Thursday, January 6, 2011
Monday, January 3, 2011
Auditing Software Testing Process
Introduction:
To ensure transparency and reliability of the IT systems it may be necessary to audit the Software Development Processes including the most important aspect – Software Testing Process.
Auditing is an important activity in organizations. In the context of testing it helps us ensure that the Testing processes are followed as defined.
Types of Testing Process Audits
There can be various reasons to conduct Audits. The Audits may serve aim to achieve certain definite goals. Based on that we can classify them as follows:
Audit to verify compliance: In this type of auditing the prime motivation is to judge if the process complies with a standards. In these scenarios, the actual testing process is compared with the documented process. For example ISO Standards require us to define our Software testing process. The audit will try to verify if we actually conducted the testing as documented
Audit for process improvement/problem solving:
In this type of audit the motivation is to audit and trace the various steps in the process and try to weed out process problems. For instance it is observed that too many software defects escaped detection even though the testing process was apparently followed. So the audit is done as a preliminary step to collect facts and analyze them.
Audit for Root Cause Analysis
In this type of audit the motivation is to audit the testing process is to find a Root Cause of a specific problem. For example the customers discovered a huge problem with the software. So we retrace our testing steps to find out what went wrong in this specific case.
Internal Audits
Typically the internal audits are initiated from within the organizations
External Audits
External Audits are done by and initiated by external agencies
Why Audit Software Testing Process?
Auditing Test Process helps the management understand if the process is being followed as specified. Typically Testing audit may be done for one or more of the following factors:
• To ensure continued reliability and integrity of the process
• To verify compliance of standards (ISO, CMM, etc)
• To solve process related problems
• To find the root cause of a specific problem
• To detect or prevent Fraud
• To improve the Testing process
Auditing of the Testing process may also be done if the Software Product is a mission critical one such as used for Medical Life Support Systems
This is done to prevent any loop holes or bugs in the system
How to Audit
Typically the Audit of the Testing Process will include the following steps:
• reviewing the Testing process as documented in the Quality Manual
This helps the auditor understand the process as defined.
• Reviewing the deliverable documents at each step
• Document reviewed include
............... Test Strategy
............... Test Plans
............... Test Cases
............... Test Logs
............... Defects Tracked
............... Test Coverage Matrix
............... any other relevant records
Each of the above document provides a certain level of traceability that the process was followed and the necessary steps were taken
• Interviewing the Project Team at various levels – PM, Coordinator, Tester
Interviewing the Project Team members gives an understanding of the thought process prevalent in those conducting the Testing Process.
This can provide valuable insights over an above what was actually documented
ISACA – ww.isaca.org provides guidelines and standards for Auditing Information Systems & Software Development Lifecycle
CISA stands for Certified Information Systems Auditor
Similarly independent agencies may verify the Test Processes and SDLC for ensuring compliance with FDA ( Food and Drug Administration)
What can be audited?
Whether the test process deliverables exist as specified
The only thing that can be really verified in an audit is that the process deliverables exist. The process deliverables are taken as a proof that the necessary steps were taken to do the testing. For example if Test Logs exist, we assume that testing was done and the Test Logs were created as a result of actual tests executed.
A separate exercise may be initiated to verify the authenticity of the Test Logs or other test deliverables
Whether test cases created covered all requirements/use cases
This analysis reveals if the test coverage was sufficient. It indicates that whether the testing team did the best to provide adequate amount of testing
Whether all Defects were fixed
The Status of all the Defects logged is checked to verify if all were fixed and verified
Whether there are any known bugs in the software released
Sometimes all the defects may not be fixed, the software may be released with known problems. Test Logs would indicate the actual results and evidence of any bugs being present.
Whether the levels of testing was effective enough
If Defects pass thru the various levels of testing undetected, it may reflect poorly on the effectiveness of the testing process
* What were the number of defects (Defect Leaks) that went by undetected in each phase
* Number of iterations of testing in each level
* Time taken to test each module/component
* This data may be used for process improvement
* Versions of source code actually tested
The Test Logs and Defect Logs may indicate (if the information was captured) the actual versions of code/components tested. This information may be valuable in root cause analysis.
Summary
In this article we reviewed the process of auditing the Software Testing Process and some of the reasons why auditing is done
To ensure transparency and reliability of the IT systems it may be necessary to audit the Software Development Processes including the most important aspect – Software Testing Process.
Auditing is an important activity in organizations. In the context of testing it helps us ensure that the Testing processes are followed as defined.
Types of Testing Process Audits
There can be various reasons to conduct Audits. The Audits may serve aim to achieve certain definite goals. Based on that we can classify them as follows:
Audit to verify compliance: In this type of auditing the prime motivation is to judge if the process complies with a standards. In these scenarios, the actual testing process is compared with the documented process. For example ISO Standards require us to define our Software testing process. The audit will try to verify if we actually conducted the testing as documented
Audit for process improvement/problem solving:
In this type of audit the motivation is to audit and trace the various steps in the process and try to weed out process problems. For instance it is observed that too many software defects escaped detection even though the testing process was apparently followed. So the audit is done as a preliminary step to collect facts and analyze them.
Audit for Root Cause Analysis
In this type of audit the motivation is to audit the testing process is to find a Root Cause of a specific problem. For example the customers discovered a huge problem with the software. So we retrace our testing steps to find out what went wrong in this specific case.
Internal Audits
Typically the internal audits are initiated from within the organizations
External Audits
External Audits are done by and initiated by external agencies
Why Audit Software Testing Process?
Auditing Test Process helps the management understand if the process is being followed as specified. Typically Testing audit may be done for one or more of the following factors:
• To ensure continued reliability and integrity of the process
• To verify compliance of standards (ISO, CMM, etc)
• To solve process related problems
• To find the root cause of a specific problem
• To detect or prevent Fraud
• To improve the Testing process
Auditing of the Testing process may also be done if the Software Product is a mission critical one such as used for Medical Life Support Systems
This is done to prevent any loop holes or bugs in the system
How to Audit
Typically the Audit of the Testing Process will include the following steps:
• reviewing the Testing process as documented in the Quality Manual
This helps the auditor understand the process as defined.
• Reviewing the deliverable documents at each step
• Document reviewed include
............... Test Strategy
............... Test Plans
............... Test Cases
............... Test Logs
............... Defects Tracked
............... Test Coverage Matrix
............... any other relevant records
Each of the above document provides a certain level of traceability that the process was followed and the necessary steps were taken
• Interviewing the Project Team at various levels – PM, Coordinator, Tester
Interviewing the Project Team members gives an understanding of the thought process prevalent in those conducting the Testing Process.
This can provide valuable insights over an above what was actually documented
ISACA – ww.isaca.org provides guidelines and standards for Auditing Information Systems & Software Development Lifecycle
CISA stands for Certified Information Systems Auditor
Similarly independent agencies may verify the Test Processes and SDLC for ensuring compliance with FDA ( Food and Drug Administration)
What can be audited?
Whether the test process deliverables exist as specified
The only thing that can be really verified in an audit is that the process deliverables exist. The process deliverables are taken as a proof that the necessary steps were taken to do the testing. For example if Test Logs exist, we assume that testing was done and the Test Logs were created as a result of actual tests executed.
A separate exercise may be initiated to verify the authenticity of the Test Logs or other test deliverables
Whether test cases created covered all requirements/use cases
This analysis reveals if the test coverage was sufficient. It indicates that whether the testing team did the best to provide adequate amount of testing
Whether all Defects were fixed
The Status of all the Defects logged is checked to verify if all were fixed and verified
Whether there are any known bugs in the software released
Sometimes all the defects may not be fixed, the software may be released with known problems. Test Logs would indicate the actual results and evidence of any bugs being present.
Whether the levels of testing was effective enough
If Defects pass thru the various levels of testing undetected, it may reflect poorly on the effectiveness of the testing process
* What were the number of defects (Defect Leaks) that went by undetected in each phase
* Number of iterations of testing in each level
* Time taken to test each module/component
* This data may be used for process improvement
* Versions of source code actually tested
The Test Logs and Defect Logs may indicate (if the information was captured) the actual versions of code/components tested. This information may be valuable in root cause analysis.
Summary
In this article we reviewed the process of auditing the Software Testing Process and some of the reasons why auditing is done
Glass Box Testing
Software testing approaches that examine the program structure and derive test data from the program logic. Structural testing is sometimes referred to as clear-box testing since white boxes are considered opaque and do not really permit visibility into the code.
Synonyms:
1) White Box Testing
2) Structural Testing
3) Clear Box Testing
4) Open BoxTesting
Types of Glass Box Testing:
1) Static and Dynamic Analysis: static analysis techniques do not necessitate the execution of the software, dynamic analysis is what is generally considered as ``testing``, i.e. it involves running the system.
2) Statement Coverage: Testing performed where every statement is executed at least once.
3) Branch Coverage: Running a series of tests to ensure that all branches are tested at least once.
4) Path Coverage: Testing all paths.
5) All-Definition-use-path coverage: All paths between the definition of a variable and the use of that definition are now identified and tested.
Advantages:
1) Forces test developer to reason carefully about implementation
2) Approximates the partitioning done by execution equivalence
3) Reveals errors in "hidden" code
4) Beneficent side-effects
5) Optimizations
Disadvantages:
1) Expensive
2) Miss cases omitted in the code
Synonyms:
1) White Box Testing
2) Structural Testing
3) Clear Box Testing
4) Open BoxTesting
Types of Glass Box Testing:
1) Static and Dynamic Analysis: static analysis techniques do not necessitate the execution of the software, dynamic analysis is what is generally considered as ``testing``, i.e. it involves running the system.
2) Statement Coverage: Testing performed where every statement is executed at least once.
3) Branch Coverage: Running a series of tests to ensure that all branches are tested at least once.
4) Path Coverage: Testing all paths.
5) All-Definition-use-path coverage: All paths between the definition of a variable and the use of that definition are now identified and tested.
Advantages:
1) Forces test developer to reason carefully about implementation
2) Approximates the partitioning done by execution equivalence
3) Reveals errors in "hidden" code
4) Beneficent side-effects
5) Optimizations
Disadvantages:
1) Expensive
2) Miss cases omitted in the code
Subscribe to:
Posts (Atom)