Web Quality

Because of its possible instant worldwide audience, a Web site's quality and reliability are crucial. The very special nature of the Web and Web sites poses unique software testing challenges. Webmasters, Web applications developers, and Web site quality assurance managers need tools and methods that can match up to the new needs. Mechanized testing via special purpose Web testing software offers the potential to meet these challenges.

Web Site Testing

Web sites are essentially client/server applications, with web servers and 'browser' clients. Consideration should be given to the interactions between HTML pages, TCP/IP communications, Internet connections, firewalls, applications that run in web pages (such as applets, JavaScript, plug-in applications), and applications that run on the server side (such as CGI scripts, database interfaces, logging applications, dynamic page generators, ASP, etc.). Additionally, there are a wide variety of servers and browsers, various versions of each, small but sometimes significant differences between them, variations in connection speeds, rapidly changing technologies, and multiple standards and protocols. The end result is that testing for web sites can become a major ongoing effort. Other considerations include:

  • What are the expected loads on the server (e.g., number of hits per unit time), and what kind of performance is required under such loads (such as web server response time, database query response times)? What kinds of tools will be needed for performance testing (such as web load testing tools, other tools already in house that can be adapted, web robot downloading tools, etc.)?
  • Who is the target audience? What kind of browsers will they be using? What kind of connection speeds will they be using? Are they intra-organization (thus with likely high connection speeds and similar browsers) or Internet-wide (thus with a wide variety of connection speeds and browser types)?
  • What kind of performance is expected on the client side (e.g., how fast should pages appear, how fast should animations, applets, etc. load and run)?
  • Will down time for server and content maintenance/upgrades be allowed? How much?
  • What kinds of security (firewalls, encryption, passwords, etc.) will be required and what is it expected to do? How can it be tested?
  • How reliable are the site's Internet connections required to be? And how does that affect backup system or redundant connection requirements and testing?
  • What processes will be required to manage updates to the web site's content, and what are the requirements for maintaining, tracking, and controlling page content, graphics, links, etc.?
  • Which HTML specification will be adhered to? How strictly? What variations will be allowed for targeted browsers?
  • Will there be any standards or requirements for page appearance and/or graphics throughout a site or parts of a site?
  • How will internal and external links be validated and updated? How often?
  • Can testing be done on the production system, or will a separate test system be required? How are browser caching, variations in browser option settings, dial-up connection variabilities, and real-world internet 'traffic congestion' problems to be accounted for in testing?
  • How extensive or customized are the server logging and reporting requirements; are they considered an integral part of the system and do they require testing?
  • How are CGI programs, applets, JavaScript, ActiveX components, etc. to be maintained, tracked, controlled, and tested?

Some design guidelines to consider

These are subjective and may or may not apply to a given situation:

  1. Pages should be 3-5 screens max unless content is tightly focused on a single topic. If larger, provide internal links within the page.
  2. The page layouts and design elements should be consistent throughout a site, so that it's clear to the user that they're still within a site.
  3. Pages should be as browser-independent as possible, or pages should be provided or generated based on the browser-type.
  4. All pages should have links external to the page; there should be no dead-end pages.
  5. The page owner, revision date, and a link to a contact person or organization should be included on each page.
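
An automated check for two of the points above, the validation of internal links and the "no dead-end pages" guideline, written as an added example that is not part of the original page. The in-memory `SITE` pages, the `example.com` base URL, and the names `LinkCollector` and `audit` are assumptions made for illustration; external links are counted but not fetched, so the check runs offline.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site (path -> HTML); not taken from any real site.
SITE = {
    "/index.html": '<a href="about.html">About</a> <a href="/docs/guide.html">Guide</a>',
    "/about.html": '<a href="index.html">Home</a> <a href="mailto:webmaster@example.com">Contact</a>',
    "/docs/guide.html": '<a href="../index.html">Home</a> <a href="missing.html">Next</a>'
                        ' <a href="print.html">Print</a> <a href="#top">Top</a>',
    "/docs/print.html": '<p>Printable copy.</p> <a href="#top">Top</a>',
}

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def audit(site, base="http://example.com"):
    """Return (broken internal links, dead-end pages) for a path -> HTML mapping."""
    host = urlparse(base).netloc
    broken, dead_ends = [], []
    for page, html in sorted(site.items()):
        collector = LinkCollector()
        collector.feed(html)
        leaves_page = False
        for href in collector.hrefs:
            # Resolve relative links against the page's own URL.
            target = urlparse(urljoin(base + page, href))
            if target.scheme not in ("http", "https"):
                continue  # mailto:, javascript:, etc. are not page navigation
            if target.netloc != host:
                leaves_page = True  # external link: counted, not fetched offline
            elif target.path == page:
                continue  # fragment-only or self link stays on the same page
            elif target.path in site:
                leaves_page = True
            else:
                broken.append((page, href))  # internal target does not exist
        if not leaves_page:
            dead_ends.append(page)
    return broken, dead_ends
```

On the constructed site, `audit(SITE)` reports the `missing.html` link in the guide as broken and `/docs/print.html` as a dead end, since its only link is a same-page fragment.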

Web Testing Resources

Web Security Testing

  • Computer Audit FAQ
    Good introductory information from IsecT Ltd. on 'Computer Audit', which refers to the analysis of computer systems and networks by examining the effectiveness of their technical and procedural controls (information security control systems) to minimise risks. Also has links to other resources, and some articles such as 'Strategic Approach to Information Security Management'.
  • SANS Top 20 List
    List and descriptions of top Windows and UNIX internet security vulnerabilities, along with links to other resources.
  • CVE
    Searchable, downloadable, and on-the-web 'Common Vulnerabilities and Exposures' list hosted by Mitre Corp. The goal of CVE is to standardize the names for all publicly known vulnerabilities and security exposures, so that security information can be efficiently shared and handled. Many security test tools are utilizing or planning on utilizing this standardized naming/numbering system.
  • IBM DeveloperWorks Security Zone
    Software Security-related articles, resources, and tutorials from IBM's developerWorks web site.
  • W3 Security Resources
    Large collection of information and resources on web security, including an FAQ, hosted by the W3C Consortium (the folks who set web standards/protocols, etc.)
  • Microsoft Security Advisor
    Microsoft's web site for discussion of security issues for MS products, including their web server products.
  • NIAP website
    The National Information Assurance Partnership web site - partners are US govt. agencies NIST and NSA. Includes sections for 'Security Testing', 'Tools and Techniques', 'Automated Testing', info re international IT security standard ISO/IEC 15408, the 'Common Criteria for Information Technology Security Evaluation' and the associated 'Common Evaluation Methodology'.
  • SANS website
    Web site of SANS (System Administration, Networking, and Security Institute), a cooperative research and education organization through which more than 96,000 sysadmins, security professionals, and network administrators share lessons learned and solutions.
  • Security Focus.Com
    Site for news, forums, resources, vulnerability info, conference info, tools, etc. related to computer security including web and internet security issues. Search vulnerability database by keywords, date, vendor, version, etc.
  • CERIAS Security Archive
    Purdue University's computer security site; includes extensive collection of links organized by subject to security tools, info resources, etc. Tools list of more than 100 security tools includes many test tools such as CRACK, COPS, IPSend, Tiger, Secure Sun, etc.; all tools listed are available for download from the CERIAS site.
  • Computer Emergency Response Team site
    CERT's internet security web site; includes web server security information; hosted by the Software Engineering Institute at Carnegie Mellon University.

Web Usability

  • Useit.com
    Jakob Nielsen's web usability website with such articles as 'How Users Read on the Web', 'Costs of User Testing', and 'Differences between Print Design and Web Design'.
  • Usability Testing of Advanced Web Concepts
    Article on usability testing at Sun web site.
  • User Interface Engineering
    Site of UIE, a UI training and consulting company; info and links re usability testing and a chapter from the book "Web Site Usability" by Jared Spool.
  • Microsoft Usability Home Page
    Microsoft's collection of info about their usability labs, related issues, listings of resources; includes info from the 'Human Factors and the Web' conference series.

Resources