TrainingConferencesAbout UsContact UsAdvertiseSQE.comRSS Feed
StickyMinds.com: brain food for building better software

Log In

Search For:
 Clarify Your Search Criteria

Tips on Using Our Search Feature(s)
 
StickyMinds.com Home
ResourcesTopicsCommunityPowerPassBlogs
Home  >  Detail: Testing COTS: When, How, and How Much?



A StickyMinds.com Original
Article Picture
Testing COTS: When, How, and How Much?

By Linda Hayes

Send This Content to a FriendGet a Short Link to This ContentPrint This ContentSee User Comments About This Content

Summary: Testing processes and practices are well defined and generally understood for internally developed applications, but what about those that are licensed from third parties? Granted, the vendor has responsibility for testing its own products, but the possibility of the software failing still exists and can be costly, even devastating; blaming others offers little consolation. If you rely on a commercial off-the-shelf (COTS) application, where does your trust in the vendor end?


Sonata Software
While there are no hard and fast answers to how much trust you should instill in commercial, off-the-shelf applications, there are some basic guidelines that can help. Start by asking yourself these questions:
  1. What is the risk that the application has defects?
  2. What is the risk that your use of the application could cause errors?
  3. What is the potential cost of a defect or an error?
  4. If you do test, what type of testing should you do?
Depending on the answers, you may find that your COTS application-testing needs and approach will vary widely.

Application Risk
The risk inherent in the application itself is a function of its scope of functionality, its breadth of users, and its maturity. For example, most would agree that mass-market utilities such as word processors, spreadsheet programs, slide presentation programs, and graphics tools pose little inherent risk. Their scope is narrow, they have millions of users, and most are highly mature.

Then there are more specialized applications, such as accounting systems, that are still somewhat narrow in scope but whose maturity and customer base may vary widely. Consider that there are mass-market accounting systems, niche products that address smaller segments such as non-profit accounting, and even custom solutions for highly differentiated customers. These products may also have wide variations in maturity. A new product for a small market with few customers poses inherent risk.

And then there are massive applications, such as enterprise resource planning systems (ERP), that encompass multiple departments across many industries and support complex, critical business processes. These have a wide scope of functionality, may have many users, and may or may not be mature. Due to their scope and complexity, there is inherent risk in these systems. These risks may be greater for newer products with fewer customers or for customers in a new industry or using a new component.

Usage Risk
The way you use an application can also change the picture. Consider a spreadsheet used by a construction company to manage multimillion-dollar bids. In this case, the software itself may have low inherent risk, but if the template contains complex formulas and is tweaked often, the risk of errors rises.

Many desktop utilities also can be programmatically integrated with other software. For example, an internal stock trading application might integrate a spreadsheet for its graphing capabilities. In this case, the risk of the spreadsheet malfunctioning might be low, but the potential that the integration has errors is higher. The wrong data might be mapped to the formulas, for example.

The usage of enterprise applications is usually controlled by configuration settings and master data. However, the rules that govern a business process can vary significantly from one company to another, and the sheer complexity of these applications with their multiple points of integration raises the risk of error dramatically.

In other cases the user might actually modify an application to accommodate unique requirements. Clearly this type of usage poses the greatest risk, regardless of the stability of the original state of the software.

Potential Cost
An essential part of any risk assessment includes the cost of failure. A garbled word processing document or scrambled slide presentation might be embarrassing, but a spreadsheet with template errors might cost millions if a bid is incorrect or if an improperly integrated graphing capability of a spreadsheet triggers the wrong buy or sell order.

Similarly, a poorly-functioning accounting system for your checking account might make it hard for you to balance your checkbook, but if used by a public company, it could create massive liability for inaccurate financial disclosures. Or, an ERP application that controls the manufacturing floor could literally shut down production if a business process goes awry.

Thus, the potential cost of a failure must be balanced against the cost of testing.

Type of Testing
Once you determine that some testing is needed, the next step is to decide what type to conduct. Unless you make modifications directly to the software, unit testing should not be needed. In fact, in most cases you won't even have access to the underlying source code.

But in those cases where you are integrating a purchased application with other systems, whether developed or purchased, integration testing of the seams is clearly required. The goal of this type of testing is not to verify the functionality of each application, but to assure that the information shared between them is correctly sent and received.

And in virtually all cases where substantial risk is identified, whether risk of inherent defects or those arising from usage, the most common form of testing is acceptance testing--that is, to test the software from a user's point of view to assure that it meets its critical requirements. This does not necessarily mean that you exercise all positive and negative cases or that you execute every possible path, but that you verify the functions with the highest risk.

As tempting as it is to dismiss the need for testing COTS applications, it's just not that simple. Take the time to analyze the application so you can balance the cost of testing against the potential risk and cost of failure. And then, after you test, all there's left to do is hope that it works.

Have you been burned by a COTS application? Let us know what you learned by posting your story below.

About the Author
Linda G. Hayes is a founder of Worksoft, Inc., developer of next-generation test automation solutions. Linda is a frequent industry speaker and award-winning author on software quality. She has been named as one of Fortune magazine's People to Watch and one of the Top 40 Under 40 by Dallas Business Journal. She is a regular columnist and contributor to StickyMinds.com and Better Software magazine, as well as a columnist for Computerworld and Datamation, author of the Automated Testing Handbook and co-editor Dare To Be Excellent with Alka Jarvis on best practices in the software industry. You can contact Linda at lhayes@worksoft.com.

Back to Top 
 

Member Comments
Add Your CommentExpand Comments
 
Comment:    
by Wayne Mack 3/21/2008

It's amazing what a simple word change will do. If we called this "Evaluating COTS...", then the response would be overwhelmingly, "Yes, we must do it." Many companies will not even do an upgrade of a COTS product, much less a replacement of a COTS product with a different brand without some level of testing. Now a couple of horror stories.

Performance Testing: In the late 1990s, an organization had an application consisting of a COTS product by a major vendor coupled with custom software running on Windows95. The version of the COTS product was being obosoleted, so the next release of software was coupled with a COTS update. ...Read On

Author's Response: 3/21/2008    
Thanks for throwing some cold reality water on the discussion, Wayne. Your stories underscore the earlier points made about testing the delivery platform, which is a risk factor even for supposedly off the shelf applications.

 
 
Comment:    
by Ipsita Chatterjee 3/21/2008

To address the business risk, it is best to treat COTS as black box and test the business processes using it. Also most COTS don’t work very well with against stringent non-functional requirements. Although the application may seem to comply with the business processes, aspects like security, user response times, maintainability, supportability and last but not the least to be able to recover from a disaster or complete system crash should also be covered in the test coverage

Author's Response: 3/21/2008    
Good points, Ipsita. Both you and Keith (see below) bring out an area that I omitted, which the operability of the COTS within the company's overall infrastructure. Function is important of course but can be academic if the application isnt available.

 
 
Comment:    
by Srinivasan Desikan 3/18/2008

The reason why companies go for COTS is to miimize the cost and time involved. If we have to do testing before deploying COTS, it defeats the whole purpose. Automobile industry (eg. Toyota) have procedures to invest time/effort with their vendors and review the product at different stages of development. It is still not a practice in software industry. It is time big companies invest their time and effort in small companies and implement the best practices and processes sothat we get good quality COTS out. It is a two-way learning process. It is also a perception that big companies have better processes and quality. By working closely with...Read On

Author's Response: 3/21/2008    
I like your concept of partnering with the vendor, Srinivasan. I agree that companies buy COTS to save time, but that strategy backfires if the implementation introduces issues.

 
 
Comment:    
by Keith Johnson 3/18/2008

Deploying, configuring and integrating an off-the-shelf application into an Enterprise is a difficult venture. Testing should be performed on all aspects of the new platform, including the hardware and network infrastructure. It's also a good idea to develop and test a failover/backout plan for such a deployment.

Author's Response: 3/18/2008    
Thanks, Keith, for pointing out something I missed - the infrastructure! Of course it is essential to be sure the software operates on the platforms you are deploying it on, whether internally developed or not.

 
 
Comment:    
by Thomas Wilson 3/18/2008

Hi,
The range of test types or techniques that one could apply is huge so to me the real challenge is to narrow your testing to only what is needed. When testing a COTS software application that will be used to support the core business function(s) the initial focus should be on the business risk and it should be determined if testing can in some way mitigate the identified risk. After addressing the business risks then one can move on to other testing techniques to more completely check out the COTS product.

Author's Response: 3/18/2008    
I agree, Thomas, that business risk should predominate in assessing any test effort since we will never have time to test everything. Since COTS are usually a black box it may be the only technique that makes sense.

 
 
Comment:    
by Peter Hawkins 3/18/2008

Hi,
It is of interest that you did not mention one critical feature about COTS that testers in Australia and some other places are very well aware of.. There is a practice to use a Country like Australia as an unofficial beta-ware tester for COTS software before launching it on the North American and other more lucrative markets. I have been testing on the first launch of many COTS applications where we have found numerous defects that should have been discovered prior to going live. Just as we will very often launch in-house code in Tasmania first to minimise impact, So will many organisations launch COTS in other than the USA for...Read On

Author's Response: 3/18/2008    
How interesting, Peter! I was not aware of that practice. At first I assumed you were going to say that companies may skimp on internationalization testing and that is why they use countries outside the US, but I suppose they may be trying to contain any damage by trying in smaller markets.

 
Back to Top



 
Ads By Google
What's This?
 
 

Home   |   Resources   |   Topics   |   Community   |   PowerPass



© 2010 StickyMinds.com. All rights reserved.
StickyMinds.com is a division of Software Quality Engineering.
Privacy Policy    Terms & Conditions    Link to StickyMinds.com    Feedback
Rally Software

HP Software




STAREAST 2010 


Better Software Conference