  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502

testing during new IT developments

1) Is there any specific order in which testing comes first when testing a new technology before it goes live, say a new payroll application? And what are the specifics of the testing regime? A quick look around mentions “user acceptance testing” and “load testing” as seemingly the most common; are there any others you use?

2) And how long before the system is due to go live do you implement the test procedures, as presumably you have to have a period of time to review the results and make any specific changes?

3) Are there any specific workflows out there that show the entire process from building a new application, to testing it, to deploying it, so someone not involved in either can see the various stages of a new implementation project?

4) Where would security / configuration testing come into the process? For example, you may want to scan your test system with vulnerability scanners and best practice analyzers before it goes live; at what stage would this take place in the process?
Asked by: pma111

1 Solution
Rich Rumble (Security Samurai) commented:
Of course the typical qualifying and due diligence are needed: is the company being sued, sold, does it have a good reputation, etc.? As far as security, we look at both ease of use as well as security. Does it tie into our existing AD/LDAP/PAM authentication, or is it lame and require its own separate usernames/passwords? Does it encrypt the credentials for all authentication, or can it be made to easily? HTTPS is good, especially for a payroll type of app, even if it's internal. Does it use LDAPS (LDAP over SSL) as opposed to plain-text LDAP? This is critical on an internal application that may house SSN/banking info, etc.
Vulnerabilities aren't as big an issue internally as information disclosure is. Maybe it's an insurance portal; using HTTP in plain text is a big no-no, as your insurance/health records contain your and your family's SSNs.

We follow this process:
Round up 3 or more vendors (if possible), and do proofs of concept with the top 3. Demos such as those online are not sufficient; implementation, setup, and roll-out scenarios must be run by our staff whenever applicable.
Test in an isolated lab area; recruit a significant cross-section of the population or coordinate enough sessions to load test. Usability will also be tested and rated by the testing groups as well as IT staff. Security will be tested by everyone, but look toward the security folk to really "break" the application. Weigh cost, ease of use, applicability, features, and possible add-on costs. Choose the winner, or in most cases, the lesser of the 3 evils.
From the security perspective, I don't find any software application good enough out of the box. We find ways to break just about everything; even if it's a far-fetched scheme or idea, it must fail :) Most applications out of the box are very weak and need to be secured; using LDAPS is a prime example. We've used very big industry leaders who only support HTTP basic authentication (the password is changed to base64, aka plain text), and they act like no one has ever told them... Or they can't support HTTPS without an upgrade or better hardware, etc. Using Telnet (another plain-text protocol) on network equipment that faces the internet, instead of SSH. Industry leaders, as of last year, still try to stick it to you by selling an upgrade to support SSH... Anyway, the basics are: try to break it, and see what they do when you do break it. Do they say it's broken, do they fix it, do they ignore it? Most ignore you, and we don't like them :)
-rich
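The plain-text channels Rich calls out (LDAP instead of LDAPS, HTTP instead of HTTPS, Telnet instead of SSH, and Basic auth that only base64-encodes the password) are easy to check mechanically during the lab/PoC phase. The script below is an added example for this thread, not Rich's own tooling: it audits a vendor application's integration settings for plain-text schemes and shows why a captured HTTP Basic `Authorization` header is not protection. The settings dictionary, hostnames and the header value are constructed sample data, not taken from any real product.

```python
"""Pre-go-live audit for plain-text credential channels.

Added example: flags ldap://, http://, telnet:// and ftp:// endpoints in an
application's integration settings, and decodes an HTTP Basic header to show
the credentials are recoverable without any key. Sample data is constructed.
"""
import base64
import re
from urllib.parse import urlparse

# Constructed sample of a vendor's integration settings (hypothetical hosts).
SAMPLE_SETTINGS = {
    "directory_url": "ldap://dc01.corp.example:389",      # plain-text LDAP bind
    "portal_url": "http://payroll.corp.example/login",    # HTTP login page
    "mgmt_url": "telnet://sw-core.corp.example",          # Telnet device mgmt
    "api_url": "https://payroll.corp.example/api",        # acceptable
}

# Constructed sample: an Authorization header as it would appear in a capture
# of plain HTTP traffic. Value is base64("payroll_admin:Winter2012!").
SAMPLE_AUTH_HEADER = "Basic cGF5cm9sbF9hZG1pbjpXaW50ZXIyMDEyIQ=="

# Plain-text scheme -> what to ask the vendor to support instead.
PLAINTEXT_SCHEMES = {
    "ldap": "ldaps:// (or LDAP with STARTTLS)",
    "http": "https://",
    "telnet": "ssh",
    "ftp": "sftp or ftps",
}


def audit_urls(settings):
    """Return (setting_name, scheme, recommended_alternative) for every
    setting whose URL uses a scheme that sends credentials in the clear."""
    findings = []
    for name, url in settings.items():
        scheme = urlparse(url).scheme.lower()
        if scheme in PLAINTEXT_SCHEMES:
            findings.append((name, scheme, PLAINTEXT_SCHEMES[scheme]))
    return findings


def decode_basic_auth(header_value):
    """Recover (username, password) from an HTTP Basic Authorization value.

    Returns None if the value is not well-formed Basic auth. No secret is
    needed: base64 is an encoding, not encryption, which is the point Rich
    makes about vendors that only support Basic auth over HTTP.
    """
    match = re.fullmatch(r"Basic\s+([A-Za-z0-9+/]+=*)", header_value.strip())
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (ValueError, base64.binascii.Error):
        return None
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        return None
    return user, password


def report(settings, auth_header):
    """Human-readable summary used when running the script directly."""
    lines = []
    for name, scheme, fix in audit_urls(settings):
        lines.append(f"{name}: {scheme}:// sends credentials in clear text; ask for {fix}")
    creds = decode_basic_auth(auth_header)
    if creds:
        lines.append(f"Basic auth header decodes to user={creds[0]!r} password={creds[1]!r}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SETTINGS, SAMPLE_AUTH_HEADER):
        print(line)
```

Running it against the constructed settings flags the LDAP, HTTP and Telnet endpoints and prints the recovered username and password. In a real PoC the settings would come from the vendor's configuration files or a packet capture of the lab system, and anything flagged becomes a question for the vendor before the application is allowed near payroll data.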
