On April 17th 2008 I visited the Software Quality Conference in Dusseldorf. Based on past experience I knew that it would be an interesting day. The main topics I intended to visit were model-based testing and security testing.
Presentations I attended:
Security Development Lifecycle by Michael Kranawetter, Microsoft (D): The interesting point here was the obvious awareness that you are never on time with testing security: at the moment you are deploying a fix, the next exploit is already waiting. A strong point of the presentation was the definition of a security development lifecycle. M. Kranawetter recommended planning about 20% of the time of a regular testing process for security testing. See picture below for the model of the security lifecycle:
Based on this lifecycle he mentioned that there must be actions taken for process improvement.
He ended his presentation with a short movie (see: http://video.google.com/videoplay?docid=5627966010916286426). Somehow I forgot the reason he showed this to us, though it was very funny.
Software Security Metrics 101 – Why & How? by Dr. Markus Schumacher, Virtual Forge (D): Using examples, this presentation gave a basic overview of why security is important and will become more important in the near future. He came up with a quote that 0.2% of CPUs are placed in PCs/servers and the remaining 99.8% in regular products like watches, toasters, cars and perhaps in the near future in milk cans. He used this statement to express that our environment will change in the future, as we will use more of the information on those CPUs, like RFIDs etc. At least he opened my eyes to the fact that testing security for situations like embedded software will take a much more important place in the near future. And since embedded will result in using cheaper production methods, security might become an issue there which needs our attention.
Model-based Testing Enhances Action-word Based Testing to Boost Test Automation by Emmanuel Verge (Fr): In this presentation the position of model-based testing was explained, along with how their tools can support that approach. It gave a basic view of what a model-based testing process looks like, based on an example UML model using their tools. One of the strengths I see is that you start by defining your test model based on requirements and define models for it which can be used for deriving test cases. The tool they have to support this is called Leirios Test Designer. Using this tool, test cases can be designed based on the model of test cases. You immediately get an overview of how your coverage is against the models and therefore the requirements. Once the test cases are defined you can use their tool called Leirios Test Publisher to create test scripts.
In the approach related to model based testing you have the following phases:
- Requirement Management
- Model-based testing
- Test Management
- Test Automation
A Maturity Model for Model-based Testing by Thomas Rossner, Imbus (D): One of the first statements T. Rossner made was: "Model based testing is not UML". With this statement he tried to trigger us to see model-based testing as a process where models are used. During his presentation he explained in more detail how a maturity model fits in the Test Process Improvement (TPI) model. He explained which key areas are suitable for use in model-based testing and what the maturity levels would be according to him. As he defined it, model-based testing also has certain maturity levels, so it is hard to expect that the use of model-based testing will immediately result in fast and better results. I think the main thought he wanted to convey is that you can also improve your model-based testing process over time based on a customization of the TPI model.
Some Exhibitors I talked to are:
- Leirios: After I had attended the presentation about model-based testing I visited their stand. One of the strengths of their tool is that, if a requirement changes, you only have to alter your scripts in a limited number of locations. I think that, based on their approach and tooling, you as a tester are also able to tell management what the impact on testing will be if a requirement changes, based on the number of test scripts that will change. I think it is worthwhile to take a look at their approach and their tools.
- Microsoft: At this stand some detailed information was given about the usage of Visual Studio Team System 2008 and how it incorporates several development processes in one suite. I think one of the benefits of using tools like this is that you can embed tests better in development. They gave me some trial versions of the Team Foundation Server and Team Suite. I hope I can post some experience of these tools very soon on my blog.
- Metrixware: They provided information about a tool to monitor not only the infrastructure during test processes, but also the system while it is in production. This area is quite new for me; perhaps it is a tool which can support infrastructure testing.
- SQS: I obtained a demonstration of SQS Professional. As I know this tool from my own experience, it was good to get confirmation again that the focus is more on automating the test process rather than automating test execution. I still think the first gains can be made in this area.
- Froglogic: They presented a tool called Squish. The strength of this "record/playback" tool is that it supports different platforms and different scripting languages like Perl, Python, Java, Tk and some more. For an overview you might take a look at: Squish
- Wibas: I was triggered by the Map Of Change they presented (see picture below). I think with this map they intend to trigger people to see that testing is not a process on its own. It should be part of the process of improvements.
Some interesting links related to:
The Security Development Lifecycle
Security Developer Center
Michael Howard's Web Log
Security Development Lifecycle (SDL) Banned Function Calls
Wikipedia - Model based testing
model-based testing home page
Model-Based Testing in Practice
Model Based Test Generation Tools