stp-2008-03


Transcript of stp-2008-03

  • 7/27/2019 stp-2008-03

    1/40

    A Publication

    Manage Performance By Testing Early and Often

    Building's Not in the Cards? Minimize Risk When Buying

    Motivate a Team With Some Spade Work

    The Foundation Of Good Testing

    BEST PRACTICES: Change Management

    VOLUME 5 ISSUE 3 MARCH 2008 $8.95 www.stpmag.com


    April 15-17, 2008

    San Mateo Marriott

    San Mateo, CA

    A BZ Media Event

    SPRING


    Platinum Sponsors Gold Sponsors Silver Sponsor

    www.stpcon.co

    Register By March 28 to Get The Early-Bird Rate. SAVE OVER $200!

    break your old testing habits

    Learn the Latest Tips and Techniques. Try Out the Newest Technology. All at STPCon!

    "Great, informative conference for software testers, leads and managers alike. Useful tutorials and technical classes of wide variety. A must-attend for all serious QA/SQE professionals!"

    Alan Abar, Software Quality Engineering Manager, Covad Communications

    SUPERB SPEAKERS

    Michael Bolton, Jeff Feldstein,

    Michael Hackett, Jeff Johnson, Bj Rollison,

    Rob Sabourin, Mary Sweeney, Robert Walsh

    AND DOZENS MORE!

    TERRIFIC TOPICS

    Improving Web Application Performance

    Optimizing the Software Quality Process

    Developing Quality Metrics

    Testing SOA Applications

    Charting Performance Results

    Managing Test Teams

    AND OVER 70 MORE TO CHOOSE FROM!

    "You'll find information outside of your daily activities, and options/alternatives to think about new approaches to testing."

    Alex Kang, Staff Engineer, Tellabs

    "It solidifies the total testing experience and opens your eyes to alternative approaches and methods that you simply cannot get from books."

    John Croft, QA Manager, I4Commerce


    Contents

    A Publication

    VOLUME 5 ISSUE 3 MARCH 2008

    14 COVER STORY: Keep Your Web App From Falling Like a House of Cards

    Don't wait until the end stages to discover that your application's architecture doesn't scale well. Test early and often to keep your Web apps from falling apart. By Ernst Ambichl

    24 Buy vs. Build: Minimize Risk

    Custom-developed and COTS software bring a slippery slope of opportunity and risk to system quality. Learn the dangers of buying vs. building, and strategies that can transform risk into profit. By Rex Black

    29 Motivate Your Team With A Few Simple Tricks

    To find the best practices that charge up your team, look for its motivators and demotivators. Shrink management, dump groupthink, encourage circulation, and watch your team get going. By Alan Berg

    33 Testing From The Ground Up

    In software testing, as in construction, a solid foundation is crucial. Ground your project with comprehensible requirements, a well-prepared test strategy and continuous enhancement of the test suite. By Kiran Vankatesh

    Departments

    7 Editorial

    Selling software vulnerabilities to the highest bidder: free market or shakedown?

    8 Contributors

    Get to know this month's experts and the best practices they preach.

    9 Feedback

    It's your chance to tell us where to go.

    11 Out of the Box

    New products for testers.

    36 Best Practices

    From tulips to leaky levees: a comparative study in change management. By Geoff Koch

    38 Future Test

    Usage metering and software security join forces for IP protection. By Kevin Morgan

    MARCH 2008 www.stpmag.com 5


    TAKE THE HANDCUFFS OFF QUALITY ASSURANCE

    Empirix gives you the freedom to test your way.

    Tired of being held captive by proprietary scripting? Empirix offers a suite of testing solutions that allow you to take your QA initiatives wherever you like.

    Download our white paper, Lowering Switching Costs for Load Testing Software, and let Empirix set you free.

    www.empirix.com/freedom


    Ed Notes

    Hackers and The Free Market

    Edward J. Correia

    In a newsletter last October, I wrote about a Swiss company with a name as unusual as its mission. WabiSabiLabi is one of a growing number of companies to begin selling software security vulnerabilities to the highest bidder. As I reported at the time, the model encourages security companies, researchers and others to capitalize their findings in an open marketplace.

    The idea was that buyers and sellers would be vetted by the company, and transactions would be limited to legitimate organizations. After only two months in business, the company had logged 160,000 unique visitors, 1,000 registered sellers and 150 vulnerabilities.

    WSLabi attributed the quick success to a security community anxious for an opportunity to spread their experience and research to an eager and ready audience of vetted buyers prepared to pay for the latest information. Patrons of the site (wslabi.com) include enterprises, government agencies and major software vendors in the IT security sector keen on learning about the vulnerabilities as they enter the world.

    All that may sound good on paper, but there's a dark side.

    A Russian security research firm called GLEG Ltd. is one of a number of companies that analyze software for security defects and offer the information for sale to the software's developer. The company on January 1 announced that it had identified a zero-day vulnerability in RealNetworks RealPlayer 11 (build 6.0.14.74) that reportedly allows for code execution when RealPlayer opens a malicious song file. GLEG gives this information to its customers and wants to be paid by RealNetworks before revealing the exploit.

    Security Shakedown

    Although this is perfectly legal, it might seem more like legalized extortion. Somewhat akin to the local locksmith, after you've purchased a new lockset for your home, shaking you down so he won't sell copies of your house keys.

    "A protocol that better protects the security of our software ecosystem would be for vulnerability finders to contract directly with the vendor to find vulnerabilities," says Chris Wysopal, CTO and co-founder of Veracode, of the incident on his blog. Veracode too offers security testing solutions and services, but operates a bit differently.

    If a company is concerned about the security of software it's about to buy, it can hire Veracode to conduct an assessment. "We will contact the vendor and have them upload their software binary executable to our portal," Wysopal explains. "We analyze the software and deliver a detailed report of the security issues we find in the code. We also generate a summary report for the customer to understand the security risks of the software."

    This seems a more reasonable approach; Veracode customers know about the vulnerability and can weigh the risks of using the product, while the application's developer gets what it needs to fix the flaw.

    There's just one problem: The solution completely overlooks vulnerabilities of the type found by GLEG, in software that is free. And for software that's not free, Veracode serves only people who ask for their services, leaving a lot of software unchecked.

    I'm a firm believer in the free market, as long as its solutions are fair to all sides. I suppose that the simplest answer in RealNetworks' case would be to become a customer of GLEG.

    EDITORIAL

    Editor: Edward J. Correia, +1-631-421-4158 x100

    Editorial Director: Alan Zeichick, +1-650-359-4763

    Copy Editor: Laurie O'Connell

    Contributing Editor: Geoff Koch

    ART & PRODUCTION

    Art Director: LuAnn T. Palazzo

    Art/Production Assistant: Erin Broadhurst

    SALES & MARKETING

    Publisher: Ted Bahr, +1-631-421-4158 x101

    Associate Publisher: David Karp, +1-631-421-4158 x102

    Advertising Traffic: Phyllis Oakes, +1-631-421-4158 x115

    Director of Marketing: Marilyn Daly, +1-631-421-4158 x118

    List Services: Lisa Fiske, +1-631-479-2977

    Reprints: Lisa Abelson, +1-516-379-7097

    Accounting: Viena Ludewig, +1-631-421-4158 x110

    READER SERVICE

    Director of Circulation: Agnes Vanek, +1-631-443-4158

    Customer Service/Subscriptions: +1-847-763-9692

    BZ Media LLC, 7 High Street, Suite 407, Huntington, NY 11743, +1-631-421-4158, fax [email protected]

    President: Ted Bahr

    Executive Vice President: Alan Zeichick

    Cover Photograph by Alexey Kashin

    Software Test & Performance (ISSN- #1548-3460) is published monthly by BZ Media LLC, 7 High Street, Suite 407, Huntington, NY, 11743. Periodicals postage paid at Huntington, NY and additional offices.

    Software Test & Performance is a registered trademark of BZ Media LLC. All contents copyrighted 2008 BZ Media LLC. All rights reserved. The price of a one year subscription is US $49.95, $69.95 in Canada, $99.95 elsewhere.

    POSTMASTER: Send changes of address to Software Test & Performance, PO Box 2169, Skokie, IL 60076. Software Test & Performance Subscribers Services may be reached at [email protected] or by calling 1-847-763-9692.

    Contributors

    We're pleased to welcome ERNST AMBICHL, Borland's chief scientist, to our pages. Ernst served as chief technology officer at Segue Software until 2006, when the maker of SilkTest and other QA tools was acquired by Borland. He joined Segue in 1998 and helped build it into a leader in its field.

    At Borland, Ernst is responsible for the architecture of Borland's Lifecycle Quality Management products. In our lead feature, which begins on page 14, Ernst will school you on methods of load testing early in the development cycle, even when parts of an application aren't yet completed, with an eye toward preventing downstream performance issues.

    REX BLACK has a quarter-century of software and systems engineering experience, and is president of RBCS, a software, hardware and systems testing consultancy.

    In this issue, Rex lends his considerable expertise to the practice of minimizing the risks of testing and integrating outsourced application components. Beginning on page 24, Rex mixes practical wisdom with real-world experience from working with corporations in dozens of countries to bring you an analysis of the risk factors of integration, how to select a component vendor and how to test its products and processes.

    We once again bring you the enjoyable style and wit of ALAN BERG, the author of numerous articles and papers on software development and testing. This time, he draws from his experience on numerous teams to enlighten us on motivating a development team, beginning on page 29. And yes, bribery is one of several techniques he espouses.

    Alan is the lead developer of Central Computer Services at the University of Amsterdam, a post he has held for more than seven years. He holds a bachelor's degree, two master's degrees and a teaching certification.

    KIRAN VANKATESH is test lead of the Testing Practice at MindTree Consulting, an IT services and consulting company with offices in the U.S., Europe and Asia-Pacific. Beginning on page 33, Kiran offers a tutorial covering the basics of good testing practice.

    Kiran has been a software tester for four years, and has a strong conceptual background in financial, healthcare and asset management systems. He is proficient in functional testing, verification and general software testing, and also has worked on real-time transactional applications. Kiran works in MindTree's Bangalore office and holds a Software Test Engineer certificate from the International Software Testing Qualifications Board.

    TO CONTACT AN AUTHOR, please send e-mail to [email protected].


    Feedback

    The following letters refer to Edward J. Correia's editorial "Defect Tracker for Politicians" (Software Test & Performance magazine, Feb. 2008; retitled "Track Politicians Like Bugs" in the Feb. 5, 2008, edition of Test & QA Report newsletter; see http://stpmag.com/retrieve/stp-0802.htm).

    FROM FANTASTIC

    Just received and read today's Test & QA Report. I just wanted to say that was fantastic.

    Jo Compton

    Los Angeles, CA

    TO REFRESHING

    A note to let you know how absolutely refreshing your Ed Notes column was in the February 2008 issue of Software Test & Performance. Frankly, I did not even once have to mumble under my breath and grind my teeth as I have been told that I do when reading some of the liberal, progressive propaganda that always seems to work its way, I am sure by no accident, into just about every issue of eWeek. Bravo!

    Michael Hyman

    San Diego, CA

    TO IGNORANT POOR TASTE

    I found this article to be in very poor taste. First of all, it is probably a very bad idea to inflict your political views on the readership of your publication. Second, many of the statements you made were based on faulty logic or ignorance of the facts, or were just plain simplistic and/or not reflective of very high intelligence. You may want to consider avoiding this kind of content in the future.

    Steve Munger

    Portland, OR

    FEEDBACK: Letters should include the writer's name, city, state and e-mail address. Send your thoughts to [email protected]. Letters become the property of BZ Media and may be edited for space and style.

    SPRINGTIME MEANS SUNSHINE, BASEBALL AND STPCON

    Here they come again. No, not Derek Jeter and Barry Bonds. I'm referring to Michael Bolton, Hans Buwalda, Mary Sweeney and Rob Sabourin, who also delivers the keynote on testing in Scrum. These are just a few of the instructors you've told us are your favorites, so we've brought them back to the Software Test & Performance Conference in San Mateo, along with a few new faces too.

    The San Mateo Marriott is where we'll break out of the box; the performance box, that is. You've told us you wanted more performance classes, and we've delivered. This year's conference will be loaded (so to speak) with nearly a dozen classes designed specifically to help you find ways of improving the performance of your applications.

    We've also brought Karen Johnson to town, and she'll offer a two-part class on charting and presenting performance results using graphical analysis and proven storytelling techniques.

    If you were with us last year, you might remember the Hands-On Testing Showcase, a successful event we introduced in San Mateo and expanded last fall in Boston. Well, HOTS is back and will be better than ever, with multiple vendors inviting you to test their latest products while enjoying copious quantities of fabulous food and bottomless bins of potent potables.

    We'll also be introducing Lightning Talks to STPCon, where conference-goers can hear as many as 10 speakers in a single hour give short, targeted lectures on the essence of a subject relevant to your job. Speakers might test-drive a new topic, promote one of their classes or new pet project, or just provoke thought among the audience with a brilliant concept.

    So here it is, your ticket to advancing your testing skills, expanding your contact base and broadening your mind, all at the Software Test & Performance Conference. I hope to see you there, April 15-17, at the San Mateo Marriott.

    Edward J. Correia

    STPCon in San Mateo this April will feature a demo hall that's bigger than ever before and stocked to the rafters with the newest products for software testers, and knowledgeable company reps to explain how to put them to use.


    Out of the Box

    SOAPscope Trio Spots a Test-Team Oasis

    SOAPscope Server 6.1, the latest version of Mindreef's SOA and Web services testing platform, now includes three desktop modules aimed specifically at testers and developers. The company also increased support in the platform for OASIS WS-Security specifications.

    Among the new trio is SOAPscope Architect 6.1, which the company describes as a design-time governance and SOA quality and testing platform for authoring policy rules, design-time support, prototyping, change-time and runtime support. The tool incorporates industry standards and specifications for SOA applications and enables design teams to build compliant components in combination with their own customized best practices.

    Also new is SOAPscope Tester 6.1, which brings load testing and test automation to the SOA quality platform, and helps QA engineers, testers and consultants identify quality problems and potential performance bottlenecks early in the life cycle.

    SOAPscope Developer 6.1 integrates tools for problem diagnosis and resolution, unit testing and supporting service customers. The tool allows teams to create, test, deliver and support Web services and SOA components, and automates XML-oriented tasks. The three new modules are included with SOAPscope Server 6.1, a server-based solution intended for use and collaboration by all members of the SOA and Web services team, including analysts and managers.

    An Oasis of Interoperability

    As OASIS and other specifications advance, it becomes ever more important for companies to remain compliant so their applications continue to interoperate with those of other organizations. According to the company, all version 6.1 Mindreef products can be used to test Web services that use WS-Security. They do this by invoking and resending protected SOAP messages, running scenario tests using the specified X.509 Token Profile, signing and encrypting. Testers can use SOAPscope tools to create working security profiles for different WS-Security configurations and switch between them for testing.

    Frank Grossman, president and CTO of Mindreef, said, "Project teams have been lacking the ability to quickly and easily check for adherence to standards as services are being created, tested and implemented." The expanded line was designed with this problem in mind, he added.

    SOAPscope Server 6.1 introduces the concept of the service space, a container that allows teams to organize, collaborate and share assets with other project team members, and run tests based on predefined profiles, the company said in a statement announcing the new products.

    SOAPscope Server 6.1 is available now; pricing is based on project scope.

    Break-out apps in SOAPscope Server 6.1 target application designers, testers and developers.

    From Here to Aternity

    Aternity, which makes user experience management tools, in late January began shipping the Frontline Performance Intelligence Platform, which it claims can pre-emptively detect software problems, monitor application usage and usability, analyze end-user productivity, correlate business performance and help with capacity planning. Licensing starts at US$75,000.

    At the heart of the system is a series of Microsoft Certified Agents, which gather data about end-user activities and transactions, and report back to an aggregation service. According to company claims, the agents consume a maximum CPU utilization of 3 percent, and 0.1 percent on average. Other services handle data analysis and management.

    "By transforming every desktop into a self-monitoring platform that is end-user-experience aware, we're enabling these enterprises to harness the frontline intelligence they need to make effective business decisions that will drive increased productivity, performance and usability," said Aternity president and CEO Trevor Matz in a statement introducing the product at the DEMO 08 Conference in Palm Desert, Calif.


    Open Studio Goes Live

    Talend updated its flagship Open Studio data integration solution in February, adding more than 30 new components, connectivity to more databases and support for event triggering based on real-time data conditions. The tool also now can execute groovy scripts, dynamically load and execute Java classes, and generate graphs compatible with the Portable Network Graphics (PNG) lossless compression specification.

    According to the company, the latest version, Open Studio 2.3, now fully supports the WSDL specifications, enabling Talend's data integration processes to become data services components of an SOA.

    The company also claims performance gains of as much as 600 percent over the previous versions, and major enhancements to debugging and trace modes for viewing data as it flows through processes. These enhancements add expand/collapse, pause/resume and step-by-step viewing modes to the viewing capabilities.

    Connectivity in Open Studio 2.3 now includes JasperSoft iReports, Microsoft Dynamics and SQL Server 2008, Mondrian, Palo, Sage CRM and Vertica, all of which can be used for integration as data targets or sources, the company said. The release also expands support for the data warehousing phenomenon of Slowly Changing Dimensions (types 1, 2 and 3), adding IBM DB2, Ingres, MySQL, SQL Server, Oracle, PostgreSQL and Sybase ASE to its supported list. Talend Open Studio 2.3 is available now; pricing was not disclosed.

    In related news, Talend in late January struck a deal under which Microsoft will dedicate resources to help the company optimize performance and integration of Talend's software products with Windows.

    In a statement, Microsoft director of platform technology strategy Sam Ramji said that the company's motivation for the move was "expanding our customers' options for data integration and extending both Windows and SQL Server."

    Open Studio 2.3 now supports event triggering based on real-time data conditions.

    The Credo of Zephyr QA Test Management: Of Desktops and Dashboards

    By now it would be a stretch to claim that software as a service is a new thing, particularly when companies are reporting half-billion-dollar fiscal years, as Salesforce.com did in 2007.

    But a scant few have offered SaaS solutions for testers, and none as complete as promised by the forthcoming Zephyr from D Software.

    Zephyr consists of a series of modern-looking, dynamic Web pages centering around the concept of desktops and dashboards. Executives, managers and test team members access the system through desktops customized for their specific roles on the team. All relevant applications are contained in the desktop and can open in multiple windows. Managers might see project and resource management apps while testers see test case creation and execution programs.

    Changes to any data shared among multiple team members are updated on all screens instantly, according to information on the company's Web site (www.getzephyr.com).

    Zephyr's sleek, dynamic interfaces take on the look of a high-end hi-fi system and present real-time data on project status.


    VDI Spreads TheVirtual LoveVMware claims to have simplified the way

    administrators using its tools can connectto and manage the virtual desktops under

    their control. Virtual Desktop Manager

    2 is an enhancement to VMware Virtual

    Desktop Infrastructure (VDI) that the

    company claims streamlines secure con-

    nections to the data center and provides

    continuity services that were previously

    offered only for mission-critical applica-

    tions.

    VDI is available now starting at US$150

    per concurrent user. Virtual Desktop

    Manager 2 can connect from a PC or thin

    client, can manage thousands of desktops

    at once and reduces the time it takes to

    provision a new desktop from hours to

    minutes, according to a company news

    release. The tool also is available in vari-

    ous bundles.

    Insight on Byte CodeAnalysisSource code analysis tool maker Klocwork

    on Feb. 12 began shipping a new version

    of Insight for Java, its automated analysis

    tool that it claims now delivers accurate

    bug and security vulnerability results from

    byte code scans, regardless of the com-

    piler and framework used to build it.

    Insight for Java supports all versions

    of Java up to and including 1.6, Java EE

    and ME. It also works with AWT, GWT,

    Hibernate and JavaMail, and integrates

    with Eclipse, IBM Rational Application

    Developer, IntelliJ IDEA and JBuilder

    2007 IDEs, as well as ANT and Maven

    build tools.

    Springing Into .NETDevelopmentSpringSource has released Spring.NET

    1.1, extending the Spring open source

    framework for Java to the .NET environ-

    ment. The tool is available now for free

    download at www.springframework.net

    /download.html.

    According to a company news release,

    features implemented or improved in ver-sion 1.1 include an inversion of control

    container for configuring application

    classes using dependency injection; an

    ASP.NET framework for Web develop-

    ment with bi-directional data binding and

    improved localization support, data mod-

    el and process management; externalizednavigation through result mapping; and

    a UI-agnostic data validation framework.

    We believe Sprint.NET will prove ben-

    eficial to both the .NET developer com-

    munity as well as the growing number

    of developers who work on both [Java and

    .NET] platforms, said Rob Johnson, CEO

    and founder of SpringSource, which pri-

    or to November was known as Inter-

    face21. Johnson also founded the Spring

    Framework for Java.

    Also implemented are an aspect-ori-

    ented programming framework, portableservice transactions, an aspect library, an

    ADO.NET data access framework and

    declarative transaction management via

    XML configuration and attributes. It

    reportedly integrates with ASP.NET AJAX,

    NUnit and NHibernate 1.0 and 1.2, and

    can mix ADO.NET and NHibernate oper-

    ations in a single transaction.

    Linux App? Now You Can GuardIT

    Arxan Technologies has released a Linux version of GuardIT, giving Linux developers a solution for protecting their applications from tampering.

    According to Arxan, its solutions are deployed using a binary solution that isn't intrusive to application performance. Through an interconnected mesh of small security units called Guards scattered across a compiled binary and then dissolved into the application, Arxan's GuardIT fortifies the overall software product against piracy, reverse engineering, insertion of malware and other forms of attack.

    With the release in late January, GuardIT now works with Linux desktop, server and embedded platforms on x86 and PowerPC systems as well as on Windows and .NET. GuardIT for Linux offers feature parity with the Windows version on both 32- and 64-bit architectures. The new version also introduces anti-tamper, anti-debug, obfuscation and encryption technologies, the company said, as well as the ability to selectively analyze and aim at specific portions of the binary for targeted code protection.

    GuardIT is available now; pricing was not disclosed.

    GlobalLogic: Here's Version 1.0 Version 1.0

    No, it's not a misprint. GlobalLogic last month unveiled Version 1.0, a conceptualization and software development service that it says is designed to help startups and small shops get new software applications or ventures off the ground quickly and with relatively low financial outlay.

    "With Version 1.0, GlobalLogic will provide everything entrepreneurs need to rapidly and qualitatively take an idea scribbled on a napkin to a product or service in the market," said GlobalLogic CEO Peter Harrison in a statement announcing the new service. "By providing early innovators with end-to-end product engineering services, we let them focus on strategy, marketing, customer acquisition and go-to-market challenges."

    Harrison compared the idea to what has been common practice in the semiconductor industry for decades. "We are seeing the emergence of a new breed of fabless software company, and we are excited to be an enabler of this new trend."

    For its part, GlobalLogic offers to produce early application prototypes to help companies attract customers and investor feedback, and even fill in as head of engineering or CTO when necessary. The service also is offered to established companies looking to overcome the roadblocks they typically face when launching an entirely new product, such as slow internal procedures, lack of domain experience and scarce software engineering talent, according to a document announcing the release. Though pricing wasn't disclosed, the company claims it can cut timelines and operating costs by as much as 60 percent compared with in-house development.

    GlobalLogic employs nearly 3,000 people and has offices in the U.S., China, India, and Ukraine.

    Send product announcements to

    [email protected]

    http://www.springframework.net/download.html

    Testing Early and Often Can Help

    Prevent Web Applications From Crumbling

    Under Pressure Like a House of Cards

    By Ernst Ambichl

    Ernst Ambichl is chief scientist at Borland.

    Photograph by Alexey Kashin

    Many organizations wait until the end stages of application development to perform load testing. This practice often leads to the discovery that the architecture doesn't scale well, at a time when it's too late to do anything about it.

    The earlier you start load testing during the application life cycle, the earlier the underlying infrastructure's software defects, design flaws and bottlenecks will be found. A methodology that establishes quality and performance-related activities early in the application life cycle helps to mitigate the risk of project failure, reduces overall project costs, and increases the application's quality and performance.

    Despite the well-known fact that the cost of issue correction increases in each downstream phase, project teams often wait until the end of development to set up and integrate load testing. While it's good practice to perform end-to-end load tests on an application shortly before going live with a new or updated product to prove that the application performs and scales as expected, if the results don't meet the expectations, you can't do much to salvage the project at such a late stage. Usually these activities are limited to tuning the hardware or software configurations, and often, as a last resort, throwing more or faster hardware at the problem. If neither of these activities is successful, it's back to development to find the root cause of the problem in the application code. In the worst-case scenario, the core architecture isn't suited for scalability and performance, and you have to redo core parts of the application.

    With the emergence of application technologies such as SOA and the Web, you also need to adapt your load testing process to the new requirements and challenges that new technologies bring.

    What to Test Early

    Decisions about infrastructure and application architecture are usually done early in the application life cycle. Both have a strong impact on application design, implementation and operation. Reverting infrastructure and architectural decisions until late in the development process can be painful. If you want to prove your architectural concept or different architectural alternatives, you often start with a prototype that implements your major concepts. By applying the prototype to the planned hardware/software infrastructure early, you can test how well the chosen architecture is suited to the infrastructure it will run on.

    Component load testing can be done against business logic components as soon as they're ready, and without the need of a fully developed UI or other software components. With SOA-component load testing, early load testing becomes even more critical.

    The earlier you start developing load tests for components of your system, the earlier you can start to find regressions of performance when these components change. By integrating load tests as part of your regression test suite, you can avoid detecting performance problems long after they are introduced.

    Focus on Infrastructure And Architecture

    Some could argue that testing with a focus on infrastructure is a classic benchmarking domain and doesn't have much to do with load testing an application. Basic hardware/software infrastructures such as network switches, Web servers, firewalls, application servers, DBMSs or messaging middleware are already well known and mature. Often you can even find standard benchmarks for most parts of your infrastructure. But be careful: Standard benchmarks have downsides, as they:

    • Ignore your application's individual structure and workload
    • Exist only for discrete infrastructure parts, not for the specific combination of infrastructure parts that make up your application infrastructure
    • Usually aren't available for new application technologies

    The benefits of early load tests of parts of the application within the target infrastructure are:

    • Early capacity assessment of the application infrastructure
    • Early check for scalability of your architecture
    • Early identification of relevant performance indicators and configuration settings
    • Early information for infrastructure tuning

    By load testing the infrastructure early, you're able to learn about the configuration settings and metrics that are relevant to performance. Knowledge of the relevant performance indicators and configuration settings is highly valuable, not only for later testing and tuning, but also for setting up the right set of infrastructure monitors for your live application.

    For this kind of test, especially within large IT organizations, two or more groups often need to cooperate. The first is IT operations, which is responsible for the infrastructure the application will run on in production. The second is the development team, which is responsible for the application and the scalability of the architecture. A dedicated performance team (perhaps part of the QA group, development or IT) can greatly facilitate these efforts and act as the bridging group between development and IT.

    Load Testing a UI Prototype

    Let's assume you need to build a highly scalable architecture for a Web-based application with a high standard for usability and speed of the user interface. The application will be delivered to all locations using the existing corporate intranet.

    As part of the application development, you're designing a new HTML/UI framework including third-party AJAX components. You want to ensure early in the process that the existing network infrastructure, as well as the company's standard Web server infrastructure, will deliver the required performance and responsiveness for the new application.

    To accomplish this goal, you'll load test a prototype of the application UI using a new UI framework. The prototype includes only a small subset of the planned application's UI logic and is already using the framework's UI controls.

    Since you don't yet have the business logic in place, you're emulating the business logic as hard-coded parts inside the UI prototype (see Figure 1). Having this UI prototype in place, you already can test how well the UI framework performs on the planned infrastructure. Stepwise, you can do tests against a single Web server, load-balanced Web servers, and across the corporate intranet.

    FIG. 1: UI PROTOTYPE

    The idea of this type of early testing is to determine whether some UI components might not be suitable for your intranet's network latency, for example, or are consuming too much memory on the Web server to scale well. This can and should be done before you base your whole application on these components.

    FIG. 2: WITH FULL-TIER PROTOTYPE

    Load Testing a Full-Tier Prototype

    In another scenario, you may want to verify that your application's planned distributed architecture actually runs and scales as expected on the infrastructure chosen for deployment.

    To accomplish this, you can use another prototype of your application for load testing. The prototype needs only to contain a small subset of the real application; it doesn't need to be complete in terms of the functionality it will deliver. It's important that the prototype allows you to test against a small set of use cases that already touch all tiers of the application using the proposed distributed architecture for the application. For a typical Web-based application, these tiers are Web server, application server, database server and external providers, if applicable.

    Load tests using a full-tier prototype on the target infrastructure can help you to get answers to the following questions:

    What is the viability of the infrastructure? With a small subset of functionality touching all tiers, you can determine whether the different infrastructure components can work together to deliver acceptable performance.

    What are the design flaws that result in bottlenecks? Your software architecture's scalability and performance, which define how the different parts of the infrastructure will work together, also can be verified by a prototype that implements the architectural framework used by the application's components. Even different design alternatives (if available as prototypes) can be tested for performance, scalability and reliability.

    Are there incompatibilities between the different technologies used? Early detection of incompatible parts of the infrastructure can be accomplished when a full-tier prototype (as in Figure 2) exists that touches all tiers of the application.

    I ran into such a problem when testing the servlet engine used in certain Web-based products (in our case, Tomcat) with one of the Web servers we needed to support (in this case, IIS). The problems occurred only under load conditions. Testing our application on Tomcat without IIS as the servlet container never showed similar problems.

    Component Load Testing

    Modern multi-user applications are usually built with frameworks that allow for modular, componentized design and architecture. Componentizing your application is the first and most important step to enable you to begin your testing earlier, when certain individual components are getting ready. Especially with components that are accessible remotely and/or concurrently from multiple clients, functional testing should be expanded to component load testing as soon as possible.

    Often, functional tests for components are already completed by developers with the help of standard unit-testing frameworks like JUnit or NUnit. With the right tools in place, it's only a small step to extend these JUnit/NUnit-based tests to small component load tests. My experience has shown that many elusive performance problems can easily be found when exposing remote and multi-instance components to moderate load conditions.

    What components should be load tested? It's important to concentrate your load testing on remote components and/or components that are used concurrently by multiple clients (Figure 3). From a technology view, these are components that expose their functionality via interfaces like RMI, RPC, CORBA and (D)COM, .NET Remoting and, of course, Web services. (SOA will be handled in more detail later in this article.) I also typically include SQL-based data access components in my roster of candidates for load testing. Database performance remains one of the critical elements in a distributed application architecture.

    FIG. 3: COMPONENTS IN A MULTI-TIER APP

    FIG. 4: EXEMPLARY SOA

    With the evolution of SOA technology, there comes the need to adapt your load testing approaches to SOA's new requirements and challenges. First, let's define SOA. As defined by XML.com:

    "SOA is an architectural style whose goal is to achieve loose coupling among interacting software agents. A service is a unit of work done by a service provider to achieve desired end results for a service consumer. Both provider and consumer are roles played by software agents on behalf of their owners."

    Loose coupling is the magic phrase in this definition, and is the enabling factor that allows us to start testing as soon as the services contract (or interface) between the software agents is defined. In theory, SOA architectures are well suited for applying testing early principles, as services should be built with a high degree of autonomy and with minimal dependencies to the environment they run in. The terms Web services and SOAP are purposely omitted from this definition of SOA, which is a much broader architectural concept.

    Factors that influence your load testing approach for SOA applications include:

    • A decreased predictability of use. The agility SOA provides for building new applications based on existing services leads to more unpredictable usage patterns and workloads compared to classic n-tier applications. As a service provider, you may not know who might ultimately consume your service at the time you're developing it. Hence, testing early for the scalability of your services is important.
    • Increased complexity. Since applications based on SOA often consume multiple services (such as composite applications), the services call chain to fulfill an application request can get quite long, especially when using services that themselves consume services.
    • Availability of service providers comes late in the application life cycle. This is especially true when your application depends on a service provided by a third party, such as a business partner. If this is the case, you need to ensure that you can test your application when not all service providers are available.
    • Availability of service consumers comes late in the application life cycle. You need to ensure that you can test your service before the service consumers begin consuming it.
    • SOA facilitates distributed development. Often, distributed teams or even different organizations work on service providers and service consumers. To avoid finger pointing when performance problems are found during system testing, it's important to test the services in isolation.
    • Complex root-cause analysis. Due to the complexity and the distributed nature of SOA applications, identifying the root cause of SOA performance problems is harder than in traditional n-tier systems. The earlier you detect problems in isolation, the easier it will be to fix them.
    • Impact of change increase. SOA-based applications typically evolve over time and change constantly by adding new applications on top of existing services and new providers for existing services, or by creating new services on top of existing services. A simple change in a service can impact multiple applications consuming this service. This also introduces the need to constantly retest and carefully monitor your services whenever you change the service.

    Different types of load tests can be done in different stages of system development. This depends on your testing strategy and the availability of your SOA components.

    FIG. 5: TESTING SERVICE B IN TEST FRAMEWORK

    FIG. 6: TESTING SERVICE A IN TEST FRAMEWORK

    Isolation Load Test

    Load testing should be done before you integrate the service with your consumer applications or integrate it into the services framework.

    Isolation load tests are the cheapest load tests because you can do them without having the whole infrastructure in place. In addition, you typically won't need a lot of virtual users to test a single service behavior under load conditions (synthetic workload in contrast to realistic loads for end-to-end load tests).

    This makes such tests good candidates for regression testing. As soon as the service changes, you can run isolation load tests to check if the behavior of the service has changed under load conditions. Often, a fix of a defect related to the component's functional behavior just introduces a degradation of performance.

    Testing Without a Consumer

    When developing services, you often have no access to the client application, or the application isn't ready for testing. Also, if a service is consumed by multiple applications, you won't reach sufficient test coverage when testing is done with only one client application.

    In the absence of a client application, traditional test-script creation techniques such as recording client interactions aren't possible. So, even if you aren't working in an agile development shop, developing functional tests as part of service implementation is a good practice. You might even say it's a necessity. These functional tests can also be reused for load testing.

    Testing Without a Services Test Framework

    Developers usually don't work within the deployment infrastructure. They typically use a small subset of the deployment infrastructure or are developing within a test framework (Figure 5) to execute and debug their work, which is different from the target framework.

    Conducting small load tests as part of developer activities (which can most often be directly derived from unit tests) without the burden to set up big infrastructures for testing helps to move load testing nearer to the developer and earlier into the application life cycle. You can do small load tests with your nightly developer builds, which can signal changes in performance as soon as possible.

    Testing Without a Provider

    Although SOA fosters loose coupling between components and therefore minimizes dependencies between components, real dependency always exists and can't be reduced. Real dependency is the set of features or services that a system consumes from other systems.

    So how can you test a service that depends on another service before that service is available? In object-oriented programming, you use mock objects, which are simulated objects that mimic the behavior of real objects in controlled ways. Similarly, you can create mock services for services that aren't available or that you want to factor out of your test (Figure 6).

    Factoring out services by emulating their behavior through mock services offers the advantage of allowing testers to control the behavior of the emulated service. This allows you to easily build load testing scenarios in which you emulate the misbehavior of dependent services such as service calls that are tardy, time out or return incorrect data.
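The mock-service approach described above, as an added example that is not from the article: an in-process mock of Service B with a scripted fault schedule (tardy, timed-out and incorrect replies) and a small multi-threaded isolation load test of Service A against it. The class names, the `get_price`/`quote` interface and all delays are assumptions made for the illustration.

```python
import threading
import time
from collections import Counter
from concurrent.futures import ThreadPoolExecutor


class MockServiceB:
    """Stand-in for the provider (hypothetical interface) with scripted misbehaviour."""

    def __init__(self, schedule, base_delay=0.001, tardy_delay=0.05):
        self.schedule = schedule        # cycled per call: "ok", "tardy", "timeout", "bad"
        self.base_delay = base_delay    # assumed normal latency in seconds
        self.tardy_delay = tardy_delay  # assumed latency of a tardy reply
        self._calls = 0
        self._lock = threading.Lock()

    def get_price(self, item_id):
        with self._lock:                # the call counter is shared by all virtual users
            mode = self.schedule[self._calls % len(self.schedule)]
            self._calls += 1
        if mode == "timeout":           # what the consumer's transport would raise
            raise TimeoutError("mock Service B did not answer")
        time.sleep(self.tardy_delay if mode == "tardy" else self.base_delay)
        if mode == "bad":
            return {"item": item_id, "price": "N/A"}   # wrong type on purpose
        return {"item": item_id, "price": 9.99}


class ServiceA:
    """Service under test: consumes Service B and has to degrade gracefully."""

    def __init__(self, provider):
        self.provider = provider

    def quote(self, item_id, quantity):
        try:
            reply = self.provider.get_price(item_id)
        except TimeoutError:
            return {"status": "provider_timeout"}
        price = reply.get("price")
        if not isinstance(price, (int, float)):
            return {"status": "provider_bad_data"}
        return {"status": "ok", "total": round(price * quantity, 2)}


def run_isolation_load_test(service, virtual_users, calls_per_user, slow_after=0.03):
    """Drive `service` from concurrent virtual users; return outcomes and timings."""
    outcomes = Counter()
    timings = []
    lock = threading.Lock()

    def user(user_no):
        for call_no in range(calls_per_user):
            start = time.perf_counter()
            try:
                status = service.quote(f"item-{user_no}-{call_no}", 2)["status"]
            except Exception:           # an unhandled fault in Service A is a finding
                status = "service_a_crashed"
            elapsed = time.perf_counter() - start
            with lock:
                outcomes[status] += 1
                timings.append(elapsed)

    with ThreadPoolExecutor(max_workers=virtual_users) as pool:
        list(pool.map(user, range(virtual_users)))

    timings.sort()
    return {
        "outcomes": dict(outcomes),
        "calls": len(timings),
        "slow_calls": sum(1 for t in timings if t >= slow_after),
        "p95_seconds": timings[int(0.95 * (len(timings) - 1))],
    }


if __name__ == "__main__":
    # Constructed schedule: 7 normal replies, then one of each misbehaviour.
    mock = MockServiceB(["ok"] * 7 + ["tardy", "timeout", "bad"])
    print(run_isolation_load_test(ServiceA(mock), virtual_users=5, calls_per_user=20))
```

Because the fault schedule is scripted rather than random, the same run can be repeated after every change to Service A and the outcome counts compared directly.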

    Integration Load Test: Services Framework Integration Test

    After isolation testing, in which you test the service in your services test framework, you can replace your test framework with the services framework used for deployment. This lets you test how well your service works in the target environment. While this usually adds the work of deploying your services and providing a test environment with the target services framework, you can reuse the tests you've already written.

    You won't perform integration load testing (Figures 7 and 8) as often as your isolation tests (as with every check-in). But they should be done on a regular basis, such as every time development passes a build to QA. This ensures that QA isn't wasting time on testing builds that don't pass the performance criteria checked by your service framework integration tests.

    FIG. 7: TESTING SERVICE B IN SERVICES FRAMEWORK

    You'll also most likely increase workload by testing the scalability of the services framework in combination with your service. Extending your isolation tests to services framework integration tests helps to answer questions like:

    • How does the service scale within the services framework?
    • How much overhead is the framework adding to the service?
    • Does the framework correctly handle the life cycle of the service?
    • What is the payload for enabling security?

    Integration Load Test: Service Interaction Test

    As important as it is to test services in isolation as early as possible to detect performance problems, it's equally crucial to test the services in combination to detect problems related to their interaction with other services. No isolation test will ever give you absolute certainty that your system will pass even the most simple integration test, even if your isolation tests cover almost all your code.

    This is especially true of the performance, scalability and stability aspects of your SOA-based application. Establishing integration load tests as soon as two interacting services are available helps to find integration problems early. Rerunning integration load tests (regression testing) as soon as dependent services change helps to identify performance degradations at the time they're introduced.

    With service interaction tests, you'll extend the test infrastructure to better reflect the target system and extend the workload patterns to more realistic scenarios (Figure 9). Also, your test scripts will need to reflect that they're testing the integration aspect and not the isolation aspect of the services.

    System Load Test: End-to-End Test

    Loosely coupled architectural implementations such as those of an SOA create additional complexities with end-to-end load testing (Figure 10). Services that share a common infrastructure or platform require coordinated load testing to truly replicate production-like states.

    Providing the test infrastructure, creating and setting up these tests, identifying production-like workloads, analyzing results and finding the root cause for performance problems is even more difficult when compared with more traditional n-tier systems.

    Everything that can be done to identify possible performance problems before you actually perform your system load test helps to lower the cost of fixing performance problems and mitigate the risk of project failure due to wrong architectural decisions you can't redo at the end.

    Regression Load Test

    Every change in a system might not only introduce regressions in terms of functionality, but also in terms of performance, scalability and stability. Focusing only on functional test automation to address regressions leaves performance problems undetected until final system-load tests.

    Integrating load tests as part of your regression test suite avoids the danger of detecting performance problems too long after they are introduced. Because it's expensive to set up and integrate load testing into a test automation process, not all types of load tests are suited for regression load tests. Some good candidates for regression load testing are:

    • Isolation load tests. Such load tests can be done on a regular basis (ranging from tests per check-in to nightly scheduled builds).
    • Services framework integration tests. Isolation load tests also should be executed regularly in the target services framework.

    FIG. 8: TESTING SERVICE A IN SERVICE FRAMEWORK

    FIG. 9: SERVICE A AND B TESTING IN SERVICES FRAMEWORK

    Functional tests have simple success conditions (usually pass/fail per test case based on assertions in your test script that make it easy to automate your tests' results analysis). This isn't the case for load tests, which usually require analysis of multiple metrics to determine a pass or fail status. To automate that process and flag failed load tests, you can use the following methods:

    • Compare performance-relevant metrics such as response times, throughput rates and resource consumption to defined baselines (static thresholds) that you've set up for each individual load test.
    • Compare the change/delta of performance-relevant metrics to historic measurements of the same test. In this case, you don't need to set up thresholds for each test.

    Both methods have their advantages and disadvantages. Decide case-by-case which one best suits your requirements.
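Both methods side by side, as an added example that is not the article's code: a static-threshold check and a delta check against the median of earlier runs, applied to two constructed runs that each slip past one method and are caught by the other. The metric names, the 15 percent tolerance and all sample values are assumptions.

```python
from statistics import median

# Assumed metric names; True means a larger value is worse.
HIGHER_IS_WORSE = {"p95_response_ms": True, "cpu_percent": True, "throughput_rps": False}


def check_static(run, thresholds):
    """Method 1: fixed per-test baselines. Returns [(metric, value, limit)]."""
    failures = []
    for metric, limit in thresholds.items():
        value = run[metric]
        breached = value > limit if HIGHER_IS_WORSE[metric] else value < limit
        if breached:
            failures.append((metric, value, limit))
    return failures


def check_delta(run, history, max_regression=0.15, min_runs=3):
    """Method 2: change against the median of earlier runs of the same test.

    Returns [(metric, value, reference)] for metrics that got worse by more
    than max_regression. Raises ValueError when there is too little history
    to form a reference, so a brand-new test is never silently passed.
    """
    if len(history) < min_runs:
        raise ValueError(f"need {min_runs} earlier runs, have {len(history)}")
    failures = []
    for metric, value in run.items():
        reference = median(h[metric] for h in history)
        if reference == 0:
            continue  # relative change undefined; leave it to a static threshold
        change = (value - reference) / reference
        regression = change if HIGHER_IS_WORSE[metric] else -change
        if regression > max_regression:
            failures.append((metric, value, reference))
    return failures


def verdict(run, thresholds, history):
    """Flag the load test as failed if either method reports a failure."""
    static_failures = check_static(run, thresholds)
    delta_failures = check_delta(run, history)
    return {"passed": not (static_failures or delta_failures),
            "static": static_failures, "delta": delta_failures}


# Constructed sample data (not measurements from the article).
THRESHOLDS = {"p95_response_ms": 300, "cpu_percent": 85, "throughput_rps": 400}

# Case 1: a sudden 33% jump in response time that is still under the threshold.
SUDDEN_JUMP_HISTORY = [
    {"p95_response_ms": 200, "cpu_percent": 55, "throughput_rps": 500},
    {"p95_response_ms": 205, "cpu_percent": 57, "throughput_rps": 510},
    {"p95_response_ms": 198, "cpu_percent": 54, "throughput_rps": 495},
    {"p95_response_ms": 210, "cpu_percent": 56, "throughput_rps": 505},
]
SUDDEN_JUMP_RUN = {"p95_response_ms": 270, "cpu_percent": 60, "throughput_rps": 490}

# Case 2: slow drift; each run is only slightly worse, but the limit is crossed.
SLOW_DRIFT_HISTORY = [
    {"p95_response_ms": 280, "cpu_percent": 70, "throughput_rps": 450},
    {"p95_response_ms": 285, "cpu_percent": 71, "throughput_rps": 445},
    {"p95_response_ms": 290, "cpu_percent": 72, "throughput_rps": 440},
    {"p95_response_ms": 295, "cpu_percent": 73, "throughput_rps": 435},
]
SLOW_DRIFT_RUN = {"p95_response_ms": 305, "cpu_percent": 74, "throughput_rps": 430}

if __name__ == "__main__":
    for name, run, history in (("sudden jump", SUDDEN_JUMP_RUN, SUDDEN_JUMP_HISTORY),
                               ("slow drift", SLOW_DRIFT_RUN, SLOW_DRIFT_HISTORY)):
        print(name, verdict(run, THRESHOLDS, history))
```

The two cases show the trade-off: static thresholds miss a large regression that stays under the limit, while the delta method misses gradual drift because the reference drifts with it.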

    Testing in Production: Application Monitoring

    Load testing SOA applications under real-life conditions is extremely complex (Figure 11). It's therefore valuable to extend your testing approach to the production phase of your application to gather feedback for your testing.

    Two techniques extend testing into production and both provide valuable feedback about the accuracy of your load testing:

    • Active service monitors. By reusing existing load-testing scripts and executing them on the live system, you get an accurate picture of how the performance of the system under test and the live system compare. Leading load-testing tools have integrations with application performance monitoring frameworks, which makes it easy to reuse your load testing assets for active monitors.
    • System and in-depth monitors. By using system monitoring techniques, you can keep track of services usage patterns. Input/output data can be monitored with in-depth monitoring techniques. Results for service execution counts and input can be fed back into the testing process to create more accurate workloads.

    Early and Integrated

    Load testing can be done in early stages of development and applied to various components of an application before the final end-to-end load test. Early infrastructure load tests can mitigate the risk of investing in a specific infrastructure that doesn't scale or perform as needed.

    By using prototypes of the application for load testing, you can prove architectural concepts before you base your whole application code on these concepts. Component load tests help to isolate performance problems early, before they become difficult to find and expensive to fix.

    The integration of load testing throughout the development process has never been more important as, due to increasing complexity, we face less predictability of usage and more dynamic changes in applications.

    Because of SOA's loosely coupled nature, unit and component testing approaches can be adopted for load testing, delivering early results about the performance and scalability of your services-based components.

    Integrating load tests into your regular regression testing suite will help you to detect performance regressions as soon as they're introduced. You can extend your testing approach to the production phase of your application by reusing load testing assets for application monitoring to gather feedback about real usage and real performance.

    For optimal success, load testing should be conducted throughout the project life cycle, started soon after an application is conceived and continued until it's retired.


    FIG. 11: TESTING IN PRODUCTION (diagram labels: Real Users, Active Monitor App 1, Active Monitor App 2, Consumers, Services, Service A, Service B, Services Framework, Providers, App 2, App 3, System Monitor, In-depth Monitoring; Service Performance Metrics, e.g. service response time; Service System Metrics, e.g. service execution count; Service In-Depth Metrics, e.g. service input data)

    FIG. 10: END-TO-END TESTING (diagram labels: Simulator App 1, Simulator App 2, Consumers, Services, Service A, Service B, Services Framework, Providers, App 2, App 3)
    When You Must Buy Versus Build, There Are Ways To Help You Avoid Any Slip-ups

    By Rex Black

    Rex Black is president of RBCS, a software, hardware and systems testing consultancy.

    Photograph by David Franklin

    More and more projects involve integration of custom-developed or commercial-off-the-shelf (COTS) components, rather than in-house development or enhancement of software. In effect, these two approaches constitute direct or indirect outsourcing of some or all of the development work for a system, respectively.

    While some project managers see such outsourcing of development as reducing the overall risk, each integrated component can bring with it significantly increased risks to system quality. If your organization does or is planning to outsource, you'll need to understand the factors that lead to these risks, and some strategies you can use to manage them.

    I'll illustrate the factors and the strategies with a hypothetical project. In this project, assume you're the project manager for a bank that is creating a Web application that allows homeowners to apply for a home equity loan. You've purchased components from two suppliers, including a COTS database management system from one of them. You'll hire an outsourced custom development organization to develop the Web pages, the business logic on the servers, and the database schemas and commands to manage the data.

    First, let's analyze how to recognize the factors that create quality risks, and identify strategies you can use to manage those risks.

    Quality Risk Factors in Integration

    Figure 1 (page 27) shows four factors that lead to increased quality risk for a system. Let's take a look at each, one at a time.

    One factor that increases quality risk is component coupling, which creates a strong interaction with the system, or consequence to the system, when the component fails.

    For example, suppose the customer table on the Web application database becomes locked and inaccessible under normal load. In such a case, most of the other components of the system, being unable to access customer information, also would fail. The database is strongly coupled to the rest of the system.

    Another factor that increases risk is irreplaceability. This occurs when few similar components are available or the replacement is costly or requires a long lead time.

    If such a component creates quality problems for your system, you're stuck with them. For example, the database package you choose might be replaceable, provided that you don't do anything non-standard with it.

    However, the development organization will want to be paid for the custom-developed Web application. And should you choose to try to replace it, off-the-shelf products might not exist.

    Yet another factor that increases risk is essentiality, where some key feature or features of the system will be unavailable if a certain component doesn't work properly.

    For example, suppose you planned to include a pop-up loan planner on the first page of your application to allow customers to evaluate various payment scenarios. If that component failed, you could still deliver most of your application's major features, since the planner is not essential to the system.

    But if the subsystem that accesses a credit bureau to check customer credit scores doesn't work, you can't process loan applications. Checking credit scores is essential to the application.

    The final factor that increases risk entails vendor quality problems. This factor can be compounded if it's accompanied by slow turnaround on bug fixes when problems are reported.

    If there's a high likelihood of the vendor sending you a bad component, the level of risk to the quality of the entire system is higher.

    For example, if you buy a commercial database from a reputable, established vendor, or if you select a custom development organization with a proven track record, then you'll probably have fewer problems. If you use a new open source database that has never been used in commercial applications before, or if you use a newly opened custom development organization, you'll probably have more problems, particularly if there is poor technical support or if it's absent altogether.

    It's obvious how these factors could affect a typical data center application. Imagine a weapons system for which defense contractors intend to develop software to run on COTS platforms. Here the situation is similar, though the replaceability and vendor quality problems could be exacerbated by limited choices for components and vendors.

    How might these risks be mitigated? In my experience, I've seen and used four effective strategies.

    Trust Your Vendor

    One strategy is simply to trust the vendor's component quality and testing, and assume they'll deliver a sufficiently good, more-or-less working component to you. This approach may sound naive on its face, but project teams do it all the time. If you choose this course, I suggest you do so with your eyes open. Understand the risks you're accepting. Allocate time and finances as a contingency for poor component quality. The more coupled, essential and irreplaceable the component, the greater the impact of such a situation.

    To continue with our example, you might choose to trust both the custom development organization and the database vendor. You could make such a decision rationally by checking the development organization's references, assuming they can provide references for customers who used them for projects that are very similar to yours in design and scale.

    The same is true for the database vendor, though you might have to do your own research if their sales and marketing staff cannot or will not provide references.

    Relying solely on an acceptance test is practically the same as trusting your partners in the custom development situation. For the COTS database, you could run an acceptance test at the beginning of the project for the database, using simple models to evaluate database performance, reliability and data quality under your intended load conditions.

    However, for the custom-developed component, you'll have to wait until you receive the component before you can acceptance-test it. And if the component fails, what options do you have?

    Even if the contract stipulates that you don't have to pay under these circumstances, you face a good chance of a lawsuit, and you also have the actual (and opportunity) costs of starting over with a new custom development organization.

    Manage Your Vendor

    Another strategy is to integrate, track and manage the vendor testing of their component as part of an overall, distributed test effort for the system. This involves up-front planning, along with sufficient clout with the vendor to insist that they consider their test teams and test efforts subordinate to (and contained within) yours.

    To continue with our hypothetical project, imagine that you're working at a large bank and that the custom development organization is a small firm. They'll probably be motivated to get and retain your business. They'll be especially flexible if they think that you have particularly good testing processes and that they can learn something from you.

    In exchange for the effort you expend managing their testing, you'll have early warning should quality problems emerge, and therefore more options to deal with such an outcome.

    Conversely, though, if you're buying the database from a large COTS vendor, they probably see your business as a small part of their larger product sales picture. They have their own test processes, product road map and target release dates. It's highly unlikely that they'll be receptive to offers, much less insistence, that you manage their testing operation.

    Even smaller COTS vendors, when selling a COTS component, want to sell you what they're offering. They'll likely be averse to the possibility of an open-ended situation under which you might redefine the component's requirements through expansive testing and ambiguous or evolving pass/fail criteria for the tests. I've seen more than one COTS vendor get burned by customers when they allowed this to happen.

    Smart COTS vendors (large or small) would probably insist that this management of their testing, and any resulting bug fixes and change requests, be considered a customization of their component subject to time-and-materials billing.

    The only likely exceptions to such a condition would arise when the COTS vendor saw a strong possibility that working with you to fix problems and change the product would benefit their current or future customers sufficiently to justify the risks they'd be taking.


    Fix Your Vendor

    Another option is to fix the component vendor's testing or quality problems. In other words, you go into the situation expecting to either revamp the vendor's processes or build new processes for them from scratch. Both sides must expect that substantial effort, including product modifications, will result. Once again, a key assumption is that you have the clout to insist that you be allowed to go in and straighten out what's broken in their test and quality processes.

    This might sound daunting, but on one project the client hired me to do exactly that, and it worked out well. The vendor was compensated for their part of the work, including the modifications. And my client felt that the vendor brought enough technical innovation and capability to the project to justify their management of the quality and testing problems. With expectations aligned from the start, both sides were happy.

    Going back to our example, suppose you assess the outsource development organization before the project and find their testing and quality processes lacking. They accept your assessment. You offer to help them fix the issues that were identified, and they accept that offer. If your assessment identified the major problems, and if you and the vendor can resolve those problems with the scope, budget and schedule for the project, and if continuing to work with that vendor makes sense for other reasons, this can succeed.

    However, it's difficult to imagine that the database vendor would accede to the request for an assessment of their testing to begin with, not to mention allowing you to come in and implement changes to it. The very fact that a COTS vendor might agree to such a request should set off alarm bells in your mind. You should then ask yourself if they actually have a COTS product to sell or if you're dealing with a prototype masquerading as a product.

    Test Your Vendor's Component

    A final option, especially if you have proof of incompetent testing by the vendor, is to disregard their testing, assume that the component is coming to you untested, and retest the component. You'll have to allocate time and effort for this, and realize that the vendor will likely push to have every bug report you submit reclassified as a change request except in the most egregious cases. You also have to ask yourself if the vendor might decide, at some point, to cut their losses and disengage from the project. You'll want to make sure you have contingency plans in place should that happen.

    I've had to do this for clients on system testing projects. On one notable project, a vendor sold my client a mail server component that was seriously buggy. We became aware of the problems by a series of misadventures in which promised deliverables continued to show up late and with substantive bugs, as well as fit-and-finish problems that gradually eroded our confidence in them.

    Eventually, the component did work and was included in the system, but the entire process took a few months, not the one-week deliver-and-integrate that was in the project plan. Fortunately, slack elsewhere in the schedule prevented this from becoming a project-endangering episode.

    Returning once again to our example, suppose that you become aware of serious quality problems in the early prototypes delivered by the custom development organization. You can no longer trust their testing. There's not much point in managing a test process that is clearly broken. There's no time remaining in your schedule to go in and fix their testing process. So, if you intend to stick with this vendor, you'll need to start a serious testing effort to take over where they've failed.

    Suppose you become aware of similar problems with the database vendor. You can confront the vendor with the problems. But if they delivered something to you with the assertion it would work, can you really trust them to resolve the problems now? Would they be likely to let you manage their testing? If you try to do the testing yourself, do you think they'll fix the problems you find? If the component isn't essential, you're best off omitting it, or if it is replaceable, you're best off replacing it.

    Whether for a COTS component or a custom-developed component, these are clearly nasty scenarios, and at some point you'd have to ask yourself how you managed to get into such trouble. If you ran acceptance tests on a COTS component, why weren't the problems identified?

    If you thoroughly vetted your custom developer, why did they prove incompetent? How should your quality risk-mitigation strategy for outsourced components change for future projects? These are good questions, and should be saved for the project retrospective. During the project, the focus must remain on achieving the best possible outcome.

    FIG. 1: THE FOUR CORNERS OF QUALITY RISK (diagram: increased risk to system quality posed by a component, with four corners labeled Component Coupling, Component Irreplaceability, Component Essentiality and Vendor Quality Problems)

    Implications, Considerations And Success

    All of these options can carry serious political implications. Should problems arise, the vendor is unlikely to accept your assertion that their testing staff is incompetent or their quality unacceptable.

    They might well attack your credibility. If a senior manager made the choice to use that vendor, and it might have been an expensive choice, that person might side with the vendor against your assertion.

    So, you'll need to bring data to the discussion about these strategies if the triggering conditions arise during the project.

    Better yet, if you're dealing with a custom-developed component, see if you can influence the contract negotiations up front to require the vendor to submit their tests and their test results, along with the offer to let you perform acceptance testing by your team prior to payment.

    Build sufficient contingency plans into your schedule, including an allowance for replacement of the vendor during the project if things start looking bad. Make sure the vendor understands that you're paying attention to quality and that payment depends on delivery of a quality product on time. It's amazing how motivational such clauses can be.

    For COTS components, arrange a careful component selection process, including vendor research, talking to references and acceptance-testing using carefully designed tests. Identify alternative sources if possible. Consider the possibility and the consequence of omitting the component if it isn't essential.

    Finally, DIY

    Finally, with the risks to system quality managed at the component level, it's still possible to make a serious mistake in the area of testing. Even the best-tested and highest-quality components might not work well in the particular environment in which you intend to use them. Plan on integration-testing and system-testing the integrated system yourself.

    Integration of COTS and outsourced custom-developed software is a smart choice for many organizations. It's a trend that continues to grow as organizations gain experience with it.

    To ensure success on your next integration project, consider the factors that create quality risk in such scenarios. Select strategies that mitigate those risks. Build risk mitigation and contingency plans into your project plan.

    If you do these things and execute the project carefully, with an eye on testing and quality, you can control the risks and reduce the likelihood and impact of component quality problems.


    may not need to read this article. However, if you're like most development managers, your team has productivity highs and lows, feels down about taking blame unfairly, or is frustrated by any number of other problems common to teams of all kinds.

    Developers come in all shapes and sizes, ages and mentalities, and are wrapped in many project experiences and development methodologies. In my years as a developer, I've met a broad range of interesting personalities, strong-willed and submissive alike. And for as many types of developers, there are probably as many specific techniques for motivating them.

    What f