plus or minus 10 percent. So, if we’ve got 50 people that have RSVP’d, we know—and of course depending on the month—that in our world January, February, and March are heavily‑attended months. So, we take advantage of the 70-plus people that are coming to those meetings. Then, as we get closer to the summer, we know that our RSVP count will taper down, and so we also shift our teams or speakers or formats during the summer months, and then we see them crawl up in the fall. We have the advantage of 20 years of data and, “What are our normal average attendees?” They have been pretty spot on. Just to give a little background, so we actually fund our group by putting on an every-other-year conference. So, all of the proceeds—first of all, we’re a nonprofit organization—from the conferences then fund our monthly group. So, we’re not in a situation where we are asking our members to chip in at that point. So, we’re really fortunate about that. So, when you go back into the question of, “How do you incentivize,” we knew that just having a speaker speak for 50-to-60 minutes on various topics was not enough, and so we changed things up earlier this year (back in February) and we actually combined the first 20-to-30 minutes of the meeting with Lean Coffee. So that we were always gathering those hot topics and targeting speakers that immediately answered some of those topics that were consistently being voted on and talked about during Lean Coffee. Then, we’d move into the last two-thirds of the meeting with more of the traditional speaker or the theme. So, we got people who were keen on having lots of collaboration.
We got the juices flowing during the Lean Coffee Sessions, and then we also met the needs of the people who really wanted to kind of absorb and be a sponge in the audience and hear from a speaker with as much audience participation as they wanted them to have. So, we do incentivize, I think, how most groups do with food. Our group starts at 4:00 p.m., and it ends right at 6:00 p.m. That’s right around the dinnertime, if you’re an early dinner eater. So, we make sure that we always had that food there; and, again, based off of our history of attendance in that month, we put that appropriate order in for the food and the drinks that we’re bringing into the meeting. Then, we’ve also had giveaways. We’ve partnered up with some of our companies and vendors in the community that have been past sponsors of the SQuAD Conferences or similar, and sometimes they’ll come in and they’ll sponsor a giveaway, whether it’s along the fund line of gaining systems or similar or straight-up gift cards or books that are tied to somebody local in the community. Lisa Crispin has been very active in our community at times, and you know, she’s generously offered books for giveaways as have other local authors. So, I think, for us, it really is, we’ve tapped into the Lean Coffee Format to gauge what our community is most interested in and we tailor and configure our monthly meetings to those people who have been vocal.
MATTHEW HEUSSER: Yeah. I think that’s great. I would say make a Meetup Page, go to the Association for Software Testing. Ask for a grant for the Meetup Page, ask for another grant to bring in an out-of-town speaker. Then, what you just added, I think, is even better. Find a way to poll the audience. Figure out, “What kind of speaker do you want to bring in?” Then, bring that person and advertise it heavily. At GR Testers, we frequently have it at a restaurant, and you have to order your own meal and pay for it yourself, which is like, “Yeah. If I was going out to eat, I would buy my own meal.” But, it’s a good meal—a place you might not normally go—and it’s a chance to connect with some people.
JESSICA INGRASSELLINO: Thinking about how ubiquitous the issue is, I think that a unique locations helps. I was thinking, actually, Matt, about when I first met you, it was at one of the groups in New York. It isn’t the NYC Testers Meetup. It’s a different group. The reason I went was to listen to you speak and to go meet you, because I was first starting in testing. So, I would definitely have to endorse the, find a really interesting speaker, somebody who has something to say that’s important to your membership, and use some budget to get them in. Then, doing something after where there’s some more free-flowing conversation. It’s worked for me. [LAUGHTER]. So, I think it’s a good suggestion.
MELISSA TONDI: Yeah. To kind of tag onto that, we have also done and been in the same facilities for SQuAD for 10-plus years now. It’s centrally located, and that was really important. Because we’ve got people coming from all over different areas of the Denver Metro Area and even up from Boulder. Having a consistent facility, having a fairly-consistent format from 4:00 to 4:30. It’s networking. Grab some good, grab some drinks. Hang out and meet up with people. Meet some new people. Just kind of that social 20-to-30 minutes. Then, starting at 4:30, we do our general announcements and then move into the Lean Coffee Session for the next 30 minutes or so. Then, we move directly into the speaker or whatever the main event is for that evening. That format has been very consistent for at least as long as I’ve been going—12 years/13 years now. I think our members appreciate that. So, within that structure, then to really allow the members to be creative in what they want to hear, gives them that appropriate setting and forum in which they can share their thoughts or share their ideas for future events. Then, for the Board to really make sure that we’re working cohesively in the background to get those, either speakers in or focus on topics in whatever forum, either panel discussions or bringing in other experts in that capacity to really hear from our members. So, I think one of the big game changers is making sure that Lean Coffee Session or at least a forum to hear that feedback real time from our members has been a game changer in the last year or so. Because, even if we have a lower attendance for a month, we know that we are at least bringing in a topic that our members have specifically said they want to hear.
MATTHEW HEUSSER: Yeah. I think that’s great. I’m not sure that you had told me that story completely before, Jess. I’m really tickled you went to that because you thought I had something worth hearing.
JESSICA INGRASSELLINO: I mean, I guess, to me, this story, strangely, I wasn’t planning on telling it, but I did get reminded of it. It brings up kind of some of the real value for people who might feel, you know, kind of like they’re leaning towards, “Oh, I’m not going to go.” Really concerned, because I was also throwing myself into learning Automation for the first time ever. You know, I had never done that before. Yeah, it was in 2013. I remember, after the Talk, talking to you about just career advice. Like, “What do I do?” You made me feel hopeful about moving forward. You were really very measured in your response, and you gave me some good resources. Overall, you came across as very knowledgeable. The Talk was, I think, about like, the value of automation and where a tipping point is for losing value and kind of places you don’t want to go versus places you do want to go and what that kind of looks like. I’m really glad I went, you know, when I was interested because I think that other people who are new in the field should know that’s something that’s available in communities and shouldn’t be afraid to kind of approach the person who is speaking and ask them questions and get information. It was probably one of the most valuable things I did for my entire testing career, was to push myself to attend and then not be nervous to go ask you questions that seemed stupid to me at the time.
MATTHEW HEUSSER: Oh, that’s great. Thank you, Jess. I was just in Denver for SQuA Denver, and I think the organized social event was a conference. They organized a social thing to do for the out-of-town speakers. The Board and volunteers got invited along. That doesn’t always happen in North America. It always happens in Europe, and it makes a difference. The more of those you can frontload your events with—so everybody knows each other, which is why I like Lean Coffee, because you end up knowing each other by the end of it—the better experience you get, I think.
MELISSA TONDI: Yeah. It’s funny that you say that, Matt. Because we started doing that after I had gone to a couple of European Conferences and recognized that they put a lot of emphasis on those social events after. In my opinion, speaking at anywhere from 8‑to‑12 conferences a year, I appreciate those, especially when I’m an out-of-town guest. Being able to at least have the opportunity to not have to go right back to my hotel room and start working and become a hermit for the next 8-to-10 hours. We took a little bit of a cue from some of the European Conferences or conferences that emphasize some those social interactions. That’s why we started doing that. So, I appreciate you mentioning that because that was an important part of our conferences and has been for the last several that we’ve had.
MATTHEW HEUSSER: It’s about that time. So, before we go we’ll do, final thoughts. Then, where people can go to learn more about you. Michael, your closing thoughts?
MICHAEL LARSEN: I was just thinking about this and kind of realized, each time you get a new person that shows up for your Meetup (and you can also go back and take a look), just look at your Meetup Membership, because they have basic questions. You know, “Why do you want to join this Meetup? What are you hoping to get out of this Meetup? What are the topics that you want to be part of?” You can also see what other Meetups they actively attend, and that can be a really good source. So, I was just thinking about that as a possible option is to say, “I should go back and take a look at those again and see what it is that people are really hoping to get out of the Meetup, and are we meeting their expectations?” The answer is, “We may not be,” and that’s my closing thought.
MATTHEW HEUSSER: Jess?
JESSICA INGRASSELLINO: Reflecting on the experience I shared today, I would say to people who are listening and who are a little bit more like me, maybe hesitant to go to Meetups or go to events, especially if you’re a remote worker, if you’re working at a distance. I mean, I’m remote. So, it’s actually effort for me to go to Meetups as opposed to being in town and it’s already there. Make the effort, even if you’re a little interested in the topic, even if you’re not 100‑percent sure, or especially if it’s something new, especially if it’s something out of your kind of comfort zone. Because, I feel like when I’ve pushed myself to do those things, I’ve always gained so much value. Make those extra connections because you really don’t know where that’s going to end up.
MATTHEW HEUSSER: Melissa?
MELISSA TONDI: All really good points. I would say there were some changes that I was hoping to see in the organization, and I joined the Board. I think for those people who want to have more of a say and to help actually bring the word out and to be an integral part of the structure and format of a user group, get involved as deeply as you want and as you can, and one of the best ways that I’ve found was to actually get on to the Board. Go through the election process and be elected as a member, and then eventually moved into the president role. So I’d say, in addition to consuming and bringing back the things from those user groups in the community, at some point in your career, you’ll also want to start giving back to the community. One of the major things that has helped me in my career is to join the Board and help from the ground level up.
MATTHEW HEUSSER: Okay. Thank you. Melissa, thanks for being on. Where can people go to learn more about you?
MELISSA TONDI: They can definitely follow me: @melissatondi. I’m somewhat active on LinkedIn. If people want to learn more about the SQuAD Group, we have a Meetup Group. It’s under SQUADCO, as in SQuAD Colorado. We also have a website there as well, that’ll kind of direct you to the Meetup Group.
MATTHEW HEUSSER: Great. Jess, are you doing anything new and exciting?
JESSICA INGRASSELLINO: I am giving a Workshop and a Talk at the Contest Conference in New York on November 29th through December 1st. So, I’m really excited. It’s my first Keynote. So, I’m also really nervous. But, I’m really excited.
MATTHEW HEUSSER: That’s great. Cool.
MICHAEL LARSEN: Awesome.
MATTHEW HEUSSER: You’ll have to tell us how that goes. All right. So, we should call it a day. Thanks, everybody, for being on the show.
MELISSA TONDI: Thank you. It was great.
MICHAEL LARSEN: All right. Thank you very much.
[END OF TRANSCRIPT]