It will not be news to anyone who has written code that the time to kill software bugs is early on in the application development lifecycle, before they can have a major impact. This is important for three reasons: first, better code is likely to be released in the first place; second, it will be less vulnerable to attack and therefore more secure; and third, the overall cost of software development will be reduced. All well and good, but how do you get closer to achieving the ultimate goal of bug-free code that delivers to requirements?
Unsurprisingly, thorough testing of software is a key part of achieving this. A major challenge for many is how to go about tests without compromising the often sensitive data that must be used to make them realistic. If an application processes healthcare records or credit card data, how can it be tested against meaningful data without compromising the privacy of the data subjects? Ensuring such data is available has been the long-term business of vendors such as IBM, Informatica and UK-based specialist Grid Tools.
The testing stage includes checking functionality, the impact of code changes and checking for errors that may lead to security vulnerabilities. The later was the subject of a 2012 Quocirca research report, Outsourcing the problem of software security, sponsored by Veracode (a provider of on-demand software security testing services).
One finding of the report was that the average company spent several hours per week patching software; reducing this would save money and reduce risk.
There are three approaches to safely providing the test data that effective tests rely on:
- Data masking – where sensitive fields are replaced with dummy data so they can no longer be linked back to actual individuals or accounts
- Data subsets – where the test data is processed in such a way that only the data relevant to testing is included and the sensitive data is removed, for example key fields may be all that are needed, not the actual customer data
- Data simulation – where a whole data set is created from scratch to mimic the real thing. This sounds like the safest approach, but it may miss common human errors that occur in real data sets that may be important for some testing
The provision of test data is all well and good, but how does it fit with the broader application development lifecycle? This includes everything from requirements gathering and specification design, through development, version control, testing, deployment and update. This continuous cycle is one all commercial software should be going through from inception until end of life. Application lifecycle management (ALM) tools support all or some of these phases helping to improve software quality. Vendors include Serena Software, IBM Rational, Perforce, CA, Borland and range of open-source options.
To extend its reach to other areas of the application lifecycle, Grid Tools has recently announced a new tool called Agile Designer, which will provide feedback to the design phase. This is the artier part of the process often carried out using flow charts created with tools such as Microsoft Visio or PowerPoint. Agile Designer tests the flows and highlights ambiguities, thus introducing more rigor in to the process. A key output is to analyze the minimum number of test cases needed to fully test all the possible paths through an application design. This helps with the creation of better test data and eliminates unnecessary use of sensitive data.
Software testing is a potential source of data leaks that is rarely talked about compared to high-profile coverage often given to leaks associated with production software; this is not an excuse to ignore the problem. Grid Tools has a long pedigree in producing test data, which is endorsed by its high-profile global partners CA and HP, both of which resell its products. The capability now provided through Agile Designer to better integrate test schedules into the overall software development lifecycle will further reduce the risk of exposing of sensitive data and has the potential to make the whole development process more efficient.