QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric Identification System

1. Testing the Ministry Of Justice Biometric Identification System Gerlof Hoekstra (NL)

2. | Gerlof Hoekstra| © Atos Chain testing, Acceptance testing, End-To-End Business Processes ▶ Multiple stakeholders / applications ▶ Complex ▶ Publicly visible ▶ Politically sensitive ▶ Previous attempt(s) failed Introduction and context Introducing myself… Gerlof Developer Designer Tester 2

3. | Gerlof Hoekstra| © Atos ▶ Context ▶ The Ministry Of Justice Intelligence Department ▶ The identification system ▶ The situation I faced when I joined the project ▶ What makes this chain test challenging ▶ Aspects: ▶ Team ▶ Test specification ▶ Formal / informal testing ▶ Test data ▶ From waterfall to iterative ▶ Findings ▶ Lessons learnt 3

4. | Gerlof Hoekstra| © Atos Introduction and context Ministry Of Justice Intelligence Department 4

5. | Gerlof Hoekstra| © Atos ▶ Police ▶ Prosecutors ▶ Judges ▶ Investigation services ▶ Prisons ▶ Lawyers ▶ Rehabilitation ▶ Customs offices ▶ Debt collection agency ▶ … ▶ … The judicial chain 5

6. | Gerlof Hoekstra| © Atos The Identification Console Installed in: - every Police Office - central immigration offices - prisons - Schiphol airport 6

7. | Gerlof Hoekstra| © Atos Hot topic ! 7

8. | Gerlof Hoekstra| © Atos The Identification Console Functionality overview 8

9. | Gerlof Hoekstra| © Atos The Identification System Technology ▶ Biometric middleware ▶ Photo-software ▶ NIST ▶ ebXML ▶ Jubes ▶ ESB ▶ External Police Broker ▶ NORA ▶ JAB ▶ Ministry of Justice security standards ▶ Photo standards ▶ Fingerprint standards ▶ GBA character set ▶ 7x24 ▶ 30.000 users 9

10. | Gerlof Hoekstra| © Atos The Identification System High level application architecture & test scope Crime Immigration Central message broker 10

11. | Gerlof Hoekstra| © Atos Initial situation When I joined the project ▶ Phase 1 ▶ Goal: connect to Havank (crime evidence traces) ▶ Earlier attempt failed ▶ New project leader ▶ Well documented business process ▶ Integrated test environment available ▶ Phase 2: ▶ Build & implement a completely new front-end ▶ Connect to foreigner/immigration chain ▶ Validate ID-documents ▶ Optimize business process (scan once) 11

12. | Gerlof Hoekstra| © Atos Challenges What makes this chain special? ▶ Complicated business process (many legal rules, privacy) ▶ Many registrations: de facto inconsistent ▶ Most “customers” not willing to co-operate (try to fraude) ▶ Chain-consistent test data (esp. fingerprints) ▶ Many different stakeholders, physical distance, living on their own islands ▶ Uncertainty / problems in the Police organization ▶ Heavy message transfer, complex message broker functionality 12

13. | Gerlof Hoekstra| © Atos Assembling a Test Team Testers vs subject matter experts, formal vs informal ▶ Subject matter matters! ▶ Process knowledge ▶ Know the organization ▶ Middleware & message transfer ▶ Involved in implementation ▶ Police officers ▶ Dactylocopists ▶ Application manager ▶ Justice chain expert ▶ Free thinkers ▶ Not afraid to experiment ▶ No dogmas ▶ Excellent observers ▶ Easy making contact 13

14. | Gerlof Hoekstra| © Atos Test specification: formal part Keep it 'simple' and compact; connect to the world of the stakeholders ▶ Process description(test basis) ▶ Classification tree (test overview) ▶ User scenarios (details) 14

15. | Gerlof Hoekstra| © Atos Test specification: informal part Make optimum usage of subject matter experts: test charters Theme based: ▶ Chain components not available ▶ Attribute validation ▶ Unstructured addresses ▶ (Partly) unknown birth dates ▶ Message transfer anomalies ▶ False ID-documents ▶ Bad quality fingerprints ▶ Residential address unknown ▶ Inconsistencies between registrations Role based: ▶ Test with customs employee ▶ Test met prison employee 15

16. | Gerlof Hoekstra| © Atos Formal vs informal Dealing with the quality 'watchdog' Dilemma:  versus  “How Dare You Apply Exploratory Testing” Solution: ▶ Have a small, but well thought-out predefined test set ▶ Identify exploratory test charters in advance ▶ Use simple check lists ▶ Have a good relation with QA management ▶ Explain why you are doing it like this ▶ Report what you have done 16

17. | Gerlof Hoekstra| © Atos Test data Accepting & dealing with restrictions ▶ Which fingerprints do I use? ▶ How to load these into a far far away foreign test database? ▶ How to clean up test data? ▶ How to get ID documents for test? ▶ Solution: puzzling, know what you want, preparation, know the right people! Direct database inserts Insert data with application Use available test data Cleanup possible? 17

18. | Gerlof Hoekstra| © Atos From waterfall to iterative Initial plan phase 2 ▶ Newly build front-end ▶ Monthly iterations ▶ Back-end system changes ▶ Every party has his own process & implementation schedule ▶ E2E test starts when all components are ready ▶ mitigate late integration bugs by: ▶ Gerlof reviews/monitors all supplier tests ▶ 1:1 interface tests (peer-to-peer) ▶ stub usage 18

19. | Gerlof Hoekstra| © Atos From waterfall to iterative Project in trouble! ▶ Front-end ▶ SCRUM in name only ▶ No business value delivered yet ▶ Back-end system changes ▶ DONE ! (?) ▶ Some even deployed in production ▶ Reviews, peer-to-peer testing, stubs: ▶ I did what I could .... ▶ No time, complex, error prone, ... 19

20. | Gerlof Hoekstra| © Atos From waterfall to iterative Re-organizing the project ▶ Front-end ▶ Monthly sprints, now with business focus ▶ My struggle to realize an early & iterative E2E test ▶ 'No time/resources for linking to integrated test environment' ▶ 'Trust the stubs' ▶ 'You disturb the developers' ▶ 'In the end, Iterative E2E testing takes more time' ▶ 'No need, it should work, we reviewed everything’ 20

21. | Gerlof Hoekstra| © Atos From waterfall to iterative Finally, from sprint 4 we were able to E2E test, AND HECK WE DID !!!!! 21

22. | Gerlof Hoekstra| © Atos Some interesting findings Typical integration problems ▶ Simple 'No Hits' leading to fatal errors at the front-end application ▶ Legacy systems not following agreed standards ▶ Un- or incorrectly documented interfaces 22

23. | Gerlof Hoekstra| © Atos Getting defects fixed Many independent parties, legacy systems ▶ Sometimes very hard & frustrating ▶ “Not our fault” ▶ “On our side, everything works fine!” ▶ “Yeah, that’s exactly how it is supposed to work” ▶ “Please call our service desk, they will help you” ▶ “Next release we will fix the problem (in 6 months)” ▶ Process ▶ Responsibility for defect fixing !! ▶ Diagnose (zie processchema) ▶ Solution alternatives ▶ Decision making ▶ Fixing & retesting ▶ Follow-up 23

24. | Gerlof Hoekstra| © Atos What did we learn Co-operation ▶ Getting into contact / building relations / acquire business chain knowledge is crucial ▶ (From time to time) working from 1 location adds tremendous value ▶ End users / monitoring / troubleshooting / architect 24

25. | Gerlof Hoekstra| © Atos What did we learn Early integration ▶ Perform E2E chain testing during the sprints ▶ Do not postpone difficult challenges; if something seems difficult, do it as early as possible! ▶ If you really want something, you can arrange it! ▶ Stubs can be useful, but “Nothing beats the real thing” 25

26. | Gerlof Hoekstra| © Atos What did we learn Test specification ▶ Some carefully specified test scenarios are useful, but do not completely rely on predefined test cases ▶ Make a mix between formal techniques and exploratory testing and let coincident happen. ▶ Do not underestimate the value of human observation (we revealed many bugs by observing a bit deeper than the test script) ▶ Don't trust application designs, even if reviewed 100 times; ▶ for E2E testing, a application design is no more than a supporting document ▶ Business process = test basis ? A collection of applications that all work as designed does NOT automatically mean a working chain ! 26

27. | Gerlof Hoekstra| © Atos What did we learn Others ▶ Effective reporting ▶ Frequent ▶ Visual ▶ In the stakeholders' language ▶ Forecast ▶ Directly linked to the implementation scenario ▶ Implement testability ▶ Log’s and traces ▶ Alternative input (esp. for fingerprints) ▶ Police officers are great testers! 27

28. | Gerlof Hoekstra| © Atos Result Status summer 2016 ▶ 2.5 years extensive use ▶ Much more asylum seekers than planned ▶ More locations than planned ▶ Users are happy – less work – quicker business process ▶ No messing with ink fingerprints anymore ▶ More crimes solved ▶ Improved maintainability ▶ No more dependency on 1 external supplier ▶ Various enhancements realized ▶ Finally, the maintenance contract is signed 28

29. Atos, the Atos logo, Atos Consulting, Atos Worldgrid, Worldline, BlueKiwi, Canopy the Open Cloud Company, Yunano, Zero Email, Zero Email Certified and The Zero Email Company are registered trademarks of Atos. January 2015. © 2015 Atos. Confidential information owned by Atos, to be used by the recipient only. This document, or any part of it, may not be reproduced, copied, circulated and/or distributed nor quoted without prior written approval from Atos. Thank You ! Contact: M+ 31 6 512 88 478 gerlof.hoekstra@atos.net

QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric Identification System

QAFest

QA Fes 2016. Gerlof Hoekstra. E2E Testing the Ministry Of Justice Biometric Identification System