NRM SDLC - Test
Testing starts with the migration of the delivered components into a test environment and the execution of a user acceptance test plan.
The development of solutions includes the specification and execution of unit tests, integration tests and user acceptance tests. Test cases must be constructed for each project and structured to provide adequate coverage of both system and business functionality. Wherever possible, automated testing should be implemented to reduce the burden that manual testing imposes on developers and business staff.
1.1 Test Plan
The Test Plan is a document that is used to review and sign off testing activities. The Test Plan is a mandatory deliverable for development projects.
1.2 Unit Testing
Unit tests should be created for all classes and significant methods identified in the design. The JUnit tool will be used to create unit tests. However, not all classes require a unit test. The number of unit tests should reflect a useful coverage of major functionality for each class or component.
1.3 Integration Testing
To assist testers conducting integration testing, the test documentation should state the expected results at the completion of each significant point in the test steps. The design of integration tests should be informed by the messages exchanged between component elements or objects as depicted in the system design.
1.4 User Acceptance Testing
User Acceptance Testing (UAT) is based on scenario tests executed by business staff. To assist business users conducting acceptance tests, the expected results should be documented for each step in the test. The NRS provides a template to be used as a guide when creating the UAT document.
A test plan is mandatory for development projects.
There are no samples available.
The User Acceptance Test Summary Report is a mandatory deliverable that summarizes the test activities and overall final results. It is prepared after user testing is completed.
No template is available at this time.
A UAT report is mandatory for development projects.
There are no samples available.
Vulnerability scans (finds vulnerabilities in your web application dynamically):
- Required by policy (Information Security Policy) and standards (Security Standards for Web Development and Deployment)
- Scans are to happen anytime there is significant change (OCIO defines significant as “requires a contractor/skilled employee to develop the change”)
- Scans should happen annually even if no changes have been done
- Remediation timelines for found vulnerabilities should be based on risk (higher risk should equate to faster remediation)
- Vulnerabilities should be ranked by CVSS score (Common Vulnerability Scoring System)
- Consideration of risk should include other applications if in a shared environment (e.g. your application is low sensitivity, but you share the environment with a highly sensitive application)
- CVSS scores of 9 to 10 (critical) are expected to be remediated immediately
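As an added illustration (not part of the NRM SDLC standard or any NRS tooling), the following Python routine triages constructed scan findings the way the bullets above describe: it maps each CVSS score to its v3.x qualitative band, elevates a finding one band when a more sensitive co-tenant shares the environment, assigns a due date, and orders the work. Only "critical is remediated immediately" comes from the text; the other remediation windows and the sample findings are assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta

# CVSS v3.x qualitative severity bands, highest first (lower bound inclusive).
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
BAND_ORDER = ["low", "medium", "high", "critical"]
# Remediation windows in days. Only "critical = 0 (immediately)" comes from the
# policy text; the other values are ASSUMED placeholders for a local standard.
DUE_DAYS = {"critical": 0, "high": 14, "medium": 30, "low": 90}
SENSITIVITY_RANK = {"low": 0, "medium": 1, "high": 2}

# cotenant_sensitivity: highest sensitivity of any app sharing the environment
# (equal to app_sensitivity when the application is not in a shared environment).
Finding = namedtuple("Finding", "app title cvss app_sensitivity cotenant_sensitivity")

def severity_for(cvss):
    """Map a CVSS base score to its qualitative band ('none' for 0.0)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower, name in SEVERITY_BANDS:
        if cvss >= lower:
            return name
    return "none"

def triage(findings, scanned_on):
    """Rank findings by due date; elevate one band when a more sensitive
    co-tenant makes the shared environment riskier than the app alone."""
    rows = []
    for f in findings:
        band = severity_for(f.cvss)
        if band == "none":
            continue  # informational result, nothing to remediate
        shared_risk = SENSITIVITY_RANK[f.cotenant_sensitivity] > SENSITIVITY_RANK[f.app_sensitivity]
        if shared_risk and band != "critical":
            band = BAND_ORDER[BAND_ORDER.index(band) + 1]
        rows.append({"app": f.app, "title": f.title, "cvss": f.cvss, "band": band,
                     "elevated": shared_risk, "due": scanned_on + timedelta(days=DUE_DAYS[band])})
    return sorted(rows, key=lambda r: (r["due"], -r["cvss"]))  # earliest due, then highest score

# Constructed sample scan output: permit-portal shares its environment with a high-sensitivity app.
SAMPLE = [
    Finding("notice-board", "SQL injection in search", 9.8, "low", "low"),
    Finding("permit-portal", "Reflected XSS in error page", 5.3, "low", "high"),
    Finding("notice-board", "Reflected XSS in error page", 5.3, "low", "low"),
    Finding("notice-board", "Auth bypass on admin path", 7.5, "low", "low"),
    Finding("notice-board", "Informational: framework version", 0.0, "low", "low"),
]

def run_sample():
    return triage(SAMPLE, date(2024, 1, 15))  # triage the constructed sample as scanned on 2024-01-15
```

Running `run_sample()` puts the critical SQL injection first with a same-day due date, and the permit-portal XSS ahead of the identical notice-board XSS because the shared environment elevates it from medium to high.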
Penetration test (an authorized tester attempts to break into your system and documents how they did it):
- Should be considered based on risk (public facing/high value/high profile/shared environment)
- From a financial side, these tests are known to be quite expensive (tens of thousands)
- Remediation timelines should be risk based (higher risk, faster remediation)