It will not be news to anyone that has written code that the time to kill software bugs is early on in the application development life-cycle, before they can have a major impact. This is important for three reasons; first, better code is likely to be released in the first place, second, it will be less vulnerable to attack and therefore more secure, and third, the overall cost of software development will be reduced. All well and good, but how do you get closer achieving the ultimate goal of bug free code that delivers to requirements?
Unsurprisingly, thorough testing of software is a key part of achieving this. A major challenge for many is how to go about tests without compromising the often sensitive data that must be used to make them realistic. If an application processes healthcare records or credit card data, how can it be tested against meaningful data without compromising the privacy of the data subjects? Ensuring such data is available has been the long term business of vendors such as IBM, Informatica and UK-based specialist Grid Tools.
The testing stage includes checking functionality, the impact of code changes and checking for errors that may lead to security vulnerabilities. The later was the subject of a 2012 Quocirca research report, Outsourcing the problem of software security, sponsored by Veracode (a provider of on-demand software security testing services). One finding of the report was that the average company spent several hours per week patching software; reducing this would save money and reduce risk.
There are three approaches to safely providing the test data that effective tests rely on:
- Data masking - where sensitive fields are replaced with dummy data so they can no longer be linked back to actual individuals or account
- Data subsets - where the test data is processed in such a way that only the data relevant to testing is included and the sensitive data is removed, for example key fields may be all that are needed, not the actual customer data
- Data simulation - where a whole data set is created from scratch to mimic the real thing. This sounds like the safest approach, but it may miss common human errors that occur in real data sets that may be important for some testing
The provision of test data is all well and good, but how does it fit with the broader application development life-cycle? This includes everything from requirements gathering and specification design, through development, version control, testing, deployment and update. This continuous cycle is one all commercial software should be going through from inception until end of life. Application life cycle management (ALM) tools support all or some of these phases helping to improve software quality. Vendors include Serena Software, IBM Rational, Perforce, CA, Borland and range of open source options.
To extend its reach to other areas of the application life-cycle, Grid Tools has recently announced a new tool call Agile Designer, which will provide feedback to the design phase. This is the artier part of the process often carried out using flow charts created with tools such as Microsoft Visio or PowerPoint. Agile Designer tests the flows and highlights ambiguities thus introducing more rigour in to the process. A key output is to analyse the minimum number of test cases needed to fully test all the possible paths through an application design. This helps with to creation of better test data and eliminates unnecessary use of sensitive data.
Software testing is a potential source of data leaks that is rarely talked about compared to high profile coverage often given to leaks associated with production software; this is not an excuse to ignore the problem. Grid Tools has a long pedigree in producing test data, which is endorsed by its high profile global partners CA and HP, both of which resell its products. The capability it is now providing through Agile Designer to better integrate test schedules into the overall software development life-cycle will further reduce the risk of exposing of sensitive data and has the potential to make the whole development process more efficient.