Introduction

Moderation factors can be seen as “one that actively contributes to the production of a result.” This post presents eight moderation factors regarding security and performance verification of software systems. In other words, they are Eight attention points a software development organizations should take into account aiming to perform the activities of security and performance verification successfully.

You can contribute to the evolution of these moderation factors providing your opinion about them.

Software Verification

Software development is an activity fundamentally developed by humans. So, of course, mistakes will be made. These mistakes result in the insertion of defects in the software. When the users use the software such defects can be instantiated in the form of failures.

In the software development world, there is a family of activities named Software Verification that aims to identify software defects before the software release. Software verification encompasses testing and reviews.

The activities of software verification may target functional requirements or non-functional requirements, such as usability, portability, reliability, security, performance, etc.

Besides, the way such activities are conducted can influence their effectiveness (number of identified defects) and efficiency (number of identified defectsconcerning the used resources).

In this way, it is crucial to identify some influence points of verification activities aiming to improve the effectiveness of them and mitigate the resources waste (e.g., work hours). Such influence points can be seen as Moderation Factors. For instance, configuring an Adequate Verification Environment to perform the activities of software verification is an important point. Therefore, an Adequate Verification Environment is a Moderation Factor.

It is important to note that the lack of an adequate verification environment does not prevent verification. The moderation factor is not a deterrent, but it amplifies or decreases the success of verification activities. For example, if there isn’t a testing environment, then testing activities can be performed in the production environment. Thus, the moderation factor Adequate Verification Environment did not prevent the testing activity to be performed. However, performing the testing in the production environment will decrease the rate of detected defects, and it can still hurt the data of real users.

Therefore, if you want to successfully implement activities of security and performance verification in your organization, you should consider the eight moderation factors presented here.

It is important to note that the moderation factors presented here are specifically related to security and performance verification.

Moderation Factors of Security and Performance Verification

The general idea is that acting to promote the Moderation Factors in your organization makes the activities of security and performance verification more successful.

1 Promote organizational awareness of the importance of security and performance

Security and performance verification should not be the responsibility of a separate organization department. The global organizational perception of the importance of the security and performance of software systems affects verification activities. Thus, security and performance verification activities require the support of every stakeholder.

2 Plan security and performance verification activities

Security and performance verification should not be performed in insolation by only one team. They require interaction between different teams as well as various skills.

3 Encourage reuse practices

The requirements are the oracle for security and performance verification. Therefore, the lack of requirements prevents the team from a judge if the verification results are correct. Moreover, inaccurate requirements overload other groups (e.g., analysts, architects, and developers) because the verification team must continuously contact them. There are a set of issues brought by the lack of suitable requirements.

4 Use a systematic verification methodology

The use of suitable support tools is essential in security and performance verification activities because it can decrease the effort of manual activities. Free tools are advisable because the acquisition process is faster, as it involves the technical team only. In the case of adopting proprietary tools, it is necessary to ask the managers for permission, and the price may hinder or impede the buying process.

5 Configure an adequate verification environment

A suitable environment is essential for security and performance verification. It should encompass both the configurations of the infrastructure responsible for system operation (e.g., application server and database parameters) and the configuration of the system itself (e.g., the data stored on the database while verification activities start).

6 Select suitable support tools

A methodology supports the verification team knows what should be done at each phase of the verification process. If an adequate methodology is available, the security and performance verification practices can be systematically performed; therefore, they become more efficient. Furthermore, there are some attributes for a proper methodology and elements a methodology should include.

7 Produce clear requirements

Planning is vital to define what should be done, to know the available resources (e.g., human resources, time, tools) and then establish the way the activities should be performed. However, usually, the security and performance verification is not well planned, leading to the need to reprioritize the verification activities, and consequently to the reduction of their coverage.

8 Keep a cross-functional team

The reuse of knowledge and artifacts, such as functional test cases, brings a set of benefits to security and performance verification. Besides, it also brings benefits to functional verification activities.

Conclusion

The moderation factors of security and performance verification presented here are the findings of a researching encompassing a set of software development organizations. For more details, you can access our technical report or contact me by email vidigal@cos.ufrj.br