Welcome!

Java Authors: Brian Lavallée, Raja Patel, Pat Romanski, Hovhannes Avoyan, Lori MacVittie

Related Topics: Security, Java, SOA & WOA, Linux, Web 2.0

Security: Article

Software Testers Too Need a Black Box

Consider evidence of testing to abide by compliance mandates and avoid getting yourself in hot water

Recording and maintaining good evidence of testing is growing more important all the time. The ability to document what actually happened during the development of hardware or software is vital in many industries. Medical equipment is a great example, as any failure could lead to unexpected complications or even death. In the event that this occurs, auditors must be able to review the original manufacturing process and track the usage and maintenance of the machine during its lifecycle.

Evidence of testing importance can be neatly summed up by considering the difference between an eyewitness memory and a video of an event. Our expectations and our circumstances can exert a great deal of influence on our recollections. Testers frequently note down what they were expected to do, rather than what they actually did.

Do you record and maintain complete evidence of your testing activities? If you're engaged in the medical or financial fields, then there's every chance it's a matter of compliance, but evidence of testing can benefit all sorts of industries. By collecting strong evidence as you test it's possible to safeguard against problems down the line, and the data you collect can provide some valuable insights.

Good evidence encompasses various qualities: it is authentic, it has integrity, it is readable and accessible, it is contemporary, and the original records, and any changes, are always attributable. Following these basic principles will guide you toward collecting the right kind of evidence. This could prove important during any auditing process, but it can also teach you about your processes and staff and help you to identify areas of weakness.

Assessing what evidence should be recorded is your first consideration. Video files may seem like an obvious solution, but organizing and storing them would be expensive and difficult. You ideally want to be able to record the pertinent data about a system, an application, a test session, and the responsible tester. You want a clear audit trail, with time stamps, and attributed changes, including the reasoning behind those changes.

Imagine that you want an investigator or auditor to arrive at the same conclusions as you did, but all they have to rely on is the evidence in front of them. What would convince you? Are you providing that level of assurance? You may imagine that it would be prohibitively expensive and time-consuming to set up, but you'd be wrong.

What I'm getting at is that you can't walk them through the evidence or explain it; it needs to be complete enough to tell the story on its own. People fill in the gaps for themselves when they're involved, but someone coming to it cold may see it differently.

It doesn't need to be an especially onerous undertaking. There are free tools you can use to collect quality evidence to fully configure exactly what you collect from individual test sessions and create a step-by-step trail. You can create individual records of test sessions encompassing multiple applications. This kind of evidence can be used to inform later testing sessions.

With more regulation and new auditing standards, compliance is becoming a real issue in financial services and healthcare. The Dodd-Frank Wall Street Reform and Consumer Protection Act demands increased transparency. The Sarbanes-Oxley Act (SOX) dictates that all business records must be stored for at least seven years. Auditing standards, such as SAS 70 closely examine the controls and safeguards that organizations have in place to deal with customer's data and financial reporting.

Collecting high quality evidence of testing can protect you from potential problems and keep you informed about exactly how testing is being carried out.

More Stories By Vu Lam

Vu Lam is founder and CEO of QASymphony, developers of defect capture tools that track user interactions with applications. He was previously with First Consulting Group and was an early pioneer in Vietnam’s offshore IT services industry since 1995. He holds an MS degree in electrical engineering from Purdue University. You may reach him at [email protected]

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.