Josiah Renaudin: Welcome back to another TechWell interview. Today I am joined by Steven Winter, the president of Guerilla QA and a speaker at our Better Software Conference West. Steven, thank you very much for joining us today.
Steven Winter: Josiah, thank you so much for having me on.
Josiah Renaudin: Absolutely, and first, before we dig in to the meat of your keynote, could you just tell us a bit about your experience in the industry?
Steven Winter: Of course. I have been doing QA and breaking software for about twenty-one years now. Started off at Broderbund Software way back in the day when someone told me you could make $15 an hour testing video games for a living. It was sort of like, the testers crack to start in from video games. The last dozen years have been solely around startups, and the last eight years have been around mobile, specifically mobile fin-tech (financial technology).
Josiah Renaudin: See, I think we actually have a lot more in common than I thought. For my side job, I'm working for a studio that is developing a video game. That could be an entirely different interview for another day.
Steven Winter: A whole other interview.
Josiah Renaudin: So let's not talk about that, since we’ll end up talking about that for thirty minutes. To focus on your actual keynote, let's really start here: How much of what we've learned from mobile development and testing can be applied to the Internet of Things testing and development?
Steven Winter: That's a great question, and that's actually the foundation of why I chose to talk about this subject because many of the big pieces of the Internet of Things is a direct one-to-one from what we've learned from mobile. From firmware on the device to the network protocols and the APIs they use to communicate, to the security of those connections and all that massive data transferred to and from that device are all existing technologies used in mobile.
This is the big message. We already have the knowledge, and we're already prepared for what's coming with the Internet of Things. There's specifically the hyper-connected world. The challenging part is managing the scale. There is something close to twelve billion connected devices now, and by the time we're done with the conversation, there's going to be another five thousand connected devices. It just happens, it's happening that fast, so the challenge is managing the scale. Managing and maintaining the software on the devices, managing the increasing demands on APIs and the third-party APIs you have to deal with, and that big data management like I spoke to before.
Most important is the increased security threats that this hyper-connectivity is going to create.
Josiah Renaudin: Security, I feel, is something that...I write for one of our main sites, TechWell, very often, and security is something that comes up very often.
Steven Winter: Sure.
Josiah Renaudin: How are IoT devices putting a greater onus, a greater demand, on software quality and security?
Steven Winter: It's really interesting, I'll start with drawing some of the parallels from mobile first, given that's what I'm talking about in the keynote. Things like device fragmentation over the years, software updates, third party API integrations, the big data like I spoke about, all those things are...it's part of IoT. You have these devices with firmware, software, sensors, switches, and a IP address, so you're going to draw from the same type of issues.
The security side is exponentially more of a problem because in a hyper-connected world, there is hyper-connections, there's a mass amount of connections…it comes back to that scale thing. You have that many more access points, or entry points, for a bad guy to get in. Imagine one of the IoT devices is a Nest thermostat. Many people use a Nest thermostat, and no offense to the Googlers and Nesters out there, but the data that is being transferred, it knows if I'm home or not with auto-away, it knows where my location is. There's things about this data, sort of this passive data that's going back and forth, that if a bad person got in there, they know when I'm not home. They know when they can come to my home, because they know where my home is.
You look at like medical devices and the auto industry, medical and auto industry are arguably at the forefront of a lot of the connected IoT stuff, right? Because all these sensors. Look at the Tesla and how many lines of code are in the Tesla. Over the last, gosh, just over the last six months, we've seen exploits around being able to connect to and control a pacemaker. Being able to control the defibrillator that's built into most pacemakers. Being able to control, connect to and control a car, disabling the transmission, disabling the breaking system, obviously unlocking the car, and starting the engine. All of these things are very, very real. I'm not making this stuff up. This is real stuff. You can go look it up on the great Google.
As scary and as ominous as that is, it's a known quantity. We've dealt with these threats. We've been dealing with these threats from when PCs became a thing, and they connected from the fancy thing called “the Internet,” and then the mobilization of all that connectivity. We've been dealing with this over the past fifteen, twenty years. The challenge around IoT and security is you have scale, and you have that many more entry points to do bad things.
The cornerstone of having a solid IoT strategy is no different than having a solid mobile strategy or web strategy. You have to think of security first. You have to think of where the bad guys can come in and wreak havoc, and you have to assume that not only that they will get in, that you can't just be crunchy on the outside and soft in the middle. You have to assume someone is going to get inside and do something, and what are you going to do then? The IoT is just going to make that...again, and I'm now repeating myself, the entry points to get into that is where the challenges are going to lie.
Josiah Renaudin: Like you said, these are challenges, at least a lot of them, that we have dealt with before. We have dealt with security risks before. I feel like just now, we are starting to get to the point where people are more comfortable putting all of this personal information on their phone, using their phone as their credit card instead of an actual physical card. You mentioned the Nest thermostat…there may be a point where your refrigerator is fully connected to the Internet, your oven is fully connected to the internet. We're getting these household items more and more connected.
Are there going to be newer and newer, different security risks associated with having so many different devices, especially devices that have never been connected before, now on this network? And kind of to go off of that, how long do you think it will take for people to be comfortable with every little thing, maybe even their doorknob, having an Internet connection?
Steven Winter: The examples you gave are all realities now, right? There's fully connected refrigerators, ovens, and door security systems. I'm challenged to think that there are necessarily new threats, because we're still dealing with the same type of technology. We're just using it on a smaller scale, because the devices are “dumber,” there's less software on them, so to speak. Again, you have a heck of a lot more portals to get in. I can't say that there's necessarily new threats, and I'm sure that there's a million people that are going to scream at me at this, and please educate me. I've been doing a lot of research around this over the last year.
If you look online right now, there's a million articles on the security issues around IoT. All of those come back to the same issues that we're dealing with right now. What do we do with all the big data that we collect from all the stuff. Whether it's a refrigerator or your laptop, or it's your phone, all the data that's out there. Those are already threats that we're dealing with. Those are very real issues and controversial issues that we're dealing with right now. IoT just makes it a grander scale. There's just that much more data to do something with. Does a manufacturer keep all that data? How long do they keep that data? If you don't give up your data, do you actually get to use the device?
Will I be able to use my refrigerator if I opt out of sending data back and forth to mom? Again, I don't think that, I've yet to see that there's new unique type of threats other than...No, I don't think there's a bunch of new threats that are happening, there's just the exploit-ability to the existing threats that we already see and we're already dealing with is exponentially greater.
Josiah Renaudin: When we talk about new devices, new hardware, new anything, you usually think that it's out with the old, in with the new. You think of the DVD or the Blu-Ray, and there's no more VHS out there. You think of smartphones, and no one really wants a flip phone anymore. Why do you feel that mobile apps and devices will actually continue to increase in relevance as IoT explodes, and is it because regular items that are now connected to the Internet are going to have maybe an app associated with them that will make you need that mobile device as well as the IoT device?
Steven Winter: The easiest way to answer that is yes. Every company needs to be mobile-first. No matter what your industry is, you have to have some shard of mobile, because as we look at all the stats, and all the trends, mobile is the primary way to get to the Internet by and large. It's more than desktops. When you look at the sheer number, just look at the sheer volume, mobile is not getting smaller. Mobile and connectivity, especially when you think about the third-world countries that are coming online that...the primary way to communicate in many third-world countries is with SMS on a flip phone. That's sort of the entry point into the Internet.
Mobile is not getting smaller by any stretch of the imagination. When you draw a simple trajectory line on the adoption of mobile as it continues to grow and grow and grow, and overlay that with the number of connected devices that do stuff that help us and enable us, they intersect over and over and over. Their inflection points are many, and I can't see it getting any smaller. Certainly on my phone, I have plenty of apps that control the things around my house. I welcome an argument to say how the apps are controlling the things, because that's the primary portal to the Internet and where all the connectivity is going to be accessed. There's no reason to think that mobile apps are not going to still be the main access point to those devices, to control those devices, to get data from those devices, to make your life better through looking at that app, and you learn the new things, and you make better decisions, and your life is easier. It's going to be through the computer that you hold in your hand.
Josiah Renaudin: As we continue to see the number of mobile apps increase, the number of connected devices increase, and just the popularity of mobile continue to skyrocket, do you think we'll actually see more test automation that we've seen before? Do you think we'll have to have more automation to keep up with all the things that we'll have to properly test?
Steven Winter: That is a subject that is very near and dear. Here's my bold, brass statement, that if anybody reading this or listening to this does not have a solid automation strategy for their stuff, you are behind the times, and you will not be able to compete in today and tomorrow's market, period. Period. Continuous integration was last week. Continuous Delivery is now. Like agile's almost not even fast enough for getting stuff out there. Part of the challenge's that I see, and I'll talk about this in the keynote at length, we're going to get all this data back from these devices that we're going to make decisions with and do something else with. Then we're going to update the software on those devices, and maybe the devices are going to make different choices and do different things based on the data collected.
How do you manage that? How do you manage that level of rapid change within your own network, the ecosystem, how do you manage that? If you're not taking a test-centered approach when you develop from the ground up, quality first from the ground up, you're always going to be playing the catch up game, and if you're always playing the catch up game, you're never going to be up in front, and you're never going to be able to be...you're going to be continually reacting. I don't know about you, but I don't want to be reactionary in my life. I want to be making bold decisions and moving forward based on what I want to do, not reacting to something that's coming at me. I want to be good at reacting, but I want the advantage. Everywhere that I've been, every company that I've worked at, the struggle is always to get to a hyper auto, test automated world. You want self-diagnosing systems as much as you can build.
If you make the decisions up front you're going to be getting closer and closer to this beautiful self-diagnosing system. The sentient test robot will tell you, the app itself will tell you when there's an issue. You don't want to have to be chasing after it all the time. Absolutely, absolutely you have to have test automation up front, built in, part of the culture to support that kind of continuous deployment, continuous delivery, continuous quality based on the rapidly changing landscape that IoT is going to throw at us.
Josiah Renaudin: Absolutely. I feel like everyone I've talked to at this point has a different opinion about the percentage. You should have 60 percent automation, 40 percent manual, and all over the place. So I think it'll definitely be an interesting part of your keynote to have you say that, here's some of the questions coming out. Something that I do always like to ask people who have some sort of information or knowledge about IoT devices, is what's the most interesting and novel IoT device that you've seen thus far? Like you said, there are refrigerators, there are ovens, there are security systems, there are thermostats that we know about, but I think there's always those random things where I’m like, man, I never thought about that. Have you seen a certain device where you're like wow, that's really something unique?
Steven Winter: Yes, yes! As a matter of fact, my best, best buddy, he and his wife...yes, it's a bed, it's a mattress. It is a hyper-connected IoT mattress, and they just got it a couple months ago, and I checked it out and this thing has, let's see, USB connections on the side so you can charge your device. It has Bluetooth embedded speakers and a sub woofer in the box spring. It has dual-control vibration, heat, and angle of the bed. It's all via an app, well, actually technically speaking she has an app, his wife has an app, and he has an app so they can both independently control their sides of the bed which [is] arguably one of the best marriage tools.
Josiah Renaudin: Oh my god, that is amazing.
Steven Winter: I thought this was the most incredible thing in the world. I told them I am absolutely going to talk about their bed in my talk, because it's sort of the epitome of IoT. Where you spend arguably a third of your life is totally connected, and it knows when you're laying in it and when you're not. That one blew me away, that one [is] just pretty amazing.
Josiah Renaudin: Well, I don't want to give away all of your keynote or everything about the mattress that you'll actually be telling during the keynote. To kind of close here, more than anything, what central message do you want to leave?
Steven Winter: Right on, the $24 million question.
Josiah Renaudin: Absolutely.
Steven Winter: The big takeaway that I want people to really get is this: I want them to have a sense of empowerment around this massive industrial revolution that is happening. I want them to have a sense of empowerment and know that all of the issues that are coming up around the new phenomena of connected devices, hyper-connected devices is a known quantity. They're known technologies, there's known development methodologies to deal with this, and to not only deal with it but to thrive in this. Don't be scared off when you see the massive numbers of the billions of billions of devices that are connected and coming online every five minutes. Know that the big friction points are going to be around the things like we've talked about, security, data management, API, and comms and the software updates of those devices.
None of these are new technologies, it is the scale that you have to deal with and if you have a good, thoughtful, security focus around your mobile or your web applications, security and development methodologies you're going to be able to handle this just fine, and you need to handle this just fine, because it is here. It is happening, and we are hyper-connected.
Josiah Renaudin: Absolutely. Well, thank you very much, Steven. I appreciate you stopping and talking with us today and giving a preview of your full keynote, and I'm looking forward to hearing the entire version at the Better Software Conference.
Steven Winter: Right on, Josiah. I really appreciate you reaching out. This has been great.
Steven Winter loves building teams that break big things! The president of Guerilla QA, Steven has managed quality for America’s leading providers of financial technology services, with a key focus on mobile and the innovative power behind the Starbucks Card Mobile, the nation’s first successful mobile payments solution. With twenty years of experience in quality, Steven has tested through a wide array of technologies from web, firmware, hardware, cameras, phones, desktop, data—and everything in between. He has continually pushed the testing edge and delivered high performance, world-class QA operations at Broderbund, First Data, LeapFrog, PureDigital/Flip, mFoundry, FIS Mobile, and Trizic.