CTFL – Syllabus v3.1 – 5. Test Management – Part 5/5

5.4 Configuration Management

The purpose of configuration management is to establish and maintain the integrity of the component or system, the testware, and their relationships to one another through the project and product lifecycle. To properly support testing, configuration management may involve ensuring the following:

• All test items are uniquely identified, version controlled, tracked for changes, and related to each other
• All items of testware are uniquely identified, version controlled, tracked for changes, related to each other and related to versions of the test item(s) so that traceability can be maintained throughout the test process
• All identified documents and software items are referenced unambiguously in test documentation

During test planning, configuration management procedures and infrastructure (tools) should be identified and implemented.

5.5 Risks and Testing

5.5.1 Definition of Risk

Risk involves the possibility of an event in the future which has negative consequences. The level of risk is determined by the likelihood of the event and the impact (the harm) from that event.

5.5.2 Product and Project Risks

Product risk involves the possibility that a work product (e.g., a specification, component, system, or test) may fail to satisfy the legitimate needs of its users and/or stakeholders. When the product risks are associated with specific quality characteristics of a product (e.g., functional suitability, reliability, performance efficiency, usability, security, compatibility, maintainability, and portability), product risks are also called quality risks. Examples of product risks include:

• Software might not perform its intended functions according to the specification
• Software might not perform its intended functions according to user, customer, and/or stakeholder needs
• A system architecture may not adequately support some non-functional requirement(s)
• A particular computation may be performed incorrectly in some circumstances
• A loop control structure may be coded incorrectly
• Response-times may be inadequate for a high-performance transaction processing system
• User experience (UX) feedback might not meet product expectations

Project risk involves situations that, should they occur, may have a negative effect on a project’s ability to achieve its objectives. Examples of project risks include:

• Project issues:
  • Delays may occur in delivery, task completion, or satisfaction of exit criteria or definition of done
  • Inaccurate estimates, reallocation of funds to higher priority projects, or general cost cutting across the organization may result in inadequate funding
  • Late changes may result in substantial re-work
• Organizational issues:
  • Skills, training, and staff may not be sufficient
  • Personnel issues may cause conflict and problems
  • Users, business staff, or subject matter experts may not be available due to conflicting business priorities
• Political issues:
  • Testers may not communicate their needs and/or the test results adequately
  • Developers and/or testers may fail to follow up on information found in testing and reviews (e.g., not improving development and testing practices)
  • There may be an improper attitude toward, or expectations of, testing (e.g., not appreciating the value of finding defects during testing)
• Technical issues:
  • Requirements may not be defined well enough
  • The requirements may not be met, given existing constraints
  • The test environment may not be ready on time
  • Data conversion, migration planning, and their tool support may be late
  • Weaknesses in the development process may impact the consistency or quality of project work products such as design, code, configuration, test data, and test cases
  • Poor defect management and similar problems may result in accumulated defects and other technical debt
• Supplier issues:
  • A third party may fail to deliver a necessary product or service, or go bankrupt
  • Contractual issues may cause problems to the project

Project risks may affect both development activities and test activities. In some cases, project managers are responsible for handling all project risks, but it is not unusual for test managers to have responsibility for test-related project risks.

5.5.3 Risk-based Testing and Product Quality

Risk is used to focus the effort required during testing. It is used to decide where and when to start testing and to identify areas that need more attention. Testing is used to reduce the probability of an adverse event occurring, or to reduce the impact of an adverse event. Testing is used as a risk mitigation activity, to provide information about identified risks, as well as providing information on residual (unresolved) risks.

A risk-based approach to testing provides proactive opportunities to reduce the levels of product risk. It involves product risk analysis, which includes the identification of product risks and the assessment of each risk’s likelihood and impact. The resulting product risk information is used to guide test planning, the specification, preparation and execution of test cases, and test monitoring and control. Analyzing product risks early contributes to the success of a project.

In a risk-based approach, the results of product risk analysis are used to:

• Determine the test techniques to be employed
• Determine the particular levels and types of testing to be performed (e.g., security testing, accessibility testing)
• Determine the extent of testing to be carried out
• Prioritize testing in an attempt to find the critical defects as early as possible
• Determine whether any activities in addition to testing could be employed to reduce risk (e.g., providing training to inexperienced designers)

Risk-based testing draws on the collective knowledge and insight of the project stakeholders to carry out product risk analysis. To ensure that the likelihood of a product failure is minimized, risk management activities provide a disciplined approach to:

• Analyze (and re-evaluate on a regular basis) what can go wrong (risks)
• Determine which risks are important to deal with
• Implement actions to mitigate those risks
• Make contingency plans to deal with the risks should they become actual events

In addition, testing may identify new risks, help to determine what risks should be mitigated, and lower uncertainty about risks.

5.6 Defect Management

Since one of the objectives of testing is to find defects, defects found during testing should be logged. The way in which defects are logged may vary, depending on the context of the component or system being tested, the test level, and the software development lifecycle model. Any defects identified should be investigated and should be tracked from discovery and classification to their resolution (e.g., correction of the defects and successful confirmation testing of the solution, deferral to a subsequent release, acceptance as a permanent product limitation, etc.). In order to manage all defects to resolution, an organization should establish a defect management process which includes a workflow and rules for classification. This process must be agreed with all those participating in defect management, including architects, designers, developers, testers, and product owners. In some organizations, defect logging and tracking may be very informal.

During the defect management process, some of the reports may turn out to describe false positives, not actual failures due to defects. For example, a test may fail when a network connection is broken or times out. This behavior does not result from a defect in the test object, but is an anomaly that needs to be investigated. Testers should attempt to minimize the number of false positives reported as defects.

Defects may be reported during coding, static analysis, reviews, or during dynamic testing, or use of a software product. Defects may be reported for issues in code or working systems, or in any type of documentation including requirements, user stories and acceptance criteria, development documents, test documents, user manuals, or installation guides. In order to have an effective and efficient defect management process, organizations may define standards for the attributes, classification, and workflow of defects.

Typical defect reports have the following objectives:

• Provide developers and other parties with information about any adverse event that occurred, to enable them to identify specific effects, to isolate the problem with a minimal reproducing test, and to correct the potential defect(s), as needed or to otherwise resolve the problem
• Provide test managers a means of tracking the quality of the work product and the impact on the testing (e.g., if a lot of defects are reported, the testers will have spent a lot of time reporting them instead of running tests, and there will be more confirmation testing needed)
• Provide ideas for development and test process improvement

A defect report filed during dynamic testing typically includes:

• An identifier
• A title and a short summary of the defect being reported
• Date of the defect report, issuing organization, and author
• Identification of the test item (configuration item being tested) and environment
• The development lifecycle phase(s) in which the defect was observed
• A description of the defect to enable reproduction and resolution, including logs, database dumps, screenshots, or recordings (if found during test execution)
• Expected and actual results
• Scope or degree of impact (severity) of the defect on the interests of stakeholder(s)
• Urgency/priority to fix• State of the defect report (e.g., open, deferred, duplicate, waiting to be fixed, awaiting confirmation testing, re-opened, closed)
• Conclusions, recommendations and approvals
• Global issues, such as other areas that may be affected by a change resulting from the defect
• Change history, such as the sequence of actions taken by project team members with respect to the defect to isolate, repair, and confirm it as fixed
• References, including the test case that revealed the problem

Some of these details may be automatically included and/or managed when using defect management tools, e.g., automatic assignment of an identifier, assignment and update of the defect report state during the workflow, etc. Defects found during static testing, particularly reviews, will normally be documented in a different way, e.g., in review meeting notes.

An example of the contents of a defect report can be found in ISO standard (ISO/IEC/IEEE 29119-3) (which refers to defect reports as incident reports).