When you’re working on a contract testing implementation, there are a lot of good resources out there to help you out with the hands-on part of your challenges. For example, if you’re working with Pact, there’s the documentation and a great community on Slack to help you figure out the answer to many of your questions. However, there’s much more to the implementation of contract testing than just getting the tools to do what you want them to do, and these other aspects are much less often discussed. I was recently asked by a fellow tester if I had a blog post or some other kind of resource tha ..read more

There’s a running gag in the professional world that you can recognize a consultant from the fact they always answer questions in the same way: “It depends.” (sometimes followed by “if you want a more useful answer, this is my hourly rate.”) Cheap jokes aside, there is an underlying truth to this running gag. There are very, very few absolutes in software testing and software development. You wouldn’t jump to that conclusion from going through my LinkedIn feed, though. And I sort of understand that. People like speaking and thinking in absolutes. It is the easiest way to find or formulate an ..read more

Over the last year or two, I’ve found myself talking about contract testing more and more often, in talks, workshops, as well as when I’m working with clients. One of the promises of contract testing is that it will help reduce your dependency on long, slow, expensive end-to-end tests. But how does that work in practice? And more generally speaking, how can teams stop relying so much on slow and expensive E2E testing in general? In this blog post, I want to have a look at an example E2E test for ParaBank, a fictional online bank, and break that test down step by step into smaller, more focused ..read more

In this blog post series, I am going to explore the vulnerabilities in the OWASP API Security Top 10. For each entry, I’ll show you how to perform experiments on APIs to test for the vulnerability, and I’ll discuss my observations. I’ll use different APIs as test subjects in these blog posts. All APIs used are demonstration APIs, i.e., they are not used in real-life, public applications. Any vulnerabilities we discover in these APIs are therefore harmless, if not put in there on purpose. Here are the entries: Broken Object Level Authorization Broken Authentication Broken Object Property Level ..read more

Yes, it is that time of the year again: the days are short, cold and (especially this year) particularly rainy, and it is time to look back on what 2023 brought me, professionally, as well as look ahead to what I would like to focus on in 2024. The most valuable lesson I have learned in 2023 is that I get the most joy out of working with others, be it individuals, teams or entire companies, and help them improve their automation efforts. I also learned that the key word here is ‘help’, as in: I don’t enjoy a role as ‘the tester’ or ‘the automation engineer’ in a team so much anymore. This is t ..read more

In this blog post series, I am going to explore the vulnerabilities in the OWASP API Security Top 10. For each entry, I’ll show you how to perform experiments on APIs to test for the vulnerability, and I’ll discuss my observations. I’ll use different APIs as test subjects in these blog posts. All APIs used are demonstration APIs, i.e., they are not used in real-life, public applications. Any vulnerabilities we discover in these APIs are therefore harmless, if not put in there on purpose. Here are the entries: Broken Object Level Authorization (this post) Broken Authentication Broken Object Pr ..read more

Ever since I started running training sessions some 6-7 years ago, I’ve been receiving requests from individuals for training, requests that I simply could not fulfill, mostly because I’m simply too lazy to organize paid public training courses. On the other hand, as you might know, I’m a big believer in live, in person training as opposed to self-paced consumption of training materials, and I’d love to give more people access to what I think is good quality training material. This is where my latest initiative comes in: free, live, online workshops. Go to the workshop registration page Why? T ..read more

One of the biggest perks of my job is being able to travel abroad to attend and contribute to conferences (or run corporate training sessions) every now and then. I mean, seeing foreign countries, meeting new people and getting paid to do so, what’s not to love? Earlier this week, I had the absolute privilege of attending and speaking at the 2023 Targeting Quality conference (TQ2023), organized by KWSQA, the Kitchener-Waterloo Software Quality Association. This is a regional conference held once a year in Cambridge, Ontario, Canada. Being a regional and ‘boutique’ conference (a direct quote fr ..read more

Last week, I had the pleasure of being a guest on the Test Automation Experience show with Nikolay Advolodkin. In this episode, we talked about RestAssured.Net, I released version 4.1.0 during the podcast, and we discussed some features that have been added to the library in the last couple of releases. If you want to watch the episode, you can find it on YouTube here. In this short blog post, I want to highlight the most important new feature of RestAssured.Net version 4.1.0, which is the ability to inject a custom System.Net.Http.HttpClient (docs) into your tests. Where is this useful? By de ..read more

So, a couple of months ago, just before summer, I started a new part-time project with a financial services provider here in the Netherlands. They were looking for someone to help two of their testers grow into automation engineers, and someone else within the company (who I worked with on a different project ages ago) referred them to me. Now, apart from the corporate training courses that I provide, I’ve done some 1-on-1 or 1-on-2 mentoring earlier in this year, but the time we would be able to spend together was much more limited, i.e., about an hour, sometimes 2, per week. This engagement ..read more