Moderator: I am not sure if this should be in the Requirements and Design Forum, as it is the basis for my functional testing approach. If so, I apologize.
I am currently implementing a risk-based testing approach in my organization. I have done a lot of research on this approach. I am still a little unclear on risk analysis for requirements. If I have a requirement that a user must enter a user name and password to log in to the system, what types of risk analysis would be performed on this requirement? User enters an invalid user name/password, user leaves the user name/password field blank?
If there is someone who can possibly post an example or two of actual requirements or functions and the risks associated with them to help clarify this, I would appreciate it. A lot of the articles and books give examples of this, however, they are usually very elementary and often when I return to my AUT, I draw a blank.
Any suggestions are welcomed...
[ 08-13-2003, 01:15 PM: Message edited by: b2manley ]
Re: Risk-Based Testing
In general - risks are used to assign priority to what gets tested and in what order, assuming your world is normal, where not everything can be tested. Risk is but one of a few factors in prioritizing tests. Other factors in prioritizing tests may include, but are not limited to:
3) whether realtime or not
Each of these speaks to risk!
Here is a bit more data specific to your question and the example you provided. These are some of the questions I would use to establish a risk profile.
What are all the ways the username and/or password can be compromised?
Is there a firewall?
Is there an encryption server?
What level of encryption?
Will the userid/password go over a wireless network?
Is there web-user management?
Can more than one user have the same password?
Is a change to a user's password required frequently?
What are the methods of authentication?
Are there application (local and remote) and/or data access permissions with user type? (View data, read/write data, etc.)
What are some environmental factors that may affect security?
Example: Environment openness? Can someone easily capture another user's login info?
How/where are userids/passwords stored? Can those facilities be compromised?
If the answers to these questions expose many weaknesses, then you have risk. Are the risks of not testing relative to those questions acceptable to your customer?
I hope this little bit is helpful.
[ 08-19-2003, 10:45 AM: Message edited by: jpensyl ]
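One way to turn the question list in the reply above into something executable, as an added example that is not code from either poster: a small credential store stands in for the system under test, each risk question that can be checked locally (blank fields, wrong or unknown credentials, how passwords are stored, whether two users sharing a password produce identical records, repeated failures) becomes a test with a likelihood and impact rating, and the tests run in order of likelihood multiplied by impact. The `AuthStore` design (PBKDF2-HMAC-SHA256 with a per-user salt, a lockout after five failures), the sample credential and the numeric ratings are all assumptions made here; in practice the ratings would come from the answers your customer gives to the questions above.

```python
"""Risk-prioritized tests for a username/password login requirement.

Added example, not from the original thread. AuthStore, its storage scheme
and lockout threshold are assumptions chosen so that the reply's questions
can be checked in code; the likelihood/impact scores are illustrative.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ITERATIONS = 100_000   # assumption: PBKDF2 work factor for the example store
MAX_FAILURES = 5       # assumption: lockout threshold
PASSWORD = "correct horse battery staple"  # constructed sample credential


class AuthStore:
    """Minimal credential store used as the system under test (assumed design)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._failures: Dict[str, int] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)                      # per-user salt
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username: str, password: str) -> bool:
        if not username or not password:           # blank-field case
            return False
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return False                           # locked out
        record = self._users.get(username)
        if record is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users
            return False
        salt, stored = record
        ok = hmac.compare_digest(self._derive(password, salt), stored)
        self._failures[username] = 0 if ok else self._failures.get(username, 0) + 1
        return ok

    def stored_record(self, username: str) -> Tuple[bytes, bytes]:
        return self._users[username]


def fresh_store() -> AuthStore:
    s = AuthStore()
    s.add_user("alice", PASSWORD)
    return s


# Each check answers one of the reply's questions with a pass/fail.
def check_valid_login() -> bool:
    return fresh_store().login("alice", PASSWORD)


def check_blank_fields() -> bool:
    s = fresh_store()
    return not s.login("", PASSWORD) and not s.login("alice", "")


def check_invalid_credentials() -> bool:
    s = fresh_store()
    return not s.login("alice", "wrong") and not s.login("nobody", PASSWORD)


def check_storage_not_plaintext() -> bool:
    """How are passwords stored? Two users with the same password must differ."""
    s = fresh_store()
    s.add_user("bob", PASSWORD)
    salt_a, hash_a = s.stored_record("alice")
    salt_b, hash_b = s.stored_record("bob")
    return PASSWORD.encode() not in hash_a and salt_a != salt_b and hash_a != hash_b


def check_lockout() -> bool:
    """Repeated wrong guesses must block even the correct password afterwards."""
    s = fresh_store()
    for _ in range(MAX_FAILURES):
        s.login("alice", "wrong")
    return not s.login("alice", PASSWORD)


@dataclass
class RiskTest:
    name: str
    likelihood: int   # 1 (rare) .. 5 (expected)
    impact: int       # 1 (nuisance) .. 5 (credential compromise)
    check: Callable[[], bool]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact      # assumption: risk = L x I


def build_tests() -> List[RiskTest]:
    return [
        RiskTest("valid login succeeds", 5, 3, check_valid_login),
        RiskTest("blank username/password rejected", 4, 2, check_blank_fields),
        RiskTest("wrong or unknown credentials rejected", 5, 5, check_invalid_credentials),
        RiskTest("passwords stored salted and hashed, not plaintext", 2, 5, check_storage_not_plaintext),
        RiskTest("account locks after repeated failures", 3, 4, check_lockout),
    ]


def prioritize(tests: List[RiskTest]) -> List[RiskTest]:
    """Highest-risk tests first: what gets run if time runs out halfway."""
    return sorted(tests, key=lambda t: t.score, reverse=True)


def run_prioritized() -> List[Tuple[str, int, bool]]:
    return [(t.name, t.score, t.check()) for t in prioritize(build_tests())]


if __name__ == "__main__":
    for name, score, passed in run_prioritized():
        print(f"{score:2d}  {'PASS' if passed else 'FAIL'}  {name}")
```

The point of the ordering is the one the reply makes: when not everything can be tested, the credential-rejection check (score 25) runs before the blank-field check (score 8), and the scores themselves are the record of why. Questions from the list that this store cannot answer on its own (firewall, wireless transport, encryption level, password rotation) would become environment or integration tests with their own ratings rather than local checks.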