This interview with Santhosh Tuppad is part of our series of “Testing Smarter with…” interviews. Our goal with these interviews is to highlight insights and experiences as told by many of the software testing field’s leading thinkers.
Santhosh Tuppad fell in love with computers when he was 12 and since then his love for computers has increased exponentially. He founded his first startup in 2010 and was part of growing the company to nearly 80 people.
In short, he is a passionate software tester, security researcher, entrepreneur and badass in following his heart come what may!
Hexawise: What drew you into a career in software testing?
Santhosh: I have loved computers since I was 12. My father enrolled me in a computer course and I got to experience the Disk Operating System for the first time, where I used a computer through a command-line terminal and also played the Prince of Persia game. I was addicted to gaming during this phase.
After my gaming stint, I was introduced to the internet and picked up an addiction to IRC (Internet Relay Chat). Here, I met various hackers and used to communicate with them on various channels which were heavily moderated and invite-only. I had to demonstrate my interest in hacking to these folks for them to invite me to their channel. My first hack was to hack the dial-up network credentials and use them at my home when the internet shop closed at night. We used to have internet packs in India at that time and I had to pay money to buy them, and I did not have money during my teenage years.
Without much ado, let’s skip to the software testing part. After my graduation, I did not know what I should be doing (one thing I knew for sure was that anything I did had to be with computers, as I was passionate about them). I switched 5 jobs in 1 month and worked as an IBM technical support guy, Creative Designer, XML Language Translator, PHP Developer and some other profession that I cannot remember as of now. I understood that I cannot settle for anything which doesn’t synchronize with my heart. I was on a journey of finding what becomes part of me. And finally, I enrolled in a software testing course. During the course days, I could connect my hacking skills (security testing) to software testing. This part of my life is what I call finding bliss.
And the story continued: I started growing in the industry as a tester, international speaker, participant in conferences across the globe, entrepreneur in software testing, keynote speaker, blogger, author and what not.
Hexawise: If you could write a letter and send it back in time to yourself when you were first getting into software testing, what advice would you include in it?
Oh my dear soul,
I see that you have found yourself in a country where everyone is pressured to become something other than what they want to be. You identified something crucial and beautiful about yourself, which is that you follow your heart with patience and kindness and don’t settle for something that doesn’t make you come alive. As I know, passion is a variable and it may get boring at times; but being bored is just a temporary phase and an emotion which doesn’t mean your passion is dead. So, be rational and decide for yourself while you are kind to others. Accept yourself and forgive everyone.
You are stepping into what you love and I know you are confident about your journey and you believe in it. That’s beautiful.
It may be easy to fall into routine and get into the monotony of things in your career. Nevertheless, you know how to sail through things and get out of them to start fresh or continue on a different path. You can swiftly shift based on your visceral feelings.
Grow by following your visceral feelings and have no regrets. Be good at connecting the dots and growing out of them. The beauty of software testing is not yet well known to the world as of today, so work on your skills and demonstrate them to the world and educate professionals and students about the greatness of software testing. It’s not about you or me or anyone; it’s about the next generation of testers who could help their next generation and that generation to enjoy the fruits of invention, which include software. Let software make life beautiful and not buggy.
I know that you know about your journey, but I am just saying.
Your other self
Hexawise: Describe a testing experience you are especially proud of. What discovery did you make while testing and how did you share this information so improvements could be made to the software?
Santhosh: A few months ago, I was involved in testing a healthcare web application for security. It is very interesting how scanners may fail to find the kind of security vulnerabilities that I am about to share!
I could get the URL to the administrator login through robots.txt file analysis. That’s a security bug for me because it shouldn’t be revealing highly sensitive URLs.
In the first place, the administrator login URL should never be publicly accessible. And when I could access the admin login web page using /admin at the root of the URL, I did not even see a CAPTCHA to prevent brute-force attacks. This was a big fail. It was also funny for me because the user login had a CAPTCHA, but the /admin login did not have one. It just made me feel that the company was more user-centered or user-focused and forgot to be business-focused or security-focused.
When I reported this, the developers rejected it and their response was, “What would be the motivation for hackers to try brute-forcing our application? We don’t think someone would try to access it without knowing what kind of information they can access once they compromise our web application.”
My bug report included an explanation of these security bugs, steps to reproduce, risk analysis and my approach to how the application could motivate hackers to try brute-forcing the admin login form to crack the credentials. I finally convinced them with my approach, and I found a way to show the hacker’s motivation to hack the application.
So, where was the motivation gained from? Well, it’s CSS (you heard it right, the Cascading Style Sheets which were publicly accessible). All I did was go to the /admin page and then view-source to see if any *.css was linked. I found the main.css file and opened it in my CSS editor.
This is what I found inside main.css (a snapshot):
And so on. The problem is that there was no obfuscation in terms of class names or ID names and they were pretty descriptive (well, being descriptive is a good thing when it comes to coding, but it’s context dependent. In this case, descriptive class names are not encouraged; one has to obfuscate them to something else).
I convinced the developers that they were revealing the possible features of the /admin panel and a hacker now knows that, if he/she hacks into it, they can get access to patient reports, the customer/patient database and so on.
Finally, the engineering team added:
- .htaccess to the /admin page
- Google reCAPTCHA and Google Authenticator
- obfuscation of the CSS file, with the class names changed in the HTML
- an IP range from which the /admin page can be accessed
In short, the application security was strengthened in a beautiful way!
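As an added example (not code from the interview, the application or its engineering team), here is a small Python reconnaissance check that mirrors the two leaks described above: it pulls sensitive-looking paths out of a robots.txt, extracts descriptive class and ID names from a stylesheet, and shows the IP-allowlist membership test that the final .htaccess fix amounts to. The sample robots.txt, the sample CSS and both keyword lists are constructed for this example and are assumptions to tune per application.

```python
import ipaddress
import re

# Constructed sample robots.txt, modelled on the leak described in the interview
# (not the real healthcare application's file).
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin
Disallow: /admin/reports/
Disallow: /static/
Allow: /
Sitemap: https://example.test/sitemap.xml
"""

# Constructed stylesheet with descriptive selectors of the kind the interview
# says leaked the admin panel's feature set.
SAMPLE_CSS = """
.patient-report-table { width: 100%; color: #333; }
#export-patient-database { color: red; }
.btn-delete-user { float: right; }
.container { margin: 0 auto; }
.a1 { padding: 4px; }
"""

# Path segments that suggest an administrative or sensitive area (assumed list).
SENSITIVE_PATH_WORDS = ("admin", "manage", "backup", "report", "export", "internal", "config")

# Words in selector names that hint at data or privileged actions (assumed list).
FEATURE_WORDS = ("patient", "report", "database", "export", "delete", "user", "admin", "invoice")

SELECTOR_RE = re.compile(r"[.#]([A-Za-z_][\w-]*)")


def sensitive_disallows(robots_txt: str) -> list[str]:
    """Return Disallow paths whose segments contain a sensitive word.

    robots.txt is advisory for crawlers only; to an attacker a Disallow line
    is an index of interesting paths, which is exactly the point of the check.
    """
    hits = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        segments = [s.lower() for s in path.split("/") if s]
        if any(any(w in seg for w in SENSITIVE_PATH_WORDS) for seg in segments):
            hits.append(path)
    return hits


def feature_hints_from_css(css_text: str) -> dict[str, list[str]]:
    """Map each descriptive class/ID name to the feature words found in it.

    Names containing none of FEATURE_WORDS (e.g. 'container', 'a1') are dropped,
    so the result is the list of names an attacker could read the admin
    panel's functionality from before ever logging in.
    """
    # Strip rule bodies so values such as 'color: #333' are not read as IDs.
    selectors_only = re.sub(r"\{[^}]*\}", " ", css_text)
    hints: dict[str, list[str]] = {}
    for name in SELECTOR_RE.findall(selectors_only):
        tokens = re.split(r"[-_]", name.lower())
        words = [w for w in FEATURE_WORDS if w in tokens]
        if words and name not in hints:
            hints[name] = words
    return hints


def admin_access_allowed(client_ip: str, allowed_ranges: tuple[str, ...]) -> bool:
    """The IP-range fix the team applied, expressed as a membership test.

    This is the same decision an Apache 'Require ip' rule makes; it is only
    meaningful if the web server sees the real client address (not a proxy's).
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)


def recon_report(robots_txt: str, css_text: str) -> dict:
    """Combine both leaks into one finding for the bug report."""
    return {
        "sensitive_paths": sensitive_disallows(robots_txt),
        "feature_hints": feature_hints_from_css(css_text),
    }


if __name__ == "__main__":
    for key, value in recon_report(SAMPLE_ROBOTS, SAMPLE_CSS).items():
        print(key, value)
    print("admin from 10.20.3.4 allowed:", admin_access_allowed("10.20.3.4", ("10.20.0.0/16",)))
```

In practice, feed the script the fetched robots.txt and every stylesheet linked from the login page; the matched names are what give an attacker the "motivation" the developers said did not exist. Note that the .htaccess fix only takes effect if the server honours per-directory overrides, and an IP allowlist behind a reverse proxy must be evaluated on the forwarded client address, not the proxy's.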
Hexawise: What kinds of activities do you enjoy when you’re not at work?
Santhosh: I love meditation forms; talking deeper with a friend sitting on the balcony of my apartment; watching documentaries of various types; conversations about psychology, life and many other topics with my wife Gina Enache (she is the one, and I found her in Romania; well, actually we met in Denmark at the Copenhagen Context conference). I also love smoking cigarettes and drinking alcohol whenever I feel like it.
Views on Software Testing
Hexawise: What do you wish more developers, business analysts, and project managers understood about software testing?
Santhosh: I wish that developers, business analysts and project managers understood that it is not a low-skilled job which anyone can do. I also wish more of them learned to collaborate across teams in order to achieve the common goal.
At the same time, I also feel that testers should upskill and demonstrate the value they provide in order to gain credibility from those on other teams. I also wish to see them spending time together instead of just seeing their role as limited. Last, but not least: manage conflicts and work as a team.
Hexawise: What challenges and advantages are there to managing an exploratory-based, thinking software tester organization (as you designed Test Insane to be) compared to the still common “checking” style software testing organization?
- Not many customers understand how exploratory testing can be valuable. And it’s hard to educate them as well because most of them do not want to hear.
- Hiring is a bigger problem. In my experience, I have trained new testers or made some testers unlearn their way of testing, and I have been successful, but it’s hard to scale in my view in the current world.
- Pricing is something that customers choose over skills. It’s sad, but true. Most customers appear to be happy with “checking” style organizations because their pricing is good for customers. Value-based testing still needs to be understood by customers. However, I have been trying my best to talk about good testing (exploratory skilled testing/technical testing) to business owners at conferences I participate in or speak at.
- Most testers have half-baked knowledge about exploratory testing and yet call themselves exploratory testing experts. This makes it hard for context-driven leaders to see a scalable model for exploratory testing. Thanks to the Ministry of Testing community, which is really spreading a great message to the testing world. I appreciate Rosie Sherry, Richard Bradshaw and every CDT member who is working on scaling it up and spreading the right message to the world.
I feel that educating customers is the key and it takes more leaders to spread the greatness of exploratory testing style to the world through demonstration.
- Starting TestInsane (Exploratory Testing and Check Automation Services Company) has also enabled me to bring about a change and demonstrate to the world the worth of good testing and value-based testing that can be done through the exploratory testing style.
- Experienced testers who joined TestInsane unlearned the checking style and learned exploratory-style testing, and they are leaders who spread their knowledge and are also happy with their profession.
- Customers are happy when they see test coverage and have acknowledged that it helps them to make better informed decisions about shipping or not.
- Recurring business from customers who saw the value
- The sense of freedom with responsibilities that my team members have. And this is because they enjoy exploratory testing and they perform amazingly. Freedom has always been great, but it comes with challenges. And one of the challenges is constantly learning and adapting based on the context.
Hexawise: Please describe a view or opinion about software testing that you have that many or most smart experienced software testers probably disagree with? What led you to this belief?
Santhosh: I have been strong in my opinion/view about artificial intelligence not being able to solve testing problems. Most of them don’t agree with me for whatever reason.
I can demonstrate how human intelligence is beautiful no matter how much AI is built into a system. To me, AI in simple terms is: maybe millions of instructions or lines of code to deal with situations. Now, isn’t this similar to automation? AI can be faster because to me it’s advanced automation with better logical instructions to cover deeper. I call that “Automation Coverage” or “Checks Coverage”. I love AI/Automation as a passionate computer engineer, but testing and AI are apples and oranges when compared. They have their own beauty, and let’s apply these ideas for a better software world.
Well, my way of looking at the systems, thinking deeper, testing deeper to see where AI cannot fit or automation cannot fit, learning better about software systems led me to this belief. Also, questioning played a great role in helping me understand why I believe in the value of people doing exploratory testing.
Last, but not least: I am not a pessimist, but I like questioning to know better and deeper. I have my own biases, but through my experiences I have managed these biases to extract the beautiful information which in turn helps me to be a better tester, communicator, speaker, coach and trainer.
Disagreement is good. The only reason we humans exist is to make this world a better place to live in by having our own views and still working together to reach the goal together.
Hexawise: You have personally focused on security testing in your career; what advice would you give a software tester who wanted to increase their ability as a security tester?
Santhosh: There are 2 ways to learn security testing, one is called “Survival Mode” and another is “Badass mode”.
The Survival Mode (a.k.a Checklist executor)
For those who want to survive in the industry, or just want to add it as an add-on to their functional testing or any other testing-type career, they can focus on the checklist or guidelines for testing software. For instance, if you want to acquire checklist knowledge or ideas, you can follow the Open Web Application Security Project (OWASP) checklist and try finding security vulnerabilities. Having said that, the survival-mode tester isn’t a specialist or a badass ethical hacker who is equipped with passion, skills, and the ability to think as a black-hat hacker in order to be a great white-hat hacker. I can also see comparing a survival-mode type of security tester to a script kiddie.
In short, follow the checklist or prepare your own checklist based on your own experience. Talk to a tester who belongs to the same domain in order to gain checklist ideas and then use them against the software that you are testing for security.
Specialist Mode/Badass mode
- Practice thinking like a criminal
- Work on mindset first and then on skillset. *Mindset is also a skill which most of the security testing learners fail to understand. Mindset will take you far and deeper.
- Read blogs from black-hat hackers and white-hat hackers
- Subscribe to reddit hacking threads
- Start with checklists and then learn the concepts associated with those checklists. For example: If I read a checklist which speaks about having X-Frame-Options in HTTP headers, then I will start learning deeper about what it does instead of just blindly adding it to the checklist. This is what I call a “reverse engineering” way of learning.
- Participate in conferences and learn from the experts. Ask questions no matter how silly the external world may feel they are.
- Start with the basic concepts. Unlearn what you have learned and, for a moment, make yourself feel like “I’m new to this and I know nothing about this.” You shall learn better. As the Dalai Lama says, “If your tea cup is full of tea, any tea that’s added to it shall overflow.”
- Teach a team member what you have learned about security testing. The interesting part about sharing is that you get to learn more and deeper. Unique brains can add value and sharing can help to achieve this.
- Try hacking someone’s account (well, I don’t really recommend this, but this can be an adrenaline rush for your hacker avatar. I don’t know; you are responsible for any consequences).
- Communicate with unethical hackers or someone who has had the experience of being unethical. As we are trying to stop black-hat hackers from compromising or exploiting vulnerabilities in our software, it is great to speak with unethical hackers to know their strategy and then apply the knowledge to safeguard our application security. Learn from any source you want in order to be a better security tester. I have done this and been there, and I have loved the experience. It’s the same concept as “know your users.” The difference is that it becomes “know your enemies” (black-hat hackers) in this context.
- Bypass the physical infrastructure and you will get motivation and also understand various aspects of hacking. Again, I have done this with many Multi-National Companies through social engineering. Many security testers think that social engineering doesn’t help in application security, but I get new application security test ideas when I think and practice social engineering.
- Be good at manipulation if you want to be great at hacking. For instance: manipulating people and extracting sensitive data by just talking and asking questions that matter to extract sensitive data.
- Practice, practice and practice as much as you can. Learn deeper and gain access to the treasure of learning security testing.
My articles on various topics of security testing provide additional reading on security testing of software.
Hexawise: Do you believe security testing for software requires testers that specialize in security testing? Certainly some security testing can be incorporated by most software testers, but does the complexity and constantly evolving nature of software security mean that only specialists can provide sufficient security testing?
Santhosh: This is a very context-specific question. And I am glad that you mention “Certainly some security testing can be incorporated by most software testers”, which is true. Most software testers can be “Survival Mode” security testers who follow the checklist or guidelines (the Script Kiddie, I mean).
However, what the organization needs for better coverage and deeper security testing is a tester who can be an explorer and find security vulnerabilities like a black-hat hacker. I recommend organizations hire security specialists because you don’t want to just rely on checklist based testers unless they have mastered hacking and have practiced enough to create a mindset of hacker.
I believe strongly that we need better security testers who are not just certified by EC-Council (nowadays, anyone can get this certification), but are known for skills and can show it via demonstration. Even in today’s world, we need security specialists if we are serious about software security. Period.
Industry Observations / Industry Trends
Hexawise: India is a worldwide center for software testing. What risks do you see to that business going forward? What can testers (or testing companies) in India do to protect their market and gain customers going forward?
Santhosh: In my opinion, I don’t see the risk at all in India for these reasons:
- Overseas companies who outsource testing are happy with bad testing
- Customers think automation solves testing problems just because they are blind to good testing and they think “good testing is automation”, which is incorrect. Like I say, automation is a myth. Automation is just a Ferrari (faster); it doesn’t solve testing problems by itself.
- India has more manpower in terms of engineers. Now, this can be a boon or a bane for individuals who were pressured by society or parents to study engineering. However, India has more engineers and that means more manpower.
- There is nothing that testers need to do until the customers understand the value of good testing which is value-based instead of running the N number of test cases and showcasing some decorated spreadsheets which speak about good/bad testing.
- Companies are moving towards automation and artificial intelligence thinking it will solve their problems of testing. A big no. I believe that ideas are driven by the beautiful brain. And people believing the myth of AI and automation is not a risk as long as customers are loving them. In short, customers pay for this and people love to make money without educating the customer.
- There can be a risk if and only if there is any other country which will gain the traction compared to India and maybe show what is good testing in a bigger proportion. And only then there may be a risk for Indian based companies.
Here are the risks for a tester anywhere around the globe if they fall into any categories mentioned below (not just India):
- Falling into the phase of monotony and routine where there is no new learning.
- Believing that, “If I stick to this company for long time, then I will have job security” (We do not know when things change in this rapidly changing and evolving industry).
- Not getting to the depth of a problem and also not practicing thinking skills like lateral thinking, critical thinking, cognitive thinking etcetera.
- Not spending money and time on credible conferences and workshops
- Not adapting to the new learning and also being rigid by saying I cannot adapt.
- Lack of passion. There is only survival with a lack of passion. If a tester wants their work to be great and satisfying, passion is a must. Or else they can only survive and not enjoy what they do. The solution to the lack-of-passion problem could be creating a passion for the profession by learning, OR identifying a passion even if it’s in any other profession (this is context-based advice).
Hexawise: Have you seen a particularly effective process where the software testing team was integrated into the feedback from a deployed software application (getting feedback from users on problems, exploring issues the software noted as possible bugs…)? What was so effective about that instance?
Santhosh: The answer to this is available in this interview under the “Staying Current / Learning” section.
The effective thing about that was that both developers and testers got access to the bugs that really matter. And once the fixes started rolling out based on the feedback analyzer tool, where feedback from users was being used in order to test better, there was improvement in terms of page views and time spent on page, and orders were checked out smoothly and quickly. The company started getting more orders (eCommerce platform) while they had great positive feedback, and when the monthly feedback statistics were measured, the negative feedback eventually reduced, which spoke to “the effectiveness” of using the feedback from users and accommodating it in the testing practice for the better.
Hexawise: In your role leading a software testing organization that provides testing services to other organizations do you see any changes in what they expect today from 5 years ago? What has become more important to clients?
Santhosh: I have personally seen change in terms of not just executing number of test cases, but customers understanding the value of test coverage. It’s a long way before most of the organizations start believing in test coverage and not just the junk number of test cases which doesn’t speak anything about the quality. Some of the key changes I see today include:
- Expecting the test coverage report
- Better technical testing skills
- Expecting a tester to learn and adapt to new ways of testing
Hexawise: What do you believe will be an important trend in software testing in the next 5 years?
Santhosh: Skilled testing and better check automation is what I see as a trend in the next 5 years. I personally do not see skilled testers or automators in large numbers across the globe (this is based on my experience and the testers I have met and spoken to across the globe at conferences/meetups). We have a long way to go, and when I speak about skilled testing and better check automation, this is what I mean:
- Understanding the difference between automation/artificial intelligence and testing. This is easier said than done and one can experience the difference only through deeper learning on technical testing and automating software testing.
- Working closely with programmers/developers is one of the beauties of an effective team. And Agile to me just means human values and these values have to be incorporated in the team. I believe there has to be great training in the companies/teams about conflict management, communication, motivation, solving problems etcetera in order to power up the teams to perform better and deliver better products to the world thereby helping the business move forward.
- Testers being creative in coming up with the ideas for better testing and seeking the developers/programmers help to develop plugins/addons, microservices, better automation reporting platforms and what not. There is no limit to the creativity, but the feasibility must consider the context.
One may feel that this is not the trend because this is already happening, but my question is “Really?” I’m being skeptical here for a good reason. I focus on solving the existing problems to start seeing those trends.
Staying Current / Learning
Hexawise: What do you look for when hiring software testers? What suggestions do you have for those looking to advance in their software testing career?
Santhosh: In my experience, I have hired testers based on their attitude only. And sometimes, I have hired them only for their skills. I have had my own lessons and I have a checklist or guidelines that I follow in order to find good testers with a mixed ingredient of attitude. Well, the attitude is a tricky part because unlike WYSIWYG (what you see is what you get) editors, humans are not really WYSIWYG. It’s the perception during the interview that one carries about attitude. And attitude during the interview may be based on the best interest of the candidate to get hired. Most of the time it’s manipulation of the attitude, which will fade away in months or days or years. I repeat, hiring is really a tricky situation and one can learn only through experience and eventually grow with good hiring methods.
What do I look for based on my learning experiences in hiring?
- Technical testing skills – My highest priority is for this. For example: if I am hiring for web application testing, I interview them on concepts like the web browser rendering engine, developer tools usage, tampering with POST requests via the Network tab, HTTP headers and why they are important, in-depth knowledge about cookies and session management, their unique ideas to test a web application, and I provide them with my own custom buggy web application that I have developed in order to analyse their skills hands-on and finally understand if a candidate can be a better fit for my team. (Note: this example is for a fresh candidate or someone who is 1 to 2 years experienced in web application testing.) I would like to say that I knew more about web browsers, sessions, cookies, tampering and hacking (thanks to my love for hacking when I was 16, and it’s been more than a decade being a security tester). Now you know how passion is important if you want to do something great and well.
- Attitude – This has been tricky for me and I am still learning how to hire based on attitude. Based on my experiments, I love to have discussions with the candidate and have transparency and also in the journey, speak like friends because those are the times the candidate opens up and feels comfortable.
- Knowing the short-term plan of a candidate – Now, this is a checklist to see if I can have a good hire. Nevertheless, I need to see how a candidate performs in a real environment once hired. In my experience, these two environments differ a lot based on the context. It’s just like a web application or software performing differently after being deployed to the production/live environment.
Hexawise: What software testing-related books would you recommend should be on a tester’s bookshelf? What blogs would you recommend should be included in a software tester’s RSS feed reader?
Santhosh: The first book I would recommend is “Lessons Learned in Software Testing” by James Bach, Bret Pettichord and Cem Kaner.
Here is the list of books that I love in testing,
- Testing Computer Software by Cem Kaner
- The Black Swan – By Nassim Taleb
- General Systems Thinking by Jerry Weinberg
- AmIaBug.com – Online Book by Robert Sabourin
- Showing Up – Book by Olaf Lewitz and Christine Neidhardt
- The Psychology of Software Testing – By John Stevenson
- The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws – By Dafydd Stuttard and Marcus Pinto (for security testing aspirants)
- The design of everyday things – By Don Norman
- And many more books. (follow me on twitter if you need any specific book suggestion as I cannot flood this post with so many books)
Blogs that I follow and recommend for a tester:
- James Bach’s Blog
- DevelopSense by Michael Bolton
- Software Testing Blog (of course, mine :))
- Testing Feeds, highly recommended
- I think this is a good list for now!
Hexawise: Have you incorporated a new testing idea into your testing practices in the last year? Will you continue using it? Why? / Why not?
The problem statement: When I was working at Tesco on a testing engagement, I happened to see that the Tesco website had a feedback form with a rating system, checkbox options and radio buttons which was used to collect feedback from its users. As part of my testing activity, I love to speak to cross-functional teams in an organization and extract the information that can help me test better. So, looking at the feedback forms, I wanted to know how this feedback was processed by the test team in order to improve their testing by learning from users’ feedback. I approached the Test Manager and asked him, “Hey! Are we looking into the feedback from users so that we can improve our testing practices?” to which his response was, “Santhosh, that’s a very good question I hear for the first time and sadly we do not use it because there are thousands of feedback responses and we are confused about what to focus on. Only our customer support looks into it to address the issues and we don’t really use the feedback system to learn and better our testing.” This was an interesting situation for me.
The Solution: In a week’s time, my friend and I developed a feedback analysis system (a web-based application) which could consume the feedback in *.txt format and then reveal the feedback in an organized and intelligent way. In short, I can call it Artificial Intelligence. Basically, the application we developed sorted the information into a readable format and categorized the feedback based on “good” keywords and “bad” keywords. It was eventually made more intelligent by adding more features.
What changed? After that, test teams started to use our feedback analyzer to look into the feedback that mattered to them, as the tool already did 80% of the work and 20% of the analysis was done by the test teams. The surprising factor was that developers also started to use the tool, as they cared about the quality of their code. This was an amazing success of how cross-functional teams can work together and develop something to achieve a desired common goal.
Since then, I personally work on developing such tools along with my programmer friends in order to do better testing. This phase I call “Success by collaboration and being creative”.
Some screenshots of the tool we developed
Screenshot #1 of the features:
Screenshot #2 displaying the settings:
Screenshot #3 demonstrating how the application processes a *.txt file (we also have an Export Data feature which helps the user download a spreadsheet containing the data in a very organized format. Using this, team members can use the power of Excel to customize the data for their own purposes).
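The keyword-based categorisation the tool is described as doing, as an added Python example (this is not the tool Santhosh and his friend built; its code is not on the page): each feedback line is labelled from a “good” and a “bad” keyword list, bad keywords take precedence so that bug reports surface first, and the result is exported as CSV in the spirit of the Export Data feature. The sample feedback lines and both keyword lists are constructed assumptions for this example.

```python
import csv
import io
import re

# Constructed sample feedback, one response per line, standing in for the *.txt
# export the interview describes (not Tesco's real data).
SAMPLE_FEEDBACK = """Checkout was quick and the site is easy to use
Could not complete my order, the payment page crashed twice
Great delivery slots, love the new layout
Search is broken, it returns nothing for 'milk'
Fine I guess
"""

# Keyword lists are assumptions for this example; the interview only says the
# tool categorized on "good" and "bad" keywords.
GOOD_WORDS = {"quick", "easy", "great", "love", "smooth", "fast"}
BAD_WORDS = {"crashed", "broken", "error", "slow", "cannot", "not", "nothing", "fail"}

WORD_RE = re.compile(r"[a-z']+")


def classify(line: str) -> tuple[str, list[str]]:
    """Label one feedback line 'good', 'bad' or 'neutral' and return matched words.

    A bad keyword outweighs good ones: a line that praises the layout but says
    the checkout crashed is a bug report, which is what a tester wants surfaced.
    """
    tokens = set(WORD_RE.findall(line.lower()))
    bad = sorted(tokens & BAD_WORDS)
    good = sorted(tokens & GOOD_WORDS)
    if bad:
        return "bad", bad
    if good:
        return "good", good
    return "neutral", []


def analyze(feedback_txt: str) -> list[dict]:
    """Categorize every non-empty line and order bug-like feedback first."""
    rows = []
    for n, line in enumerate(feedback_txt.splitlines(), 1):
        if not line.strip():
            continue
        label, words = classify(line)
        rows.append({"id": n, "label": label, "keywords": " ".join(words), "text": line.strip()})
    order = {"bad": 0, "neutral": 1, "good": 2}
    rows.sort(key=lambda r: (order[r["label"]], r["id"]))
    return rows


def summary(rows: list[dict]) -> dict[str, int]:
    """Counts per label, the monthly statistic the interview says was tracked."""
    counts = {"good": 0, "bad": 0, "neutral": 0}
    for r in rows:
        counts[r["label"]] += 1
    return counts


def export_csv(rows: list[dict]) -> str:
    """Equivalent of the tool's Export Data feature: spreadsheet-friendly CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "label", "keywords", "text"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    result = analyze(SAMPLE_FEEDBACK)
    print(summary(result))
    print(export_csv(result))
```

The precedence rule is the design choice worth noting: a purely count-based score would rate a mixed review as neutral and hide it, whereas a tester reading the export wants every line with a failure word at the top.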
Santhosh Tuppad fell in love with computers when he was 12 and since then his love for computers has increased exponentially. After his graduation (Santhosh puts it this way: “Somehow, I graduated” :)), he worked as a software tester at an organization in India and quit because he was bored with the work he was doing. After that, he started his first startup in 2010 and was part of growing the company to nearly 80 people. Alas! He got bored again in his first startup and was not happy either. He made a choice to quit and started his second startup. He is going to start his next startup soon. He says, “Getting bored is a sign of something new to be started and it excites me”.
In short, he is a passionate software tester, security researcher (he started as an unethical hacker and transformed into an ethical hacker for good), entrepreneur and badass in following his heart, come what may!