Since Web applications are becoming more prevalent, developers are becoming more involved in the security and site-management process. Developers must now consider different aspects of application security as part of their development process. Testing your Web application for security threats can help you catch many problems ahead of time, but testing isn’t just about security. There are several areas you have to look at to ensure you are properly building your application, and in this guide I will discuss 10 steps you can take to cover the most critical issues. While this article assumes that you have a team to help you test your application, you can also use these steps to self-test small Web applications.
Step 1: Project Objectives
Most people realize that you can never find something if you don’t know what you are looking for. The same idea should go into your testing. Having testing objectives up front not only tells you what you are looking for, but also makes your results measurable. If you write your objectives out, you and your team will have a central point of focus when testing your application and there won’t be any confusion. A written list of objectives also lets you prioritize items so that you can focus on finding the most defects and still meet your time-to-market date.
Step 2: Reporting
It is critical that everyone that will be testing the application is aware of their role in the process. Make it clear when something should be reported, who should do the reporting and to whom the report goes. Leave no room for confusion or miscommunication that could allow defects to slip through. A definite reporting process will also lead to smoother testing. Here are some questions to help you define your reporting:
- Are team meetings scheduled in advance or as needed?
- Who decides if a meeting needs to be scheduled?
- Who needs what report and when?
- How will issues be categorized?
- Who can assign issues?
- How will issues be reported?
The main idea in setting up your reporting process is to allow your team to function in an organized way that supports your testing objectives. The reporting process should also take into account the individual personalities of your team. There is no “one size fits all” strategy when dealing with people, so use your best judgment.
Step 3: Environment
You will need to set up a testing environment that is separate from your development and production environments where the testing team can work. All elements of the application will need to be duplicated, including things like web servers, database servers, application servers and test data. You may or may not be able to use existing computers to set up a separate testing environment; either way, these computers should mimic the customer’s environment for accurate testing. It is not good to find out that your application conflicts with a plug-in that is required at your customer’s site. Be sure to get a list of items that need to be installed.
Along with the physical environment, you will need to set up a process for moving code to and from your test environment and make sure the procedure is enforced. This will ensure that each new version of source code is tested and uniquely identified to help with bug and issue tracking between versions.
Step 4: Tracking
Once your testing process is underway you will need a way to track all of the bugs, issues, defects, etc. that you are generating. You need an easy way to store, organize and distribute the information that needs to be given to your team members and members of the technical team. You will also need access to the information management requires so they can stay informed of your testing efforts. Try to take advantage of a system that may already be in place in your organization if possible, since this cuts down on training time for the testing team.
If your company doesn’t already have a tracking solution you may need to spend some time researching a solution that will work for you and your team. There are easy systems hosted online that allow you to organize and track your efforts without having to deal with installation and maintenance of the product.
Step 5: Usability Testing
Usability testing is used to look at all aspects of your Web application and determine what affects the user’s experience. You want to evaluate whether your application takes an intuitive and common sense approach to usability. Here is a list of common items to look at:
- Is the look-and-feel of the site consistent from page to page?
- Are font sizes and colors consistent and easy to read?
- How easy is it to navigate through the Web application?
- Does the user need to hunt for common functionality?
- Is it obvious to the user what actions are available to them?
Aside from navigation and look-and-feel issues, you also want to address Section 508 compliance to be sure your Web application meets the necessary accessibility requirements. The 1998 Amendment to Section 508 of the Rehabilitation Act spells out accessibility requirements for individuals with certain disabilities.
For more details, refer to:
A great resource that can help analyze your HTML pages for Section 508 compliance can be found at:
If you are working with the United States federal government, Section 508 compliance is not only good design, it most likely is a legal requirement. You may want to utilize the following information regarding techniques for accessibility evaluation and repair tools, which can be found at:
Step 6: Unit Testing
Unit testing is the practice of testing very small parts of the application for functionality. A unit test may only focus on verifying that correct data was saved to the database when the Submit button was clicked. Be sure to focus on often-overlooked areas such as range checking and making sure that all fields that collect data from the user can gracefully handle the specific required values for their field. Don’t only check that a numeric field can take a number – check for less common and problematic exceptions. For example, what happens when a user’s last name contains an accent mark, as in José, or an apostrophe, as in O’Reilly?
Thorough testing with different combinations of databases and database drivers can find flaws such as the one mentioned above, since different combinations will produce different results. Good unit testing can help rid your Web application of errors that would frustrate the user. It is your job to ensure they do not encounter them.
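As an added example (not from the original article), these unit tests cover the cases the text names: a range-checked numeric field, an accented last name and an apostrophe. The customer table, the two save functions and the in-memory SQLite database are constructed for this illustration.

```python
# Added example for Step 6 (not from the original article): unit tests for the
# input cases the text names. The schema and functions are constructed here and
# an in-memory SQLite database stands in for the real one.
import sqlite3
import unittest

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (last_name TEXT NOT NULL, age INTEGER NOT NULL)")
    return conn

def save_customer_naive(conn, last_name, age):
    # Fragile version: SQL built by string formatting. An apostrophe in the
    # name ends the string literal early and the INSERT fails.
    conn.execute(f"INSERT INTO customer VALUES ('{last_name}', {age})")

def save_customer(conn, last_name, age):
    # Range-check the numeric field explicitly, then bind values as parameters
    # so accents and apostrophes are stored as data, not parsed as SQL.
    if not isinstance(age, int) or not 0 <= age <= 150:
        raise ValueError(f"age out of range: {age!r}")
    conn.execute("INSERT INTO customer VALUES (?, ?)", (last_name, age))

def load_names(conn):
    return [r[0] for r in conn.execute("SELECT last_name FROM customer ORDER BY rowid")]

def naive_version_fails(last_name):
    """True when the string-formatting version errors out on this name."""
    try:
        save_customer_naive(open_db(), last_name, 41)
    except sqlite3.OperationalError:
        return True
    return False

class FieldHandlingTests(unittest.TestCase):
    def setUp(self):
        self.conn = open_db()
    def test_apostrophe_breaks_naive_version(self):
        self.assertTrue(naive_version_fails("O'Reilly"))
    def test_accent_and_apostrophe_round_trip(self):
        save_customer(self.conn, "José", 30)
        save_customer(self.conn, "O'Reilly", 41)
        self.assertEqual(load_names(self.conn), ["José", "O'Reilly"])
    def test_age_range_is_checked(self):
        for bad in (-1, 151, "41"):
            with self.assertRaises(ValueError):
                save_customer(self.conn, "Smith", bad)

if __name__ == "__main__":
    unittest.main()
```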
Step 7: Verification of HTML
Verification of HTML is a simple and logical step, yet it is often overlooked. A good place to start is with the World Wide Web Consortium’s free HTML Markup Validation Service:
HTML Markup Validation Service
One of the main objectives of HTML is to allow anyone to access information on the Web, from anywhere. However, the concept only holds true if you have written an accessible Web page that conforms to your relevant version of HTML.
There are two main areas to focus on when validating HTML. First, you want to be sure that the page has correct syntax and that no tags were improperly used: tags should be closed in the order they were opened, tags that need closing slashes should have them, and all attribute values should be in quotes. Second, you want to focus on how your page looks in different browsers, at different screen resolutions and on different operating systems. These differences can make your page look dramatically different. You will want to have a profile of your target audience or customer so that you can decide which browsers and operating systems you will support. To avoid any unpleasant surprises down the road, start validating your HTML as soon as possible.
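As an added illustration of the first area (not the W3C service and not code from the article), this small checker reports the three syntax problems the paragraph lists: tags closed out of order, void tags written without a closing slash, and unquoted attribute values. The set of void elements and the unquoted-value pattern are assumptions for this example.

```python
# Added illustration (not the W3C validator): checks the three syntax points
# from Step 7 on a fragment of HTML and returns the problems found.
import re
from html.parser import HTMLParser
VOID = {"br", "hr", "img", "input", "meta", "link"}   # elements with no end tag
# name=value where the value is not quoted (a rough check on the raw tag text)
UNQUOTED = re.compile(r"""\s[\w:-]+=(?!["'])[^\s>]+""")

class SyntaxChecker(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open_tags = []   # stack of currently open non-void tags
        self.errors = []

    def _check_attrs(self):
        raw = self.get_starttag_text() or ""
        if UNQUOTED.search(raw):
            self.errors.append(f"unquoted attribute value in {raw}")
    def handle_starttag(self, tag, attrs):
        self._check_attrs()
        if tag in VOID:   # <br> without the slash the text asks for
            self.errors.append(f"<{tag}> needs a closing slash")
        else:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        # reached for <tag .../>: correct for void elements, wrong otherwise
        self._check_attrs()
        if tag not in VOID:
            self.errors.append(f"<{tag}/> self-closed but takes content")

    def handle_endtag(self, tag):
        if tag in VOID:
            self.errors.append(f"</{tag}> closes a void element")
        elif not self.open_tags:
            self.errors.append(f"</{tag}> has no matching open tag")
        elif self.open_tags[-1] != tag:   # closed out of order
            self.errors.append(f"</{tag}> closes before <{self.open_tags[-1]}>")
            if tag in self.open_tags:
                self.open_tags.remove(tag)   # so later tags still pair up
        else:
            self.open_tags.pop()

def check_html(markup):
    """Return the list of syntax problems in markup (empty if it is clean)."""
    checker = SyntaxChecker()
    checker.feed(markup)
    checker.close()
    return checker.errors + [f"<{t}> never closed" for t in reversed(checker.open_tags)]
```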
Step 8: Load Testing
Load testing is another important step that is sometimes overlooked and it involves a “stress test” that simulates how users will use your Web application and your expected traffic in the real world. This will allow you to identify whether your application will be able to withstand a flood of people on launch day or continue to function normally under peak load.
Simple design changes can often make a significant impact on site performance, so it is important to begin load testing early in the development cycle. A good overview of how to perform load testing can be found on Microsoft’s Developer Network (MSDN) website:
Real-World Load Testing Tips to Avoid Bottlenecks When Your Web App Goes Live
Along with load testing, you can also do some performance tuning to help your Web application run better. Again, performance tuning should be started early in the design of your application so it can be tightly integrated and won’t require major changes later.
In our on-demand world, people hate waiting for Web pages to load. A general rule of thumb is to make sure that all pages load in 15 seconds or less. This may depend on your particular application but you will want to understand the expectations of your customer and user.
Step 9: Acceptance Testing
Acceptance testing is the process of making sure that the Web application meets the needs of the user it was intended for. You want to be sure that your application is solving a problem for the user and not just creating more stress. Beta testing is usually an accepted method of user acceptance testing, and valuable feedback can be obtained to help tweak your application before its final release.
Step 10: Security
Since site security is a large concern for developers of Web applications, we want to be sure we thoroughly test for security concerns from both external and internal threats. Because testing a Web application for security issues can be an overwhelming task, you will need to prioritize and focus on the most important aspects of your application. Best practice is to have your Web application verified by qualified security specialists who can help you identify and fix any problems they find. Some additional online resources to help you stay up to date on the latest Internet security issues include:
- CERT Coordination Center: http://www.cert.org
- Computer Security Resource Center: http://csrc.nist.gov/
Once you have performed your initial security testing you should plan ongoing security audits to be sure that your Web application will remain secure over time and to keep up with changes in technology.
By following the above steps you are sure to have a Web application that is strong, secure and ready for the world. Proper testing is an integral part of the development process and essential for creating a positive user experience. Happy users mean success for your Web application, and you can take great satisfaction in knowing that your team’s efforts made all the difference in its successful adoption.