In 2011, Google’s Alberto Savoia proclaimed that “Testing is dead.” Many tech trends have changed since that notable opening keynote at the Google Test Automation Conference 8 years ago, including the adoption of DevOps culture, and there’s one thing we can say for sure: testing is not dead. In many ways, it has actually evolved — the classical tester’s role has just become spread out between engineers while quality assurance has remained an essential part of the software development culture.
Best quality practices used by the VGS engineering team
VGS is a security company, and as such, we take every aspect of our product very seriously during all stages of development.
“Security first” and “test and verify” are integral parts of our company values. It’s part of our culture to always double check and ensure that we are doing the things right (verifying) and doing the right things (validating).
To achieve this, we use a mix of automated and manual techniques: we automate as much as possible but use manual verifications for exploratory testing sessions that require some creativity and the human brain. Additionally, we regularly conduct knowledge sharing sessions between team members.
Shift-left and shift-right testing approach
These terms relate to the testing activities that appear during different stages of the SDLC timeline. As a result, testing is not a software development phase anymore, it’s a parallel ongoing activity.
Shift-left testing means that testing starts as soon as possible during development. In fact, it starts even earlier with spec review. To reduce bias, features are verified during development, not only by the developer who made the changes, but also by their team members or the feature owner.
Our feature development process also includes a sign-off from a security engineer.
Shift-right testing means testing in production and includes a 24/7 monitoring and alert system, feature flags, staged rollouts, and enhanced rollback system for our services. We also have 24/7 engineering on-call support to be able to quickly cover any incidents, should they arise.
Automate as much as possible
In order to be both efficient and effective, we are trying to automate any repetitive work and reduce the human factor as much as possible. Automated tests on all levels of the test pyramid are a vital part of our development culture and CI/CD pipeline, but it’s only a part of the big picture. Our CI/CD pipeline also includes a set of dependency and security checks and static code analysis, as well as automated service backup and rollback mechanisms.
Manual testing is still needed
Starting with a peer review of each pull request, we also verify features manually. It’s a common practice to do the acceptance testing of the feature during development by the feature team members and product team.
Our features are related, so during the development of one feature, we use (and test) other features as well, making regression coverage wider.
As a part of staged rollouts, we issue releases to a limited set of users and constantly gather feedback after the exploratory testing sessions so that we can fix any issues and inconsistencies quickly and with minimal impact.
Use external security testing
In addition to having our own security engineers and using the best security development techniques, we conduct external penetration testing and run a bug bounty program. We do this in order to reduce potential bias of our staff while making sure we use as many sources of quality control as possible. External testing also means we utilize diverse opinions and a broad set of recommendations to enhance improvement even further.
Final thoughts
Testing is not dead — it’s evolving. Quality is an important part of any product, even in a fast-paced startup. Modern automation tools allow us to stop making the choice between speed and quality and our culture of constant learning and responsible approach allows developers to be the testers at the same time. Testing is not a question of job title, it’s a matter of approach and responsibility.
