One small step for the tester: top 10 reports of Heisenbug 2019 Piter





Hello, Habr! We post a selection of excellent reports on testing and everything that surrounds it. The visitor ratings of Heisenbug 2019 Piter determined the best reports of this conference, from which you will learn, for example:







We also prepared a playlist with the best video recordings of reports. Go!






Move fast and don't break things



Speaker: Yuri Dymov

Place: 10

Report presentation







In the early stages, startups from the Valley follow the principle of "move fast and break things" (if nothing breaks, you are not developing fast enough). But once the startup has grown, has hundreds of developers, and the cost of an error is in the millions, the company begins to devote much more time to quality.



For example, a two-hour global failure of Uber's systems cost the company several tens of millions of dollars, after which the company completely rebuilt its development and testing process at all levels: the backend was moved to microservices, and the mobile applications were rewritten from scratch. Yuri’s report is about how Uber tests new mobile applications based on the Presidio architecture and how to automate testing on iOS.








Pandora: stress tests as code



Speaker: Alexey Lavrenyuk

Place: 9

Report presentation







At the previous Heisenbug, Alexey presented the Yandex.Tank and Yandex.Volta projects, and now he has returned with a report about Pandora - “a gun for Yandex.Tank”. This is an open source load generator written in Go: you can “shoot” from ready-made cannons or build your own scripted ones.



In his report, Alexey explains how Pandora works, how to write a script for it right before firing, configure it for a specific service, launch it, and, once load tests are automated, collect monitoring data and get beautiful reports.






Testing paid services: how to stop starting the plane to check the light on the dashboard



Speakers: Vladimir Solodov, Victor Koronevich

Place: 8

Report presentation







A joint report on a topic that matters to many payment systems. Victor and Vladimir talk about how to integrate payment aggregators correctly, which pitfalls are easy to run into and how to avoid them. In fact, the report can be treated as a manual with diagrams, problems, solutions and conclusions for each issue.



They also use the App Store as an example to address the problem of unstable sandboxes and how to solve it without going broke during the tests.






Speeding up Apache JMeter



Speaker: Vyacheslav Smirnov

Place: 7

Report presentation







Apache JMeter has a problem that is not always solved - the speed of load scripts, which can seriously affect a project where a high load is needed.



The report by Vyacheslav, who has experienced the pain of test optimization, is devoted to approaches to optimal scripting that save on load machines and offer a fresh look at code optimization. According to one of the listeners, the lecture is literally saturated with blood, sweat and liters of coffee drunk at night, and can help you get around the minefield of rakes in stress testing.






Recon and gathering scopes before penetration testing



Speaker: Igor Lyrchikov

Place: 6

Report presentation







One of the features of this Heisenbug was the large number of security reports - two of them made the top. The first gives an idea of recon ("reconnaissance") - the first step that attackers or pentesters take before attacking a product or company.



Igor talks in detail about how to collect as much information as possible about the infrastructure in order to identify points exposed to attack and to conduct security tests, about ways to automate these actions in any scripting language, and about ready-made solutions. Watch the report and test your products!



Many remembered the report for its opening in the spirit of spy thrillers: “customers hire us to try to hack their system in many ways, even penetrating the building under the guise of pool cleaners.”






Test testing



Speaker: Nikita Sobolev

Place: 5

Report presentation







The well-known Latin phrase “Quis custodiet ipsos custodes?”, meaning “Who will guard the watchmen?”, is especially relevant in testing. And this report is a practical conversation about checking the tests themselves! The problem is as old as the world: code is developed, great tests are written for it, and things still break in production. Nikita suggests using mutation testing.



In a report that captivated many listeners, he explains the theoretical basis and puts everything in order: how and why to test tests, what tools are available (using Python as an example), and, honestly, what problems arise when adopting them.






Modern web testing and automation with puppeteer



Speaker: Andrey Lushnikov

Place: 4

Report presentation







Classic Heisenbug: a story about a popular tool for testers from the person responsible for it. Andrey holds first place in the list of Puppeteer contributors and believes that this tool is the future of web tests and automation.



He explains the principles behind the library and why it is so fast, demonstrates it in action and shows the latest prototype of Puppeteer for Firefox. A good report for those who want to learn more about one of the popular and useful APIs for test automation.






Effectively search for XSS vulnerabilities



Speaker: Ivan Rumak

Place: 3

Report presentation







The second security report in the top is about Cross-Site Scripting, which is still consistently included in the top 10 most dangerous attacks on web applications. Therefore, a story from an expert is both interesting and useful.



In his report, Ivan talks about the essence of the vulnerability and shares the search technique with which he found 54 XSS bugs in bug bounty programs in the last year alone, some of them at Mail.ru, Yandex, and QIWI.



The report suits both beginners and those already familiar with the topic: it is always useful to learn about the potentially vulnerable parts of web applications and how to search for XSS flaws using a universal payload.






Changing your organization's testing culture



Speaker: Jim Holmes

Place: 2



Report presentation







Tools and techniques can be studied as much as you like, but if a large company has problems with the testing culture, nothing will help. What then to do? Can a regular tester who does not head the company affect the problem? Jim Holmes answers this global question in his keynote, the slogan of which can be "one small step for the tester and a huge leap for the whole company."



Jim talks about which problems are typical of large companies in general, how to live with them and how to deal with them, using simple examples from companies he has worked for over his long career. You will learn about practical approaches that help change the testing culture in a company regardless of its size, learn to explain your ideas, understand how to influence business goals and see how often and how devastatingly leaders can be wrong.



And as a bonus to the report - you can read our great interview with Jim about the testing culture.






Quis custodiet ipsos custodes? What is common between testing and data analysis



Speaker: Ivan Yamshchikov

Place: 1







We already mentioned the phrase “Quis custodiet ipsos custodes?” in this top - and here it is right in the title. Once again, the top spot at Heisenbug goes to a speaker whose main activity is not testing, but who, thanks to striking material and a very unconventional approach, leaves an excellent impression and serves as a good reminder to “colleagues in the shop” about the general goals and values of the profession.



In the closing keynote, Ivan demonstrates how closely connected, yet at the same time very different, the tasks of quality assurance and data analysis are. For example, you will learn what model retraining and strict quality control systems have in common, why those who work with real data need to remember critical rationalism, and how to correctly formulate hypotheses and requirements for data analysis tasks.



Perhaps for some this will be the first encounter with the world of machine learning, after which you will want to figure it out yourself.






If ten is not enough for you, here is a link to a more complete playlist of the past Heisenbug. And there is something even better: the next Heisenbug 2019 Moscow will be held on December 5-6. The program as a whole is ready - and for those who have not yet decided whether to "go", it's time to do it.