Security Testing White Paper
Introduction
Owing to ever-changing business dynamics, more and more organizations are moving to the web. This shift is not only customer-facing but internal as well. On the customer side, whether business-to-business or business-to-consumer, nearly everything is now transacted via the web. On the infrastructure side, companies are moving to the cloud and adopting SaaS models to simplify operations and improve availability. Amid all this change, security becomes a paramount concern: the shift exposes firms to unexpected security threats, and because web security measures are delicate to get right, independent testing firms have come into the picture. Maintaining the security and integrity of an enterprise is also a collective effort of the service providers and cloud providers involved.
Need for Independent Testing Firms
A product or service is developed with a view to the expected results, or the criteria, for which it is intended to be used. The user is also expected to use the application in a particular fashion, but that is not always the case. With the advancement and availability of technology, today's end user is quite versatile and, in a manner of speaking, sometimes mischievous.
A breach in the security of a website, or of any application or service, can be intentional as well as unintentional. As the provider of a service or product we can hope that users behave as intended, but we must also be prepared for unexpected use. When taking security measures, one has to think from the attacker's perspective too. A person who has written the code himself is at a disadvantage when testing or verifying it from the viewpoint of finding loopholes; one has to adopt an adversarial perspective, popularly called the ethical hacker's perspective.
Independent testing firms with expertise in this niche skill domain can be very useful in making a service or product robust. With a varied pool of talent and the right mix of approaches, a testing firm can provide the essential checks and pinpoint the places where an application can be toyed with.
Software Testing in various development methodologies
The waterfall model has been in widespread use for some time. The normal flow in the model is as follows:
- System feasibility -> Requirement analysis -> System design -> Coding and unit testing. In the coding phase, the actual code is written for the various modules. Generally the coder reviews the code himself and tests the functionality of each module individually.
- Integration and system testing. In this phase, all the modules are integrated and the entire system is tested, making sure that the modules meet the requirements.
- Deployment and maintenance. In this phase, the software is deployed in the production environment. Errors identified in this phase are rectified, and the functionality is tweaked based on updated requirements.
Agile Model
The key differences between agile and traditional methodologies are as follows:
- Software is developed in sprints, short continuous cycles. The result is delivered in chunks, as small releases, with each release adding to the previous functionality. Each release is thoroughly tested, so that any issues found are addressed in the next iteration.
- At the end, system testing is done to ensure that the complete system meets its requirements, including the security requirements.
Manual vs Automated Testing
Manual testing, though very useful for checking the nuts and bolts of the code written, may fall short of scanning an entire module comprehensively. Automated testing, owing to its comprehensive nature, is quite good at identifying threats, and when coupled with manual testing it can prove very beneficial.
Code may be tested for vulnerabilities such as SQL injection, code injection, remote file inclusion and cross-site scripting. An automated tool can conveniently automate the testing of these techniques, but an experienced tester can prove more valuable: with out-of-the-box thinking, he can subject the application to attacks the tool does not anticipate.
Best practice is to tailor the scripts of the automation tool (IBM AppScan, Paros, QAInspect etc.) to the technical requirements of the code under test, and then take a manual approach to verify and rectify the results. For this, a manual tester with expertise in the required domain is preferred.
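As an added example (not from the original white paper), the following Python code places a vulnerable login query and a reflected HTML output beside their hardened versions, and runs the kind of fixed payload list an automated scanner would iterate over against both. The database, the 'alice' account, the payloads and all function names are constructed for the illustration; the standard-library sqlite3 module stands in for whatever database the application actually uses.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The values are spliced into the SQL text, so a quote in the input
    # changes the query's structure instead of being compared as data.
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values; they can never
    # become part of the SQL grammar.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Constructed payload list, the kind of wordlist a scanner iterates over.
SQLI_PAYLOADS = ["' OR '1'='1", "' OR 1=1 --", "'"]


def probe_login(login, conn) -> list:
    """Automated check: which payloads, sent as the password for a known
    account, either log in without the real password or provoke a database
    error?"""
    findings = []
    for payload in SQLI_PAYLOADS:
        try:
            if login(conn, "alice", payload):
                findings.append(payload)
        except sqlite3.Error:
            # A server-side SQL error on a lone quote is itself evidence
            # that the input reaches the query unescaped.
            findings.append(payload + " (SQL error)")
    return findings


XSS_PAYLOAD = "<script>alert(1)</script>"


def greet_vulnerable(name: str) -> str:
    # Reflects the input straight into the markup.
    return f"<p>Hello {name}</p>"


def greet_hardened(name: str) -> str:
    # HTML-encodes the input, so '<' and '>' render as text, not as tags.
    return f"<p>Hello {html.escape(name)}</p>"


def probe_greet(greet) -> bool:
    """Automated check for reflected XSS: is the payload echoed unencoded?"""
    return XSS_PAYLOAD in greet(XSS_PAYLOAD)


def scan(conn) -> dict:
    """Run both probes against both versions, like a scanner's report."""
    return {
        "login_vulnerable": probe_login(login_vulnerable, conn),
        "login_hardened": probe_login(login_hardened, conn),
        "greet_vulnerable": probe_greet(greet_vulnerable),
        "greet_hardened": probe_greet(greet_hardened),
    }


if __name__ == "__main__":
    print(scan(make_db()))
```

The automated probe finds only what its payload list covers; the manual tester's work starts where the list ends, for instance by reasoning about which other queries and templates the application builds from the same input.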
Conclusion
As more and more people shift to web-based applications, which certainly make life and work easier, one also has to take care of the threats that come with the package.
Threats exist not just for the consumer but for enterprises as well. Common threats include web-based attacks, social phishing and malicious data loss. One has to focus on prevention mechanisms rather than on merely responsive ones.
Client-Server and Web Based Testing
CLIENT / SERVER TESTING
This type of testing is usually done for 2-tier applications (usually developed for a LAN). Here we have a front end and a back end. The application launched on the front end has forms and reports that monitor and manipulate data.
E.g. applications developed in VB, VC++, Core Java, C, C++, D2K, PowerBuilder etc.
The back end for these applications would be MS Access, SQL Server, Oracle, Sybase, MySQL or Quadbase.
The tests performed on these types of applications would be:
- User interface testing
- Manual support testing
- Functionality testing
- Compatibility testing & configuration testing
- Intersystem testing
WEB TESTING
This is done for 3-tier applications (developed for the Internet, an intranet or an extranet). Here we have a browser, a web server and a DB server. The applications accessible in the browser are developed in HTML, DHTML, XML, JavaScript etc. (the browser tier is where data is monitored). Applications on the web server are developed in Java, ASP, JSP, VBScript, JavaScript, Perl, ColdFusion, PHP etc. (all the manipulation is done on the web server by these programs).
The DB server would run Oracle, SQL Server, Sybase, MySQL etc. (all data is stored in the database on the DB server).
The tests performed on these types of applications would be:
- User interface testing
- Functionality testing
- Security testing
- Browser compatibility testing
- Load / stress testing
- Interoperability testing/intersystem testing
- Storage and data volume testing
A web application is a three-tier application
It has a browser (monitors data) [monitoring is done using HTML, DHTML, XML, JavaScript] -> web server (manipulates data) [manipulation is done using programming languages or scripts like advanced Java, ASP, JSP, VBScript, JavaScript, Perl, ColdFusion, PHP] -> database server (stores data) [data storage and retrieval is done using databases like Oracle, SQL Server, Sybase, MySQL].
The types of tests that can be applied to this type of application are:
- User interface testing for validation & user friendliness
- Functionality testing to validate behaviour, input, error handling, output, manipulations, service levels, order of functionality, links, content of web pages and back-end coverage
- Security testing
- Browser compatibility
- Load / stress testing
- Interoperability testing
- Storage & data volume testing
A client-server application is a two-tier application
It has forms and reports at the front end (where monitoring and manipulation are done) [using VB, VC++, Core Java, C, C++, D2K, PowerBuilder etc.] -> a database server at the back end (data storage and retrieval) [using MS Access, SQL Server, Oracle, Sybase, MySQL, Quadbase etc.]
The tests performed on these applications would be:
- User interface testing
- Manual support testing
- Functionality testing
- Compatibility testing
- Intersystem testing
Some more points to clarify the difference between client-server, web and desktop applications:
Desktop application:
- Application runs in a single memory space (front end and back end in one place)
- Single user only
Client/Server application:
- Application runs on two or more machines
- Application is menu-driven
- Connected mode (the connection persists from login until logout)
- Limited number of users
- Fewer network issues compared to a web application
Web application:
- Application runs on two or more machines
- URL-driven
- Disconnected mode (stateless: each request is independent, so any session state must be maintained explicitly)
- Unlimited number of users
- Many issues such as hardware compatibility, browser compatibility, version compatibility, security and performance
Compatibility Testing Case Study
The Client
Our customer for OS compatibility testing is http://www.dualalign.com, which develops products for high-impact imaging applications; all three of its software products are desktop applications.
For browser compatibility test requirements, our customer is the leader in the online marketplace space, www.elance.com.
The Requirements
- DualAlign needed to ship its products on different operating systems: Windows, Mac and Linux. 360logica was to perform compatibility testing across all of these operating systems and report the compatibility issues found.
- Elance, a leader in the online marketplace space, asked us to perform regular testing on all available browsers and operating systems.
The Solution
- Identification of a matrix of all operating systems, and resource scheduling.
- Defined tasks and deployed QA staff dedicated to testing the DualAlign products on each OS, producing a separate report for each OS.
- For the Elance browser testing, we identified all popular browsers and their older and newer versions, prepared a matrix of this information, and assigned one QA resource per browser version. VMware allowed us to test different browsers on different virtual machines.
The Technology
- OS for DualAlign tests: Windows 2000, 2003, NT, Vista, XP, Windows 7, and Mac
- Browsers: Internet Explorer versions 6, 7 and 8; Firefox versions 1.5, 2.0 and higher; Opera; Safari on both Windows and Mac
- VMware for virtual machine creation
- Mac OS X
Contribution
- The challenge was to set up the different OS and browser environments
- Resource allocation for every combination of OS and browser
- This involved building the various OS and browser combinations and generating the environments.
- Performing functional and browser compatibility testing across these combinations of operating systems and browsers.
- Worked closely with the customer to understand the product
- Established a bug reporting mechanism for efficient and quick bug fixing.
Test Driven Development
Test-driven development (TDD) is a software development process that relies on the repetition of a very short development cycle: first the developer writes a failing automated test case that defines a desired improvement or new function, then produces code to pass that test and finally refactors the new code to acceptable standards.
Test-driven development requires developers to create automated unit tests that define the code's requirements immediately before writing the code itself. The tests contain assertions that are either true or false. Passing the tests confirms correct behavior as developers evolve and refactor the code. Developers often use testing frameworks, such as xUnit, to create and automatically run sets of test cases.
Test-driven development cycle
- Add a test
- Run all tests and see if the new one fails
- Write some code
- Run the automated tests and see them succeed
- Refactor code
- Repeat
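One TDD cycle applied to a security requirement, as an added example that is not part of the original page: the requirement, "a download helper must never resolve a request to a file outside the download directory", is written first as a test, a first implementation is written to get it to pass, and the code is then refactored until the whole test is green. The download root, the requests used in the test and the function names are hypothetical.

```python
import posixpath

BASE = "/srv/downloads"   # hypothetical download root


def requirement_failures(impl) -> list:
    """Step 1, the test: run the requirement against an implementation and
    return the requests it handles wrongly (an empty list means green)."""
    cases = [
        ("report.pdf", f"{BASE}/report.pdf"),        # ordinary request
        ("sub/./file.txt", f"{BASE}/sub/file.txt"),  # harmless '.' segment
        ("../etc/passwd", None),                      # classic traversal
        ("sub/../../etc/passwd", None),               # traversal via a subdir
        ("/etc/passwd", None),                        # absolute path
        ("../downloads-evil/x", None),                # sibling-prefix trick
    ]
    return [req for req, want in cases if impl(req) != want]


def safe_join_v1(requested: str):
    """Step 2, first attempt: the smallest code that seems to satisfy the
    test. It rejects '..' segments but nothing else, so the test stays red
    for the absolute path and for the '.' segment."""
    if ".." in requested.split("/"):
        return None
    return posixpath.join(BASE, requested)


def safe_join(requested: str):
    """Step 3, refactored until green: normalize first, then decide by the
    resulting path rather than by pattern-matching the input. An absolute
    request makes posixpath.join discard BASE, so it fails the prefix check."""
    full = posixpath.normpath(posixpath.join(BASE, requested))
    # The trailing '/' matters: without it '/srv/downloads-evil' would pass.
    if full != BASE and not full.startswith(BASE + "/"):
        return None
    return full


if __name__ == "__main__":
    print("v1 failures:", requirement_failures(safe_join_v1))
    print("final failures:", requirement_failures(safe_join))
```

The point of writing the test first is visible in the two implementations: the first one pattern-matches the input and passes the obvious cases, and it is the pre-written assertions, not the developer's intuition, that expose the absolute-path case it misses.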
How to Test a Web Service using QuickTest Pro
This video demonstrates how to test a web service using QuickTest Professional.
HP QuickTest Professional testing software provides functional and regression test automation for software applications and environments. HP QuickTest Professional supports keyword and scripting interfaces and features a graphical user interface. It uses the Visual Basic Scripting Edition (VBScript) scripting language to specify a test procedure, and to manipulate the objects and controls of the application under test.
Performance Testing Sub-Genres
- Load
- Stress
- Endurance
- Spike
- Scalability
Load Testing
This is the simplest form of performance testing. A load test is usually conducted to understand the behaviour of the application under a specific expected load. This load can be the expected number of concurrent users on the application performing a specific number of transactions within a set duration. The test yields the response times of all the important business-critical transactions. If the database, application server, etc. are also monitored, this simple test can itself point to the bottleneck in the application software.
Stress Testing
This testing is normally used to break the application. The number of users is increased (typically doubled) and the test is run again, repeatedly, until the application breaks down. This kind of test determines the application's robustness under extreme load and helps application administrators decide whether the application will perform adequately if the actual load goes well above the expected load.
Endurance Testing (Soak Testing)
This test is usually done to determine whether the application can sustain the continuous expected load. During endurance tests, memory utilization is monitored to detect potential leaks. Also important, but often overlooked, is performance degradation: the throughput and/or response times after a long period of sustained activity should be as good as or better than at the beginning of the test.
Spike Testing
Spike testing, as the name suggests, is done by spiking the number of users and observing whether the application goes down or is able to handle dramatic changes in load.
Scalability Testing
Scalability testing is an extension of performance testing and part of the battery of non-functional tests. It measures a software application's capability to scale up or scale out in terms of any of its non-functional capabilities, be it the user load supported, the number of transactions, the data volume etc. The purpose of scalability testing is to identify the major workloads and mitigate the bottlenecks that can impede the scalability of the application.
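The following Python harness, added here as an illustration and not taken from the original page, implements the load, stress and endurance tests described above against a constructed stand-in for the application: a transaction function serialized by a lock (so latency grows with concurrency, the bottleneck a load test is meant to expose) plus a deliberately leaking variant for the soak test. Against a real system the transaction function would issue an HTTP request instead; the thresholds, user counts and function names are illustrative.

```python
import threading
import time
import tracemalloc
from concurrent.futures import ThreadPoolExecutor

_lock = threading.Lock()


def fake_transaction() -> None:
    """Constructed stand-in for a business transaction. The lock serializes
    the work, so latency grows with the number of concurrent users."""
    with _lock:
        time.sleep(0.001)


_leaked = []


def leaky_transaction() -> None:
    """Constructed stand-in for a transaction with a memory leak."""
    _leaked.append(bytearray(4096))  # never released
    fake_transaction()


def percentile(samples, p):
    """Nearest-rank percentile of a list of latencies."""
    ordered = sorted(samples)
    return ordered[round(p / 100 * (len(ordered) - 1))]


def load_test(users, transactions_per_user, transaction=fake_transaction):
    """Load test: `users` concurrent clients each run a fixed number of
    transactions; returns the latency figures a report would show."""
    def client(_client_id):
        latencies = []
        for _ in range(transactions_per_user):
            start = time.perf_counter()
            transaction()
            latencies.append(time.perf_counter() - start)
        return latencies

    with ThreadPoolExecutor(max_workers=users) as pool:
        per_client = list(pool.map(client, range(users)))
    latencies = [x for lat in per_client for x in lat]
    return {
        "users": users,
        "samples": len(latencies),
        "p50": percentile(latencies, 50),
        "p95": percentile(latencies, 95),
        "max": max(latencies),
    }


def stress_test(max_p95, start_users=1, limit=64, transactions_per_user=5):
    """Stress test: double the user count until p95 latency breaches the
    target; returns (breaking user count, stats), or (None, last stats) if
    the application held up to `limit` users."""
    users, stats = start_users, None
    while users <= limit:
        stats = load_test(users, transactions_per_user)
        if stats["p95"] > max_p95:
            return users, stats
        users *= 2
    return None, stats


def endurance_test(rounds, users, transactions_per_user,
                   transaction=fake_transaction):
    """Endurance (soak) test: repeat the load and watch for memory growth and
    latency drift between the first and the last round."""
    tracemalloc.start()
    p95s, memory = [], []
    for _ in range(rounds):
        p95s.append(load_test(users, transactions_per_user, transaction)["p95"])
        memory.append(tracemalloc.get_traced_memory()[0])
    tracemalloc.stop()
    return {
        "p95_first": p95s[0],
        "p95_last": p95s[-1],
        "memory_growth_bytes": memory[-1] - memory[0],
    }


if __name__ == "__main__":
    print("load:", load_test(users=8, transactions_per_user=5))
    print("stress:", stress_test(max_p95=0.010))
    print("soak (leaky):", endurance_test(3, 4, 5, leaky_transaction))
```

Reporting percentiles rather than averages is deliberate: a handful of slow requests under contention barely move the mean but show up directly in p95, which is the figure an SLA is usually written against. A spike test is the same loop with the user count jumped rather than doubled step by step.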
Software Third Party Testing in India
Third Party Testing:
Third-party testing is critical to detecting and eliminating defects before users ever experience them. Having 360logica perform the testing provides an independent check and balance, ensuring that your organization or outsourcer delivers a product that will not surprise and frustrate its users later.
Overview:
Many companies do not have the resources or expertise required to conduct a full set of tests before accepting custom software from a vendor. Even though a service level agreement may exist between client and vendor, such agreements do little to reduce the cost and frustration of spending months correcting bugs when the delivered code is not up to acceptable standards. Often, vendors still charge for rework by citing weak or ambiguous requirements provided by the client. In the end, the client spends considerably more time and money than planned just to get the result they expected.
Third-party testing services save clients money through early error detection and prevention. It is 360logica's QA approach to testing that drives significant results and substantial savings. Before accepting software from the development vendor, clients know the state of the application and can make informed decisions around resource leveling, contingency planning, deadlines and user expectations.
Benefits:
- Identifies requirement issues (missing, ambiguous, unclear) in the early development stages of the application.
- Provides a checks and balances system that benefits the client and software vendor.
- Saves money and rework time by reducing the number of errors coded in the first place.
- Verifies that the technical design conforms to the requirements and expectations of the user.
- Provides the client with an objective view of the readiness of the software at any given time.
- Reduces the client's workload by having an independent third party test the vendor-built application, minimizing the chance that the client signs off on and accepts problematic software.
- Reduces the number of defects released into production.