A study conducted by the National Institute of Standards & Technology (NIST) reports that inadequate testing methods and tools cost between $22.2 billion and $59.5 billion annually. Roughly half of these costs are borne by software developers in the form of extra testing and half by software users in the form of failure avoidance and mitigation efforts.
The same study notes that about 25-29% of software development budgets are often spent on testing.
Despite the large investment in testing described above, recent market research data shows that the different types of testing efforts are relatively ineffective. In particular, the testing methods used identify only one-fourth to one-half of defects, while other verification methods, such as inspections, are typically more effective. Inadequate testing is one of the main reasons that software is delivered with approximately 2 to 7 defects per thousand lines of code. This may look like a negligible number, but the result is that major software systems are placed into operation with residual defects.
Most Risky Software Issues
- Incorrect calculations – These can be seen in financial and date calculations. The key factor is the involvement of mathematical functions and mathematical operators.
- Incorrect data edits – This is a major issue when the software does not apply existing data edits correctly. For example, a data edit may be coded to prohibit the entry of a day greater than “31” but not to check the day against the month, allowing the entry of February 30, which is an invalid date.
- Ineffective data edits – This is when data edits are in place and working correctly, but still fail to prevent incorrect data from being entered into the system. An example of this is an alphanumeric address field that allows spaces to be entered before any numbers or letters in the address. As a result, searches or sorts performed on the address field will not find the intended address.
- Incorrect coding/implementation of business rules – These are the mistakes that occur between development or implementation and what is actually delivered. These defects can be traced back to incorrect or missing system specifications.
- Inadequate software performance – This refers to slow system response times and transaction throughput rates.
- Confusing or misleading data – This means that the data shown to users may be correct, but the users might not understand how to interpret the data.
- Software that is difficult to use – Many people have experienced the frustration of using software that is cumbersome, difficult to navigate, and requires several steps to perform simple tasks. This problem relates to a lack of understanding of how humans interact with computers. This is also the result of a history of unplanned modifications, which are not coordinated to account.
- Obsolete software (software that no longer works due to new hardware or support software changes) – This refers to software that is based on the functions found in older versions of databases and operating systems. Many vendors try to make new releases of support software upwardly compatible, but there are usually cases where one minor area of non-support from the base system can cause a major revision of the system.
- Inconsistent processing – Software that only works correctly in one environment and cannot be easily transported and used in another environment. Of course, some software is designed to work in only one environment. However, if an organization adopts new technology that requires software be portable to new environments, it will require a modification.
- Difficult to maintain and understand – This refers to the ability of a programmer or developer to maintain the software. To maintain software, the person performing the maintenance must analyze and understand the software thoroughly. The problem arises with software that is written in an unstructured manner and then patched. This type of software structure results in “spaghetti code,” which is complex and unstructured. To add to the problem, when changes are made to this kind of software, there is a higher risk of creating new defects unintentionally.
- Inadequate support of business needs or objectives – This refers to software that is too inflexible to meet business needs. For example, a system may be difficult to modify to meet an organization’s needs or may lack features to allow the users to customize business rules.
- Incorrect matching and merging of data – This refers to situations where data is obtained from one source and matched or merged with data from another source. Examples include sorting multiple files into a single file or table or matching data from a master file to an ID number entered as a lookup entry.
- Data searches that yield incorrect results – This means that a search retrieves incorrect data. In the worst case, the data retrieved appears to be correct in format, but only by tracing back to source documents and other original data can it be determined that the data is incorrect for the search criteria. An example of this would be searching for the time worked by a particular employee in a payroll system. The employee’s name at the top of the information may be displayed correctly, but the detailed time data may belong to another employee. The only ways to verify the information would be to compare the time worked back to time sheets or to tables that indicate the employee ID.
- Incorrect processing of data relationships – This means that data relationships are not created or maintained correctly between one or more data elements. These data elements can reside on interactive interfaces, reports, or files. For example, a system may allow a user to enter an area code that is invalid for the state specified in an address field.
- Inadequate security controls – This means that unauthorized access to the system is not adequately controlled and detected. In addition, people may be able to perform transactions in excess of the authorization levels appropriate for their job functions. For example, a person without managerial levels of security access might be able to approve their own overtime. Likewise, a person not in the payroll department might be able to view the employee payroll files.
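The two data-edit problems in the list above can be tested directly. This is an added example, not part of the original article: it puts the flawed "day greater than 31" edit beside a calendar-aware one, reports the dates that slip through the gap, and shows the leading-space address search failure. All function names and sample values are constructed for illustration.

```python
import calendar

def weak_day_edit(year, month, day):
    """The flawed edit from the text: rejects only days greater than 31."""
    return 1 <= day <= 31

def strict_date_edit(year, month, day):
    """Checks the day against the real length of that month and year."""
    if not 1 <= month <= 12:
        return False
    return 1 <= day <= calendar.monthrange(year, month)[1]

def edit_gaps(samples):
    """Dates the weak edit accepts although they do not exist."""
    return [d for d in samples
            if weak_day_edit(*d) and not strict_date_edit(*d)]

def canonical_address(raw):
    """Strip leading/trailing spaces and collapse runs of whitespace."""
    return " ".join(raw.split())

def find_address(stored, query, normalise):
    """Exact-match search; `normalise` selects raw or canonical comparison."""
    key = canonical_address(query) if normalise else query
    return [a for a in stored
            if (canonical_address(a) if normalise else a) == key]

# Constructed sample input.
SAMPLE_DATES = [(2023, 2, 30), (2023, 2, 29), (2024, 2, 29),
                (2023, 4, 31), (2023, 12, 31), (2023, 1, 32)]
SAMPLE_ADDRESSES = ["  12 Main St", "10 Oak Ave"]

if __name__ == "__main__":
    print(edit_gaps(SAMPLE_DATES))
    print(find_address(SAMPLE_ADDRESSES, "12 Main St", normalise=False))
    print(find_address(SAMPLE_ADDRESSES, "12 Main St", normalise=True))
```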
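The security-control failures named in the last item (approving one's own overtime, viewing payroll files from outside payroll) can be expressed as checks that a test suite exercises. This is an added example, not part of the original article: the roles, permission names and functions are hypothetical, and denying self-approval even for managers is an assumption that goes slightly beyond the text. Every decision is logged so that denied attempts can be detected.

```python
from dataclasses import dataclass

# Hypothetical role-to-permission map, constructed for this example.
ROLE_PERMISSIONS = {
    "employee": {"submit_overtime"},
    "manager": {"submit_overtime", "approve_overtime"},
    "payroll": {"view_payroll"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str

AUDIT_LOG = []  # every decision is recorded so misuse can be detected later

def record(user, action, target, allowed, reason):
    """Append the decision to the audit log and return it."""
    AUDIT_LOG.append({"user": user.user_id, "action": action,
                      "target": target, "allowed": allowed, "reason": reason})
    return allowed

def has_permission(user, permission):
    # Unknown roles get no permissions (deny by default).
    return permission in ROLE_PERMISSIONS.get(user.role, set())

def can_approve_overtime(user, submitted_by):
    """Approval needs the manager permission and a different submitter."""
    if not has_permission(user, "approve_overtime"):
        return record(user, "approve_overtime", submitted_by, False, "role")
    if user.user_id == submitted_by:
        return record(user, "approve_overtime", submitted_by, False, "self-approval")
    return record(user, "approve_overtime", submitted_by, True, "ok")

def can_view_payroll(user, employee_id):
    """Payroll files are readable only with the payroll permission."""
    allowed = has_permission(user, "view_payroll")
    return record(user, "view_payroll", employee_id, allowed,
                  "ok" if allowed else "role")

def denied_events():
    """Denied decisions, the entries a reviewer would alert on."""
    return [e for e in AUDIT_LOG if not e["allowed"]]
```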
It is a huge challenge to cover all of these problem areas completely. Like everything else in testing, looking at relative risk and the situation at hand will narrow the core focus. One approach would be to design a risk questionnaire for each problem area. Another method would be to interview users to assess the risk impact. A third approach would be to study past defect reports and correlate them to each of the problem areas, giving the highest priority to the most troublesome areas.