
Cynefin beginnings

Cynefin was on my radar ever since I joined The House. It seemed an interesting idea worthy of further pursuit, so I decided to attend a training on this topic in London this April.

Cynefin - my amazing drawing

My first thought was "What am I doing here?!" - the other attendees were a mix of scrum masters, project managers and similar roles, which was actually to be expected. Cynefin is a decision-making framework which seems to be applicable mainly in management, but my firm belief is that testing can benefit from it equally.
My goal was, however, to find out more about Cynefin and how to apply it to my work as a software tester. I expect it will take some time for my thoughts on this to fully settle and for me to get the whole picture from this training. My colleagues have already got some very good insights from Cynefin; my goal is to follow this path. The purpose of this blog is to summarize my thoughts on this so I can revisit them later in my life and maybe see how much my understanding has changed.

Finding out in which domain you are is not easy

We were told many stories and examples of real situations which belonged to particular domains of Cynefin, but when I ask myself the question: 'With the information at hand, would you have certainty you can correctly identify the domain in which you are?', I often cannot answer positively.

Knowing the Cynefin model and some tools from here will, however, certainly help.

Categorize all the things

I can suddenly fit many aspects of my life into Cynefin. At this point you probably expect me to mention software testing as part of the complex domain. This would be too predictable.
My example is martial arts:
  • Simple - drilling, practicing techniques (or katas, forms)
  • Complicated - theory, getting guided by the teacher/coach/trainer, attending a seminar
  • Complex - sparring, positional sparring, every aspect whose outcome is not clear and where you learn by playing/doing rather than repeating
  • Chaotic - I imagine here a potential brawl on the street - a very chaotic situation where acting is highly superior to any probing or analysis

Sometimes this can help you find out which approach will help you get better fast. There is even a guy who basically advocates for BJJ as a complex domain (even though he does not use these terms).

Using actions from different domains can be detrimental

Very roughly said:
  • If you apply techniques from a 'higher' domain to a 'lower' one (for example complicated practices in a simple domain), you will be ineffective - basically overkill
  • If you, however, think and act as if you were in a lower domain than you really are (acting as in complicated when you are really in the complex domain), you are writing a recipe for disaster
  • Being off by two or more domains (simple <-> complex, simple <-> chaotic) - big trouble incoming
Acting wrongly in any situation is overall a bad idea. My point here is to be cautious about your confidence in any approach, at least before you have confidence about the nature of the system you are dealing with.

Bonus - my notes from the workshop.

