QA Consultants Web Solution automatically generates tests to perform security penetration testing at the message layer. By testing the SOA with penetration attacks and analyzing the responses, security vulnerabilities can be discovered and fixed earlier in the software development cycle. The following penetration tests are currently supported: Parameter fuzzing, SQL injections, XPath injections, XML bombs, external entities, malformed XML, invalid XML, username harvesting, large XML.

SOA Security Policy Validation

QA Consultants Web Solution includes security support for testing Web services with security layers. At the transport level, we support SSL (both server and client authentication), basic, Digest and Kerberos authentication. At the message level, we support WS-Security including X509, SAML, Username security tokens, XML Encryption and XML Digital Signature. The solution allows for security token validation as well as negative tests that ensure proper enforcement of message integrity and authentication.

Web Interface Penetration Testing

QA Consultants Web Solution automatically generates tests to perform security penetration testing of Web interfaces. By simulating a hacker and “attacking” a Web site with malformed input data, we can uncover OWASP top ten issues such as SQL injection, cross site scripting, buffer overflow, command injection, unvalidated input, and more.

Additionally, we utilize a database of over 4,000 checks to find vulnerabilities related to outdated server applications, default installations, and so on. This helps secure and standardize HTML to enforce best practices related to login forms, comments, hidden fields, and other security-relevant HTML issues.

Language-Level Security Validation

QA Consultants pattern-based code analysis verifies that your organization’s security policy is implemented in your application code (JavaScript, VBScript/ASP, HTML, JSP, Java, .NET, and so on). It also identifies common security vulnerabilities. QA Consultants static analysis rule set is the most comprehensive in the industry, and is constantly being extended.

In addition, QA Consultants data flow static analysis detects injection vulnerabilities, XSS, exposure of sensitive data, and other vulnerabilities without test cases or application execution. Moreover, QA Consultants peer code review process automation facilitates the high-level code review that is often required for regulatory compliance (PCI DSS, etc.).

Web interface testing is difficult to automate. Too often teams abandon automated testing in favor of manual testing, due to too many false positives or too much effort required to maintain the test suites. SW Quality Assurance provides solutions that facilitates creation of automated test suites that are reliable and dependable. Its ability to isolate testing to specific elements of the Web application eliminates noise and provides accurate results.

SW Quality Assurance isolates and tests individual application components for correct functionality across multiple browsers without requiring scripts. Additionally, dynamic data can be stubbed out with constant data to reduce test case noise.

Validations can be performed at the page object level as well as the HTTP message level. We verify the client-side JavaScript engine under expected and unexpected conditions through asynchronous HTTP message stubbing. Test cases are flexible and can be easily reused and shared.

You can automatically create regression tests that ignore expected content changes for entire pages, or you can create specific regression tests on individual page elements, thus eliminating the noise of annoying false positives.

RIA/AJAX

AJAX and Rich Internet Applications deliver a richer user experience as well as bring a greater level of complexity to the architecture and development of Web applications. SW Quality Assurance delivers an automated framework to isolate and test the unique components of an AJAX/RIA application and then aggregates those components into a comprehensive test suite.

We validate the format and content of client/server messaging to ensure that the data is expected and correct. In addition, server messages are “frozen” and inserted in place of dynamic messages to validate that errors seen in the user interface elements are due to defects in the Ajax engine and not due to changes in dynamic application data.
Low-Noise, Script-less Tests

It can be challenging to create robust, noiseless regression tests for highly dynamic Web applications. In many testing environments, complex test creation means writing endless proprietary scripts and generating many false positives.

SW Quality Assurance eliminates the need for writing scripts, and instead provides a simple GUI interface to create tests. To provide additional flexibility, tests that are more suited to the control that scripting offers can be generated as JUnit tests and extended using the Java programming language.

You can automatically create regression tests that ignore expected content changes for entire pages, or you can create specific regression tests on individual page elements, thus eliminating the noise of annoying false positives.

End to End Testing

SW Quality Assurance offers the unique ability to create end-to-end test suites that cross application layers, SDLC phases, and testing methods:

• With a single test suite, you can continuously validate all critical aspects of complex transactions which may extend through web interfaces, backend services, ESBs, databases, and everything in between.
• “Unit tests” can be created as soon as a single “unit of work is completed, then this test suite can be incrementally enhanced to verify additional components as they are added, test the integration of components, and audit end-to-end business processes that span across composite applications.
• The same end-to-end test suites that are created for functional testing can also be leveraged for security as well as load testing— and all of these tests can easily be integrated into a robust regression testing suite.
• During test execution, you can visualize and trace the intra-process events triggered by tests, facilitating rapid diagnosis of problems directly from the test environment. You can also continuously validate whether critical events continue to satisfy functional expectations as the system evolves.

QA Consultants is now offering:

• Website testing and quality assurance
• Campaign quality assurance and testing
• Fixing hacked Joomla, Mamboo and Wordpress sites
• Web security consultation

For more inforamtion please contact us

CIT for .NET
Tuesday, January 23
11 a.m. PST/2 p.m. EST
Register now »

CIT for Java
Thursday, January 25
11 a.m. PST/2 p.m. EST
Register now »

• Testing that the correct data is being extracted from the source
• Testing the transformation logic
  Performing source to target validation
• Testing the error-handling logic
• Testing the data throughput rates
• The incremental testing is followed by integration testing – in which the separate jobs are scheduled together into an interdependent sequence and re-executed
• The analytics applications themselves must be tested against the data-warehouse to ensure delivery of the correct data
• In order for data warehouse QA project to succeed, the following has to be in place:
  A test team
• An independent test environment
• Support from Business Analysts, ETL developers, DBA and management
  While assessing the QA practices at a client as far they relate to data warehouse testing, these are the items which QA Consultants looks at.

QA Team Lead

• Is the DW QA team lead skilled enough to:
  Prepare project plan for testing efforts
  Evaluate staffing needs
• Provide size estimate for QA environment
  Has solid knowledge of data warehouse concepts and testing intricacies associated with business intelligence applications
  Strong enough and yet diplomatic to oppose pressure from development, business analyst and project management where quality sacrifices are required
• Strong enough technically to be able to address complex issues and to review work being done by the testers
• Able to review defects on the regular basis and perform root cause analysis
  Where and when necessary come up with processes and procedures and enforce them on the team
• Testing skills of DW QA team
  Do the team members understand basics of testing methodologies such as levels of testing – unit, system, regression, etc
  they purely black box testers, or can they also do white and grey box testing
  they have leadership strong enough to plan, size and distribute the work
• Is the test team leadership strong enough to oppose the pressures from development, business analysts and project management to “sweep things under the carpet”
• Is the test team in control of QA environment and code promotion
  the support of developers, business analysts, system administrator and DBA secured during the off-hours testing
• Can team members provide sizing for the test environment – data base and the file system

QA Environment

• Are the test carried in isolated test environment
• How closely does the environment replicate the actual production environment
• Does the QA team have control over the test environment, i.e. the code to be tested is pulled into QA environment rather then pushed by developers
• Is the test data properly backed up
• Are the snapshots taken at appropriate times to allow roll-back to a particular state
• Is the environment large enough to accommodate the data size for testing
• Can test environment easily be adopted for performance/stress/load testing

Project Environment

There may be issues at the project level that affect performance of the QA team, but be outside of QA team control

• Is QA involved in the process at an early stage
• Are business requirements, functional specifications and data model clearly defined and signed off by users, business analysts, developers and testers
• Is a change management process clearly defined, communicated and strictly adhered to especially with respect to signed off requirements
• Is a code freeze implemented when required and all subsequent code changes are either a result of defect fixes or approved change requests
• Is the promotion to production done from QA environment
  Potential Problems

QA Consultants –findings may point to existence of some of the following problems:

• Users are not sufficiently engaged
• Testing reports - not data
• Garbage in, garbage out
• Skipping the reconciliation of data warehouse data with source system data
• Relying only on  “made up” test data
• Underestimating the testing workload
• Failing to set proper expectations with business users
• Fast tracking” the testing phase.
• Underestimating the duration of the ETL process.
• Choosing the “wrong” testers.
• Skipping proper sign-offs

Objective

• Unit test is the test of individual units.
• The objective of the unit test is to ensure that each individual component works correctly in isolation according to any applicable requirements, as defined in the design documents.
• The following processes must be satisfied before Unit Testing can be executed efficiently.
• Developer has to check that following criteria are satisfied:
• Outstanding programming issues have been resolved
• All program code compiles cleanly and has been reviewed and documented appropriately
  Standards and procedures for unit test have been communicated to the team
  Individual development test environments must be set up

Conditions

It is the expectation that the developer will perform the following type of tests:

• Positive/Negative Tests
• Bug Fixes
• Responsible Team
• Development Team

• Determine the performance, stability and scalability of an application under various load conditions.
• Determine which configuration sizing provides the best performance level.
  Determine if the current architecture can support the application at peak user levels.
• Prove application is stable enough to go into production (Acceptance).
  Determine if the new version of the software adversely had an impact on response time.
• Determine at what point does degradation performance occur (Capacity Planning).
• Identify application and infrastructure bottlenecks.
• Evaluate product and/or hardware to determine if it can handle projected load volumes.

Conditions

• Passed assembly testing
• Responsible Team

• Overall system functionality, end-to-end business functionality works as expected

User interface

• Integration with external systems
• Security
• Technical architecture components
• Report failures to development team so defects can be identified and fixed

Conditions

• Passed assembly testing\
• Responsible Team
• Technical Team
• Test (Q/A)

QA Consultants recognizes the critical need for solid performance testing processes for development and deployment of mission critical applications.  Application availability / reliability, user experience, and business performance depend on applications operating effectively within a predicted service activity model.  QA Consultants has successfully implemented a performance test program on numerous client engagements and has developed a core competency in performance engineering.  While our typical implementation approach leverages the flexibility and power of Mercury’s LoadRunner product we do have resources skilled in all of the industry leading performance test platforms:  Empirix, IBM Rational, Segue, etc.

QA Consultants leverages industry best practices by conducting performance testing in three phases:

1. Performance Profiling
2. Load Testing
3. Stress Testing

Performance profiling is a performance test in which response times, transaction rates, and other time sensitive requirements are measured and evaluated.  The goal of Performance Profiling is to verify performance requirements have been achieved. Performance profiling is implemented and executed to profile and tune a target-of-test’s performance behaviors as a function of conditions such as workload or hardware configurations.

Load testing is a performance test which subjects the target-of-test to varying workloads to measure and evaluate the performance behaviors and ability of the target-of-test to continue to function properly under these different workloads.   The goal of load testing is to determine and ensure that the system functions properly beyond the expected maximum workload.  Additionally, load testing evaluates the performance characteristics (response times, transaction rates, and other time sensitive issues).

Stress testing is a type of performance test implemented and executed to find errors due to low resources or competition for resources. Low memory or disk space may reveal defects in the target-of-test that aren’t apparent under normal conditions. Other defects might results from competition for shared resource like database locks or network bandwidth. Stress testing can also be used to identify the peak workload the target-of-test can handle.