West Virginia University, SENG 530 Verification & Validation

Slide 1: Part III: Execution – Based Verification and Validation
Katerina Goseva - Popstojanova
Lane Department of Computer Science and Electrical Engineering
West Virginia University, Morgantown, [email protected]
www.csee.wvu.edu/~katerina

Slide 2: Outline
- Introduction
  - Definitions, objectives and limitations
  - Testing principles
  - Testing criteria
- Testing techniques
  - Black box testing
  - White box testing
  - Fault based testing
    - Fault injection
    - Mutation testing

Slide 3: Outline
- Testing levels
  - Unit testing
  - Integration testing
    - Top-down
    - Bottom-up
    - Sandwich
  - Regression testing
  - Validation testing
    - Acceptance testing
    - Alpha and beta testing
  - Non-functional testing
    - Configuration testing
    - Recovery testing
    - Security testing
    - Stress testing
    - Performance testing

Slide 4: Configuration testing
- Many programs work under a wide range of hardware configurations and operating environments
- Configuration testing is concerned with checking the program's compatibility with as many configurations of hardware and system software as possible

Slide 5: Configuration testing steps
- Analyze the market
  - Which devices (printers, video cards, etc.) must the program work with? How can you get them?
- Analyze the device
  - How does it work? How will this affect your testing? Which of its features does the program use?
- Analyze the way the software can drive the device
  - How can you identify a group of devices that share the same characteristics?
  - Does this type of device interact with other devices? Test the device with a small sample of other devices

Slide 6: Configuration testing steps
- Save time
  - Test only one device per group until you eliminate the errors. Then test each device in the group.
- Improve efficiency
  - Consider automation. Organize the lab effectively. Create precise planning and record keeping.
- Share your experience
  - Organize and share your test results so the next project will plan and test more efficiently

Slide 7: Recovery testing
- Many computer based systems must recover from faults and resume processing within a prespecified time
- Recovery testing forces the software to fail in a variety of ways and verifies that recovery is properly performed
  - Recovery that requires human intervention
  - Automatic recovery

Slide 8: Recovery testing
- Systems with automatic recovery must have
  - Methods for detecting failures and malfunctions
  - Removal of the failed component
  - Switchover and initialization of the standby component
  - Records of system states that must be preserved despite the failure

Slide 9: Security testing
- Security testing attempts to establish a sufficient degree of confidence that the system is secure
- Associating integrity and availability with respect to authorized actions, together with confidentiality, leads to security
  - availability - readiness for usage
  - integrity - data and programs are modified or destroyed only in a specified and authorized manner
  - confidentiality - sensitive information is not disclosed to unauthorized recipients

Slide 10: Security testing
[Figure: kinds of security testing ordered along an axis labelled "Complexity, Realism"]
- Whiteboard
  - Interactive analysis of hypothesis
- Automated
  - May simulate human attacker or defender
- Semi-automated
  - Actual human attacker or defender (team)
- Interactive Cyberwar
  - Dynamic interaction between human attacker & defender

Slide 11: Security testing - Penetration testing
- Traditionally security testing is performed using penetration testing
  - An attempt to break into an installed system by exploiting well-known vulnerabilities
- The Red Team is a model adversary
  - Differs from a real adversary
    - Attempts to limit actual damages
      - Property destruction, information disclosure, etc.
    - Discloses all tools, techniques, and methods
    - Cooperates in the goals of the experiment

Slide 12: Penetration testing - Adversary models
[Figure: adversary types ordered along an axis labelled "Sophistication"]
- Adversary types
  - Naive Novice
  - Advanced Novice
  - Professional Hacker
  - Organized Crime / Cyber Terrorist
  - Foreign Intelligence

Slide 13: Penetration testing - Why Red Team?
- Better identification and understanding of vulnerabilities
- Understand adversary adaptation to defenses
- Understand adversary response to security response
- Evaluate system information assurance

Slide 14: Penetration testing - Limitations
- There is no simple procedure to identify the appropriate test cases
- Error prediction depends on the tester's skills, experience and familiarity with the system
- There is no well defined criterion for when to stop testing

Slide 15: Security testing - Fault injection
- Deliberate insertion of faults into the system to determine its response
- Well known in the testing of fault-tolerant systems
- A secure program is one that tolerates injected faults without any security violation
- Capability of
  - automating testing
  - quantify the quality
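
The fault-injection idea on Slide 15, as an added example that is not part of the original slides: a small campaign injects faults into the policy source of an access check and reports the fraction of faults tolerated without a security violation. The checker functions, the policy format and the fault list are all constructed for illustration.

```python
import json

GOOD_POLICY = '{"alice": ["read", "delete"], "guest": ["read"]}'  # constructed sample

def _unavailable():
    raise OSError("policy store unreachable")

# Injected faults: each one replaces the policy source with a faulty one (constructed).
FAULTS = {
    "store_unavailable": _unavailable,
    "truncated_json": lambda: GOOD_POLICY[:20],
    "wrong_top_level_type": lambda: "[]",
    "null_document": lambda: "null",
    "null_entry": lambda: '{"guest": null}',
}

def check_fail_open(user, action, read_policy):
    """Weak version: any fault while loading the policy grants access."""
    try:
        policy = json.loads(read_policy())
        return action in policy.get(user, [])
    except Exception:
        return True

def check_fail_closed(user, action, read_policy):
    """Hardened version: any fault, or malformed policy data, denies access."""
    try:
        policy = json.loads(read_policy())
        allowed = policy.get(user, []) if isinstance(policy, dict) else []
        return isinstance(allowed, list) and action in allowed
    except (OSError, ValueError):  # json.JSONDecodeError is a ValueError
        return False

def run_campaign(check):
    """Inject every fault; return (faults not tolerated, fraction tolerated)."""
    # Baseline without faults: the checker must be functionally correct.
    assert check("alice", "delete", lambda: GOOD_POLICY) is True
    assert check("guest", "delete", lambda: GOOD_POLICY) is False
    violations = []
    for name, faulty_source in FAULTS.items():
        try:
            granted = check("guest", "delete", faulty_source)
        except Exception:
            granted = True  # an unhandled crash also counts as not tolerated
        if granted:  # guest must never be allowed to delete
            violations.append(name)
    return violations, 1 - len(violations) / len(FAULTS)

if __name__ == "__main__":
    for check in (check_fail_open, check_fail_closed):
        bad, tolerated = run_campaign(check)
        print(f"{check.__name__}: tolerated {tolerated:.0%}, violations: {bad}")
```

The tolerated fraction is one way to put a number on the quality of the response to faults; it is only as meaningful as the fault list is representative.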