As the saying goes, “first impressions last”, so the GUI (Graphical User Interface) matters and makes a real difference. The importance of a clean and attractive GUI is felt even more on smart devices, where the screen is much smaller.
GUI testing can be the toughest part of testing, especially on smart devices. You should pay full attention to the GUI while testing on smart devices; it is an important task that deserves significant time and resource allocation.
Practical Tips for Testing GUI on Smart Devices:
For me, while testing a GUI, every control is on trial.
I ask why each control is there on the screen and try to answer that question. I argue for and against the controls one by one, and I do all this without discussing it with anyone else. It is the time when I wear multiple hats: the controls are the accused, and I am the prosecutor, the defense lawyer and the judge. During this process a control must have valid and solid reasons in its favor to stay on the screen and consume space. I suggest you try it; it will help you decide which controls to display on the screen.
There are also situations where you are given an already built GUI to test. In such situations, think about the missing controls, the controls that would add value to the screen, and compare their importance with the current ones. If you think a change is needed, go ahead and raise it.
Once you have decided which controls will be shown on the screen, think thoroughly about the size, style and location of the controls on the screen and, more importantly, how the user will interact with them.
Three important factors to consider while testing a GUI on smart devices:
Size:
There are many variations in screen sizes and available resolutions. On smart devices especially, control sizes are not static; they are relative to the available screen size.
While testing, make sure that control sizes look aesthetically good and that each control is completely visible on the screen without any scrolling. Test the GUI on different devices with different screen sizes and resolutions.
Emulators are good for this purpose, but nothing matches a real device, so make sure you test on at least two or three real devices. Also, don't forget to test in both landscape and portrait orientations if the device supports them.
Style:
Your application surely has a specific design, and the style of the controls should match that design. You may have seen many applications where some controls, e.g. panels, have rounded edges while the text boxes inside them have sharp edges. Although this type of issue does not affect usability or functionality, a consistent look helps build a friendly relationship between the application and the user.
A relatively more important aspect of style is the font used on the different pages. Most of the time we focus on the text that is visible in normal situations and ignore the text that appears only in specific situations. Success and failure messages are examples of such text.
Another important factor in style is the relationship between font color and the situation in which the text is displayed. For example, red is used for error messages, green for success, yellow for warnings and blue (nowadays only occasionally) for hyperlinks.
Location:
Location and position are two words that are used interchangeably, and interestingly they are used to convey two different concepts, explained below.
1. Sometimes it is the area of the screen where a control appears. For example, the header is located at the top of the page, labels are left aligned, and text boxes are right aligned. Here “top”, “left aligned” and “right aligned” are the relative positions of the controls.
2. Sometimes it is the order of a control among the other controls. For example, while collecting personal information, First Name is followed by Last Name, or the controls asking for a US address should be in the order ZIP, City, State.
For both of these, make sure that everything is logical and shows good aesthetic sense.
I almost forgot something even more important: there are situations where one or more controls appear on more than one screen. In that case, make sure they appear at the same location and in the same order on all the pages.
This is a guest post by Uzair Baloch. If you want to write one, please read the guidelines.
About Author: With 3+ years of industry experience, Uzair Baloch is currently working as a Sr. SQA Engineer for a Canadian organization in its offshore office.
Hope these tips help you test GUIs on smart devices. If you have more ideas, please share them in the comments below.
Like this post? Please subscribe to Email Newsletter or RSS Feed to have future Software Testing Tips delivered to your email inbox or feed reader!
Quality assurance and software testing are among the most crucial steps in any software development process. They ensure requirement adherence, performance reliability and defect-free product delivery to the client.
As demand for the tester role increases, more attention is being paid to quality testing professionals. It is therefore high time to get certified and acquire the capabilities to fit this demanding position. However, it is equally challenging to find standard certifications that are recognized all over the world.
This article is intended to inform readers about the established certifications available in the market today. Let us look at them one by one.
This is Part I of the testing certification series. In this article we'll discuss the following four important software testing certifications:
1) CSTE
2) CSTP
3) CTM
4) HP QTP Certification
1) CSTE
CSTE stands for “Certified Software Test Engineer”. CSTE is a benchmark certification program for testers and managers that emphasizes professional competency and best practices in quality control in the IT industry. The eligibility criteria for the CSTE certification require one of the following:
- A 4-year degree from a recognized institution + 2 years of experience
- A 3-year degree from a recognized institution + 3 years of experience
- A 2-year degree from a recognized institution + 4 years of experience
- 6 years of experience in the IT industry
How to Apply:
The applicant should submit the request on the Customer Portal with a payment of $350 (PDF + initial exam) or $420 (PDF + book + CD + initial exam).
You can apply for this certification through the Customer Portal at Software Testing Certifications. You can also send your questions to: certify@softwarecertifications.org.
Exam Pattern:
The exam is divided into the following parts:
- Two sections of multiple-choice questions, consisting of 50 objective-type questions.
- Two sections of 10 subjective-type questions, such as short answers or essays.
The exam duration is 4 hours 30 minutes and the passing mark is 75%. The exam retake fee is $100.
Check out some more CSTE sample questions here.
2) CSTP
CSTP is short for “Certified Software Test Professional”. It was initiated by the International Institute for Software Testing (IIST) in 1991 and has since enhanced the careers of thousands of aspirants by providing the professional skill set for software application testing. This certification program can be taken by newcomers to the testing field as well as by managers and leaders in testing.
The requirements for this exam include a minimum of 10 days of formal training or education covering the following topics:
- Principles of Software Testing
- Test Design
- Managing the Testing Process
- Test Execution and Defect Tracking
- Requirement Definition, Refinement and Verification
- Test Automation
- Static Testing
Along with this, the applicant must have at least one year of experience in a testing-related role. Formal approval from the candidate's manager is also required to apply for this certification.
A minimum score of 80% is required to earn this certification. The exam fee is $120 and is non-refundable; once earned, the certification does not expire for 3 years.
How to Apply:
For the application form, visit the International Institute for Software Testing, call (763) 546-0072, or send your query to info@iist.org.
3) CTM
CTM stands for “Certified Test Manager”. This certification aims to help test managers and senior testers handle test projects efficiently by enhancing their management capabilities. The Test Management Body of Knowledge (TMBK) is the foundation of the CTM certification.
This program is aimed at managers, senior-level testers, anyone with over 3 years of industry experience, and those who have already completed the CSTP certification.
The formal education requirements for this exam include the following compulsory topics:
- Test Process Management
- Test Project Management
- Test Process Measurement and Improvement
- Test Organization Management
- Risk Management
- Test Automation Strategies and Architectures
- Software Quality Assurance
Eligibility:
As mentioned above, a minimum of 3 years of experience is the eligibility requirement for taking this test.
How to Apply:
Application forms are available at the IIST office and should be submitted to the IIST chairperson along with a non-refundable fee of $120. Once granted, the CTM certification does not expire for 3 years. A minimum score of 80% is required to become CTM certified.
The application form is directly accessible at IIST. You can send any questions to info@iist.org or call (763) 546-0072.
4) HP QTP Certification
The QTP certification by HP is meant for QuickTest professionals who wish to gain mastery of HP's testing tool, QuickTest. Since August 1st, 2010, HP has offered the HP QTP Certification v10.0. AIS is the beginner-level certification exam, whereas ASE is the advanced-level exam. The exams are known by the following names:
- Exam HPO-M31 – HP Quality Center 10.0 Software
- Exam HPO-M39 – HP QuickTest Professional 10.0 Software
A preparation guide by HP is available at HP QTP certification preparation, which covers the exam subjects precisely. Click to apply for HP QTP certification and follow the simple instructions. The cost of the HP QTP certification is $150.
In Part II of this article, we'll discuss in detail the ISEB & ISTQB, CMST, CASQ, CSQA and CMSQ certifications.
Until then, if you have queries on any of the testing certifications, feel free to ask in the comment section below.
This is Part II of the testing certification series. If you missed the last article on testing certifications, you can check it out here. In the last article we discussed four important software testing certifications, namely
CSTE, CSTP, CTM and HP QTP Certification.
In this article we'll discuss the remaining five important software testing certifications:
1) ISEB & ISTQB
2) CMST
3) CASQ
4) CSQA
5) CMSQ
Here are the details on eligibility, exam patterns and how to apply for these certifications.
ISEB (The Information Systems Examinations Board) certification is an initiative of BCS (the British Computer Society), the Chartered Institute for IT, to support the careers of IT professionals. ISEB was formed in 1990 and is a division of BCS. This professional certification is available at foundation, practitioner and advanced levels to cater to the needs of every IT testing aspirant. ISTQB stands for “International Software Testing Qualifications Board” and was formed in late 2002. The two certifications are similar, and at the foundation level they are essentially the same. The only distinguishing factor is that ISEB is UK-specific whereas ISTQB is an international certification.
BCS offers internationally recognized qualifications in the following subjects:
- IT Service Management
- Software Testing
- Sustainable IT
- Business Analysis/Change
- Solution Development
- Project Management and Support
- IT Governance, Information and Security
- IT Assets and Infrastructure
Following are the levels at which both of these certifications are available, to suit the needs of every professional:
Foundation Level – Certification at this level provides broad coverage of a specific area. It is specifically designed to enhance the knowledge and future scope of managers. Its cost is £130.
Intermediate Level – The intermediate-level exam examines the subject in more detail and acts as the basis for the practitioner-level certification. Its cost is £110.
Practitioner Level – This level lays emphasis on a specific skill within a subject area in a more detailed manner, to provide practical IT skills. Its cost is £150.
Higher Level – Higher-level certification is meant for managers and specialists with deep knowledge of their subject. Its cost is £540.
To apply for these certification exams at any level, click: Apply for ISTQB or ISTQB-BCS
CMST, short for Certified Manager of Software Testing, is meant to establish the competencies of testing professionals in the software industry at an international level. Being CMST certified means having a qualification in the principles of testing and the capability to handle software testing scenarios. The prerequisites for taking this exam are one of the following:
- A bachelor's degree and at least 4 years of relevant experience in the software testing field, or
- An associate degree and at least 6 years of relevant experience in the software testing field, or
- A minimum of eight years of relevant experience in the software testing field.
Candidates are required to demonstrate their capabilities in the following subjects:
- Test Planning
- Test Reporting
- Measurement
- Managing Test Execution
- Organizational Development (both teams and management)
- Communication (both leadership and behavioral skills)
- Define, deploy and improve work processes
To apply for this certification test, go to CMST, the customer portal for candidates, and complete the formalities by following the easy steps to set up the test. The fee for this exam is $450.
CASQ stands for Certified Associate in Software Quality, which is focused on quality assurance skills and principles at a fundamental level of understanding. CASQ offers rapid career progression at an affordable cost. This exam is intended for beginners in quality who meet one of the following requirements:
- A 3-year or 4-year degree from a certified institution, or
- A 2-year degree and one year of relevant experience in the IS (Information Services) field, or
- Three years of relevant experience in the IS (Information Services) field.
Questions on the following skill set are expected in the exam:
- COTS, Outsourcing, Contracting Quality, etc.
- Quality Principles and Concepts
- Quality Leadership
- Quality Assurance
- Quality Control Practices
- Quality Baselines
- Quality Planning
- Metrics and Measurement
- Define, Build, Implement and Improve Work Processes, etc.
- Internal Control and Security
Similar to CMST, the application process is carried out at the customer portal on CASQ. This certification is affordable; any aspiring candidate can get certified for $100.
Certified Software Quality Analyst (CSQA) certification is an intermediate-level exam that is considered the standard for best practices and principles of software quality assurance in the IT industry. CSQA-certified candidates are recognized by several business and professional organizations, which boosts their career growth manifold. This exam is specifically beneficial for the role of quality advisor to management. It has the following prerequisites, one of which must be met to be eligible:
- A 4-year degree and two years of relevant experience in the IS (Information Services) field, or
- A 3-year degree and three years of relevant experience in the IS (Information Services) field, or
- A 2-year degree and four years of relevant experience in the IS (Information Services) field, or
- Six years of relevant experience in the IS (Information Services) field.
Along with the above requirements, the applicant should be currently working in, or have at least 18 months of experience in, a field specifically relevant to the certification designation.
Log on to the customer portal at CSQA to schedule the exam; the test fee is $350.
Certified Manager of Software Quality (CMSQ) certification is an international-level assessment of the skills of software quality assurance leaders and managers. CMSQ-certified professionals are either working at top IT organizations or will soon join them in managerial posts in the quality assurance unit. This is the advanced-level certification in the software quality field, which is reflected in the requirements for taking this examination, one of which must be met:
- A bachelor's degree from an accredited institution along with four years of relevant experience in the software quality assurance field, or
- An associate degree along with six years of relevant experience in the software quality assurance field, or
- Eight years of relevant experience in the software quality assurance field.
As with the other quality certifications, this one follows the same application process: log in to CMSQ, the customer portal, which acts as the single point of application. The cost of this exam is $450.
Please feel free to share your experience of taking any of these software testing and quality assurance certifications.
Performance testing is testing performed to ascertain how the components of a system perform in a particular situation. Resource usage, scalability and reliability of the product are also validated under this testing. It is a subset of performance engineering, which focuses on addressing performance issues in the design and architecture of a software product.
Performance Testing Goal:
The primary goal of performance testing is to establish the benchmark behaviour of the system. There are a number of industry-defined benchmarks that should be met during performance testing.
Performance testing does not aim to find functional defects in the application; it addresses the more critical task of testing the application against the benchmarks and standards set for it. Accuracy and close monitoring of the performance and results of the test are the primary characteristics of performance testing.
Example:
For instance, you can test the application's network performance against a Connection Speed vs. Latency chart. Latency is the time it takes for data to travel from source to destination. Thus, a 70kb page should take no more than 15 seconds to load on a worst-case 28.8 kbps modem connection (latency = 1000 ms), while a page of the same size should appear within 5 seconds on an average 256 kbps DSL connection (latency = 100 ms). A 1.5 Mbps T1 connection (latency = 50 ms) would have its performance benchmark set at 1 second.
For example, the time between sending a request and receiving its response should lie in the range of x ms to y ms, where x and y are the agreed standard values. Successful performance testing should surface most of the performance issues, whether related to the database, network, software, hardware, etc.
Load testing tests the system by constantly and steadily increasing the load on it until it reaches its threshold limit. It is the simplest form of performance testing and employs automation tools such as LoadRunner or any other good tool available. Load testing is also referred to by names like volume testing and endurance testing.
The sole purpose of load testing is to give the system the largest job it could possibly handle, to test its endurance and monitor the results. Interestingly, sometimes the system is fed an empty task to determine its behaviour in a zero-load situation.
Load Testing Goal:
The goals of load testing are to expose defects in the application related to buffer overflows, memory leaks and memory mismanagement, which often surface only under sustained load. Another target is to determine the upper limit of all the components of the application, such as the database, hardware and network, so that it can manage the anticipated future load. The issues that eventually come out of load testing may include load-balancing problems, bandwidth issues, the capacity of the existing system, etc.
Example:
For example, to check the email functionality of an application, it could be flooded with 1000 users at a time. These 1000 users can fire email transactions (read, send, delete, forward, reply) in many different ways. If we take one transaction per user per hour, that is 1000 transactions per hour. By simulating 10 transactions per user, we could load test the email server with 10,000 transactions per hour.
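The following harness is an added example, not code from the original article or from any tool it mentions. It drives the email scenario above (simulated users, a fixed number of transactions each) against a stand-in server and reports the numbers a performance tester compares against the benchmark from the earlier performance-testing section (error rate, throughput, p50/p95/max latency), then ramps concurrency until the error budget is exceeded to find the threshold. `FakeMailServer`, its `max_in_flight` limit and the screen of transaction names are constructed stand-ins; in a real run the `handle` call is replaced by a request to the system under test.

```python
"""Minimal load-test harness: N simulated users each fire a fixed number of
mailbox transactions; report throughput, latency percentiles and error rate,
then ramp concurrency until the error budget is exceeded."""
import statistics
import threading
import time
from concurrent.futures import ThreadPoolExecutor

TRANSACTIONS = ("read", "send", "delete", "forward", "reply")


class FakeMailServer:
    """Stand-in for the system under test (constructed for this example).
    Every call costs a fixed service time; calls beyond max_in_flight are
    rejected with '503 overloaded', which is the threshold the test looks for."""

    def __init__(self, max_in_flight=64, service_time=0.0005):
        self._lock = threading.Lock()
        self._in_flight = 0
        self.peak_in_flight = 0
        self.max_in_flight = max_in_flight
        self.service_time = service_time

    def handle(self, user, kind):
        with self._lock:
            self._in_flight += 1
            self.peak_in_flight = max(self.peak_in_flight, self._in_flight)
            overloaded = self._in_flight > self.max_in_flight
        try:
            if overloaded:
                raise RuntimeError("503 overloaded")
            time.sleep(self.service_time)  # pretend to do the work
            return "%s:%s:ok" % (user, kind)
        finally:
            with self._lock:
                self._in_flight -= 1


def run_load(server, users, transactions_per_user, concurrency):
    """Drive `users` simulated users, `concurrency` at a time, and return the
    metrics a tester compares against the benchmark."""
    latencies, errors = [], 0
    lock = threading.Lock()

    def one_user(uid):
        nonlocal errors
        for i in range(transactions_per_user):
            kind = TRANSACTIONS[i % len(TRANSACTIONS)]
            t0 = time.perf_counter()
            try:
                server.handle("user%d" % uid, kind)
                ok = True
            except RuntimeError:
                ok = False
            elapsed = time.perf_counter() - t0
            with lock:
                latencies.append(elapsed)
                if not ok:
                    errors += 1

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        list(pool.map(one_user, range(users)))
    wall = time.perf_counter() - start
    ordered = sorted(latencies)
    n = len(ordered) or 1  # guard against a zero-load run
    return {
        "transactions": len(ordered),
        "errors": errors,
        "error_rate": errors / n,
        "throughput_per_s": len(ordered) / wall,
        "p50_ms": (statistics.median(ordered) if ordered else 0.0) * 1000,
        "p95_ms": (ordered[int(0.95 * (n - 1))] if ordered else 0.0) * 1000,
        "max_ms": (ordered[-1] if ordered else 0.0) * 1000,
    }


def ramp_to_threshold(server, users, transactions_per_user, step,
                      max_concurrency, error_budget=0.01):
    """Raise concurrency in `step`s until the error rate exceeds the budget;
    return the last concurrency level that stayed within it (0 if none did)."""
    last_good = 0
    for concurrency in range(step, max_concurrency + 1, step):
        stats = run_load(server, users, transactions_per_user, concurrency)
        if stats["error_rate"] > error_budget:
            break
        last_good = concurrency
    return last_good


if __name__ == "__main__":
    srv = FakeMailServer(max_in_flight=16)
    print(run_load(srv, users=100, transactions_per_user=10, concurrency=8))
    print("threshold:", ramp_to_threshold(srv, 100, 10, step=8, max_concurrency=64))
```

The percentiles matter more than the average: a p95 that drifts past the benchmark while the mean looks fine is exactly the kind of result the text says performance testing exists to catch, and the ramp gives the "upper limit" figure the load-testing goal asks for.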
Under stress testing, various activities are carried out to overload the existing resources with excess jobs in an attempt to break the system.
Negative testing, which includes removing components from the system, is also done as part of stress testing. Also known as fatigue testing, stress testing should capture the stability of the application by testing it beyond its bandwidth capacity.
The purpose of stress testing is to ascertain how the system fails and to monitor how gracefully it recovers. The challenge is to set up a controlled environment before launching the test so that you can precisely and repeatably capture the behaviour of the system under the most unpredictable scenarios.
Stress Testing Goal:
The goal of stress testing is to analyse post-crash reports to define the behaviour of the application after failure. The biggest concern is to ensure that the system does not compromise the security of sensitive data after a failure: it should fail closed rather than open, and must not leak data through error pages, crash dumps or half-written records. In successful stress testing, the system returns to normal, along with all its components, after even the most severe breakdown.
Example:
As an example, a word processor like Writer 1.1.0 by OpenOffice.org is used to create letters, presentations, spreadsheets, etc. The purpose of our stress test is to load it with an excess of characters.
To do this, we repeatedly paste a line of data until it reaches its threshold for handling a large volume of text. As soon as the character count reaches 65,535 characters, it simply refuses to accept more data. The result of the stress test on Writer 1.1.0 is that it does not crash under the stress and handles the situation gracefully, which confirms that the application works correctly even under rigorous stress conditions.
Further reading – Web Application Load, Stress and Performance Testing Using WAPT.
Have queries on software testing? Just post your questions in the comment section below.
We've reached 10,000 Facebook fans! I'm so excited about reaching this milestone and thankful to all of you, because you are the ones who helped us get here.
To celebrate this achievement I'm giving away a software testing book and one of the best books of the year (see details below). This giveaway will be open for a week starting today, 20th Nov 2011.
Check out what we are giving away:
1) QuickTest Professional Unplugged: 2nd Edition
2) Steve Jobs: The Exclusive Biography
One simple rule to be a lucky winner!
Just add SoftwareTestingHelp.com to your Google+ circle. Similar to the Facebook fan page, Google has now rolled out Google+ pages, and I have created a brand new Google+ page for SoftwareTestingHelp where you will quickly get the latest software testing updates and resources to download.
Click the Google+ badge below to add us to your circle!
(Click on the badge, sign in to Gmail and click the ‘Add to circle’ button at the top right.)
Two lucky winners will be chosen at random from those who add us to their Google+ circle. I'll announce the winners on Monday, Nov 28th on our Facebook fan page, our Google+ page and on this blog post. Prizes will be shipped to the winners' addresses.
Thank you once again for all of your support. Good luck!
Update:
Winners are declared on our Google+ page:
Software Testing Help on Google+
Thank you to all those who added us to their Google+ circle. If you have not added us yet, do it right away to get regular updates on testing articles, free ebooks and many more testing tips!
This is a guest post by Meenal Balajiwale.
“If QA (Quality Assurance) is done, then why do we need to perform QC (Quality Control)?” This thought may come to mind sometimes and it looks like a valid point too. That is, if we have followed all the pre-defined processes, policies and standards correctly and completely, why do we need to perform a round of QC?
In my opinion QC is required after QA is done. In QA we define the processes, policies and strategies, establish standards, develop checklists, etc., to be used and followed throughout the life cycle of a project. In QC we follow all those defined processes, standards and policies to make sure that the project has been developed with high quality and at least meets the customer's expectations.
QA does not assure quality; rather, it creates the processes and ensures they are being followed in order to assure quality. QC does not control quality; rather, it measures quality. QC measurement results can be used to correct or modify the QA processes, which can then be applied successfully to new projects as well.
Quality control activities are focused on the deliverable itself. Quality assurance activities are focused on the processes used to create the deliverable. QA and QC are both powerful techniques that can be used to ensure that deliverables meet the customer's high quality expectations.
E.g., we have to use an issue tracking system to log the bugs found while testing a web application. QA would include defining the standard for adding a bug and what details it should contain, like a summary of the issue, where it was observed, steps to reproduce, screenshots, etc. This is the process for creating the deliverable ‘bug report’. When a bug is actually added to the issue tracking system based on these standards, that bug report is our deliverable.
Now, suppose at a later stage of the project we realize that adding a ‘probable root cause’ to the bug, based on the tester's analysis, would give the dev team more insight. We would then update our pre-defined process, and finally it would be reflected in our bug reports as well. This is how QC gives input to QA to further improve it.
Following is a real-life example scenario for QA / QC:
QA Example:
Suppose our team has to work with a completely new technology for an upcoming project, and the team members are new to that technology. We therefore need to create a plan for training the team members in the new technology. Based on our knowledge we need to collect prerequisites like understanding documents, the design of the product along with its documents, etc., and share them with the team; these will be helpful while working with the new technology and will also be useful for any newcomer to the team. This is QA.
QC Example:
Once the training is done, how can we make sure that it was successful for all the team members? For this purpose we will have to collect statistics, e.g. the marks the trainees got in each subject and the minimum marks expected after completing the training. We can also make sure that everybody attended the full training by verifying the attendance record. If the candidates' marks meet the expectations of the trainer/evaluators, we can say that the training was successful; otherwise we will have to improve our process in order to deliver high-quality training. This is QC.
Hope this explains the difference between QA and QC.
****************
About Author: Meenal is a Team Lead specializing in the overall QA process for functional, data, performance and security testing on various projects. She has also worked with the Waterfall and Agile models.
I would like all of you to please join this discussion and add more valuable points to it. Thanks.
Need for Security Testing?
The software industry has achieved solid recognition in this age. In the recent decade, however, the cyber world has become an even more dominant driving force, shaping new forms of almost every business. The web-based ERP systems used today are the best evidence that IT has revolutionized our global village.
These days, websites are not meant only for publicity or marketing; they have evolved into stronger tools that cater to complete business needs. Web-based payroll systems, shopping malls, banking and stock trading applications are not only used by organizations but are also sold as products today.
This means that online applications have gained the trust of customers and users regarding their vital feature: SECURITY. No doubt, security is of primary value for desktop applications too. However, when we talk about the web, the importance of security increases exponentially. If an online system cannot protect transaction data, no one will ever think of using it. Security is neither a word still in search of a definition, nor a subtle concept. However, I would like to list some examples of its absence (the complements of security):
1) A student management system is insecure if the ‘Admission’ branch can edit the data of the ‘Exam’ branch
2) An ERP system is not secure if a DEO (data entry operator) can generate ‘Reports’
3) An online shopping mall has no security if customers' credit card details are not encrypted
4) Custom software has inadequate security if an SQL query can retrieve the actual passwords of its users
Security Testing Definition:
Now, I present the simplest definition of security in my own words: “Security means that authorized access to protected data is granted and unauthorized access is restricted.” So it has two major aspects: the first is protection of data and the second is access to that data. Moreover, whether the application is desktop or web based, security revolves around these two aspects. Let us have an overview of the security aspects for both desktop and web-based software applications.
Desktop and Web Security Testing:
A desktop application should be secure not only regarding its access but also with respect to organization and storage of its data. Similarly, a web application demands even more security with respect to its access, along with data protection. Web developer should make the application immune to SQL Injections, Brute Force Attacks and XSS (cross site scripting). Similarly, if the web application facilitates remote access points then these must be secure too. Moreover, keep in mind that Brute Force Attack is not only related to web applications, desktop software is also vulnerable to this.
I hope this foreword is enough and now let me come to the point. Kindly accept my apology if you so far thought that you are reading about the subject of this article. Though I have briefly explained software Security and its major concerns, but my topic is ‘Security Testing’. In order to know further details of security aspects, kindly refer to – Web application security testing article.
I will now explain how the features of security are implemented in a software application and how these should be tested. My focus will be on the Whats and Hows of security testing, not of security.
Whether it is a desktop application or a website, access security is implemented by ‘Roles and Rights Management’. It is often done implicitly while covering functionality, e.g. in a Hospital Management System a receptionist is least concerned with laboratory tests, as his job is just to register patients and schedule their appointments with doctors. So all the menus, forms and screens related to lab tests will not be available to the role ‘Receptionist’. Hence, proper implementation of roles and rights guarantees the security of access.
How to Test: To test this, thorough testing of all roles and rights should be performed. The tester should create several user accounts with different as well as multiple roles. Then he should use the application with these accounts and verify that every role has access to its own modules, screens, forms and menus only. If the tester finds any conflict, he should log a security issue with complete confidence.
There are a further three aspects of data security. The first is that a user can view or use only the data which he is supposed to use. This is also ensured by roles and rights, e.g. a TSR (telesales representative) of a company can view the data of available stock, but cannot see how much raw material was purchased for production.
So, testing of this aspect has already been explained above. The second aspect of data protection is related to how the data is stored in the DB. All sensitive data must be encrypted to make it secure. Encryption should be strong, especially for sensitive data like passwords of user accounts, credit card numbers or other business critical information. The third and last aspect is an extension of the second. Proper security measures must be adopted when sensitive or business critical data is in flow: whether this data moves between different modules of the same application or is transmitted to different applications, it must be encrypted to keep it safe.
How to Test Data Protection: The tester should query the database for ‘passwords’ of user accounts, billing information of clients and other business critical and sensitive data, and verify that all such data is saved in encrypted form in the DB. Similarly, (s)he must verify that data is transmitted between different forms or screens only after proper encryption. Moreover, the tester should ensure that the encrypted data is properly decrypted at the destination. Special attention should be paid to the different ‘submit’ actions. The tester must verify that when information is transmitted between client and server, it is not displayed in the address bar of the web browser in an understandable format. If any of these verifications fails, the application definitely has a security flaw.
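As an added example (not code from the original article), here is the tester's database check from above run against a constructed SQLite users table: it flags every account whose stored password is still the plaintext the tester registered with, or is not in the expected protected format. It assumes passwords are stored as salted PBKDF2 hashes (a login only needs to verify a password, never to read it back), and the account names and values are constructed.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed test accounts: the credentials the tester used when creating
# the accounts, so plaintext storage can be recognized directly.
TEST_ACCOUNTS = {"alice": "S3cret-pass", "bob": "Winter2024!"}
ITERATIONS = 200_000
# Expected stored form: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
RECORD_FORMAT = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]{32})\$([0-9a-f]{64})$")

def protect_password(password: str) -> str:
    """Produce the salted PBKDF2-SHA256 record that should be stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, password: str) -> bool:
    """Destination-side check: recompute from the stored salt and compare."""
    m = RECORD_FORMAT.match(stored)
    if not m:
        return False
    iters, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), m.group(3)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(digest.hex(), expected)

def build_sample_db() -> sqlite3.Connection:
    """Constructed users table: alice stored correctly, bob stored in
    plaintext (the defect the tester's query is meant to catch)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", protect_password(TEST_ACCOUNTS["alice"])))
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", TEST_ACCOUNTS["bob"]))
    conn.commit()
    return conn

def find_unprotected_passwords(conn, known_credentials) -> list[str]:
    """The tester's query: flag accounts whose stored value equals the
    plaintext they were created with, or is not in the protected format."""
    findings = []
    for username, stored in conn.execute("SELECT username, password FROM users"):
        if stored == known_credentials.get(username) or not RECORD_FORMAT.match(stored):
            findings.append(username)
    return findings

if __name__ == "__main__":
    db = build_sample_db()
    print("accounts with unprotected passwords:",
          find_unprotected_passwords(db, TEST_ACCOUNTS))
```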
A brute force attack is mostly carried out with software tools. The concept is that, using a valid user ID, the software attempts to guess the associated password by trying to log in again and again. A simple example of security against such an attack is account suspension for a short period of time, as mail services like ‘Yahoo’ and ‘Hotmail’ do: if a specific number of consecutive login attempts (mostly 3) fail, the account is blocked for some time (30 minutes to 24 hours).
How to Test Brute-Force Attack: The tester must verify that some mechanism of account suspension is available and working accurately. (S)He must attempt to log in with invalid user IDs and passwords alternately to make sure that the application blocks accounts that continuously attempt to log in with invalid information. If the application does so, it is secure against brute-force attack. Otherwise, this security vulnerability must be reported by the tester.
The above three security aspects should be taken into account for both web and desktop applications, while the following points relate to web based applications only.
Conceptually speaking, the theme of both these hacking attempts, SQL injection and XSS, is similar, so they are discussed together. In this approach, a malicious script is used by the attacker to manipulate a website. There are several ways to become immune to such attempts. For all input fields of the website, field lengths should be defined small enough to restrict input of any script, e.g. Last Name should have a field length of 30 instead of 255. There may be some input fields where large data input is necessary; for such fields, proper validation of the input should be performed before saving the data in the application. Moreover, in such fields any HTML tag or script tag input must be prohibited. To prevent XSS attacks, the application should discard script redirects from unknown or untrusted applications.
How to Test SQL Injection and XSS: The tester must ensure that maximum lengths of all input fields are defined and implemented. (S)He should also ensure that the defined length of an input field does not accommodate any script input or tag input. Both of these can be easily tested, e.g. if 20 is the maximum length specified for the ‘Name’ field, the input string “thequickbrownfoxjumpsoverthelazydog” can verify both constraints. The tester should also verify that the application does not support anonymous access methods. In case any of these vulnerabilities exists, the application is in danger.
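As an added example (not from the article), the input-field checks described above, length limit and tag rejection, applied to the page's 35-character test string, together with one step the text does not show: the validated value is then written with a parameterized query, so that a quote in a name is stored as data and never becomes part of the SQL statement. Field names, limits and the customers table are constructed for the example.

```python
import re
import sqlite3

# Field length limits, hypothetical, with the two figures the text uses:
# ‘Name’ limited to 20 and ‘Last Name’ limited to 30 instead of 255.
FIELD_LIMITS = {"first_name": 20, "last_name": 30}
# Anything that looks like an opening or closing HTML/script tag.
TAG_PATTERN = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)

def validate_field(name: str, value: str) -> list[str]:
    """Return the violations for one input value; an empty list means accepted."""
    problems = []
    limit = FIELD_LIMITS[name]
    if len(value) > limit:
        problems.append(f"{name}: {len(value)} chars exceeds limit {limit}")
    if TAG_PATTERN.search(value):
        problems.append(f"{name}: HTML/script tag not allowed")
    return problems

def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (first_name TEXT, last_name TEXT)")
    return conn

def insert_customer(conn, first_name: str, last_name: str) -> list[str]:
    """Validate first; then insert with bound parameters (the '?' placeholders),
    so the values are passed to the engine separately from the statement text."""
    problems = (validate_field("first_name", first_name)
                + validate_field("last_name", last_name))
    if problems:
        return problems
    conn.execute("INSERT INTO customers VALUES (?, ?)", (first_name, last_name))
    conn.commit()
    return []

def count_customers(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]

def last_name_of(conn, first_name: str):
    row = conn.execute("SELECT last_name FROM customers WHERE first_name = ?",
                       (first_name,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    print(insert_customer(db, "thequickbrownfoxjumpsoverthelazydog", "Doe"))
    print(insert_customer(db, "Conan", "O'Brien"), last_name_of(db, "Conan"))
```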
Today, businesses depend on and collaborate with each other, and the same holds for applications, especially websites. In such a case, both collaborators should define and publish some access points for each other. So far the scenario seems quite simple and straightforward, but for some web based products like stock trading, things are not so simple and easy. When there is a large target audience, the access points should be open enough to facilitate all users, accommodating enough to fulfill all users’ requests and secure enough to cope with any security trial.
How to Test Service Access Points: Let me explain it with the example of a stock trading web application. An investor (who wants to purchase shares) should have access to current and historical data of stock prices, and the user should be given the facility to download this historical data. This demands that the application be open enough. By accommodating and secure, I mean that the application should allow investors to trade freely (under the legislative regulations). They may purchase or sell 24/7, and the data of transactions must be immune to any hacking attack. Moreover, a large number of users will be interacting with the application simultaneously, so the application should provide enough access points to entertain all the users.
In some cases these access points can be sealed against unwanted applications or people. This depends upon the business domain of the application and its users, e.g. a custom web based Office Management System may recognize its users on the basis of IP addresses and deny connections from all other systems (applications) that do not lie in the range of valid IPs for that application.
The tester must ensure that all inter-network and intra-network access to the application is from trusted applications, machines (IPs) and users. To verify that an open access point is secure enough, the tester must try to access it from different machines having both trusted and untrusted IP addresses. Different sorts of real-time transactions should be tried in bulk to gain good confidence in the application’s performance. By doing so, the capacity of the application’s access points will also be observed clearly.
The tester must ensure that the application entertains communication requests from trusted IPs and applications only, while all other requests are rejected. Similarly, if the application has some open access point, then the tester should ensure that it allows (if required) uploading of data by users in a secure way. By secure way I mean a file size limit, file type restriction and scanning of uploaded files for viruses or other security threats. This is how a tester can verify the security of an application with respect to its access points.
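An added example, not the article's code, of the two gates described in this section: a connection is accepted only from the trusted IP ranges, and an upload is accepted only within the size limit and with a permitted type, where the type is checked by the file's leading bytes and not by its extension alone. The trusted ranges, permitted types and limits are constructed; the virus scan mentioned in the text would be a further step calling a scanner and is not shown.

```python
import ipaddress

# Constructed allowlist (hypothetical): the ranges this deployment trusts.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]
MAX_UPLOAD_BYTES = 5 * 1024 * 1024   # constructed size limit: 5 MiB
# Permitted upload types: declared MIME type -> (expected extension, magic bytes).
ALLOWED_TYPES = {
    "application/pdf": (".pdf", b"%PDF-"),
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
}

def is_trusted_client(addr: str) -> bool:
    """Accept the connection only if the client address lies in a trusted range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False              # malformed address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)

def check_upload(filename: str, content: bytes, declared_type: str) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accepted."""
    problems = []
    if len(content) > MAX_UPLOAD_BYTES:
        problems.append("file exceeds size limit")
    rule = ALLOWED_TYPES.get(declared_type)
    if rule is None:
        problems.append(f"type {declared_type} not permitted")
        return problems
    extension, magic = rule
    if not filename.lower().endswith(extension):
        problems.append("extension does not match declared type")
    if not content.startswith(magic):
        problems.append("content does not match declared type")
    return problems

def handle_upload_request(client_addr: str, filename: str, content: bytes,
                          declared_type: str) -> dict:
    """Apply the source-address gate first, then the upload checks."""
    if not is_trusted_client(client_addr):
        return {"status": 403, "reason": "untrusted source address"}
    problems = check_upload(filename, content, declared_type)
    if problems:
        return {"status": 400, "reason": "; ".join(problems)}
    return {"status": 200, "reason": "accepted"}

if __name__ == "__main__":
    print(handle_upload_request("192.0.2.10", "report.pdf", b"%PDF-1.7 constructed", "application/pdf"))
    print(handle_upload_request("203.0.113.9", "report.pdf", b"%PDF-1.7 constructed", "application/pdf"))
```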
If you enjoyed reading this article, please share it with your friends. Please leave your questions, tips and suggestions in the comment section below and I’ll try to answer as many as I can.
Application Testing – Into the Basics of Software Testing!
- Application Testing
- Categories of Applications
- Application Testing Methodologies
- Application Testing Tools
- Software Test Plan
- Application Testing Cycles
- Application Testing – Best Practices
Application Testing is an activity that every software tester performs daily in his career. In practice, these two words cover an extremely broad area. However, only the core and most important areas will be discussed here. The purpose of this article is to touch on all the primary areas so that readers get all the basic briefing in a single place.
Categories of Applications
Whether it is small calculator software with only the basic arithmetic operations or an online enterprise solution, there are two categories of applications.
a. Desktop
b. Web
For desktop applications, testing should take into account the UI, business logic, database, reports, roles and rights, integrity, usability and data flow. For web applications, along with all these major areas, testers should give sufficient importance to the performance, load and security of the application. So the AUT (application under test) is either desktop software or a website.

Application Testing Methodologies
This is a well-known and well discussed aspect; there are only 3 universally accepted methodologies:
a. Black Box: In black-box testing, the AUT is validated against its requirements by considering the inputs and expected outputs, regardless of how the inputs are transformed into outputs. Testers are least concerned with the internal structure or code that implements the business logic of the application. There are four primary techniques to design test cases for black box testing:
i. BVA (Boundary value Analysis)
ii. EP (Equivalence Partitioning)
iii. Decision Tables
iv. State Transition Tables (and diagrams)
b. White Box: The primary focus of this methodology is to validate how the business logic of the application is implemented by the code. The internal structure of the application is tested, and the techniques available to do so are:
i. Code Coverage
ii. Path Coverage
Both of the above techniques contain several other strategies that may be discussed in another article. Some techniques are discussed in the ‘Test Case Design Techniques’ topic.
c. Grey Box: Practically speaking, this is a mixture of black box and white box. In this methodology, the tester mainly tests the application as in black box; but for some business critical or vulnerable modules of the application, testing is done as white box.
Application Testing Tools
To the best of my knowledge, there are at least 50 testing tools available in the market today. These include both paid and open source tools. Moreover, some tools are purpose specific, e.g. UI testing, functional testing, DB testing, load testing, performance testing, security testing and link validation testing. However, some tools are strong and provide the facility of testing several major aspects of an application. The general concept of ‘Application Testing’ is its functional testing, so our focus will be on functional testing tools.
Here is the list of the most important and fundamental features that are provided by almost all ‘Functional Testing’ tools.
a. Record and Play
b. Parametrize the Values
c. Script Editor
d. Run (the test or script, with debug and update modes)
e. Report of Run session
Different vendors provide specific features that make their product unique among competing products. But the five features listed above are the most common and can be found in almost all functional testing tools.
Following is a list of a few widely used Functional Testing tools.
1) HP QTP (Quick Test Professional)
2) Selenium
3) IBM Rational Robot
4) Test Complete
5) Push to Test
6) Telerik
Software Test Plan (STP)
For any activity, some planning is always required, and the same is true for software testing. Without a proper plan there is always a high risk of getting distracted during the testing. If this risk becomes a fact, the results could be horrible.
Following are the 5 main parts of a good Test Plan:
a. Scope
i. Overview of AUT
ii. Features (or areas) to be tested
iii. Exclusions (features or areas not to be tested) with reason
iv. Dependencies (of testing activities on each other, if any)
b. Objectives: This section describes the goals of the testing activity, e.g. validation of bug fixes, new features added or a revamp of the AUT.
c. Focus: This section describes which aspects of the application will be included in the testing, e.g. security, functionality, usability, reliability, performance or efficiency.
d. Approach: This section describes which testing methodology will be adopted for which areas of the AUT. For example, in the STP of an ERP application, the approach section may state that black box testing will be the approach for payroll, while for reports the approach will be grey box testing.
e. Schedule: This section describes who will be doing what and where on the AUT, when and how. The schedule section is, in fact, the ‘4Ws and H’ of the STP. Normally it is a simple table, but every organization may have its own customized format according to its own needs. Once the test plan is ready and the application is under development, testers design and document the test cases. In the “Application Testing Methodologies” section above, I have listed the TC design techniques.
Application Testing Cycles
Once the AUT is ready for testing, the practical phase of the testing cycle starts, in which testers actually execute the test cases on the AUT. Keep in mind that here the testing cycle is discussed regardless of testing levels (Unit, Module, Integration, System and User Acceptance) and testing environments (Dev, QA, Client’s Replica, Live).
a. Smoke Testing: The very first testing cycle, wide and shallow in approach. The purpose of smoke testing is to verify that there are no crashes in the application and that it is suitable for further testing.
b. Sanity Testing: The second testing cycle, narrow and deep in its approach. Its purpose is to verify that a specific module is working properly and is suitable for complete testing.
Tip: Usually there is not ample time available to run these two cycles separately, so in practice a mixture of both is adopted.
c. Functional Testing: The proper and full-fledged testing of the application is performed in this cycle. The primary focus of this activity is to verify the business logic of the application.
d. Regression Testing: This is the final cycle of testing, in which the bug fixes and/or updates are verified. Moreover, regression testing also ensures that there is no malfunctioning in other areas of the AUT due to the fixes and changes.
Bugs are logged in every testing cycle. There is no distinct border line between the testing cycles; for example, in regression the functionality is also verified, and it may also require smoke, sanity or their merger first.
Application Testing – Best Practices
I think hundreds of articles are available about this on the internet. Every article suggests a different number of best practices, ranging from 7 to 30 (that I have seen so far). However, I have just 5 tips for readers.
- Plan Properly
- Test Keenly
- Log the bugs Clearly
- Do Regression Test Efficiently
- Improve above four skills Continuously
Conclusion: Application Testing is a vast subject and the primary activity of any software tester. In this article, I have provided an overview of the most fundamental and necessary areas that fall under this topic. Application Testing involves strategies, phenomena, approaches, tools, technologies and guidelines. However, I have addressed the conceptual and practical insight into its salient concerns.
http://softwaretestingpro.blogspot.com