
An article relating to this blog post on Finextra:

Bank software testing putting customer data at risk - Informatica

UK banks are putting customer data at risk by using it during software development and testing without proper safeguards, according to a study commissioned by vendor Informatica.



Better planning means better security

The statistics quoted within the Informatica report carried out by the Ponemon Institute present a picture that does not surprise me and rightly emphasises the risks around the use of ‘real’ data.

Over the last 15-20 years, the use of such data within the software testing of banking applications has become increasingly prevalent and, worryingly, is regarded as the norm. There are several reasons for this, and it is worth understanding a couple of the key factors that have led to this trend.

First, there remains a lack of understanding around the importance of software testing and consequently a lack of sufficient investment in testing. This alone impacts many aspects of testing.

Secondly, in relation to data, there is rarely enough time set aside to design and prepare effective tests, let alone the data that would be needed to support those tests. The only option left to testers in this scenario is to get hold of a copy of production data and use that.

Thirdly, there is a degree of laziness among development and testing teams who view taking and using a copy of production data as the ‘easy option’.

The optimum approach, and one that will provide maximum coverage of data combinations, is to run a series of controlled tests using specifically manufactured test data and then run a series of ‘exploratory’ tests using a set of desensitised production data.

Fundamentally, the importance of software testing must be understood and that includes having the processes in place that maximise the efficiency of testing and the controls over how all test assets, including test data, are created and managed.


Comments: (1)

Anthony Walton - Iliad Solutions - Leeds 21 March, 2011, 16:47

Some very valid points made here.  Production data in my view can be a great starting point for defining things like transaction mixes, peak transaction times and loads etc.  But for good test coverage you need well defined tests that you can actually control. 

Like most testers, production data doesn't age well.  More time seems to be spent jumping through hoops maintaining some level of PCI compliance, changing dates/times and recalculating encrypted fields than would have been needed to define the test properly in the first place.