Process Resources | Infinum

Keep Your Project in Shape with Test Automation

Mija Vandek — Thu, 12 Feb 2026 14:53:23 +0000

We can all agree that physical exercise is a necessary part of life – at least if we want to stay healthy. The benefits are obvious: you feel stronger, more confident, and the quality of your life increases. In the world of digital products, test automation is a personal fitness trainer.

Of course, just like you can exercise on your own with varying degrees of success, you can test software manually. And yes, if you’re disciplined about it, you’ll catch bugs and ship decent products.

But training without proper guidance often leads to injuries, plateaus, and inefficient progress. You might build strength in some areas while creating dangerous imbalances in others.

So you hire a personal trainer who transforms your fitness journey. They keep you on track, improve your form, and help you get results safely. They work while you sleep, planning tomorrow’s session.

Test automation is the personal trainer of digital products

Test automation maintains balance across your codebase, catches form errors (bugs) before they compound, and scales testing efforts as your application grows in complexity.

Let’s explore the reasons why your project needs this discipline now, not later.

1. Avoid injuries, stay stable

When you work out with bad form, you risk injuries that can put you out of the gym for weeks, if not months.

Similarly, when you skip testing or test manually under time pressure, you risk introducing bugs into production and requiring late-night hotfixes for your team. Automated tests work like a trainer watching your form, catching problems early, and keeping your app healthy and stable.

For example, your team merges a new feature right before a release. Nobody has time to manually re-check the whole flow and all possible aspects that this feature could influence, and it breaks in production. Users can’t buy anything, the team scrambles to fix it, and release night turns into an all-nighter. With automation, the regression tests would have caught bugs while the team is on lunch, allowing the team to focus on a more detailed application check.

2. Save time, maximize efficiency

A trainer can give you a structured plan so you don’t waste time wandering between machines, wondering what to do next.

Automation does the same for your testing process. It runs tests faster and more reliably than any manual tester could, freeing up your team to focus on exploratory and more creative testing. That means more time to work on new features rather than repeating the same old checks. The goal is to test better from the start, which will help address more bugs.

Your QA team used to spend two full days manually running a regression suite before every release. Once the tests were automated, the entire regression suite could run in 30 minutes, giving QA more time to uncover edge cases instead of performing repetitive work.

3. Customized plans, tailored for you

Not every person at the gym has the same goals. Some want to build muscle, others want to lose weight, or just stay in shape.

Your automated test suite can be just as flexible. You can run smoke tests for quick health checks, regression suites for deep validation, or API tests when you need fast feedback without the UI overhead. Just like a trainer customizes workouts to fit your goals, you can shape automation to match your project’s priorities.

In other words, your team can run a fast smoke test suite for every pull request to catch critical failures quickly. Overnight, a full regression suite runs to catch deeper issues. This way, developers get quick feedback during the day and full confidence before a release, without slowing development velocity.

4. Consistency, no skipped reps

Let’s face it, we all slack off sometimes at the gym. Maybe you skip leg day or cut your session short.

Automated tests don’t do that. They run the same way every time, never forgetting a step or cutting corners, so nothing important gets missed.

Just imagine this: during a tight deadline, a manual tester accidentally skips testing a rarely used payment method. After the release, users started reporting that this payment method doesn’t work at all. Automated tests would have run that scenario; no memory lapses, no skipped steps, and the issue would have been caught before release.

5. No excuses, constant availability

Even the best trainer can’t be available 24/7. But automation is.

Your tests can run at night, after every commit, or whenever you need them. No vacation, no sick days. Just reliable feedback on demand. This gives your team confidence to move fast without worrying about breaking something while everyone’s asleep. It’s also perfect for collecting more data over time—like tracking performance trends or running large test suites without slowing your team down.

Your team merges a large feature late in the evening. The CI/CD pipeline kicks off the test suite automatically, and by the time everyone logs in the next morning, there’s a full report waiting with detailed logs and screenshots. If something breaks, the team knows exactly where to look.

6. Motivation & confidence growth

Seeing progress at the gym keeps you motivated to keep going.

The same happens with a passing test suite. It builds confidence for developers and stakeholders. When you know you’re not breaking anything, it feels good to move forward. Integrations with tools like Slack make the process even more transparent, keeping everyone aware of the status at all times.

Your Slack channel lights up with green checkmarks every time a test run passes. Developers celebrate, stakeholders gain trust in the process, and the whole team feels encouraged to keep pushing forward because they know there’s a safety net if something breaks.

The finish line

Hiring a trainer might seem costly at first, but the long-term health benefits are worth it. You avoid injuries, progress faster, and stay consistent. Test automation works the same way. It takes time and resources to set up, but the payoff is huge: faster releases, fewer bugs, and happier users.

So don’t skip your project’s “leg day”! Invest in automation early, keep your app in top shape, and enjoy the long-term benefits of a healthy, reliable product.

The post Keep Your Project in Shape with Test Automation appeared first on Infinum.

5-Step Figma Accessibility Review

Iva Omazić — Thu, 29 Jan 2026 11:06:27 +0000

With the European Accessibility Act in place, accessibility is no longer just a “good idea”. It’s now mandated by the law, compelling many teams to revisit older or still-in-progress products to make them accessible.

While engineers and testers do their part in an accessibility review, we recommend that designers dive into their Figma files.

This guide, written by designers for designers, covers conducting accessibility reviews in Figma from start to finish for projects that already exist and need improvements.

Whereas for new projects, the best move is to build accessibility in from the very beginning, so it’s not something you have to fix later.

Okay, has everyone opened their Figma yet?

Step 1: Pre-audit setup

Before you dive into the review, make sure you’re properly set up. That means knowing what you are looking for and which tools will help you along the way.

Get familiar with accessibility guidelines

There’s no way around it – you need to get comfortable with WCAG (Web Content Accessibility Guidelines). These are the internationally recognized standards that most regulations use to determine if a product is accessible. If you’re not sure whether this affects your product, learn what the European Accessibility Act means for your business.

WCAG is organized into four core principles: Perceivable, Operable, Understandable, and Robust. Each principle includes a set of success criteria that a product must meet to be considered accessible.

These criteria are grouped into three conformance levels:

A & AA → sufficient for most digital products to be considered accessible. Meeting these levels covers the majority of accessibility needs and makes the product usable for most people with disabilities.

AAA → the highest level of accessibility. It is not legally required and is rarely expected in full, but some AAA criteria can be valuable to consider if you’re designing for older users or audiences with specific accessibility needs.

They are structured this way to cover the entire user experience, making sure people can perceive content, operate the interface, understand the information, and rely on robust code that works across technologies.

The WCAG documentation is long and sometimes intimidating, but we have resources to make it easier to understand. We created an Accessibility Handbook and a Figma Accessibility Overview community file with visual examples of what passes and what doesn’t.

These are enough to get you started. As you progress, you’ll feel the need to check the official WCAG page for a deeper understanding of specific topics, but by then it will already feel more familiar and less overwhelming.

Know which criteria you will audit

Not every criterion can be reviewed in Figma. In existing projects, screen reader order and accessibility labels will be tested in the working product, so your development and QA teams will handle them. Depending on your product, some criteria may not apply.

For example, if you don’t use animations or have video captions, you can cross out the criteria that apply to them. Narrowing down the list right from the start makes your process quicker.

Gather tools and prepare your Figma file

Dedicated file. Create a separate accessibility review file and a solutions proposal file for redesigns you’ll need later.

Highlight the issues. Use simple lines or highlights to point out problematic elements on the screen.

Label issues directly. Use notes or annotations to explain which criterion failed and why. Color-coding by WCAG principles helps you quickly identify issue categories and how many there are.

Use plugins. We have a long list of Figma plugins and community files that you will find helpful, but a contrast checker is essential. Figma’s built-in picker works for some cases, but not always if you’re using styles/variables. So, I recommend starting the Contrast and Color Blind plugin.

Step 2: Run the audit

How you run the audit depends on your project scope and the setup of your Figma file.

At Infinum, we usually go flow by flow, starting with the most critical user journeys. Making a full product accessible takes time, so it helps to start small, often with a simpler flow to build momentum and avoid overwhelm. From there, check each screen against your criteria list, annotate issues, and move forward.

The first few screens will feel like the hardest, but once you get into the rhythm, you’ll start recognizing repeating issues. After a few flows, you will know most of the criteria by heart.

For smaller projects, you can take a different approach by reviewing one principle or criterion at a time, across all screens. For example, check all screens for contrast first, then go through them again to check the correct form labels.

Step 3: Document findings

The advantage of running reviews in Figma is that the file itself doubles as documentation. For some teams, this will be enough, especially if your clients are comfortable with Figma.

In some cases, however, using multiple formats can make collaboration smoother.

Here is a breakdown of the ones we use most often:

Figma review file – This is where all the annotated screens live. For tracking issues and a high-level overview, you can use our Accessibility Checklist. You can also add a dedicated findings page that summarizes the most common mistakes and action points. Once you begin working on fixes, set up a separate solutions proposals page or file where you keep before/after examples to review with the team.

Document or presentation – Useful when handing findings off to stakeholders. This format adds context: why accessibility matters, which criteria failed, the most critical issues, and before/after examples that show the impact of fixes.

Tasks (e.g., Productive, Jira, Miro) – Turning discovered issues into tasks makes them actionable and trackable. Usually handled by a project manager, this approach keeps everyone aligned from design through development to QA. It will also come in handy when tracking fixes later in the process.

Don’t let your digital solution frustrate customers

We can support your accessibility efforts by auditing your existing digital product or building a new, inclusive solution from scratch.

Step 4: Align with the team

Once the review is finished, the next step is to align with developers and project managers.

A live handoff session is the best way to do this. Here, designers walk developers through the main findings, identifying which fixes will be design-driven and which will require code changes. It’s also a good opportunity to get developer input, since they may notice issues you missed.

Together with PMs, the team then prioritizes the fixes, agreeing on scope and order. This ensures everyone is aligned on what to tackle first and how to move forward.

Step 5: Track fixes

Tracking fixes can be done in several ways, depending on your project setup and team size.

Once you’ve prioritized what to fix and in which order, start by creating solutions in your solutions proposals file. Review them with developers, align on the changes, then apply them to your actual flows and design system.

If tasks were created earlier, use them to track progress. If not, open your own tasks or create a to-do list; sometimes even something as simple as adding checkmarks next to the screens in your review file works, giving you a quick overview of what’s already been fixed and what’s left.

Consistency beats perfection

Accessibility reviews can feel daunting, especially if you’re not fully familiar with the rules or the process. But with the right setup, clear guidelines, and good collaboration with your team, they become manageable.

Reviews won’t always run smoothly. Some fixes will be straightforward, while others will require deeper research and team support. That’s normal. Over time, you’ll also figure out how to adapt the review process to best fit your team and your workflow.

What matters is being consistent with accessibility and making steady progress with every project. Hopefully, this guide will help you feel more confident as you take on your next review.

The post 5-Step Figma Accessibility Review appeared first on Infinum.

Cyber Resilience Act: How to Prepare Your Digital Products for EU Compliance

Neven Matas — Wed, 28 Jan 2026 13:11:44 +0000

If your company builds or sells software and connected devices in the EU, the new Cyber Resilience Act is something you need to pay close attention to. CRA introduces enforceable secure-by-design requirements across the entire product lifecycle. Here’s what product leaders and engineering teams should know to get ahead of compliance.

Remember the Raptor Train?

A botnet of more than 200,000 compromised connected devices hijacked through unpatched vulnerabilities and insecure defaults, not because those companies lacked internal security policies, but because the products themselves were never designed or maintained with long-term security in mind.

This kind of large-scale product risk is exactly what the EU’s Cyber Resilience Act (CRA) is meant to address, especially given the fact some estimates claim there are nearly 21 billion connected devices in the world today.

So, let’s dig into how the CRA addresses the security of the connected devices.

What is Cyber Resilience Act?

CRA is one of the most significant shifts in digital product regulation in years that sets mandatory cybersecurity requirements for digital products sold in the European market.

While NIS2 and DORA regulate how organizations operate, CRA regulates what certain organizations build.

It applies to nearly any “product with digital elements” (PDE) – a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately.

For product leaders, engineering teams, and security owners shipping digital products to the EU market, CRA will change how products are planned, developed, released, and maintained.

CRA is part of a broader EU push to raise digital resilience, reaching deep into how products are built. It requires teams to think long-term, architect for security, and maintain products responsibly.

In other words, cybersecurity is no longer a “launch and forget” problem. It’s a product discipline.

What CRA actually requires

At its core, CRA turns cybersecurity into a product safety requirement. To sell in the EU, a product must meet baseline security expectations throughout its lifecycle.

That includes:

Secure-by-design and secure-by-default

You must perform risk assessments early, design with security controls, strong configuration, authentication, and encryption in mind, test for vulnerabilities, and avoid shipping known exploitable vulnerabilities.

Transparent components

The supply chain is widely recognized as a significant cybersecurity risk today. Any included libraries, open-source packages, third-party modules, or firmware components must be documented and traceable through a Software Bill of Materials (SBOM). Managing these third-party components systematically, beyond just documentation, is what a third-party cyber risk management framework is built for.

Vulnerability management and long-term updatessecure-by-default

Manufacturers must document and patch newly discovered vulnerabilities and maintain security updates – typically for five years or for the expected lifespan of the product, all the while keeping up transparent communication towards their customers.

Clear reporting obligations

Actively exploited vulnerabilities and severe incidents must be reported quickly (24h early warning, 72h detailed report).

Conformity assessment and CE marking

Before you place a product on the EU market, you’ll need an internal or third-party assessment and to affix CE marking demonstrating compliance. Non-compliance can lead to fines up to €15M or 2.5% of global turnover and prohibiting the sales of products that do not meet mandatory requirements.

Want to strengthen the security of systems already in production?

Our team combines decades of deep development and security expertise to integrate security across every stage of your software lifecycle.

Who is impacted?

CRA applies to the entire digital-product ecosystem:

IoT and hardware device makers
Software vendors
Distributors and importers
Any company bundling or integrating products with digital elements into larger systems

This makes CRA relevant for startups, scale-ups, enterprise vendors, and sometimes even agencies that build software on behalf of clients. However, not all products face the same burden.

CRA classifies products by risk level, so higher-risk products (e.g., identity systems, password managers, browsers, network equipment, industrial devices) require independent conformity assessments, while lower-risk products can rely on self-assessment.

Additionally, not every digital product falls under the scope of the CRA, it mostly focuses on consumer products.

Standalone websites and cloud services are exempt when they are not used to enable or operate a product with digital elements, as is non-commercial open-source software. Products that are already regulated under dedicated EU sector frameworks are also excluded. Organisations in the UK defence sector face parallel obligations under Cyber Security Model v4, which mandates cybersecurity controls for all MOD suppliers independently of CRA.

For more details on the above, the recently released CRA implementing act contains technical descriptions related to important and critical products.

Key dates

June 2026: Member states designate Conformity Assessment Bodies.
September 2026: Vulnerability reporting obligations become mandatory.
December 2027: Full CRA compliance required for all products.

The biggest CRA challenges ahead

Based on the current cybersecurity trends and how most companies ship software today, CRA will expose several weaknesses:

Lack of structured security in the software development lifecycle (SDLC)

Many organizations don’t perform threat modeling or security architecture reviews, and now they must.

Poor dependency visibility

Most teams don’t track all libraries, components, and vulnerabilities. Without an SBOM, CRA compliance becomes nearly impossible.

Unclear maintenance and update plans

If you ship a connected device without a realistic long-term patching strategy and SLA, CRA will flag it as unsafe.

Missing incident-response playbooks

The tight 24/72-hour reporting timelines require formal workflows, roles, documentation, and monitoring.

How we help companies become CRA-ready

At Infinum, we work with organizations to build digital products that are secure by design – and now, compliant by design. Our cybersecurity offering supports CRA readiness across the product lifecycle, from threat modeling and secure architecture all the way to continuous monitoring and long-term maintenance planning.

CRA compliance isn’t just about meeting legal obligations; it’s about earning and maintaining customer trust in an increasingly competitive market by building safer, more reliable products.

Most teams don’t know where they stand today, so reach out for a CRA gap analysis or product security review to close the gaps before regulation becomes a blocker.

The post Cyber Resilience Act: How to Prepare Your Digital Products for EU Compliance appeared first on Infinum.

Securing Your Software Supply Chain: A Step-by-Step Framework

Neven Matas — Fri, 17 Oct 2025 10:56:15 +0000

Sometimes the most dangerous piece of software is the one you didn’t even write. With supply chain attacks on the rise, software supply chain security is now critical to protecting not just your code, but everything your code depends on.

When we talk about a “supply chain,” most people picture the journey of a physical product: from raw materials through manufacturing to assembling, distribution, and sale. Obviously, no company does it all alone; they rely on a network of partners to make it happen.

Software works the same way.

Modern applications aren’t built from scratch, they’re assembled. Behind every app is a complex ecosystem of developer tools, CI/CD systems, cloud services, and open-source code. As The Linux Foundation reports, 70 to 90% of most applications today are made up of third-party components.

That means every time you run or build software, you’re depending on hundreds of interconnected moving parts. And if just one of those links is compromised, the whole system is at risk.

We saw that risk explode into reality recently.

Cycode states that a phishing campaign led to the hijacking of core NPM packages like chalk, debug, and strip-ansi, libraries downloaded over 2 billion times per week. SC Media reports that days later, another attack infected more than 200 NPM packages, including those linked to CrowdStrike, using a self-replicating worm that exfiltrated data, created rogue GitHub workflows, and attempted to spread downstream.

These weren’t targeted attacks. They were ecosystem-level compromises with the potential to impact millions, which is why Software Supply Chain Security matters now more than ever.

NEVEN MATAS, CYBERSECURITY TEAM DIRECTOR, INFINUM

It’s no longer just about writing secure code, it’s about securing everything you rely on to build, deploy, and maintain it.

In this article, we’ll introduce supply chain security and cover best practices for reducing risk – from defining requirements all the way to development, deployment, and maintenance.

The topics we’ll cover include:

What is Software Supply Chain Security (SSCS)?

What are the most common threats in the software supply chain?

What are the most common types of supply chain attacks?

How to integrate security at every stage of the SDLC?

How to adopt secure software development lifecycle (SSDLC) practices?

Which industry standards and frameworks to explore for SSDLC?

How to build a response plan and keep your security policies sharp?

How to manage human risk in the supply chain security

What is Software Supply Chain Security (SSCS)?

Software Supply Chain Security (SSCS) is the practice of securing all the components, tools, people, and processes involved in the development, deployment, and maintenance of software, from third-party libraries and CI/CD pipelines to developer environments and cloud infrastructure.

If you’re only securing your app but ignoring the tools and dependencies you use to build it, you’re not secure. Modern software isn’t built from scratch. It’s assembled. And even a single vulnerable dependency can compromise your entire product.

That’s why SSCS is a critical part of secure software development. It ensures every link in the chain is trusted, verified, and resilient. It’s also why regulations like NIS2 or CRA put so much emphasis on it.

What are the most common threats in the software supply chain?

Software supply chain security goes far beyond writing secure code. It’s about making sure malicious actors can’t sneak in through the tools, environments, and people your app depends on.

Here are some of the most common entry points attackers exploit:

Open-source dependencies that could contain malicious code
Package managers and artifact repositories that could distribute malicious packages
Source code repositories (GitHub, GitLab…) that may be targeted for unauthorized access
Build tools and environments that can be tampered with to insert malicious artifacts
CI/CD systems that are attractive targets for attackers to introduce compromised code into production
Cloud infrastructure and third-party services that could be exploited to gain access
Developer machines and IDEs that, if infected, could be a direct path towards compromising code
Your own team, because human error is always the biggest risk

Most common types of supply chain attacks

Once inside, here’s what those attacks can look like in the real world:

Vulnerable components – outdated or unpatched dependencies (remember Log4j?)
Malicious packages – rogue npm/PyPI uploads hiding backdoors or malware. The axios npm supply chain attack in March 2026 is a textbook example — a compromised maintainer account was used to publish two poisoned versions of a library with 100 million weekly downloads
Build pipeline tampering – injecting malicious code during build (e.g. SolarWinds)
Fake maintainers – attackers hijacking open-source projects to slip in malicious commits
Secrets leakage – exposed API tokens or credentials in public repos
Weak repo security – no MFA, poor audit trails, accounts vulnerable to takeover
Overprivileged scripts – CI/CD or deploy scripts with excessive permissions
Dependency confusion – lookalike packages from public registries winning the name race
Compromised dev environments – malware on a single laptop can be all it takes
Hijacked CI/CD runners – shared runners or agents used to execute malicious code
Poisoned artifacts or registries – malicious Docker images or tampered packages
Pre-installed backdoors – third-party SDKs or libraries phoning home
Social engineering – phishing maintainers or tricking devs into handing over keys

And that’s not even an exhaustive list.

Many of these attacks exploit gaps in the development process itself.

Even if your code is secure and your infrastructure hardened, vulnerabilities can slip in when there’s limited visibility, inconsistent practices, or missing security checks — which is why integrating security throughout the Software Development Lifecycle (SDLC), often referred to as the Secure Software Development Lifecycle (SSDLC), is so valuable.

Integrating security at every stage of the SDLC

The SSDLC encourages embedding security practices at every stage of development. This approach, often referred to as “shifting left”, helps identify and remediate threats early, before they reach production.

It doesn’t eliminate supply chain risks entirely, but it reduces the risk of vulnerabilities slipping through unnoticed and the likelihood that compromised dependencies, misconfigured pipelines, or weak controls turn into full-blown breaches.

‘Shift left’ means integrating security earlier in the development process, so threats are identified and fixed long before they reach production.

Here’s what that can look like:

Defining security requirements during planning
Performing threat modeling during design
Using automated tools to scan for vulnerabilities during development and testing
Securing your CI/CD workflows and access controls during build and deployment
Maintaining clear incident response plans during operations

How to adopt secure software development lifecycle (SSDLC) practices

Let’s break it down through some high-level SSDLC phases and their security-minded steps:

1. Planning

Planning is arguably the most critical step for supply chain security, as it helps prevent hidden vulnerabilities through thorough due diligence.

Perform a risk analysis to identify assets, assess threats, and decide how to handle each risk (avoid, transfer, mitigate, or accept)
Define security and compliance requirements based on the risk analysis
Assess third-party risk through vendor reviews and security questionnaires. If third-party risk assessment is a significant concern for your organization, our dedicated guide to third-party cyber risk management covers the full TPRM framework in depth.
Ensure SLAs and contracts include clear, enforceable security terms that work in your favor
Identify relevant standards and compliance obligations (e.g., ISO 27001, SOC 2) for vendors and third-party software

2. Design

Design is your chance to build supply chain defenses into the architecture.

Conduct threat modeling to identify potential attack vectors
Select secure architecture patterns and apply least privilege, zero trust, and secure defaults principles from the start
Define clear trust boundaries between internal components and third-party integrations
Plan for secure communication channels, including encryption in transit and at rest

3. Development

Development is where insecure code or unvetted dependencies can silently enter your supply chain.

Enforce secure coding standards (e.g., OWASP)
Enforce pull requests (PRs) reviews to ensure code quality and security before merging
Use properly configured SCA tools (Software Composition Analysis) in the CI pipeline to identify and manage security risks in third-party libraries and open-source dependencies
Scan for secrets and credentials in code
Restrict sensitive projects to private repositories and limiting access to authorized developer teams only

4. Testing

Testing is where you validate not just your code, but the behavior of any external components or APIs. It helps expose risks before they become real threats

Use SAST (Static Application Security Testing) tools in the CI pipeline to detect vulnerabilities and insecure coding patterns before it reaches production
Use DAST (Dynamic Application Security Testing) tools to identify security vulnerabilities in a running application by simulating real-world attacks
Perform regular penetration tests to simulate real-world attacks and identify vulnerabilities an attacker could actually exploit – not just what a scanner detects.

Our certified pen testers simulate real-world attacks to uncover vulnerabilities before someone else does. Get clear, actionable insights into your software’s security posture.

5. Build & deploy

Build and deployment pipelines are a prime target for supply chain attacks. Securing CI/CD is a non-negotiable for trust and integrity.

Enforce strong authentication and role-based access controls (RBAC) for build systems
Centralize and automate secret management (e.g., HashiCorp Vault)
Harden all environments—including staging and production—as well as the CI/CD infrastructure (e.g., by using isolation, comprehensive logging, and ephemeral runners)
Sign build artifacts and verify their integrity before deployment to ensure that the software has not been tampered with

6. Distribution

Distribution is when your software becomes part of someone else’s supply chain. It helps build trust and transparency with clients and downstream users.

Maintain and distribute SBOMs (Software Bill of Materials) to track all software components
Scan packages pre- and post-publish for malware or vulnerabilities

7. Maintenance

Maintenance ensures your supply chain remains secure over time. Nothing is more dangerous than running software that becomes forgotten.

Continuously monitor for new CVEs (Common Vulnerabilities and Exposures) and third-party advisories
Regularly audit and harden configurations (cloud, infra, access policies)
Automate patching and dependency updates
Replace insecure or deprecated components
Maintain and rehearse incident response plans for supply chain attacks (including backup and disaster recovery procedures) to ensure supply chain resilience
Periodically reassess vendor and third-party risks to capture changes in their security posture

Security isn’t a checkbox at the end of your sprint, it’s a continuous mindset that spans every phase of development. Adopting SSDLC practices means baking security into your process, not bolting it on after the fact.

You don’t need to get it perfect from day one. Just start building with intention, iterate often, and treat security as a shared responsibility across your stack.

Which industry standards and frameworks to explore for SSDLC?

Luckily for you, you don’t have to start from scratch.

There are frameworks built by security pros to help you get it right. Use OWASP SAMM, NIST SSDF, or Microsoft’s SDL as a baseline to evaluate your current practices and make steady, structured improvements.

How to build a response plan and keep your security policies sharp

The worst time to figure out your incident response plan is while the incident is happening.

Investing time into developing a clear, actionable incident response plan is non-negotiable.

You need to know how you’ll detect an incident, who’s responsible for what, how to contain it, and how to communicate both internally and externally. The worst time to figure it out is while it’s happening.

And that’s just the beginning.

As software evolves, so do the threats. If your security policies are stuck in last year’s playbook, you’re not protected. Review and update your practices regularly, from dependency management and access control to patching and third-party risk.

Stay informed, stay adaptable, and stay ahead before someone else forces you to.

How to manage human risk in the supply chain security

Technology alone isn’t enough. Security depends on people, and people are often the easiest way in.

Phishing and social engineering remain some of the most effective tactics in supply chain attacks. Recent incidents like the hijacking of chalk and debug began with a fake MFA email sent to a trusted maintainer. No zero-days. No malware. Just a well-crafted message and a moment of inattention.

That’s why security culture matters as much as security tooling.

Start with the basics:

Code reviews with security checklists – don’t rely on automation alone
Pair programming – share knowledge, spot issues early
Regular security training – not just once a year, but as an ongoing habit
Simulated phishing campaigns – train your team to recognize real threats
Fostering a security-first culture – where reporting issues is expected, not punished
Cross-functional collaboration – involve product, legal, and ops in risk decisions

Reduce risk where it’s most human. Our social engineering services test your team’s readiness with real-world phishing

Isn’t this all a bit too much?

Yes, it can feel like a lot. But you don’t need to boil the ocean, just start where it matters most. Use a model like OWASP SAMM to assess where you stand, identify your biggest risks, and go for a few quick wins.

Here are a few that pack a punch:

Set up an SCA tool in under an hour (e.g, Dependabot).
Add 2FA on your GitHub org today – no excuses
Add a “security” section to your pull request template.
Run a penetration test
Draft a basic incident response doc for your team.

Security maturity comes from small, consistent moves in the right direction

Remember: you can outsource code, but you can’t outsource accountability. What matters most is building a culture where no one makes security the other person’s job.

Proceed to shift security left, raise awareness, automate what you can, patch early, and document everything. If you need some extra support, feel free to reach out to our certified experts.

The post Securing Your Software Supply Chain: A Step-by-Step Framework appeared first on Infinum.

The Cost of Cyberattack in 2025

Neven Matas — Wed, 17 Sep 2025 12:54:15 +0000

Picture this: every second, somewhere in the world, a system is being probed, a login page is under siege, or someone’s inbox is getting a phishing email that looks just convincing enough.

Cybercrime in 2025 isn’t just a risk; it’s a trillion-dollar economy more profitable than the global drug trade, which operates 24/7.

Cyberattacks per day: From thousands to hundreds of millions

When discussing cyberattacks, the definition is crucial. Are we counting every spammy probe, or only the ones that hurt?

Total attempts: Microsoft clocks a jaw-dropping 600 million attack attempts every day across its customer base. That’s phishing, brute force, malware, the whole buffet.
Significant breaches: Roughly 2,300 meaningful cyberattacks happen daily, including major intrusions, breaches, or confirmed compromises. That’s about 850,000 big incidents per year.

And if you zoom out to victims, the Identity Theft Resource Center reports that 1.7 billion people were affected by cyber incidents in 2024. Do the math: that’s 4.6 million individuals per day, or 54 people affected every second. By the time you’ve finished reading this sentence, a handful more people just got pwned.

The price of a breach: $4.4M on average

Getting hacked isn’t just embarrassing; it’s expensive.

In 2024, the average global breach cost was $4.88M, the highest on record.
In 2025, there’s actually good-ish news: the number dipped slightly to $4.4M.

That 9% drop is attributed to improved detection and the rise of AI-powered defenses. But don’t break out the champagne yet: multimillion-dollar hits are still the norm.

Healthcare continues to top the charts, with breach costs hovering around $10M per incident. That marks a grim 14-year streak of leading the “most expensive” list. Finance, tech, and energy aren’t far behind.

New cybersecurity challenges keep popping up—but you don’t have to face them alone. Explore our cybersecurity services to protect your business.

The cybercrime economy: $10.5 trillion in 2025

Here’s where it gets truly staggering: the total global cost of cybercrime is projected to hit $10.5 trillion annually by the end of 2025.

To put that in perspective:

That’s about $26 billion a day.
Or $302,000 every second that’s bleeding out of the global economy.
If cybercrime were a country, it would be the third-largest economy in the world, right behind the U.S. and China.

This $10.5 trillion includes everything from ransomware payouts and fraud to downtime, recovery, and stolen IP. For context, cybercrime “only” cost $3 trillion back in 2015, which means damages have ballooned by 250% in a decade.

The bottom line

Cybercrime in 2025 isn’t just a line item in IT’s budget. It’s a planetary-scale economic drain bigger than natural disasters.

Here’s the uncomfortable question for decision-makers: When was the last time you pressure-tested your product, your defenses, or your people?

If the answer is unsettling, structured governance, risk, and compliance services are often where organisations start, defining what needs protecting, who owns what, and what happens when something goes wrong.

The good news? Smarter defenses are starting to bend some curves, as seen in the dip in average breach costs. The bad news? The scale of attacks means vigilance isn’t optional.

So here’s the uncomfortable question for decision-makers: When was the last time you pressure-tested your product, your defenses, or your people?

Not just running an AI scanner, but letting a real human try to break what you’ve built.

Not just training staff to ignore the “Nigerian prince,” but seeing if they’d catch the difference between microsoft.com and microso4t.com.

Because in 2025, resilience isn’t about whether you’ll be targeted. It’s about when and how ready you’ll be when it happens. The most direct way to measure that readiness is a red team exercise — a controlled simulation of a real attack that tests whether your detection and response would actually hold up.

One often-overlooked exposure is vendor risk, a single compromised third party can trigger the very breaches described above. Our guide to third-party cyber risk management explains how to get ahead of it.

Reach out to our cybersecurity team to protect your business and avoid becoming part of the grim statistics.

The post The Cost of Cyberattack in 2025 appeared first on Infinum.

Classic vs Modern Project Management – What’s Right for You?

Kristijan Trbojević — Thu, 17 Apr 2025 11:23:35 +0000

Choosing between classic vs modern project management isn’t about which method is better – it’s about deciding what works for your project, your team, and your goals. Learn about the specifics of each approach to find your perfect fit.

Software development projects are definitely not snowflakes, but each one of them is just as unique. That’s why when it comes to project management, there is no one-size-fits-all solution – you have to choose the approach that works for you and your project.

Should you play it safe with a traditional approach or embrace the flexible, iterative world of Agile methods? Or maybe the sweet spot lies somewhere in between? In this article, we explore the difference between classic vs modern project management and illustrate what a hybrid approach entails, so you can identify the right strategy for moving forward.

Classic vs modern project management – a tale of two vacations

A project lifecycle is a journey, so let’s explain the difference between classic vs modern project management on the example of an actual journey – planning a vacation.

With the classic or traditional approach, every detail is mapped out in advance: your destination, itinerary, accommodation, and budget. If something unexpected occurs, like a two-day storm, you might have to rearrange some activities, but you’ll still strive to respect your constraints and stick to the original plan. This mirrors traditional project management: structured, predictable, and disciplined.

Now imagine a vacation without fixed plans – you might switch locations or choose relaxing on the beach over a planned party because you realize you need the rest. You adjust priorities based on new developments or budget fluctuations. This flexible, exploratory style is what Agile project management is all about.

There’s also a third option: starting with a clear plan but leaving room to pivot along the way. The hybrid approach lets you embrace change and balance discipline with adaptability.

Classic project management – predictability and control

The classic or traditional project management methodology, often called “waterfall,” is highly structured. It involves detailed upfront planning, fixed scope, and tight control over budget and timelines. This approach thrives in projects with predictable outcomes and strict deadlines.

Let’s say you’re launching a high-stakes project that will result in a public release. The whole marketing campaign is planned out, the deadlines are unmovable, and there are budget constraints that cannot be exceeded. That’s the time to play it safe because even the smallest risk can steer the project off course. Traditional project management would be the perfect fit for this type of project because you want to maximize predictability and keep everything under control.

Beware of scope creep

Traditional project management sets a firm boundary between planned features and those out of scope. Therefore, it is particularly vulnerable to scope creep – changes or additions to the original project scope during development.

Though generally undesirable, if handled transparently, scope creep can sometimes lead to new opportunities. Instead of being the “bad cop” who just blocks the addition of new features, a project manager can clearly communicate the impact of changes and propose solutions that can potentially result in a new project.

When to choose classic project management?

Fixed timeline and/or budget
Clearly defined, predictable outcome
Need for tight control over execution

Modern project management – flexibility and innovation

Modern project management is tightly linked with the Agile methodology – a framework that takes an incremental approach to building software. The idea is to break down the process into smaller steps (commonly known as sprints) and adapt the strategy as you go.

Agile is not just a framework, but a mindset. It revolves around embracing uncertainty, iteration, and constant feedback.

Agile methodologies like Scrum, SAFe, and Lean each offer unique benefits:

Scrum emphasizes the iterative approach and frequent client feedback.
SAFe (Scaled Agile Framework) is designed for large-scale, multi-team environments.
Lean prioritizes efficiency, eliminating waste to deliver maximum value.

Each of these frameworks offers a slightly different context and can be chosen based on project needs and organizational complexity. But above all, Agile is a mindset. It revolves around embracing uncertainty, iteration, and constant feedback.

Projects that benefit from an Agile methodology typically involve vague requirements or innovative solutions. For example, a client wants to build a greentech app for educating people on how to reduce their carbon footprint. They know their end goal, but are unsure how to get there and what the final product should look like. This project would thrive under an Agile approach – smaller incremental steps and continuous feedback enable teams to adapt strategies and optimize outcomes dynamically.

The benefits of going Agile

One of the biggest strengths of the Agile approach is its rapid feedback loop, where client feedback is gathered after every release or milestone, continually shaping the project. Additionally, regular sprint retrospectives (for example, after every 2-week cycle) ensure Agile teams keep improving their way of working.

When the client and the development team regularly align around current progress and the next steps, both sides get to see how the approach is delivering the desired results. This results in higher satisfaction overall, and working with a motivated and passionate team and a happy client means more for a project than any framework.

When Agile falls short

Agile project management is not a good fit for projects with strict requirements, deadlines, and no wiggle room for experimentation. You can try it out, but be aware that you’ll need to change direction if things start falling through the cracks. With these types of projects, the budget and timeline won’t accommodate a stack of wrong moves, so be careful when choosing your tactic.

When to choose Agile?

Undefined project requirements
Clear goals, but no set deliverables
New, innovative products
Complex projects
Roadmap hinges on feedback

The hybrid approach – the best of both worlds

A hybrid approach blends the predictability of traditional project management with the flexibility of modern Agile methods. Just as you might adjust your vacation plans midway to accommodate changing circumstances, hybrid project management allows for structured upfront planning alongside adaptive flexibility.

Real-world example: Launching a smart device

Let’s consider a scenario involving a smart device launch. The device needs a companion app that must be available for download immediately upon launch. Here, we can have two active development streams that combine traditional and Agile project management.

1. Traditional project management: Hardware launch

Launching a physical device demands an absolute adherence to deadlines. The device is expected to arrive in stores on the exact date, and the customers expect to find the app in their mobile app store. Since we know the timeline and the essential set of app features required for launch, this is an ideal scenario for traditional project management.

2. Agile project management: Added value

The modern approach allows for a dose of innovation. The mobile app should go above and beyond the core hardware features and provide added value. Here, deadlines, budget, and scope remain important, but flexibility and creativity are equally crucial. Agile methods allow iterative design, continuous improvement, and timely responses to user feedback.

In this case, a hybrid approach lets the project team pivot intelligently, maintaining a structured foundation while embracing creativity and innovation.

Why hybrid often works best

Hybrid project management recognizes there’s no “one-size-fits-all” solution. You can choose what kind of approach you need, when you need it. If you think the project would not only tolerate but thrive on a change in direction mid-course – go for it. There’s no need to be attached to any one principle just for the sake of it.

Project management essentials – no matter your style

Whether your project calls for a traditional, modern, or a hybrid approach, successful project management hinges on the same core principles:

Building trust through proactive stakeholder management

Regardless of methodology, the first step in any project should be building trust with the client. As project managers, we need to show we are here for them, and the beginning of collaboration is the period when you can exert the most influence.

Clients appreciate proactive communication and decision-making support, and we can offer it by providing clear metrics, data-driven solutions, and strategic proposals. Lay out several solutions for solving their problem, and present your preferred one. That way, you arm them with information so they can make the right choice.

Leadership and team dynamics

Great project managers aren’t just managers – they’re leaders. Your main goal as a project manager is to create an environment where everyone can give their best. It’s somewhat similar to being a sports team captain – you lead by example. Sometimes, you need to be a role model, and sometimes, the going gets tough, and you need to get going.

When you show you are there for your project team, you can expect the same response when you need it the most. Such a supportive environment benefits the entire project, and positions you to deliver remarkable results.

Continuous relationship management

Working to optimize relationships with both internal and external stakeholders is a never-ending process. It goes well with any project management approach you choose. Ongoing trust, clear communication, and respect underpin every successful project management style.

Adapt & deliver

In project management, there’s no magic formula that will guarantee success. Whether you go classic, modern, or hybrid, the key is adapting your approach to match the unique demands of your project, your team, and your client.

Let the framework guide you, but never forget to prioritize trust, proactive communication, and leadership. That way, you’ll be able to confidently navigate any challenges on the way and deliver quality projects that don’t just meet expectations, but exceed them.

The post Classic vs Modern Project Management – What’s Right for You? appeared first on Infinum.

Turbocharge Your QA Investment and Ship Better Products Faster

Andrea Nucak — Thu, 20 Feb 2025 12:09:10 +0000

Quality assurance in software testing isn’t just a budget line – it’s what separates sluggish releases that frustrate users from polished products that wow from day one. We share proven strategies for getting the most out of your QA investment so you can deliver higher-quality products in record time.

If you’re itching to get a shiny new feature – or an entire app – into the market, you’re not alone. Launch day can be a thrill. But if there’s a sneaky bug lurking in your code, rushing the release can quickly backfire, and you’ll have plenty of time to comb through a flood of user complaints after the fact.

Tempting as it may be, quality assurance (QA) is not the place to cut corners. Trimming QA to save time and reduce upfront costs can lead to serious ripple effects – dissatisfied users, extra development work, and even a hit to your brand’s reputation – all of which will wind up costing far more in the long run.

On the bright side, when QA is woven into the product development process from the get-go rather than tacked on at the end, you set off a virtuous cycle: faster releases, fewer production issues, and happier customers.

The trick lies in adopting QA methodologies that truly pay off. In the next sections, I’ll share some proven practices to help you maximize your QA investment, save on development costs, and keep your users coming back for more.

Hire testers with domain expertise

One of the best ways to maximize your QA investment is to involve testers who truly understand the industry or niche they’re working in. Having at least one QA specialist with deep domain knowledge means your product is tested from a genuine user’s perspective, resulting in fewer bugs, faster releases, and lower development costs in the long run.

Let’s say you’re building an app for music production. A tester with actual music training or experience is far more likely to spot critical issues and provide meaningful feedback than someone who can’t tell a chord from a tempo. That firsthand knowledge uncovers corner cases early and leads to more detailed bug reports.

Of course, not all testers start with direct domain knowledge – sometimes, it’s gained through multiple similar projects. For instance, an experienced IoT tester will be quicker to distinguish whether an error comes from the firmware, hardware, or app. This can be especially useful in early project phases when both firmware and software are being developed in parallel.

Domain knowledge brings substantial benefits to testing:

Proactive issue spotting

When testers speak your product’s language, they are better equipped to flag any design or architectural flaws as well as edge cases not covered by the requirements. Catching these issues early prevents expensive post-launch fixes.

Better risk assessment

Testers with domain experience know exactly which areas of the software require more rigorous testing and can focus their efforts where it counts – resulting in the delivery of higher-quality software.

Detailed, actionable bug reports

Anyone can file a bug, but a domain expert will provide clear reproduction steps that pinpoint exactly where something went wrong, giving your developers a head start on fixes.

At Infinum, we’ve seen firsthand how domain expertise can boost a QA investment. Our team of 40+ testers covers a broad range of fields – from IoT and telecom to automotive and music production. Matching each project with the right specialists doesn’t just save time and money; it ensures you launch a product that resonates with users right out of the gate.

Ensure compatibility by testing on real devices

Bugs are a fact of life in software development, but many can be caught early on if you test your product in diverse, real-world environments. Thorough testing on a large number of devices helps you sidestep negative reviews, avoid app deletions, and preserve trust in your brand – issues that are far more expensive to fix once your product has already launched.

Running your app on flagship, mid-range, and budget phones exposes potential performance bottlenecks. It’s about making sure your product delivers a smooth experience for as many users as possible.

When you check how your software behaves across different browsers, screen sizes, and operating systems, you expose quirks tied to hardware limitations or version-specific OS bugs. For instance, testing on every major Android and iOS version uncovers OS-related glitches, while running your app on flagship, mid-range, and budget phones highlights potential performance bottlenecks. It’s all about making sure your product delivers a smooth experience for as many users as possible.

Although emulators and simulators can be helpful, nothing can replace testing on physical devices – especially for apps that rely on Wi-Fi or Bluetooth connectivity (like many IoT solutions). Some features simply don’t work on certain devices because of hardware constraints, and it’s far better to catch that behind closed doors than to hear it from frustrated users. This is particularly true in the Android ecosystem, where each device manufacturer adds its own custom spin to the operating system.

Our own QA team tackles this with a test lab of 250+ devices, ranging from smartphones and tablets to laptops and smartwatches, covering older models and current flagships – from the first Google Pixel to the latest iPhone and everything in between. This broad coverage means we can replicate real-world conditions and pinpoint hardware-specific issues before they ever reach production, ensuring your product launches in the best shape possible.

Combine manual and automated testing

When working on large, complex projects, the best results are achieved by combining manual and automated testing. Experienced testers will automate repetitive tasks such as regression testing so they can free up time to manually check critical features in-depth or perform exploratory testing for negative scenarios.

Automated tests are especially useful for frequent regression checks, as they’re faster to run and less prone to human error. This approach can significantly speed up release cycles. According to our experience, it can cut build-to-production time by nearly half, depending on the project’s complexity and toolset. Although setting up automated tests requires an initial investment, the long-term gains in efficiency and product quality far outweigh the costs.

Manual + automated testing combo in action

Here’s a real-life example from our QA team. We worked on an IoT mobile app where, before automation, my colleague and I spent about three weeks handling manual regression tests on both Android and iOS before each release. After we introduced automated regression tests, that timeframe dropped to around four or five days. Not only did this speed up our releases, but it also spared us from running the same tests over and over again.

Suddenly, we had room to focus on exploratory, usability, and compatibility testing – the areas where manual testing truly excels. By combining both manual and automated approaches, we covered more ground and fully leveraged the strengths of each method.

Get more out of your QA investment with careful test planning

Strategic test planning is a powerful way to get more mileage out of your QA investment. Seasoned testers map out their approach before diving into actual test executions. This way, they can prevent bottlenecks, spot risks before they become problems, and make better use of both manual and automated testing.

Identifying dependencies early

A well–organized QA professional will think about dependencies (and ways of managing them!) before testing even starts. Maybe it’s coordinating with developers on when a feature build will be ready or requesting access to a specific test role on the backend. Perhaps we’ll need a specific test environment to check a particular feature. Whatever the case may be, anticipating what comes next in testing makes for a faster, smoother development process.

Adopting a risk-based approach

Risk-based testing focuses on identifying high-risk areas – the ones that are most likely to break and would have the most impact if they did. For example, if features A, B, and C are on the docket, and you know B is both highly critical and historically prone to bugs, that’s the feature to prioritize. This way, a tester can catch and report any major issues sooner, giving the development team more time to address them and potentially speeding up the release cycle.

Grouping similar tests for efficiency

Repeatedly running the same test steps is a surefire way to slow down the process. By grouping similar test cases, a tester can execute them in batches or even in parallel, reducing overall testing time and costs. A well-organized test plan means less redundant work and more accurate result

Balancing manual and automated testing

Not every test scenario should (or can) be automated. Certain checks require a human touch, while others may not justify the cost of automation because they cover a low-risk, rarely used functionality. A skilled tester will know how to balance the two and choose the automation route for tests that cover critical functionalities, have to be run frequently, or significantly reduce time and effort compared to manual testing.

Make your QA investment count

Quality assurance is about far more than catching bugs – it’s about ensuring your product meets the highest standards for your end users.

To make sure you get the most out of your QA investment, bring on domain experts who understand your product inside and out, test on real devices to spot hardware and OS-specific quirks, plan your approach carefully to avoid bottlenecks and redundancies, and strike the right balance between manual and automated testing.

By checking these boxes, you’ll shore up your product’s foundation, deliver consistent quality to your users, and ultimately save time and money down the line. It’s the QA equivalent of building a stronger, more reliable core – an investment that pays off with every release.

If you’d like to explore how comprehensive quality assurance could benefit your project, we’re here to talk.

The post Turbocharge Your QA Investment and Ship Better Products Faster appeared first on Infinum.

Bugs & Beyond – The Importance of QA in Software Development

Sara Nejašmić — Thu, 13 Feb 2025 14:18:42 +0000

Often downplayed, sometimes completely overlooked, the importance of QA in software development is anything but trivial. From delivering a flawless user experience to defending your brand’s reputation, skilled testers are the backbone of any successful project.

Imagine launching a highly anticipated app only to find it riddled with bugs and glitches. Users quickly become frustrated, your brand’s reputation takes a hit, and what should have been a success story turns into a costly disaster. This is where the unsung heroes of the tech world come in: software quality assurance.

In this article, we explore the importance of QA in software development – why having a dedicated tester on your project is not just a nice-to-have but an absolute must. From enhancing user experience to saving time and money, we’ll show you the value QA experts bring to the table and why every development project owes a debt of gratitude to them.

Testers ensure software quality – and protect your reputation

The first and most obvious responsibility of software quality assurance is to ensure your digital product works as intended and meets both user expectations and business needs. By understanding your objectives, testers identify defects, mitigate risks, and – just as their job title implies – assure quality standards.

Today’s market is harsh and customer expectations are high. Launch a buggy product and users will quickly turn to the competition – there’s always plenty to choose from.

We all know how dependent on technology modern society is and how even a minor oversight can lead to major problems. A perfect example is the Crowdstrike incident, dubbed the largest IT outage in history, where a single update caused around 8.5 million Windows devices to crash worldwide. CrowdStrike’s post-incident review traced the problem to a bug in a tool called Content Validator, and suggested a simple cure for preventing future incidents – more extensive testing.

But you don’t need a Crowdstrike-size incident for serious damage to occur. Today’s market is harsh and customer expectations are high. Launch a buggy product and users will quickly turn to the competition – there’s always plenty to choose from.

Some organizations hesitate to invest in testing because they fear it will slow down development. In reality, comprehensive testing prevents last-minute delays and costly rework. It’s a short-term investment in long-term efficiency, guaranteeing your product meets quality standards without unpleasant surprises.

Software quality assurance protects your product from bugs and glitches, but what about cyberthreats? Penetration testing goes a step further, simulating real attacks to identify your system’s hidden weaknesses. Explore our pentesting services to stop malicious actors in their tracks.

Testers boost user retention and satisfaction by focusing on UX

Preventing crashes and technical glitches is crucial, but the role of software quality assurance extends beyond that. A tester ensures that software performs as expected both functionally and non-functionally.

Testing can also asses the user-friendliness of your app. A good software tester looks beyond pure functionality to see how real users interact with a digital product, ensuring it’s intuitive and aligns with their needs and expectations.

This user-centric mindset can also include accessibility testing. Making your product accessible to all users is both ethically responsible and a smart business move. In the EU, for instance, accessibility is becoming a legal requirement. At Infinum, we follow international WCAG standards to perform specialized accessibility testing, guaranteeing products reach the broadest possible audience.

Ultimately, software quality assurance is not just about finding and fixing bugs; it’s about optimizing the user experience. High customer satisfaction leads to higher adoption rates, increased loyalty, and improved user engagement – and this in turn leads to product success, brand reputation, and business growth.

Testers save you money by getting involved early

Some clients hesitate to involve a tester from the beginning of a project, wary of additional upfront costs. However, bringing QA professionals on board early can significantly reduce expenses down the line.

Many people aren’t aware that testing can start before a single line of code is written. Once designers create the first UI wireframes, testers can step in to help refine user stories and spot potential pitfalls. Designers and product owners might not catch every edge case; software quality assurance helps fill those gaps. This proactive approach often means more rounded features, less rework later, and more satisfied users overall.

By identifying potential issues before they reach the codebase, teams can adapt requirements in a timely manner – preventing problematic elements from ever making it into development.

QA throughout the software development lifecycle

It’s not just about getting involved early – it’s about being involved all the time. For best results, testers need to align with every stage of the software development lifecycle.

By involving QA throughout the SDLC, you create a culture of continuous testing. At the requirements phase, QA collaborates with the development team to refine acceptance criteria and set clear quality standards. During design and development, testers use both automated testing tools and manual checks to validate usability, performance, and software quality – ensuring critical issues don’t slip through. This holistic approach minimizes last-minute surprises and helps you deliver a high-quality software product that aligns with business goals.

Testers care for your product post-launch

It’s a lesser-known fact that software quality assurance isn’t just about the pre-release phase. Testers also monitor user reviews and feedback after launch to identify potential improvements or bug fixes. In collaboration with product owners, they will translate user feedback into new feature requests or enhancements.

This process of continuous improvement ensures you’re always listening to your users. By incorporating their needs and pain points, you stay ahead of the curve – and keep your product relevant and high-quality over its entire lifespan.

Testers help you meet compliance standards

Software quality assurance is a very versatile field. Beyond eliminating bugs and delivering a polished user experience, they can also help you meet critical quality standards mandated by regulatory bodies and industry guidelines. Whether it’s about security, data privacy, or accessibility – quality assurance can tailor its testing strategy to ensure your product’s compliance.

Ensuring compliance goes hand in hand with customer satisfaction. People want to know their personal data is handled responsibly, and a secure, high-quality software product goes a long way in fostering customer trust.

This is especially valuable in highly regulated industries like finance and healthcare. If you’re developing healthcare systems that must satisfy HIPAA requirements or financial solutions subject to PCI-DSS regulations, a robust quality assurance process helps you navigate the compliance obligations without compromising product performance.

And it’s not just about compliance for compliance’s sake. Staying compliant goes hand in hand with customer satisfaction. People want to know their personal data is handled responsibly, and a secure, high-quality software product goes a long way in fostering customer trust. In regulated industries, trust translates directly into business longevity, since you are building user confidence, strengthening your market position, and averting the steep penalties that lurk behind neglected or improperly addressed requirements.

Testers boost the quality of the entire project

A skilled software tester not only has an arsenal of testing tools and techniques but also possesses a fundamental understanding of software development. Leveraging their skills and experience, they can determine the right balance between automated and manual testing to achieve optimal efficiency. Automated tests are a great asset for verifying certain requirements quickly, but some scenarios still benefit from a human touch – an experienced tester knows when to apply each method.

Good testers are also meticulous when it comes to documentation, which is essential for aligning the whole project team on requirements and project goals.

And finally, QA professionals often spot opportunities for improving efficiency on the entire project. Whether it’s correcting tasks in Jira or flagging time-tracking inconsistencies – QA will QA, and ultimately, this benefits the entire project.

A well-defined quality assurance process not only keeps teams accountable but also provides tangible metrics for measuring success – like defect density, time to resolution, or user-reported issues. By tracking these quality standards over time, testers can pinpoint what needs improving, keeping the entire software development process on a trajectory toward excellence.

The importance of QA in software development is undeniable

The takeaway here is clear: the importance of QA in software development cannot be overstated. In fact, involving a software tester as early as possible can be a game-changer. Failing to do so puts you at risk of:

Customer dissatisfaction due to bugs and usability issues
Revenue losses (e.g., lost sales, operational disruption)
Brand damage from negative reviews
Higher development costs due to late-stage rework

In a competitive market, cutting corners on QA can have severe repercussions. A dedicated software tester shouldn’t be a luxury but an essential investment in your product’s success, your users’ satisfaction, and your company’s reputation.

If you’re ready to prioritize quality from the start or need help enhancing an existing product, drop us a line.

The post Bugs & Beyond – The Importance of QA in Software Development appeared first on Infinum.

Workshopify Your Meetings — Rebecca Courtney on Delivered

Sindy Vuković — Fri, 20 Dec 2024 19:58:03 +0000

Facilitation coach and collaboration designer Rebecca Courtney appears in our event series Delivered to discuss how to improve business meetings using workshop principles.

Meetings are a cornerstone of corporate life and simultaneously one of its most despised rituals. Hating on aimless, soul-sucking gatherings has practically become a cultural touchpoint, fuel for memes, jokes, and office banter. People often complain about having too many meetings, which takes away their time and focus for individual work, and this meetingophobia is particularly common in the tech world.

As it happens, the collective frustration with meetings is backed by cold, hard data. A Harvard Business Review survey of 150+ senior managers across a range of industries revealed that 71% of them feel meetings are unproductive and inefficient. We got similar results in our recent LinkedIn survey, with 45% of people claiming that meetings feel like a waste of time.

Appearing as a guest on our show Delivered, Rebecca Courtney talks about why meetings fail, how workshops are different, and practical ways to “workshopify” meetings to make them more engaging and productive. Rebecca is a facilitator and collaboration designer at the product strategy studio AJ&Smart, and for the past 10+ years, she’s been leading workshops for some of the most well-known companies, such as Lego, Slack, and Netflix.

The meeting that should’ve been a workshop

Workshops are meetings in the sense that you get people together, either in a room with coffee and donuts or on Zoom, but that’s where the similarity ends. For those unsure about the difference, a workshop is a highly structured session where a facilitator guides a group through exercises to ensure they’re aligned on a clear solution. As Rebecca puts it:

“In a meeting, you talk about what you should do, and in a workshop, you do the actual work. Workshops gather everybody in a room, all the people that need to be part of the decision-making process.”

Meetings often feel unproductive and like a waste of time because they lack structure, guidance, and clearly defined next steps. Most of the time, they just end up with another meeting being scheduled. Without a guide to moderate the conversation, they can spiral into chaotic, circular discussions that result in little more than a collective sigh of despair.

But here’s the thing: not every meeting can and should be turned into a workshop. Routine meetings like daily check-ins or status updates don’t require full workshop treatment, though even these could benefit from facilitation skills to keep discussions focused and efficient. For more strategic meetings and complex decisions, workshops are definitely the way to go.

Before we get into why workshops really work, what their benefits are, and how to workshop-ify meetings, it’s worth examining the root cause of why meetings fail — poor communication.

Why we are so bad at communication

Sophisticated communication is one of humanity’s defining traits, yet we’re universally bad at it. Imagine the disappointment of our Homo sapiens ancestors – those who gifted us the power of modern speech – if they saw us turning it into a game of broken telephone in today’s meeting rooms.

“People often spend their time jumping from meeting to meeting, talking about what they should be doing rather than doing what they were hired to do. I love seeing the joy on people’s faces when, in workshops, they get to do what they’re good at.

REBECCA COURTNEY, FACILITATION COACH, AJ&SMART

Rebecca Courtney points out two key reasons for this struggle. First of all, poor communication stems from the complexity of communication itself. In a group of just eight people, there are 28 potential lines of communication, increasing the risk of misunderstandings and confusion.

The second issue is a lack of facilitation skills, especially among leaders. This includes active listening, asking powerful questions, giving clear instructions, managing the energy of the room, and understanding group dynamics. However, these skills aren’t part of formal education or workplace training. Instead, people are often expected to lead meetings simply because they hold managerial roles, regardless of whether they’re equipped for the task.

This is where a skilled workshop facilitator can make all the difference. Facilitators take on the burden of managing communication issues and group dynamics, allowing team members to focus on the work they were hired to do. By laying the groundwork for clear and effective collaboration, facilitators help teams move forward with purpose and alignment.

“People often spend their time jumping from meeting to meeting, talking about what they should be doing rather than doing what they were hired to do. What I love seeing in workshops is the joy on people’s faces when they actually get to do what they’re good at, says Rebecca.”

Benefits of workshops

Far from the sticky notes cliché, workshops bring people together to align on ideas, solve real problems, and leave the room with solutions — not just more questions. As Rebecca explains, workshops offer three major benefits that can revolutionize team collaboration and decision-making.

1. Alignment

Misalignment can happen even in the smallest teams. As people focus on their own tasks or projects, they can easily become siloed, and before long, communication breakdowns lead to confusion about goals and responsibilities. Workshops help eliminate this by bringing the right people into the same room and aligning everyone around shared goals and priorities.

2. A sense of ownership

Research shows that people are more likely to support ideas when they feel a sense of ownership over them. In traditional meetings, decisions are often imposed from above, leaving team members without the enthusiasm required to successfully implement them. Rebecca summarizes this simply: “People support what they help create.”

This idea is backed by a cognitive bias known as the IKEA effect, where consumers place a disproportionately high value on things they create. In workshops, however, the collaborative environment allows ideas to be shaped collectively, helping people feel more invested in the outcomes.

3. Saving time and money

As Rebecca puts it, you can achieve more in a three-hour workshop than in six months of meetings about the same challenge. By dedicating focused time and energy and bringing the right people together, teams get the momentum needed to solve problems quickly and move projects forward.

A great example of how workshops can help save money is product validation. Take the Design Sprint workshop, for instance. Rather than investing resources into developing a product without knowing its chances for market acceptance, Design Sprint offers a structured approach to rapidly prototype and test ideas with real users in just a few days.

If you have an idea for a digital product and want to ensure it’s ready to be launched into the world, download our free digital product validation resource. Inside, you’ll find 24 questions to determine if your product idea is valuable, usable, and feasible.

Workshop-ify your meetings

If you’re a leader or someone who’s working at a company and just want to try some workshopping techniques to make the group discussion more productive, why not volunteer to be a facilitator at the next meeting? Here are four proven workshop principles that you can apply:

Visualize the discussion

Use simple tools like sticky notes or a whiteboard to capture key points during the conversation. Writing down ideas and placing them where everyone can see them relieves participants from the mental load of remembering everything, allowing them to stay present and engaged.

Sequence the discussion

Guide the discussion to ensure everyone has a chance to contribute. Address participants individually, asking for their thoughts and input in turns. This prevents dominant voices from taking over and encourages balanced input.

Work together alone

Borrow this method from the book Sprint. Start by asking team members to brainstorm solutions individually, each idea on its own sticky note, before sharing with the group. This approach democratizes participation, giving introverted team members a chance to contribute while avoiding groupthink.

End with a decision

Always close the meeting with clear outcomes. Summarize the key decisions, assign responsibilities, and set deadlines. This ensures everyone knows their role and the next steps before leaving the room.

For more insights on effective collaboration, watch or listen to the full conversation with Rebecca. And if you’re looking to build a digital product, validate a prototype, or refine a product idea, our product strategists can facilitate a digital strategy workshop for you.

The post Workshopify Your Meetings — Rebecca Courtney on Delivered appeared first on Infinum.

Skip the RFP – Why Not Take Agencies for a Test Drive Instead?

Joseph Eric Rosenthal — Thu, 12 Dec 2024 10:22:06 +0000

The RFP is such a standard part of the agency selection process that it’s practically become like wallpaper. But what if there was no need to RFP at all? What if you just took an agency for a test drive?

My son just turned 16, and we’re staring down that teenage rite of passage: buying his first car. It’s been an interesting process, to say the least. In some ways, the experience is exactly like it was when I was his age. There’s the fast-talking, hand-shaking salesperson who accosts you as soon as you enter the dealership and follows up incessantly. On the other hand, a lot has changed. Today, there are aggregation websites, pricing tools, reams of historical service and safety data, and services like Carvana and Autotrader Private Seller Exchange.

Interestingly, the experience got me thinking about how clients buy services from agencies like Infinum. And even more interestingly, it raised an intriguing, perhaps even radical question: could we do away with one of the cornerstones of the agency-client relationship – the Request for Proposal (RFP)?

A time-intensive and costly process all around

I work in business development, and a large part of my job involves responding to RFPs. When clients recognize they have a need like a website rebuild, new mobile app, or custom software tool, they send RFPs to dozens of agencies, commencing a lengthy vetting process that can last for weeks or even months.

In their search for an agency, prospective clients sift through stacks of decks, PDFs, case studies, Google drives, and more. In a weeks-long process, they winnow the list to a handful of contenders and then conduct interviews that last from one to four hours each.

On the agency side, all of the aforementioned details are absorbed, and teams are put together to evaluate the prospective client’s question and begin crafting a response. After these documents are turned in, if the agency is fortunate enough to make the first cut, they commence a series of meetings and interviews. It’s not always clear how many agencies are in the mix, but we’ve had as many as 50.

For those doing the requesting, the workload is no less daunting. Prospective clients sift through stacks of presentation decks, PDFs, case study links, Google drives full of (hopefully) relevant assets, and more. Over a few weeks, they winnow the list to perhaps a half-dozen contenders, then set up and administer a series of interviews that can last from one to four hours each, working their way to a single agency.

Get ready for some sticker shock

If you do some rough napkin math, say the 50 agencies each put in 40 hours of effort. That’s 2,000 collective hours input into the process. On the client side, for rough math, assume it’s 25 hours of reading and 50 hours of interviewing and administrative work to get through all these submissions. If there are five senior-level participants, that’s 375 person hours.

Using more napkin math (sorry, we’re using a lot of napkins here, but bear with me), let’s say, this client time is worth an average of $250 per hour. That 375 hours translates to an equivalent value of about $93,000.

The crazy thing is, after all the time and money spent, clients have no idea what it’s like to actually work with the agency. They only know how good their sales process is.

At the end of it all, the client and finalist agency sign a contract and begin their project, which can be worth from a few hundred thousand to a few million dollars. And the crazy thing is, after all this time and money spent, clients have no idea what it’s like to actually work with the agency. They only know how good their sales process is.

And while sometimes these relationships blossom into long-term partnerships, oftentimes the match doesn’t meet the initial expectations, and the partnership ends up tailing off, or worse, results in a failed project.

Back to my son’s car

Imagine for a moment that the car buying process was set up like the agency RFP process. First, my son and I would send out a lengthy request document. In response, we’d get 50 decks about different cars outlining their fuel efficiency, speed, road feel, safety, etc. We’d hear from different car owners by way of testimonials. We’d read and listen to all the materials and then narrow the field.

For our next step, we’d interview the carmakers themselves. “Tell me about the new Malibu.” “Explain why the Tesla Model S is a great choice.” Shockingly, what we would never get to do is actually drive the cars. We’d rely on the words, images, and testimonials trotted out in response to our queries. And then we’d take a massive leap of faith, swipe a card or obtain financing, take the keys, turn the ignition, and hope the car drove just as we were told it would.

Crazy, right? But that’s what folks do all the time when hiring an agency.

Wait, what about spec work?

I know what you’re thinking. What about so-called “spec work,” speculative work agencies perform for no guaranteed fee in the hopes of securing an agreement with a client? Fair question. But, first of all, most negotiations are concluded without spec work. If the stars align and spec work is done (cue pigs flying), there are numerous issues to contend with.

Spec work is done for free and under the burden of numerous process shortcuts dictated by the time and zero-budget constraints of the circumstance. What’s worse, spec work is uninformed by thorough data and research. It’s little more than a guess at what will be right. Keeping with the metaphor, the agency would make you a beautiful motorcycle while you really wanted an SUV. Even worse, the motorcycle might be created by a designer in a totally different division. Let’s table this inherently flawed idea.

Enter the Agency Test Drive

What if we re-framed this process to be more like a car purchasing experience? Rather than sending out an RFP into the wild and waiting for 50 comprehensive written replies, clients would first ask a handful of knowledgeable friends and industry experts they know for recommendations. This will result in five to 10 options tops, and they can quickly trim them down to three based on research, follow-up questions, and instinctive impressions.

Instead of putting $93,000 of time into the labor-intensive vetting process, what if clients split the amount between three agencies to do some real work? This is the closest approximation to being in a specific car and doing some actual driving.

With this approach, they’ve already saved a lot of time and energy. But here’s where things get interesting: The Agency Test Drive. Instead of putting that aforementioned $93,000 of time into the labor-intensive vetting process, what if clients spent the amount a bit more effectively and split it between the three agencies ($31K per agency) to do some real work? This is the closest approximation to being in a specific car and doing some actual driving.

What this assignment will be is up to the client, but we’d suggest choosing something related to one of the thornier aspects of the future project. There’s no need to aim for completion, just a small and discrete enough task for the client to get a real understanding of the people, process, and capabilities of the agency they’re potentially engaging in a long-term project.

Assuming an agency rate of $215/hour, that’s about 145 hours of effort – or approximately three weeks of a small team’s time. That’s enough time to get an honest feel for what to expect from an agency. How does the agency kick off projects? What are their people like? How do they collaborate? How do they communicate? Do they propose new ideas and novel ways forward? How do they react to challenges? This is the agency-selection version of my son punching the accelerator, jamming on the brakes, or testing the blind spots while changing lanes in a demo car.

As an additional bonus, you can also learn a little bit about the agency’s legal, accounting, and payment processes. It won’t be the same as a large negotiation, but it’s another touchpoint. And the more touchpoints you can have, the better.

Shift your selection process into a higher gear

At the end of the day, nothing can replace the experience of being in the trenches with an agency over months or years. But this kind of process can be much more effective – not to mention faster – than the typical agency RFP process. As a result, you can have far more confidence in the relationship’s success, and what could be more important as clients and agencies engage in this complex dance?

As for my son, we’ll leave the buyer guides and webpages behind, and we’ll be test-driving a small handful of models this weekend. The grin on his face when we pull back into the lot will signal when we’ve gotten it right.

The post Skip the RFP – Why Not Take Agencies for a Test Drive Instead? appeared first on Infinum.