IT Security Standard: Web Applications - Software Testing

Brief Description:

This standard addresses the quality assurance review and web application source code testing for software development projects.  Comprehensive testing of web applications is important in mitigating problems during production processing and is critical in protecting sensitive data and minimizing risks to our university.

Related Policy:

• CSU Information Security Policy 8000

Introduction:

The Web Application Software Testing standard exists to ensure that consistent and thorough processes are followed during the release of new software by the developer(s) to the campus community.

Scope:

These standards apply to all individuals who develop and deploy Web applications.  The target audience is anyone who has responsibility for designing, developing, reviewing and approving web applications.

Standard:

Required:

1. Web applications must be tested in a pre-production environment prior to production implementation.
2.  The programmer/developer responsible for code modifications must document the enhancements or bug fixes that are to be introduced, the general timeline for production release, and the users affected by the change(s).
3. Web application modifications must be reviewed and approved by the functional users (refer to IT Security Standard: Web Application Approval Process)

Recommended:

Immediately following the completion of source code modification(s) and prior to deploying software changes to production:

1. Test case scenarios ought to be documented and completed for both unit/module testing and integrated testing. Scenarios may include:
   1. What will be tested
   2. What are the expected results of the testing
   3. What are the actual results of the testing
2. The deployment of new applications may include pre-production peer review of the development source code.  The complexity of the application may indicate whether or not peer review is required
3. Resources required and testing considerations to be identified may include:
   1. Hardware
      1. Are there any considerations for testing the software in the existing available hardware environment? E.g. does the test/pre-production environment sufficiently replicate the production environment?
      2. Performance/usability impacts to this system and/or other applications?
      3. System administration support for backups of test cases, snapshots, installation of system software patches, etc.?
   2. Software
      1. What test tools will be used during testing?
      2. What software interfaces should be identified?
      3. Are there potential compatibility problems with other application software?
   3. Staff
      1. Functional users responsible for testing
      2. Developer responsibilities: peer review, unit testing, integrated testing
      3. Administrative signoff on test cases
4. A proposed schedule ought to be created and published to the development team and/or appropriate functional users. Items on the schedule may include dates and team assignments for:
   1. Unit Testing
   2. Integrated Testing
   3. Regression Testing
   4. Functional User Testing
   5. Production Rollout
   6. Post-Production Testing

Definitions:

Web Application- For the purposes of these IT Security Standards, a web application is defined as any application that connects to a campus network and/or the Internet and that dynamically accepts user input.

Responsibilities: 

Anyone who develops and/or maintains web application source code is expected to have knowledge of and exposure to the best practices for software testing as reflected in software development life-cycle methodologies.

Non-Compliance and Exceptions:

Developers may be required to produce documentation or other evidence verifying compliance with this standard.  If found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the Information Security Office, the host device may be removed from the Cal Poly network until it does comply.  If it is technically infeasible for an information asset to meet this standard, departments must submit a request for exception to the Vice Provost/CIO and Information Security Officer for review and approval.

Related Procedures and Resources:

The UC Systems Development and Maintenance Standards provides a comprehensive guideline for developing and testing software applications:

Implementation:

Effective Date:	9/30/2010
Review Frequency:	Annual
Responsible Officer:	Vice Provost/Chief Information Officer

Revision History

Date	Action	Pages
9/30/2010	Release of New Document by Dara Manker and Linda Sandy	All
9/09/2014	Reviewed and created web page	All