Software Quality Assurance - IT Today


Software Quality Assurance
Integrating Testing, Security, and Audit
Abu Sayed Mahfuz

Software Quality Assurance: Integrating Testing, Security, and Audit
https://www.crcpress.com/9781498735537

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2016 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Printed on acid-free paper
Version Date: 20151124

International Standard Book Number-13: 978-1-4987-3553-7 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Mahfuz, Abu Sayed, author.
Title: Software quality assurance : integrating testing, security, and audit / author, Abu Sayed Mahfuz.
Description: Boca Raton : Taylor & Francis, 2015. Includes bibliographical references and index.
Identifiers: LCCN 2015045370 ISBN 9781498735537 (alk. paper)
Subjects: LCSH: Computer software--Quality control. Computer software--Testing.
Classification: LCC QA76.76.Q35 M34 2015 DDC 005.3028/7--dc23
LC record available at http://lccn.loc.gov/2015045370

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com
and the CRC Press Web site at http://www.crcpress.com

Contents

Preface
Content Overview
Acknowledgments
Author

Section I  Concept

Chapter 1  Quality Concept and Perspectives
Introduction
Part 1: Software Quality Concept
  Defining Software Quality
  Integrating Test, Security, and Audit
  Why Is Software Quality Important?
  What Is the Benefit of Software Quality in Business?
  Lack of Quality Is the Reason for Failure
  Failure Factors
Part 2: Software Quality Characteristics
  What Is the Business Benefit of Quality Characteristics?
  Standard for Quality Characteristics ISO/IEC 9126
  Quality Characteristics
  Detailed Descriptions of Quality … Interoperability
  Security
  Functionality Compliance
  Reliability
  Maturity
  Fault Tolerance
  Recoverability
  Reliability … Operability
  Usability Compliance
  Efficiency
  Time Behavior
  Resource Behavior
  Efficiency … Stability
  Testability
  Maintainability … Coexistence/Conformance
  Portability Compliance
  Control Objectives for Information and Related Technology (COBIT) … Capability Maturity Model Integration (CMMI)
  Quality Characteristics, COBIT, and CMMI
Part 3: Validation and Verification
  Role of V&V in Software Quality
  Software V&V Processes
  V&V Task Reports
  V&V Activity Summary Reports
  V&V Anomaly Reports
  Testing: Application
  Unit Testing Plan
  Determine Features to Be Tested
  Design the Test Set
  Implement the Test Plan
  Execute the Test Procedures
Part 4: Reviews and Audit
  Management …
  Input
  When to Conduct a Management Review
  Review Procedures
  Planning
  Preparation and Execution
  Technical …ities
  Inspection Rules and Procedures
  Walkthroughs
  Responsibilities
  Audits

Chapter 2  Management and Process
Introduction
Part 1: Software Management
  Software Management
  Information Governance
  Information Governance, IT Governance, and Data Governance
  IT Governance
  Data Governance
  IG–EG and Strategic Planning
  Making the Process Systematic
  IT Process Alignment
  The Expert Models for Software Management
  ISO 12207/IEEE 12207.0
  Serves as a Model for
  Integration of IEEE 12207 and SESC
  Acquisition
  Development
  Operation
  Supporting Documentation
Part 2: Software Life Cycle Models
  What Is Software Life Cycle?
  Life Cycle Models
  Boehm’s Spiral
  Agile Methodology
  What Is Agile? What Does It Mean?
  Agile Principles
  Waterfall
Part 3: Life Cycle Processes
  Primary Life Cycle Process
  Acquisition Process
  Supply …
  Development Process
  Operations Process
  Maintenance Process
  Supporting Life Cycle Processes
  Documentation Process
  Configuration Management Process
  Quality Assurance Process
  Verification Process
  Validation Process
  Joint Review Process
  Audit Process
  Audit Process Tasks

Section II  Testing

Chapter 3  Testing: Concept and Definition
Introduction
Part 1: Testing in the Software Life Cycle
  What Is Software Testing?
  Requirements
  Identification and Specification
  Specification
  Functional System Development
  Technical System Design
  Component Specification
  Coding
  Testing
  Are We Building the Right System?
  Are We Building the System Right?
Part 2: Software Testing Life Cycle
  SDLC and STLC
Part 3: Kinds/Types of Testing
  Black Box Testing
  White Box Testing
  Unit Testing
  Integration Testing
  Incremental Integration Testing
  Functional Testing
  System Testing
  End-to-End Testing
  Sanity Testing
  Regression Testing
  Acceptance Testing
  Load Testing
  Stress Testing
  Performance Testing
  Usability Testing
  Install/Uninstall Testing
  Recovery Testing
  Security Testing
  Comparison Testing
  Alpha Testing
  Beta Testing
  Automated Testing
  Agile Testing
  Suggested Readings

Chapter 4  Testing: Plan and Design
Introduction
Part 1: Plan and Strategy
  Test Plan
  Contents of a Test Plan
  Test Plan Identification
  Document Change Control Log
  Purpose of the Document
  References
  Sample Reference Metrics
  Software Product Overview/Project Description
  Test Objectives
  Software Risk Issue and Mitigation
  Communication and Status Reporting
  Test Tools
  Test Scope
Part 2: Test Approach and Stages
  Requirements Analysis
  Solution Specifications
  Testing Levels
  Unit Testing
  System/Integration Testing
  System Test
  System Test Execution
  Defect Management
  Acceptance Testing
  Test Data Preparation
  Test Environments
  Sample Entry/Exit Criteria
  Test Schedule
  Defect Reporting and Tracking
  Roles and Responsibilities
  Appendix
  Reference Documents
  Testing Estimation
  Lessons Learned
  Project Description
  What Went Well
  What Could Have Gone …
  NEW Opportunities
  LOE Accuracy
  Top Three Recommended Improvements
Part 3: Test Design Factors
  Software Requirement
  Requirement Identification
  Requirement Identifier
  Software Requirement Specification
  Requirements Evaluation Matrix
  Business Value of Requirements
  Scales/Measures
  Significant Requirement Conflicts and Enablers
  Estimated Costs and Risks to Satisfy Requirements
  Scales/Measures
  Requirements Cost/Benefit and Prioritization Summary
Part 4: Test Case Specification and Design
  Test Case Specification
  Deliverables
  Test Environment Setup
  Deliverables
  Sample Test Cases
  Introduction
  Scope
  Objective
  Sample Test Cases
  Testing Condition 1.1—Login with Correct User ID and Password
  Testing Condition 1.2—Wrong User ID
  Testing Condition 1.3—Wrong Password
  Testing Condition 1.4—Username Blank
  Testing Condition 1.5—Password Blank
  Testing Condition 1.6—Username and Password Blank
  Testing Condition 1.7—Cancel Button Clicked
  Testing Condition 1.8—Invalid User
  Summary

Chapter 5  Test: Execution and Reporting
Introduction
Part 1: Starting Test Execution
  Getting Ready to Start Test Execution
  Requirement Coverage
  Requirements Test Coverage Statement
  Scheduling Test Runs
  Assigning Test Execution
Part 2: Test Result Reporting
  Status Report
  Daily Stand-Up Update by Individual
  Weekly Status Report
  Test Result Summary Report
  Document Change Control Log
  Purpose of the Document
  References: (Sample Reference Metrics)
  Progression Test Case Execution Status
  Regression Test Case Execution Status
Part 3: View and Analyze Test Results
  Defect: As a Part of Test Result
  Requirement Test Case—Defect Traceability
  Metrics
  Defect Details
  Deferred Defects
  Defects by Root Cause
  Canceled Defects
  Defect Summary
  Requirement Traceability Matrices (RTM)
  System Test Coverage Metrics (Sample)
  Test Execution Quality Metrics
  Defect Tracking Overview
  Defect Linkage

Section III  Challenges

Chapter 6  Incident Management
Introduction
  Overview on Incident Management
  Why Incident Management Is Important
Part 1: Identification
  Definition
  Incident
  Information Security Incident
  Accident
  Defect
  Failure
  Incident Identification
  Identifying Ways
  Identifying the Attacking Hosts
  Incident Initial Documentation
  Incident Classification
  Type of Incident
  Initial Assessment
Part 2: Investigation and Analysis
  Reasons to Investigate
  Investigation Process
  Incident Root Cause
  Collecting Evidences
  Six Steps for Successful Incident …
  Incident Analysis
  Some Examples of Analyzing an Incident
  Barrier Analysis
  Damage Mode Effect Analysis
  Scenario Analysis
  Time/Loss Analysis for Emergency Response
  Evaluation
  Analyzing Warning Time
Part 3: Response and Recovery
  Incident Response
  Initiate Recovery Mechanisms
  Review Preliminary Investigation Results
  Preventing Incidents
  Incident Notification
  Evidence Collection and Documentation
Part 4: Issues
  Issues List
  Project Issues List Instructions
  Project Issues Log
Part 5: Security Incidents
  Security Incidents Reporting
  Before an Incident Happens the Team Should
  After an Incident Happens
  Responding to a Security Incident
  Tips for Responding to Security Incidents
  Steps to Take during the Incident
  Responding to Security Violations
  Security Office Actions

Chapter 7  Defect Management
Introduction
Part 1: Definition and Analysis
  Definitions
  Defect
  Definition of an Error
  Defect Repository
  What Causes Defects in Software
  Detecting a Defect Early
  What Is the Cost of Defects Not Being Detected Early?
  Defect Life Cycle Steps
  Step 1: Recognition or Identification
  Step 2: Investigation
  Step 3: Action
  Step 4: Disposition
  Objectives of Testing
  Reduce the Risk of Failure
  Reduce the Cost of …
  Analyze Root Causes
  Address Causes of Defects
  Institutionalize a Defined Process
  Implement the Action Proposals
Part 2: Process and Methodology
  Defect Management … Resolving
  Verifying
  Closing
  Management Reporting
  Roles and Responsibilities in Software Development Life Cycle
  Business Owner
  Stakeholders
  Analyst
  Developer
  Tester
  Conflict Resolution and Escalations during Defect
  Defect Management Methodology
  Document Change Control
  Documentation
  Statement of Purpose
  Risks
  Defect Steps
  Defect States
  Defect Attributes
  Defect Priorities
  Defect Severities
Part 3: Root Cause Analysis
  Definition
  Root Cause Fields
  Requirements
  Defect Cause in Not Traceable
  Not Testable
  Implementation Dependent
  Design
  Code
  Environment
  Test
  Data
  Analysis
  The Most Common Root Cause Classification
  Defect Prevention
  Benefits of Defect Prevention
  Defect Prediction

Chapter 8  Risk, Vulnerability, and Threat Management
Introduction
Part 1: Risk Management
  Types of Risks
  Impact of Risk
  Dealing with Risk
  Risk Management Life Cycle
  Risk Identification
  Ten Effective Methods to Identify Risks
  Brainstorming
  Survey
  Interview
  Practical Experience and Understanding
  Research
  Potential Risk Lists
  Lessons Learned
  Risk-Oriented Analysis
  Design Template
  Risk Assessment
  What Is Risk Assessment?
  Risk Assessment Process
  Risk Assessment Involves Identified Risks
  Technology Risk Assessment and Mitigation (TRAM) (Sample)
  Business Risk
  Catastrophic (A)
  Critical (B)
  Moderate (C)
  Minor (D)
  Risk Assessment Matrix
  Negligible (E)
  Risk Response
  Avoid
  Transfer
  Reduce
  Accept
  Risk Mitigation
  Risk Contingency Plan
  Technology Contingency Plan (TCP)
  Application Risk Questionnaire (ARQ)
  Project Risk Log
Part 2: Vulnerability, Risk, and Threat Analysis
  Vulnerability and Risk
  Step 1: Determine What Is Being Protected and Why
  Sample Statement
  Step 2: Identify the System
  Step 3: Characterize System Operations
  Step 4: Ascertain What One Does and Does Not Have Control Over
  Vulnerability and Threat
  Definitions
  Four Levels of Threats
  Four Steps of Risk Assessment
  Step 1: Analysis Techniques Are Selected and Used
  Step 2: Identify Vulnerabilities, Their Type, Source, and Severity
  Step 3: Identify Threats, Their Type, Source, and Likelihood
  Step 4: Evaluate Transaction Paths, Threat Zones, and Risk Exposure
Part 3: OCTAVE and Risk Management
  What Is OCTAVE?
  OCTAVE Phases
  Phase 1: Build Asset-Based Threat Profiles
  Phase 2: Identify Infrastructure Vulnerabilities
  Phase 3: Develop Security Strategy and Plans
  OCTAVE Way of Risk Management
  OCTAVE in Risk Management
Appendix A—Sample Vulnerability/Risk Assessment for Pharmacy Handheld Technology
  Introduction
  Statement of Goals
  High-Level System Entity Control Analysis
  Vulnerability and Threat Analysis
  Physical Structure
  Virtual Private Network as a Risk
  The Major Strengths of Utilizing Internet-Based VPN Services
  Assumptions
Appendix B
  Risk Factors Assumptions
  Investment Size
  Management Process
  Degree of Technical Risk
  Return Factors
  Conclusion

Section IV  Software Quality Expectation

Chapter 9  Information Security
Introduction
Part 1: Definition and Importance
  What Is Information Security?
  Difference between Privacy and Security
  Key Points on Information Security
  From What Threats Does Information Need to Be Secured?
  Cybercrime
  Types of Cybercrime
  Computer Virus
  Scam
  Money Laundering
  Phishing
  What Kind of Information Needs to Be Secured
  Some Examples of Recent Phishing
  Identity Theft
  Information That Is Considered Identity
  Social Security Numbers
  Date of Birth
  Current and Previous Addresses and Phone Numbers
  Current and Previous Employment Information
  Financial Account Information
  Mother’s Maiden Name
  Other Personal Information
  Password for Nonfinancial Accounts
  Password for Financial Accounts
  Criminal Activities That Lead to Cybercrime
  Spyware
  Objective of Information Security
  Why Is Security Important?
  What Is the Benefit of Information Security?
Part 2: Methodology
  The Strategy
  Security Standards
  ISO 15408
  Control Objectives for Information and (Related) Technology (COBIT)
  ISO …
  ISO 15408 vs. ISO 17799
  Security Policy
  Organizational Security
  Asset Classification and Control
  Personnel Security
  Physical and Environmental Security
  Communications and Operations Management
  Access Control
  System Development and Maintenance
  Business Continuity Management
  Compliance
  Precautionary Guidelines
  Refrain from Giving Out Personal Information
  Storing Financial Records
  Use Firewall Programs
  Do Not Open Files Sent from an Unknown Source
  Use a Secure Browser
  Delete All Stored Personal Information
  Do Not Disclose Passwords to Anyone
  Beware of Phishing, Spoofing, and Spam Attempts
  COBIT Security Baseline
  Business Model Information Security
  The Broader Scope of InfoSec
  Operational Procedure for Doctor
  Operational Procedure for Pharmacy
  Common Information Security Criteria
  Operational Procedure for Patient
  Operation Procedure for Pharmacy Hub
  Operational Change Control
  Incident Management Procedure
  External Facilities Management
  System Planning and Acceptance
  Capacity Planning
  System Acceptance
  Protection against Malicious Software
  Control against Malicious Software
  Housekeeping
  Information Backup
  Operator Logs
  Fault Logging
  Network Management
  Network Controls
  Media Handling and Security
  Management of Removable Computer Media
  Disposal of Media
  Exchange of Information and Software
  Security of Media in Transit
  Electronic Commerce Security
  Security of Electronic Mail
  Business Requirement for Access Control
  Access Control Policy
  User Access Management
  User Registration
  Privilege Management
  User Password Management
  Review of User Access Rights
  User Responsibilities
  Network Access Control
  Policy on Use of Network Services
  Remote Diagnostic Port Protection
  Network Connection Control
  Operating System Access Control
  Automatic Terminal Identification
  Terminal Log-On Procedures
  User Identification and Authentication
  Password Management System
  Use of System Utilities
  Duress Alarm to Safeguard Users
  Terminal Time-Out
  Limitation of Connection Time
  Application Access Control
  Information Access Restriction
  Sensitive System Isolation
  Monitoring System Access and Use
  Event Logging
  Monitoring System Use
  Clock Synchronization
  Mobile Computing and Teleworking
  Mobile Computing
  Teleworking
  Security Requirements of Systems
  Security in Application Systems
  Data Validation
  Business Continuity Management
  Aspects of Business Continuity Management
  Primary Focus of the Plan
  Primary Objectives of the Plan
  Plan
  Personnel
  Salvage Operations at the Disaster Site
  Designate Recovery Site
  Purchase New Equipment
  Begin Reassembly at the Recovery Site
  Restore Data from …
  Restore Applications Data
  Move Back to Restored Permanent Facility
  Compliance
  Compliance with Legal Requirements
  Identification of Applicable Legislation
  Intellectual Property Rights
  Copyright
  Reviews of Security Policy and Technical Compliance
  System Audit Considerations
  System Audit Controls
  Protection of System Audit Tools
Part 3: Security Policy Document
  Information Security Policy
  Board-Level Action
  Management-Level Action
  Organizational Security
  Information Security Infrastructure
  Management Information Security Forum
  Information Security Coordination
  Allocation of Information Security Responsibilities
  Authorization Process for Information Processing Facilities
  Specialist Information Security Advice
  Cooperation between Organizations
  Independent Review of Information Security
  Security of Third-Party Access
  Identification of Risks from Third-Party Access
  Types of Access
  Reasons for Access
  On-Site Contractors
  Security Requirements in Third-Party Contracts
  Outsourcing
  Security Requirements in Outsourcing Contracts
  Asset Classification and Control
  Accountability for Assets
  Inventory of Assets
  Information Classification
  Classification Guidelines
  Information Labeling and Handling
  Personnel Security
  Security in Job Definition
  Personnel Screening Policy
  Testing Employees
  Evaluate Key Job Behaviors
  Confidentiality Agreements
  Terms and Conditions for Employment
  User …
  Information Security Education and Training
  Reporting Security Incidents
  Security Incidents Reporting Guideline
  Reporting Security Weaknesses
  Physical and Environmental Security
  Physical Security
  Physical Entry Control
  Securing Offices, Rooms, and Facilities
  Equipment Security
  Protect the System from Undesirable Booting
  Set Up Storage Protection for Backup Tapes
  Equipment Siting and Protection
  Power Supplies
  Cabling Security
  Equipment Maintenance
  General Controls
  Clear Desk and Clear Screen Policy
  Removal of Property
  Communication and Operation Management
  Operational Procedure and Responsibilities
  Documented Operating Procedures
  Information Security Certification Procedure (Sample)
  Document Change Control Log
  Security Standards
  ISO 15408
  COBIT
  ISO 17799/BS7799
  OCTAVE

Chapter 10  Information Audit
Introduction
Part 1: Definition and Planning
  Definition
  Audit Planning
  IT Audit Plan Development Process
  Role of Supporting Technologies
  Understanding the Business
  Operating Environment
  Details of the IT Audit
  Examining the Business Model
  Formalizing the IT Audit Plan
  Integration of the IT Audit Plan
  Validating the Audit Plan
  The IT Audit Plan Should Be Dynamic
  Ten Key IT Considerations for Internal Audit
  Responsibilities of IT Audit Team Members
  Lead Auditor
  Initiator
  Audited Organization
  Auditor’s Qualifications
  Choosing an Auditor
  Auditor’s Education
  Knowledge and Skills
  Experience
  Knowledge
  Talent
  Competence
Part 2: Audit Process and Procedure
  Audit Process
  Audit Process Implementation
  Support for the Audit Process
  Procedures
  Management Preparation
  Verification of Quality Manual
  Verification of Implementation of the Quality Manual
  Sample Work Instructions
  Postimplementation Review
  Key Phase Review
  Project Management Methodology Assessment
  Privacy and Audit Management
  Five Key Focus Areas for Project Audits
  Business and IT Alignment
  Project Management
  IT Solution Readiness
  Solution Design
  Organizational and Process Change Management
  The Audit Report
Part 3: Auditing and Information Security
  Defined and Planned Strategy
  Auditing Privacy Risks
  Auditing Data Categorization
  Auditing Law and Regulation Aspects
  Organization Threats
  Application Risks
  Business Process Risks
  Auditing IT Vulnerabilities
  Identifying Insignificant Vulnerability Management
  The Internal Auditor’s Role About Information Security
  Vulnerability and Risk
  Persistent Auditing and Monitoring
  Suggested Readings

Chapter 11  Software Reliability Improvement and Process
Introduction
Part 1: Definition and Measurement
  What Is Reliability?
  What Are Reliability Metrics?
  Classifications
  Standards Defining Reliability Measurement
  Selection of Measures
  Measures from IEEE 982.2
  Measurement-Based Assurance
  Criteria for Selection
  Sample Primitive Metrics
  Primitive Cost and Effort Metrics
  Primitive Change Metrics
  Software Requirements Metrics
  Requirements Size Metrics
  Requirements Traceability
  Completeness
  Fault-Days Number
  Software Design Metrics
  Primitive Size Metrics
  Primitive Fault Metrics
  Primitive Complexity Metrics
  Defect Density
  Test-Related Primitives
  Code Metrics
  Cyclomatic Complexity (C)
  Amount of Data
  Live Variables
  Test Metrics
  Fault Density
  Defect Age
  Defect Response Time
  Defect Cost
  Defect Removal Efficiency
  Primitive Test Case Metrics
  Statement Coverage
  Branch Coverage
  Path Coverage
  Data Flow Coverage
  Test Coverage
  Mean Time to Failure
  Failure Rate
  Cumulative Failure Profile
  Customer Ratings
  Customer Service …
  Making Reliability Metrics Meaningful
  Standards Defining Software Measurement
  Productivity Metrics: IEEE 1045
  Software Reliability: IEEE 982
  Quality Metrics Methodology IEEE 1061–1992
  Software Reliability Measurement
  What Is a Model?
  Qualities of a Good Model
  The Importance of Data
  Metrics and Models
  Model Development and Independent Metrics
  The Issue of Availability
  Data Retention and Use
  Validity
  Software Reliability Estimation
  CMMs: The Software Engineering Institute’s Capability Maturity Model
  Maturity on Features
  CMMI
  Staged Representation
  Continuous Representation
  Disciplines and Environments
  CMMI Application
  Maturity Levels
  Process Areas
  Level Three Process Areas
  Level Four Process Areas
  Level Five Process Areas
  IDEAL
Part 2: Software Process Improvement and Capability Determination (SPICE)
  ISO 15504 and Management
  The Assessment Process
  The Reference Model
  The Capability Dimension
  The Engineering Process Category
  The Project Process Category
  The Support Process Category
  The Organization Process Category
  ISO/IEC 15288 Processes
  ISO 15288 Relation to Other Frameworks
  Personal and Team Approaches
  PSP and TSP to CMM
  The PSP Process Structure
  PSP Quality Management
  Early Defect Removal
  Defect Prevention
  PSP Project Plan Summary
  Outcomes of the Process
  The Team Software Process
  Definition
  The TSP Team Working Process
  What Does TSP Do for Software?
  Measurement
  Application
  TSP Quality Management
  The Quality Plan
  Identifying Quality Problems
  Finding and Preventing Quality Problems
  Relationship of PSP and TSP to CMM
Appendix
  Software Process … Constraints
  Compliance
Acronyms and References
  Acronyms
  Organization and …

7
Defect Management

Introduction

This chapter, as the name implies, deals with the conceptual aspects of defect management. There are three parts in this chapter. Part 1 discusses the basic concepts of a defect and why a defect happens. Part 2 introduces the practical methodologies of how to manage the defects; in this part, some sample documents and templates are provided to manage the defect properly. Part 3 discusses and analyzes the root causes of defects and provides recommendations on how to prevent defects in the future.

Part 1: Definition and Analysis

Definitions

A defect in simple terms is a variance from expectation. Another definition is that a defect is a condition in a process/product which does not meet a documented requirement. In other words, a defect is an error in a process or product’s behavior that causes it to malfunction or to produce incorrect or unexpected results.

The root cause of a defect may originate from different sources such as code, requirements, design, environment, build/compilation, test case, and data.

Defect

Defect in Hardware
In IEEE 610, defect or fault is defined as “A defect in a hardware device or component; for example, a short circuit or broken wire.”
