From the course: ISC2 Certified Cloud Security Professional (CCSP) Cert Prep

Cloud software assurance and validation

- [Narrator] Welcome to this lesson on Cloud Software Assurance and Validation. In this lesson, we'll have two key objectives. The first one is to define a few terms, which are functional and non-functional testing, and then the second one is to walk through a handful of security testing methodologies. Starting with functional and non-functional testing, both of these testing types are critical to ensuring that a software system not only operates as intended, but also meets the various requirements critical to its overall performance and security. Functional testing involves validating the software against its functional specifications, and this is often through things like unit, integration, and usability testing. It's also important to perform these tests in environments that closely resemble the production environment to ensure the highest level of accuracy. Non-functional testing, on the other hand, addresses aspects like security, system load capacity, and cross-platform compatibility. These tests are also integral to assessing a system's overall robustness and effectiveness beyond its primary functional capabilities. More specifically, over here we have a handful of functional testing categories and a brief definition of what each test type is. Starting with unit testing, this is testing a single function or module, and this is the first step in ensuring that each individual component is functioning. After that, you would do integration testing, which is chaining together these modules to ensure that, even if each module functions independently, when they are put together they still continue to work. Next up, we have usability testing, which is an assessment of users' interaction with the application and whether or not components of the system work as expected and are reasonably intuitive. 
And then finally, we have regression testing, which consists of checks that ensure that errors and vulnerabilities that previously existed within the application or code base weren't unintentionally reintroduced during a subsequent release. Once again, some key objectives of this functional testing are going to be a realistic testing environment, defining whether or not the application has met the minimum criteria for acceptance, and ideally, achieving a bug-free environment. Getting more specific into non-functional testing, first we have security testing, and this is where we might look at something like data encryption to ensure that the encryption mechanisms are being applied properly and are also using approved encryption algorithms. And then we have capacity testing, which is where we would be assessing whether or not the load balancing mechanisms and application infrastructure scaling can properly scale either horizontally or vertically to meet demand dynamically, and that when applications do scale, such as in a horizontally scaled instance, the load balancer is properly distributing the load between the individual components. Next, we have compatibility testing, which is where we check to see whether or not the application supports various platforms. Think of this as being a website where, sometime through the development process and after the deployment of the website, we would test to make sure that the website looks good and functions as expected on both a computer screen as well as a much smaller screen, such as your smartphone, to validate that users are going to have a similar experience regardless of the device that they're using to browse to the website. And then finally, another non-functional test is validating that the documentation that supports the application and the code base is being properly updated to make sure that it's available when needed. 
Some key objectives of non-functional testing are meeting compliance requirements and assessing the overall performance of the application. Finally, let's talk about secure testing methodologies. These are essential for validating that the software complies with the organization's security strategy and fulfills all the security-related requirements. The methodologies vary based on the level of knowledge and access. So for example, we have white-box testing, which involves thorough testing where the tester has access to things like the source code and a full repository of documentation about the systems and components that exist within the application. Next, we have grey-box testing, which is testing with limited internal knowledge. This can be difficult to quantify, but it's just a type of testing that is somewhere between white-box and black-box, where the tester doesn't necessarily have full knowledge of the system, but they also have some knowledge of the system, which would preclude it from being black-box testing. And finally, of course, black-box testing is simulating an external attacker who has no internal knowledge of the systems or the components. Some of the information and documentation that might be included in grey- and white-box testing could be things like architectural diagrams, network diagrams, including things like IPs and hostnames, as well as some application details like source code and the algorithms that are being used in things like encryption. Now, the choice of which methodology you use is influenced by a variety of different factors, including the nature of the application, the availability of the source code, and restrictions imposed by the cloud service providers, or CSPs. In general, a solid method can be using some combination of all three of these methodologies throughout your testing lifecycle. 
In summary, in this lesson, we talked about both functional and non-functional testing, and we talked about a handful of different specific test types that would fall within each of these categories. And then finally, we talked about secure testing methodologies and we broke down the difference between black-box, grey-box and white-box testing. Thanks for joining. I'll see you in the next lesson.
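The lesson above describes unit, regression and security (approved-algorithm) tests in the abstract. The following is an added example, not part of the course material, showing what those three test types look like in code for a small hypothetical cloud storage module. The service functions, the configuration dictionary, the approved-algorithm lists and the previously fixed path-traversal bug are all constructed for illustration; only the Python standard library is used, so it runs offline.

```python
"""Added example (not from the course): functional and non-functional tests
for a small, hypothetical cloud storage module.  Everything here is
constructed for illustration; only the standard library is used."""
import hashlib
import hmac
import posixpath
import sys
import unittest

# ---- Hypothetical service code under test ---------------------------------

# Constructed allow-lists standing in for an organisation's approved algorithms.
APPROVED_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "ChaCha20-Poly1305"}
APPROVED_HASHES = {"sha256", "sha384", "sha512"}

# Constructed configuration the service would load at start-up.
SERVICE_CONFIG = {"storage_cipher": "AES-256-GCM", "token_hash": "sha256"}


def config_violations(config: dict) -> list:
    """Security (non-functional) check: list every configured algorithm that
    is not on the approved list.  An empty list means the config passes."""
    problems = []
    if config.get("storage_cipher") not in APPROVED_CIPHERS:
        problems.append(f"storage_cipher={config.get('storage_cipher')!r} not approved")
    if config.get("token_hash") not in APPROVED_HASHES:
        problems.append(f"token_hash={config.get('token_hash')!r} not approved")
    return problems


def sign_token(key: bytes, payload: bytes, algo: str = "sha256") -> str:
    """Unit under test: HMAC a payload with the configured hash algorithm."""
    return hmac.new(key, payload, getattr(hashlib, algo)).hexdigest()


def verify_token(key: bytes, payload: bytes, tag: str, algo: str = "sha256") -> bool:
    """Unit under test: constant-time comparison of the expected HMAC tag."""
    return hmac.compare_digest(sign_token(key, payload, algo), tag)


def resolve_object_path(bucket_root: str, requested: str) -> str:
    """Unit under test.  A hypothetical earlier release let '../' in the
    requested name escape the bucket root; the containment check below is the
    fix, and the regression test keeps it from being reintroduced."""
    candidate = posixpath.normpath(posixpath.join(bucket_root, requested.lstrip("/")))
    if not (candidate == bucket_root or candidate.startswith(bucket_root + "/")):
        raise PermissionError(f"path escapes bucket root: {requested!r}")
    return candidate


# ---- Tests ------------------------------------------------------------------

class UnitTests(unittest.TestCase):
    """Functional: a single module behaves as specified."""
    def test_sign_verify_roundtrip(self):
        self.assertTrue(verify_token(b"k", b"user=alice", sign_token(b"k", b"user=alice")))

    def test_tampered_payload_rejected(self):
        tag = sign_token(b"k", b"user=alice")
        self.assertFalse(verify_token(b"k", b"user=admin", tag))


class SecurityTests(unittest.TestCase):
    """Non-functional: only approved encryption and hash algorithms are used."""
    def test_live_config_uses_approved_algorithms(self):
        self.assertEqual(config_violations(SERVICE_CONFIG), [])

    def test_weak_config_is_flagged(self):
        weak = {"storage_cipher": "DES-CBC", "token_hash": "md5"}  # constructed bad config
        self.assertEqual(len(config_violations(weak)), 2)


class RegressionTests(unittest.TestCase):
    """Regression: the previously fixed path traversal stays fixed."""
    def test_path_traversal_stays_fixed(self):
        for bad in ("../../etc/passwd", "a/../../x", "/../secret"):
            with self.assertRaises(PermissionError):
                resolve_object_path("/data/bucket", bad)

    def test_normal_object_still_served(self):
        self.assertEqual(resolve_object_path("/data/bucket", "docs/readme.txt"),
                         "/data/bucket/docs/readme.txt")


def run_all() -> bool:
    """Run every test class in this module; True when all pass."""
    suite = unittest.defaultTestLoader.loadTestsFromModule(sys.modules[__name__])
    return unittest.TextTestRunner(verbosity=0).run(suite).wasSuccessful()


if __name__ == "__main__":
    raise SystemExit(0 if run_all() else 1)
```

The three test classes map onto the lesson's categories: the unit tests confirm a single module works, the security tests check the non-functional requirement that only approved algorithms are configured (and that a weakened config is caught rather than silently accepted), and the regression tests pin the fix for an earlier vulnerability so a later release cannot reintroduce it. Running the suite against a staging environment that mirrors production, as the lesson recommends, is what turns these checks into meaningful assurance.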
