Agility Testing Methods
Our client engagements have involved a range of software testing methods. Typically, our test scenarios are based on the following:
- Dynamic Testing
- Penetration Testing
- Static Testing; and
- Synthetic Transactions
Our clients have on occasion asked us to perform penetration testing as white hat hackers, with authorization from the client (and an agreed scope and rules of engagement) to attempt to break into the organization’s physical and/or electronic perimeter. The testing is designed to determine whether black hat hackers could use the same techniques successfully. Typically, our software testing engagements also include developing a traceability matrix, sometimes called a Requirements Traceability Matrix (RTM). The matrix maps the customer’s requirements to our software testing plan: each requirement is traced to the customer use cases that exercise it and to the test cases that verify it, so we can show that every requirement is covered and met.
Static and Dynamic Testing:
The primary goal of static testing is to examine the code passively, that is, without running it. This includes walk-throughs, code reviews, and syntax checking. The source code is reviewed for known insecure practices, libraries, and functions, and for known vulnerabilities in the SDKs/APIs it depends on. Dynamic testing is concerned with exercising the code while it is executing. Typically, this uncovers implementation flaws that only show up at run time, such as input handling, error paths, and configuration problems. The two approaches are complementary: static review finds the dangerous construct, dynamic testing shows whether it is reachable with attacker-controlled input.
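The "known insecure functions" part of a static review is easy to automate as a first pass. The following is an added example, not the firm's tooling: a small scanner that flags calls to classic unbounded C functions in source text, while blanking out comments and string literals first so that a function name mentioned in a comment does not become a false positive. The function list and the C snippet are constructed for the example; a real review would use a fuller list (or a dedicated SAST tool) and still read the flagged code by hand, because `strcpy` with a proven-bounded source is not a bug.

```python
import re
from typing import List, NamedTuple

# Functions a source review flags on sight, with the usual recommended replacement.
# Illustrative list for this example, not exhaustive.
INSECURE_FUNCS = {
    "gets": "fgets with an explicit buffer size",
    "strcpy": "strlcpy/strncpy with a bounded length",
    "strcat": "strlcat/strncat with a bounded length",
    "sprintf": "snprintf with an explicit buffer size",
    "vsprintf": "vsnprintf with an explicit buffer size",
    "scanf": "a width-limited format, or fgets followed by parsing",
}


class Finding(NamedTuple):
    line: int
    func: str
    advice: str


# Block comments, line comments and string literals are blanked before matching,
# so a call name that only appears inside them is not reported.
_COMMENT_OR_STRING = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"',
    re.DOTALL,
)

# \b keeps fgets/strncpy/snprintf/sscanf from matching gets/strcpy/sprintf/scanf.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, INSECURE_FUNCS)) + r")\s*\(")


def _blank_out(match: "re.Match[str]") -> str:
    # Replace everything except newlines so reported line numbers stay correct.
    return re.sub(r"[^\n]", " ", match.group(0))


def scan_c_source(source: str) -> List[Finding]:
    """Return one Finding per call to a listed function, in source order."""
    cleaned = _COMMENT_OR_STRING.sub(_blank_out, source)
    findings: List[Finding] = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for match in _CALL.finditer(line):
            name = match.group(1)
            findings.append(Finding(lineno, name, INSECURE_FUNCS[name]))
    return findings


# Constructed sample input for the example.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

/* legacy helper: strcpy(dst, src) is "fine" here, says the comment */
void copy_name(char *dst, const char *src) {
    strcpy(dst, src);                 /* flagged: unbounded copy */
    printf("use gets() carefully\n"); /* not flagged: inside a string */
    char buf[64];
    sprintf(buf, "%s", src);          /* flagged: unbounded format */
    fgets(buf, sizeof buf, stdin);    /* not flagged: bounded read */
}
'''

if __name__ == "__main__":
    for f in scan_c_source(SAMPLE_C):
        print(f"line {f.line}: {f.func}() -> consider {f.advice}")
```

On the sample this reports `strcpy` on line 7 and `sprintf` on line 10 and nothing for the comment on line 5 or the string on line 8. Character literals such as `'"'` are not handled by the blanking regex; that is the kind of limitation a reviewer keeps in mind when trusting the tool's silence.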
Synthetic Transactions:
Synthetic transactions involve building automation scripts or tools that simulate the activities a user or client application normally performs against the system. The first goal is to establish a baseline of expected, normal behavior for each transaction (response codes, response content, and timing); later runs are then compared against that baseline. We have scheduled synthetic transactions to run periodically to confirm that applications are still performing as expected. We have also used them to confirm that patched systems still behave correctly, including still refusing what they must refuse, before the patch is deployed.
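As an added example (not the firm's own scripts), here is a synthetic transaction for a hypothetical web application with a login endpoint and an authenticated orders endpoint. The transaction logic is written against a transport callable, so the same steps run against an in-process stand-in application (constructed here so the example runs offline) or over HTTP against a real deployment. Each step is checked against a baseline of status code, response shape and a latency budget, and the baseline deliberately includes negative steps: the stand-in has an `auth_broken` switch that simulates a bad patch accepting any password, which the pre-deployment run should catch.

```python
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, dict]
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], Response]


# --- Stand-in application, constructed for this example -----------------------
def make_fake_app(auth_broken: bool = False) -> Transport:
    """In-process stand-in for a web application. auth_broken=True simulates a
    bad patch that accepts any password for a known user."""
    users = {"alice": "s3cret"}

    def call(method: str, path: str, body: Optional[dict], headers: Dict[str, str]) -> Response:
        body = body or {}
        if method == "POST" and path == "/login":
            valid = users.get(body.get("user")) == body.get("password")
            if valid or (auth_broken and body.get("user") in users):
                return 200, {"token": "tok-" + body["user"]}
            return 401, {"error": "bad credentials"}
        if method == "GET" and path == "/orders":
            if headers.get("Authorization") == "Bearer tok-alice":
                return 200, {"orders": [{"id": 1, "total": 42.0}]}
            return 403, {"error": "forbidden"}
        return 404, {"error": "not found"}

    return call


def http_transport(base_url: str) -> Transport:
    """Transport for a real deployment: the same call signature over HTTP/JSON."""
    def call(method: str, path: str, body: Optional[dict], headers: Dict[str, str]) -> Response:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method, headers=dict(headers))
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    return call


# --- The synthetic transaction -------------------------------------------------
@dataclass
class StepResult:
    name: str
    ok: bool
    elapsed_ms: float
    detail: str


def run_transaction(call: Transport, max_ms: float = 500.0) -> List[StepResult]:
    """Walk login -> list orders, plus two negative checks. Each step is compared
    with the baseline of a healthy deployment: status, response shape, latency."""
    results: List[StepResult] = []

    def step(name, method, path, expect_status, body=None, headers=None, check=lambda b: True):
        t0 = time.perf_counter()
        status, resp = call(method, path, body, headers or {})
        ms = (time.perf_counter() - t0) * 1000
        ok = status == expect_status and check(resp) and ms <= max_ms
        results.append(StepResult(name, ok, round(ms, 2), f"status={status} body={resp}"))
        return resp

    login = step("login", "POST", "/login", 200,
                 body={"user": "alice", "password": "s3cret"}, check=lambda b: "token" in b)
    token = login.get("token", "")
    step("list orders", "GET", "/orders", 200,
         headers={"Authorization": "Bearer " + token},
         check=lambda b: isinstance(b.get("orders"), list))
    # Negative steps: the baseline also records what the application must refuse.
    step("reject bad password", "POST", "/login", 401,
         body={"user": "alice", "password": "wrong"})
    step("reject unauthenticated orders", "GET", "/orders", 403)
    return results


def transaction_healthy(results: List[StepResult]) -> bool:
    return all(r.ok for r in results)


if __name__ == "__main__":
    for label, app in (("baseline", make_fake_app()), ("bad patch", make_fake_app(auth_broken=True))):
        res = run_transaction(app)
        print(label, "healthy" if transaction_healthy(res) else "FAILED")
        for r in res:
            print(f"  {'ok ' if r.ok else 'BAD'} {r.name:30s} {r.elapsed_ms:7.2f} ms  {r.detail}")
```

Against the baseline stand-in all four steps pass; against the "bad patch" stand-in only `reject bad password` fails, which is exactly the regression a positive-path-only script would have missed. For a real target, replace `make_fake_app()` with `http_transport("https://host")` and run the same function on a schedule.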
Software Testing Levels:
We have several years of experience testing software from multiple angles and at multiple levels. The software testing levels of Unit Testing, Installation Testing, Integration Testing, Regression Testing, and Acceptance Testing serve as guidelines for organizing our testing goals.
Fuzzing:
Fuzzing, also known as fuzz testing, is a form of black box testing. We have used it to submit random or malformed inputs to applications and observe whether they crash. In our experience, an application that crashes on random or malformed data is frequently suffering from a memory-safety bug such as a buffer overflow; a crash is the indicator, and each one must then be reproduced, deduplicated, and examined to determine whether it is actually exploitable. We typically automate the generation of repeated random and mutated input strings and feed them to command-line switches and other application inputs.
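The loop described above, as an added example that is not the firm's tooling: a mutation-based fuzzer that derives malformed inputs from a valid seed (bit flips, boundary bytes, inflated fields, truncation, random tails), feeds them to a target, and buckets crashes by exception type and crashing line so that thousands of inputs hitting one bug become one finding to triage. The target, `parse_tlv`, is constructed for the example: it trusts a declared length field, the Python analogue of the unchecked-length bug that becomes a buffer overflow in C. `cli_crashes` shows the same idea for an external program driven through a command-line argument, where a negative return code means the process was killed by a signal; the program name is whatever you pass in, nothing here is a specific product.

```python
import random
import subprocess
import traceback
from typing import Callable, Dict, List, Tuple


# --- Constructed target -------------------------------------------------------
def parse_tlv(data: bytes) -> List[Tuple[int, bytes, int]]:
    """Parse tag/length/value records. It trusts the declared length, so a
    record claiming more bytes than remain reads past the end. In C that is an
    out-of-bounds read; here it surfaces as an IndexError."""
    records, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]             # no check that a length byte exists
        value = data[i + 2:i + 2 + length]
        checksum = value[length - 1] if length else 0  # no check that `length` bytes were really present
        records.append((tag, value, checksum))
        i += 2 + length
    return records


# --- Mutation-based fuzzer ----------------------------------------------------
def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Derive a malformed input from a valid one using the mutations that most
    often shake out length and bounds bugs."""
    data = bytearray(seed)
    op = rng.randrange(5)
    if op == 0 and data:                               # flip a few random bits
        for _ in range(rng.randint(1, 4)):
            data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif op == 1 and data:                             # boundary byte values
        data[rng.randrange(len(data))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif op == 2:                                      # oversized run: inflated field
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes([rng.randrange(256)]) * rng.randint(1, 64)
    elif op == 3 and data:                             # truncation
        start = rng.randrange(len(data))
        del data[start:rng.randrange(start, len(data) + 1)]
    else:                                              # random tail
        data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 16)))
    return bytes(data)


def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, rng_seed: int = 1) -> Dict[Tuple[str, int], bytes]:
    """Feed mutated inputs to `target`. A crash is an unhandled exception.
    Returns {(exception type, crashing line): first input that triggered it};
    the seed makes a run reproducible, which matters when handing a crash to a developer."""
    rng = random.Random(rng_seed)
    crashes: Dict[Tuple[str, int], bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), candidate)
    return crashes


def cli_crashes(argv: List[str], data: bytes, timeout: float = 5.0) -> bool:
    """Same idea for an external program that takes the input as a command-line
    argument. A negative return code means the process died from a signal
    (SIGSEGV, SIGABRT, ...), which is what memory corruption looks like from
    outside. argv cannot carry NUL bytes, so they are stripped; that limitation
    is inherent to this delivery path, a file or socket input would not have it."""
    arg = data.replace(b"\x00", b"").decode("latin-1")
    proc = subprocess.run(argv + [arg], capture_output=True, timeout=timeout)
    return proc.returncode < 0


# Two valid records, constructed as the seed corpus for the example.
SEED_RECORDS = bytes([1, 3, 0x41, 0x42, 0x43, 2, 2, 0x44, 0x45])

if __name__ == "__main__":
    for (exc_name, line), trigger in sorted(fuzz(parse_tlv, [SEED_RECORDS]).items()):
        print(f"{exc_name} at line {line}: triggered by {trigger.hex()}")
```

The seed parses cleanly; a couple of thousand mutations are enough to hit both unchecked reads in `parse_tlv`, and the result is two buckets rather than hundreds of near-identical crashing inputs. Each stored trigger reproduces the crash deterministically, which is the starting point for deciding whether the bug is merely a denial of service or a controllable out-of-bounds access.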