EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Size: px

Start display at page:

Download "EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)"

Avice Holland
6 years ago
Views:

1 EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA)

2 Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial Graphical User Interface Stress Testing Security Vulnerability Testing 2

3 Installation EPRI Requirements: Run a Virus Scan Verify Documentation Network installation instructions if necessary. Documentation required for Application like Web Applications & Spreadsheets. 3

4 Installation Installation Settings Typical v. Custom Install Directories Shortcuts Confirm successful installation & un-installation of Applications. Software Encryption Input serial numbers or security keys if necessary Test invalid inputs for validation 4

Software Documentation EPRI Requirements: http://swdev.epri.com/req-doc.asp Check if the EPRI Software Manual Template was used.

5 Software Documentation EPRI Requirements: Check if the EPRI Software Manual Template was used. Check headers and footer Check for system requirements: Hardware and Software specifications Permissions such as Administrator rights Check application feature descriptions Check spelling and grammar 5

Test Cases EPRI Requirements: http://swdev.epri.com/req-testcase.asp Reminder: One tutorial is required or at least three solved example problems.

6 Test Cases EPRI Requirements: Reminder: One tutorial is required or at least three solved example problems. Execute & confirm all tutorials for correct inputs and outputs. Verify that the calculations, graphs, and screenshots match the documentation. Note: If any inputs or results do not match, the software can not be approved to send to customers. 6

Graphical User Interface EPRI Requirements: http://swdev.epri.com/req-gui.

7 Graphical User Interface EPRI Requirements: Check for the Preproduction Splash Screen (if preproduction stage) Windows fit in the main application screen and nothing is cut-off if windows are resized Make sure all information is accessible Internationalization Check compatibility SI Units Change appearance settings Tab order and hot-keys (alt-keys) Check embedded Help feature, including buttons to open the Help feature 7

8 Stress Testing Range checking Boundaries of numeric inputs Input type Numerical Alphabetical Special Characters Follow the solved example problems, but then skip a step or do them in a different sequence 8

9 Stress Testing Check print feature Try different login combinations Check error messages for clarity. Error messages should appear when the error occurs. Check for spelling within the application 9

10 Stress Testing For databases: Ensure all connections through the application are valid when accessing data Ensure single quotes and double quotes are tested to verify they do not corrupt the database Add duplicate records Delete all records to make sure it does not crash the application Modify data files to make sure the application gives a correct error message 10

Office applications if applicable (such as copy and paste features) Test

11 Stress Testing With administrative feature Verify Admin privilege and how it differs from a regular user Check for compatibility with Microsoft Office applications if applicable (such as copy and paste features) Test functionalities of buttons Check save feature Without administrative feature 11

12 Stress Testing Check open file feature correct file extensions, choosing incorrect file type brings up error message, etc.) The International Standard date notation DD-MM-YYYY United States Standard If there are graphs, check graph features and settings Check options/settings not covered in the sample problems. Check to make sure international units are converted correctly date notation MM-DD-YYYY 12

13 Stress Testing Maximize, minimize, and resize windows to make sure the application responds correctly. Check keyboard shortcuts Check all menu items, including the pop-up menus that come up when the user right-mouse clicks an item If there are hardware/software keys, check to see if the application responds when executed with the key(s), then without the key(s) X C V 13

Security Vulnerability Testing OWASP Top Ten Web Application Vulnerabilities

php/owasp_top_ten_project 1: Injection 2: Cross-Site Scripting (XSS) 3: Broken

Cross-Site Request Forgery (CSRF) 6: Security Misconfiguration 7: Insecure

14 Security Vulnerability Testing OWASP Top Ten Web Application Vulnerabilities 1: Injection 2: Cross-Site Scripting (XSS) 3: Broken Authentication and Session Management 4: Insecure Direct Object References 5: Cross-Site Request Forgery (CSRF) 6: Security Misconfiguration 7: Insecure Cryptographic Storage 8: Failure to Restrict URL Access 9: Insufficient Transport Layer Protection 10: Unvalidated Redirects and Forwards 14

15 Security Vulnerability Testing Two vulnerabilities SQA will test for: Structured Query Language (SQL) Injection Cross-Site Scripting The developer is expected to address security vulnerabilities when developing an application 15

16 Security Vulnerability Testing SQL Injection Injection of a SQL Query through input data, such as a querystring or form Examples: In the querystring, enter a SQL Statement, such as " ; Delete from users -- ", into a querystring variable Enter in " ' OR 1=1 " into a form field or querystring variable See the following for more information and testing examples: 16

17 Security Vulnerability Testing Cross-Site Scripting - Harmful scripts are entered into web sites via querystring or form field Example: Enter in "<script type="text/javascript"> alert( hello ); </script>" into a form field to check whether the form field is validated Allows the user to execute scripts that are harmful See the following for more information: 17

18 Security Vulnerability Testing Testing tools: OWASP s Web Scarab (Manual) OWASP s Zed Attack Proxy (Automated) Nexpose (Automated) Rapid 7 (Automated) Reference: Open Web Application Security Project (OWASP) 18

19 What SQA Does Not Do SQA software usability testing does not do: V&V (Verification and Validation) testing Test or validate real world data (this should be done by beta testers) Exhaustive testing or white box (source code) testing SQA usability testing will not find all errors and is not intended to All errors are expected to be found by developers 19

20 Together Shaping the Future of Electricity

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew