版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/seagal890/article/details/84946177
基于风险的测试方法(RBT)
基于风险的测试是根据影响的大小和失败的可能性,对被测应用程序的特性、模块和功能进行优先级排序。它涉及基于复杂性、业务关键性、使用频率、可见区域、缺陷易发区域等来评估风险。
风险是对项目的可测量的成功标准有积极或消极影响的不确定事件的发生。可能是过去发生的事件,也可能是现在的事件,或者是将来可能发生的事情。
这些不确定事件会对项目的成本、业务、技术和质量目标产生影响。
风险可以是积极的,也可以是消极的。
积极的风险被称为机会和帮助商业可持续性。比如投资一个新项目,改变业务流程,开发新产品。
负面风险被称作威胁和建议,为了项目成功,必须实现最小化或消除这些威胁和建议。
RBT可以适用于以下场景:
- 项目有时间、资源、预算限制等。
- 基于风险分析的项目可以用来检测SQL注入攻击的漏洞。
- 云计算环境中的安全测试。
- 具有高风险因素的新项目,如缺乏使用技术的经验、缺乏业务领域知识。
- 增量模型和迭代模型等。
基于风险的测试(RBT)方法
- Analyze the requirements.
- Documents (SRS, FRS, Usecases) are reviewed. This activity is done to find and eliminate errors & ambiguities.
- Requirements sign-off's is one of the risk-reduction technique for avoiding the introduction of late changes into the projects. Any changes to requirements after the document are baselined would involve a change control process and subsequent approvals.
- Assess the risks by calculating the likelihood and impact each requirement could have on the project taking the defined criteria's like cost, schedule, resources, scope, technical performance safety, reliability, complexity, etc. into consideration.
- Identify the probability of failure and high-risk areas. This can be done using risk assessment matrix.
- Use a risk register to list the set of identified risks. Update, monitor and track the risks periodically at regular intervals.
- Risk profiling needs to be done at this stage to understand the risk capacity and risk tolerance levels.
- Prioritize the requirements based on the rating.
- Risk-based test process is defined
- Highly critical and medium risks can be considered for mitigation planning, implementation, progress monitoring. Low risks can be considered on a watch list.
- Risk data quality assessment is done to analyze the quality of the data.
- Plan and define test according to the rating
- Apply appropriate testing approach and test design techniques to design the test cases in a way that the highest risks items are tested first. High-risk items can be tested by the resource with good domain knowledge experience.
- Different test design techniques can be used for e.g. using the decision table technique on high-risk test items and using 'only' equivalence partitioning for low-risk test items.
- Test cases are also designed to cover multiple functionalities and end to end business scenarios.
- Prepare test data and test conditions and test bed.
- Review the Test plans, Test Strategy, Test cases, Test reports or any other document created by the testing team.
- Peer review is an important step in defect identification and risk reduction.
- Perform dry runs and quality checks on the results
- Test cases are executed according to the priority of the risk item.
- Maintain traceability between risk items, tests that cover them, results of those tests, and defects found during testing. All testing strategies executed properly will reduce quality risks.
- Risk-based testing can be used at every level of testing, e.g. component, integration, system, and acceptance testing
- At the system level, we need to focus on what is most important in the application. This can be determined by looking at the visibility of functions, at frequency of use and at the possible cost of failure.
- Evaluation of exit criteria. All high-risk areas fully tested, with only minor residual risks left outstanding.
- Risk-based Test Results reporting and metrics analysis.
- Reassess existing risk events and new risk events based on Key Risk Indicators.
- Risk register updation.
- Contingency plans- This works as a fallback plan/emergency plans for the high exposure risks.
- Defect analysis and defect prevention to eliminate the defects.
- Retesting and Regression testing to validate the defect fixes based on pre-calculated risk analysis and
high-risk areas should be most intensively covered.
- Risk-based automation testing(if feasible)
- Residual Risk calculation
- Risk Monitoring and Control
- Exit Criteria or completion criteria can be used for different risk levels. All key risks have been addressed with appropriate actions or contingency plans. Risk exposure is at or below the level agreed to as acceptable for the project.
- Risk profiling reassessment and customer feedback.