Lydia Casillas from Sky I.T. Group joins us for our third episode to discuss the challenges of testing mobile apps and the mobile web to ensure security, usability, and powerful “enterprise mobility.” We also review beers from Stone, Freemont, and Alltech Lexington Brewing & Distilling Co.! Tap In!
Noel: Hello, everyone. Welcome to the Skytap DevHops Podcast. This is the show where ideas about enterprise software development, DevOps, Agile, and more flow freely.
I am your moderator and host, Noel Wurst, the editor-in-chief of the Skytap blog our in-house journalist, and the person behind most of our social media presence online.
Before we get started, I should point out that the ideas expressed on this show are those of myself and our guests, and are not necessarily those of Skytap or our guest employers either.
Today, we are joined by Lydia Casillas. Lydia is from Sky I.T. Group, which is a partner of Skytap, and we’re very excited to speak with her today. Lydia, would you like to give everybody a little introduction about yourself and Sky I.T.?
Lydia: Sure. Hello, everyone. My name is Lydia Casillas and I have been with Sky I.T. Group for a little over 15 years. I focus on our application delivery management business unit at Sky. I’m also heavily involved in the Dev/Test and DevOps areas, specializing in testing, mobility, and then everything that it takes to bring your application into production. Happy to be here.
Noel: Thanks for joining us! Also with us again is Jason English. He is our galactic head of product marketing here at Skytap. Jason, do you want to give a little of your own background as well?
Jason: Sure, yeah. I’ve been with Skytap for just over a year now. I came from a background where I ran the DevOps agenda at CA and previous to that was VP of marketing at a company called ITKO, which was acquired by CA. There, we did service virtualization, which was a new idea at the time. I’ve definitely been involved in the application development lifecycle in all my previous roles and excited to be here at Skytap and part of seeing this come together in the cloud.
Noel: Very cool. Something else that we do on this show when time and interest allows is to, since we call this the DevHops podcast, is to incorporate a beer review into the show as well where we each choose a random beer that’s either a favorite of ours or maybe a new one that we’re looking to try for the first time. We’ll be quietly drinking those during the conversation today and then at the end, we’ll give a little small recap as to what we thought about it, and if should you pick one up yourself..
I’ll go first. I am drinking a Stone Session “Go To IPA”. It’s a bit lower alcohol content than a traditional IPA. On the last episode, I chose one that I believe was about 9 or 9.5% and I thought it best to go with something a little lighter this time. Lydia, what do you have today?
Lydia: I also picked something fairly new. Apparently, it’s only been out for a little over a month out of a brewery in Kentucky. It’s a Kentucky Bourbon Barrel Ale that I’m actually getting ready to open for the first time.
Jason: Yeah, I followed suit with you, Noel, and went a little bit lighter this time, especially since it’s still rather hot here in Seattle as well. I opted for the Fremont Summer Ale, which is a pale ale that’s about regular strength, and has a little bit of a citrusy character to it apparently.
Noel: Very cool. When we were discussing a topic for today, we decided instead of just covering a topic as broad as software testing, we’d talk about testing for mobile apps, specifically, enterprise mobility. What kinds of requirements are there for an app or for some piece of software to have what you would define as enterprise mobility?
Lydia: Mobility, like you said, has completely changed for both the enterprise and also consumer users to be able to do so much more and be more productive way faster. Everything is, “how quick can I get my hands on it or how fast can I respond to something instantaneously?” It’s changed the way we do business, how we buy things, and how we consume information. Funny enough, this younger generation is just getting faster and faster, and always trying to juggle more as well.
From an enterprise level, business users need to be able to not only get the information quick, but be able to deliver it anywhere, from anywhere. We’re not only talking about a device, or the application that accesses this information either. But also, the time that it takes to go over the network, to access the information I’m trying to get my hands on, and just making sure that nothing is slowing me down.
The reason I bring up the consumer in this is because most of the time, we’re all trying to multi-task. I’m using my device to do my job, my work-related items, and at the same time, I’m trying to order a gift for a baby shower I have to have this weekend or a pizza to feed my kids later or transferring money, and all from the same device.
These mobile app purchases, transactions, business or personal, and the data behavior that’s going behind it are being looked at from both an enterprise and a consumer level and even monitored. A lot of these consumer-related organizations are looking at these behaviors on their mobile apps and what they need to develop and then, how to use that data to be more forward thinking and making marketing decisions and keeping up with competition.
These enterprise mobile apps are getting very complicated. There’s a lot that goes into it. It’s not only just from an enterprise business standpoint. It’s also from a user and consumer standpoint as well. That’s my definition.
Jason: Yeah. I think obviously, the consumer expectations are what drive enterprises to explore moving to ways to mobilize their business. I think a lot of what’s going to shake out of this process is really reducing the set of what needs to be mobilized and making sure that we have a strong distinction between what use cases support mobility and what use cases don’t because obviously, you don’t just take your whole website and move it into a mobile app.
Sometimes, a mobile app isn’t even called for. I think over 60% of apps are used zero to one time, right? Then they’re either deleted from your phone or never used again. That shows us that there’s a lot of misguided attempts and forays into mobilizing business functions. The ones that will survive and do this successfully will really hone in on specific features that the customers need and they’ll do a smooth job of tying it to the actual enterprise system so that there is less latency and there’s an effective transaction taking place.
Noel: Right. Speaking of mobile apps, the Skytap mobile app that was recently launched does a relatively small percentage of what Skytap does on a desktop or laptop. And that’s because there are only certain aspects of Skytap that people are really looking to be able to do away from their desk. This also helps the app have a simple and easy to use UI.
Lydia, I read a piece of content on the Sky I.T. website, and there was a line that stood out to me that I really liked. It said that there is the need for mobile enterprise apps “to do something as difficult as reliably synchronizing data with backend legacy systems and providing a simple and useful UX.”
These enterprise apps are doing a lot of things, but they need to display results or the results of actions that users are taking a very simple way. I know how difficult that is to develop, but where does testing fall into how challenging that can be to deliver?
Lydia: It’s interesting because you can have that same conversation or pose that question to a lot of our customers, and a lot of people I think have the misconception that testing should just be right at the end, right before it goes into production. While we’re trying to deliver these apps, whether mobile or web apps, in a more continuous delivery model or more Agile-specific model where these release cycles are a lot smaller, a lot condensed, timing is more and more important. It becomes more and more important as we’re trying to create a lot more common releases.
Being able to hone in on what’s important to that mobile application, but then also, entrenching testing almost at the very beginning and throughout the development process is so important. It’s so key. I can’t stress it enough to even our customers in that testing has to be discussed, determined, planned at the very early stages.
Most mobile app release cycles are typically in some cases releasing new features, new enhancements weekly, and sometimes even daily. If testing is not involved at the very early stages and companies are sending out applications into production and with minimal testing, they’re going to get hit hard when they’re users can’t access their application and can’t do their job or a system is down for whatever reason or there’s a security breach.
Not only is it important to have it at the very front, but it’s not only just testing the functionality. You’re testing performance. You’re testing network. You’re testing the security, so many different levels of testing that have to be considered. The earlier that that can take place, the better it is for the mobile app and for the enterprise altogether.
Jason: Yeah, that’s definitely a great point. The earlier we can test, the earlier we can even find problems with the requirements themselves, right? A lot of that is the actual daily use of the app by live physical users or verification on actual devices and not just emulators.
A lot of this has to do with the user experience testing and acceptance itself, but then at a system level, we’re also required to think about where am I going to do this kind of testing. Other than having a bin full of devices sitting in some remote lab somewhere that have cameras trained on, how many are going to verify that this functionality is making it across at an accurate way to the devices and is actually displaying the right business logic?
There it starts getting a little bit stickier. I think a lot of companies aren’t very good at cordoning off the test environment from the actual enterprise apps themselves. There’s been a number of high profile cases where testing activities or test data affects actual mobile phone subscribers, right. I think Verizon had a really famous one on the East Coast where they basically sent out an emergency warning message to about 100,000 people and there were calls to 911 resulting from it. It was supposed to be a test of the system, but obviously, it wasn’t running in a separate test environment or a virtual environment. It was running in production.
The key to this is, you’re dealing with a live user-base and they’re less tolerant to these kind of faults than anybody because they take it very personally if you deliver problems onto their personal devices, more so than even a standard business user.
Lydia: Absolutely. It’s funny because I think I’m seeing more and more of our customers, and I cringe, I absolutely cringe hearing when a customer tells me, “Oh, yeah, we’re just going to take the app down or put a screen that basically says, “system not available from 12 midnight to 3:00 in the morning just to do our testing,” and all because they didn’t have an environment early enough or there wasn’t an environment available. Unfortunately, I’m seeing it happen a lot and it’s not the best practice.
Noel: Yeah, Jason, I was just going to ask you, going off of what Lydia just said, I remember seeing those screens. I feel like I’m seeing them less, but I would always kind of wonder why it had to be done during … why site maintenance had to be done during an hour that I needed to use it. Is some of that related to the fact that they would’ve done the testing earlier had they had the environments and the resources to do it when the site was still up.
Jason: They would’ve done so if they had actually architected that into their process to begin with, right? But once you get down the road and you have a couple functions that are working, you start tying that to more and more actual live systems. Then you run into this wall where you basically have a lot of dependencies that are underneath the app and a lot of potential for this kind of hazard to occur.
Obviously, the best practice we recommend is doing all of this, getting your test environment as close to production as possible, so that all the aspects of that are being handled and scaled, and I’m able to really verify the functionality, but building that into the process from the beginning. Otherwise, it’s going to be hard to do and retrofit that into your process if people are already using an app.
Noel: Lydia, like Jason mentioned earlier about the quickness that we’ll stop using or delete an app—it seems like in mobile, that this need for earlier testing and looking at quality throughout the entire SDLC is at least equally, if not more so, important in mobile because it’s just so easy to delete an app and find a replacement.
Lydia: It’s interesting because we all look at our smart phone every day and you may have on a daily basis anywhere between one to some cases five or more updates on some of your apps. Some people may get annoyed by that, how often or how common, but I actually look at it as a positive approach, especially coming from a consumer standpoint. If these are the apps that I’m regularly using, whether for business or for daily use, and I see that they’re being updated on a regular basis, typically, those are the apps that I’m going to have on my device and keep them there because I need those updates.
Those updates could be pertaining to development enhancements, new features, bug fixes, security, etc. Those ones that get updated, and you can pretty much track how often they are, those are the ones that I think people have a tendency to keep on their device a lot more, but what happens behind the scenes … It’s interesting.
I don’t know if you’ve ever had the opportunity to actually look at those updates and actually go into the detail of what is being updated for those particular mobile releases, some of them are very honest in saying, “We fixed a security breach for XYZ,” especially on some of the financial apps, but for the most part, you can usually tell.
The ones that don’t get those regular updates … I actually go through my device on a regular basis, at least monthly because you get to a point where you’re consuming a lot of the space on your device and I need to delete apps before I actually go and delete some of the pictures and videos that I’ve taken.
From an enhancement standpoint, from a processing standpoint, you have to look at it also from the consumer side or the user, business user side. Then from an enterprise perspective, these are the areas that you need to hone in and test against, not only for those new releases, not only for those new bug fixes, or security breaches, but if that application is not performing on a regular basis.
These are other things that need to be considered before those updates are brought into the picture. Performance and stability and accessibility of those mobile apps are all very important features when it comes to considering what your test plans are going to be around.
Jason: That’s a great point because yeah, when you’re basically committing to make and then maintain an app over time, you’re going to have to support it as a business if you want to maintain your reputation there. A lot of times, I think when businesses or enterprises say, “We have to have mobility,” they’re overlooking the idea that just using the mobile web itself could be the killer apps for that company. Sometimes if you could just have more responsive design of your web experience and make that work for the phone user, there’s no need for them to have an app at all.
That’s something that you have control over. You can update at will and it actually has the security and some of the aspects could be built into the web experience as opposed to being part of an app that’s accessing that person’s device.
It’s definitely something to consider. There’s a lot of functionality that you can handle just through a mobile web application that looks like an app for all practical purposes or at least conducts the functions upfront that the mobile user would want to see like I want to call that location or make a reservation. It doesn’t need the rest of the information. It just needs what that mobile user wants to do.
I would say definitely, the majority of what we consider to be enterprise mobile apps will actually be mobile websites of some form or another, especially now if you’re going to see that emerging as rather than having everybody have to have their own app.
Lydia: Yeah. It’s interesting, I just actually rolled over a business website just recently. I won’t name the name, but it’s funny how organizations now are developing their websites geared more towards mobile as their primary marketing display versus the other way around where they present from a website, web application, or like we just talked about, mobilizing that website. Now it’s almost I’m seeing more companies go the other direction and just mobilizing everything because that’s the way users are accessing the information these days.
Noel: For being able to deliver updates, whether it’s just minor bug fixes or security updates, or even new features that companies are excited to release to customers, what kinds of things are helping those updates come out both quickly and at a really high quality?
Jason: I think this is where it does tie to industrializing the software release lifecycle. The whole software build and delivery lifecycle, if you can industrialize it, that means that you would put the operations team that’s responsible for deploying and maintaining the applications on the same side as the development team that has an incentive to deliver the functionality as quickly as possible. If those teams are incented to get a quality product and to get it out on time, that puts them on the same side, right, as opposed to operations basically, holding up release due to security concerns or scalability or performance concerns.
They get on the side of trying to be part of the solution, to help deliver an infrastructure that works faster, make sure the capacity is there, and make sure that you have environments behind the scenes that are allowing these development and test teams to do that critical testing work and experimentation earlier in the lifecycle so that what gets thrown over the wall isn’t garbage.
It’s not just something that they finished on time in order to meet their goal. It really has a lot to do with how those teams are organized and rewarded for getting the job done and being on the same side.
Lydia: Yeah, I agree. As we were talking about this question, I’m over here thinking funny enough, my husband’s a network engineer and he’s always saying, “Well, you layer seven people…” There’s that big bridge that sits in between those two teams, not only in general, but for most organizations. They do have to work hand in hand. The development and testing teams, they have to have a solid process in place to be able to deliver apps faster. They can’t be held up by operations to supply them an application environment that in some cases could take weeks or months to supply. Nobody has time for that.
Being able to have that sync, that it’s one team, not two separate teams doing it to provide the end result or objective. They have to be able to develop, test, test performance, test scalability, test security, network, put their seal of approval on it, and push it into the ops team for a quick turnaround into production. It has to be a solid, handheld end-to-end approach that needs to be a team environment, and it would be great if there were some incentives to reward for all of those teams combined.
Noel: Awesome stuff. And lastly, what are some of the challenges that mobile testers face today as far as trying to make sure that security covers internal data, external data of users and customers, and just everything else that needs to be protected when thinking about mobile?
Lydia: Security is huge. I think it’s something that now more than ever needs to be discussed very early on. I think when we look at what we’re seeing in the news with hackers becoming more and more aggressive and creative on how to get into specific data or sensitive data, whether it’s mobility or via web or getting into someone’s network, I think part of the problem I see a lot is that in most organizations when you start talking about security, all they think is, “Oh, my network is secure. My whole environment, enterprise environment is secure,” but they’re looking at it from a networking or architectural standpoint, notfrom a security standpoint.
I think organizations are getting smarter and thinking about it more from an application level because that’s where the creativity is really coming in, from the mobile devices, from the websites. Hackers are able to get in just through a browser these days. I think years ago when we talked about testing, it was always like performance testing was always the last leg and if we have time and budget, we’ll do performance testing.
I’ve seen that shift going over the last couple of years where security is, “if we have time and we have budget, we’ll make sure that we test the security before it’s released in production.” Now it’s getting to a point where I’m pushing customers to really think about it in as early as the development stages.
Most developers are not trained or are not educated on how to develop secure code. I’m sorry. That’s just the truth of the matter. I think more developers are starting to learn, but security needs to happen at the development stages. Security needs to happen at the testing stage. Quality assurance engineers need to understand how to test security, what to look for before it goes into production. Then once the app is in production, I honestly feel that besides doing that last check, “are there any holes or vulnerabilities in this mobile app?” I think it needs to be a regular, recurring process in production whether it’s daily, weekly, or monthly.
As an example, we’ve got customers that have very sensitive financial data. All of our banking information is out there, credit card information. We’re seeing it in the news on a daily basis where people are getting their identities stolen. Again, hackers are creative and they’re out there finding new ways to get into these mobile apps as a new way for them to get into. It should be a new way for us to be spending a lot more time in these enterprise applications to be testing very early on.
Jason: There are so many potential vulnerabilities that it almost feels impossible to cover everything, and just to stay ahead of that curve. It’s even harder when you add this multiplication factor of enterprises having BYOD policies. You have people with a number of different platforms and they could be bringing these devices in, they’re using some applications, and some of them would be internal applications to the business that they might be using or something that talks to other external companies. What’s the behavior of those employees in terms of using that data or allowing somebody else to possibly see it, right?
It’s the behavior, and a lot of times, there’s nothing you can do to control that side if the users themselves aren’t being responsible. There’s a certain amount of education and monitoring and preventative measures that also have to take place for everybody who’s authorized to use something, at least to tell them how to protect their own data, much less the data of the company, and how to use the application responsibly. That’s where a lot of the breaches are really occurring.
They may have a really tight firewall, password policy, and stuff like that, and the data still gets out there because someone shared production data with a third party testing team for instance and didn’t properly cleanse it. Then you have another news story coming out, right. We definitely need to think about all the policies and how people treat that sensitive data as part of the whole security picture.
Noel: Absolutely. Well this was an an awesome chat, tons of stuff for a large number of numerous groups in the SDLC to think about. Before we say goodbye, we want to include the feelings on the beers that we were each drinking today. Lydia, would you like to go first on that?
Lydia: Sure! It’s interesting because I’m more of a wine drinker myself, but this beer, I actually have to say is refreshing. I started out with just sipping it initially and it was a little heavy for me … Not heavy I should say, but more stark for me than I normally would drink. I’m usually a light beer person myself and then, as we started talking about mobility and I’m getting all into the topic, I start tasting some of the other flavors, the vanilla, the oak in here, and I’m like, “Wow, this is really quenching my thirst.” Yeah, I was trying to taste the bourbon part of, the barrel taste, but I probably need to drink a couple more to really get it in …
Noel: Haha! Probably so, probably so.
Lydia: For the most part, it’s great beer and I will definitely buy it again.
Noel: Cool. Jason, how about you?
Jason: Yeah I did want to switch it up because it is a little bit early in the day here in Seattle, but this light Fremont Summer Ale does make me want to get on a bike and ride down to the Fremont Brewery, which is all downhill from here so I can get there in about probably 30 minutes and have a fresh one from the brewery. I think I might do that. Anyway, it’s a very good citrusy flavored beer and might need to have another myself.
Noel: Good idea, you should! This Stone Go To IPA has that lower alcohol content; it’s very floral, very hoppy, but not in a overpowering way at all. It’s one of those things that’s meant for a party where you’ve got to be able to compose yourself, or maybe you’re standing out in the sun all day. It also works for beers in the middle of the day when you still have a number of items on your list you need to do for work—like me, today.
Lydia, I wanted to invite you to plug anything that you’ve got coming up or that Sky I.T. does. I think we do a really good job on these shows of keeping the conversation pretty vendor-neutral so at the end, I always let people at least mention anything exciting or stuff to look out for on your website that people should know about.
Lydia: Absolutely. Thanks for that. Our website is http://www.skyitgroup.com/ and actually, we have an interesting “pizzacast” coming up with the focus around Skytap environments-as-a-service and bringing them into the dev/test conversation. I believe the dates for the pizzacast are scheduled for next week, and we’re hoping to have them on a more regular basis.
Noel: Very cool. That is about all for today’s edition of DevHops brought to you by Skytap. We were joined by Lydia Casillas today, who comes from Sky I.T. Group.
If you enjoyed the content on the podcast, please let us know on Twitter or subscribe to our blog or the podcast itself, which is currently hosted on SoundCloud. You can follow our blog at skytap.com/blog for more commentary on software development, testing, cloud, DevOps, mobility, information about our company and a whole lot more. Thank you so much for joining us again today everybody and we will be back with another episode soon.
Have a topic, speaker – or even a beer(!) you’d like to see featured on a future episode of the DevHops podcast? Let us know!