testing during new IT developments

Posted on 2012-09-05
Last Modified: 2012-09-07
1) Is there any specific order of which testing comes first when testing a new technology before it goes live, say a new payroll application? And what are the specifics of the testing regime, a quick look about mentioned “user acceptance testing” and “load testing” seem to be most common, are there any others you use?

2) And how long before the system is due to go live do you implement the test procedures – as presumably you have to have a period of time to review the results and make any specific changes?

3) Are there any specific workflows out there that show the entire process from building a new application, to testing it, to deploying it? So someone not involved in either can see the various stages of a new implementation project?  

4) Where would security / configuration testing come into the process, for example you may want to scan your test system with vulnerability scanners, best practice analyzers before it goes live – at what stage would this take place in the process?
Question by:pma111
    Accepted Solution

    Of course the typical qualifying and due diligence are needed: is the company being sued, sold, of good reputation, etc. As far as security, we look at both ease of use as well as security. Does it tie into our existing AD/LDAP/PAM authentication, or is it lame and require its own separate usernames/passwords? Does it encrypt the credentials for all authentication, or can it be made to easily? HTTPS is good, esp. for a payroll-type app, even if it's internal. Does it use LDAPS (LDAP over SSL) as opposed to plain-text LDAP? This is critical on an internal application that may house SSN/banking info, etc.
    Vulnerabilities aren't as big an issue internally as information disclosure is. Maybe it's an insurance portal; using HTTP in plain text is a big no-no, as your insurance/health records contain your and your family's SSNs.

    We follow this process:
    Round up 3 or more vendors (if possible), do Proofs of Concept with the top 3. Demos such as those online are not sufficient; implementation, setup, and roll-out scenarios must be run by our staff whenever applicable.
    Test in an isolated lab area; recruit a significant cross-section of the population or coordinate enough sessions to load test. Usability will also be tested and rated by the testing groups as well as IT staff. Security will be tested by everyone, but look toward the security folk to really "break" the application. Weigh cost, ease of use, applicability, features, or possible add-on costs. Choose the winner, or in most cases, the lesser of the 3 evils.
    From the security perspective, I don't find any software application good enough out of the box. We find ways to break just about everything; even if it's a far-fetched scheme or idea, it must fail :) Most applications out of the box are very weak and need to be secured; using LDAPS is a prime example. We've used very big industry leaders who only support HTTP basic authentication (the password is changed to base 64, aka plain text) and they act like no one has ever told them... Or they can't support HTTPS without an upgrade or better hardware, etc. Using Telnet (another plain-text protocol) on network equipment that faces the internet, instead of SSH. Industry leaders, as of last year, still try to stick it to you by selling an upgrade to support SSH... Anyway, the basics are: try to break it, see what they do when you do break it, do they say it's broken, do they fix it, do they ignore it. Most ignore you, and we don't like them :)
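The plain-text checks the answer above lists (HTTP instead of HTTPS, HTTP Basic auth, plain LDAP on 389 instead of LDAPS, Telnet instead of SSH) can be turned into a repeatable lab-stage audit. The following is an added example, not code from the original post, the answerer, or any vendor: it takes constructed observation records (a hypothetical, simplified summary of what a packet capture from the isolated test lab would show: protocol, port, and for HTTP the URL and Authorization header) and flags each one that moves credentials or sensitive data without TLS. It also decodes a Basic header to make the "base64 is plain text" point concrete.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed sample observations from a hypothetical test-lab capture of a
# candidate payroll application. Fields (proto, port, url, auth, starttls)
# are assumptions for this example, not a real capture format.
OBSERVATIONS = [
    {"proto": "http", "url": "http://payroll.lab/login",
     "auth": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="},      # RFC 7617 sample value
    {"proto": "http", "url": "https://payroll.lab/api/employees",
     "auth": "Bearer eyJhbGciOi..."},                     # token over TLS: fine
    {"proto": "ldap", "port": 389, "starttls": False},   # plain LDAP bind
    {"proto": "ldap", "port": 636, "starttls": False},   # LDAPS
    {"proto": "telnet", "port": 23},                     # plain-text management
    {"proto": "ssh", "port": 22},
]


def decode_basic_auth(header):
    """Return (user, password) from an HTTP Basic Authorization header, else None.

    Basic auth is base64 encoding, not encryption: anyone who can read the
    header recovers the credentials, so it is only acceptable over TLS.
    """
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header.split(None, 1)[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    return (user, password) if sep else None


def assess(obs):
    """Return a list of finding codes for one observation (empty if clean)."""
    findings = []
    proto = obs["proto"]
    if proto == "http":
        scheme = urlsplit(obs["url"]).scheme.lower()
        creds = decode_basic_auth(obs.get("auth"))
        if scheme != "https":
            findings.append("HTTP_WITHOUT_TLS")
            if creds:
                # The password itself is deliberately not echoed into the report.
                findings.append("BASIC_AUTH_EXPOSED:" + creds[0])
            elif obs.get("auth"):
                findings.append("CREDENTIAL_HEADER_WITHOUT_TLS")
    elif proto == "ldap":
        # 636 is LDAPS; 389 is acceptable only if the bind is upgraded with STARTTLS.
        if obs.get("port") != 636 and not obs.get("starttls"):
            findings.append("LDAP_WITHOUT_TLS")
    elif proto == "telnet":
        findings.append("TELNET_IN_USE")
    return findings


def audit(observations):
    """Map observation index -> findings, for every observation that has any."""
    report = {}
    for index, obs in enumerate(observations):
        findings = assess(obs)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in audit(OBSERVATIONS).items():
        print(index, OBSERVATIONS[index]["proto"], findings)
```

Run it against the constructed sample and three of the six observations are flagged: the HTTP login (with the Basic user name recovered from the header), the LDAP bind on 389, and the Telnet session. The finding codes are a starting checklist for the "try to break it" stage; the real capture would come from the isolated lab, before any vulnerability scanning of the go-live build.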
