Software Test Designers - Configuration Management

TESTING

SOFTWARE QA

RESOURCES

Notes taken from Boris Beizer books:

Determine the hardware configuration(s) of the system and include a sufficient level of configuration testing to assure that the system works under all permutations of physical/logical/functional assignments. Base schedule and planning under the assumption that effort will be proportional to NlogN, where N is the number of hardware devices that can participate in the assignments

For multi-computer systems, or other systems that exhibit multiple levels of performance based on hardware availability: create an accurate model of the system's availability states (devices up/down) and let configuration testing be guided by a probabilistic coverage of all states and transitions sufficient to assure .99999 coverage or the availability goal, whichever is higher. As a rule of thumb, each additional "9" in the availability requirement compounds testing costs by 20%. That is, 0.9999 costs 20% more to test than 0.999, but 0.999999 costs 75% more to test.

For simpler systems, identify all configuration states and all permissible manually and automatically initiated transitions between such states. Design enough tests to assure that all states and all transitions have been covered.

For every device type, where there are N devices of that type, design a sufficient number of tests to test all up/down transitions from every state of that device, under the assumption of only one failure or restoral at a time.

Identify every failure detection method to which the system must respond and initiate a restart and recovery and/or switchover. Design reliable means for exercising or simulating all such methods.

Define the required degree of accountability and fidelity required for the system and implement appropriate tests. Create or modify the transaction generation, log recording, and analyzer tools need to confirm transaction fidelity and accountability.

Define security objectives in as concrete and quantitative manner as possible. Obtain buyer and management guidance concerning the level of security and security testing that they are willing to pay for. Be sure to point out that security testing is more open-minded that normal testing and much, much more expensive.

Participate with a security department or cognizant agency in all aspects of physical and personnel security that might impact system security. There is no point in spending millions on software security testing if inadequate physical and personnel security can totally circumvent your efforts by an inside job.

Implement auditing procedures aimed at exposing the more obvious forms of Trojan horses, more as a deterrent than anything else.

Crank up tolerance testing if the system is to be secure

Make stress testing a mandatory prerequisite to security testing

Design and implement resource monitors and test tools to confirm proper garbage disposal.

Go back through the entire acceptance test plan and augment it for security testing concerns, in addition to the few extra tests that will be added for explicit testing of security-related areas.