In part 4 of this series we have seen how to avoid performance issues when testing is performed on production instances. In this part we will see how security issues can be avoided.
Testers are given user name and password to access the SaaS application production instances so that they can login into the system and do their testing work. Testers not only do testing manually but they also write test scripts to do testing work automatically. In these scripts they put the username and passwords so that when they run these scripts, the script can login into the system and can automatic testing can be performed. So we can see that the system access information is available both with the testers as well as in the test scripts.
This system access information can be misused by somebody if they get access to this information. So how we can ensure that this vital information never reaches to any unscrupulous hands!
First of all, in the production database, some roles and users accounts should be created which will be used only for testing purpose by the system administrator. These user accounts should not have access to actual user data. Well, this is possible in systems where master data is linked to user accounts. For other kinds of simpler systems, this is not possible. Now the testing team will create all the entities required for their testing. All these entities will be visible only to them and they will not be able to see entities and data which is available with actual users. This way, even if the tester access accounts go in wrong hands, actual user data will still be safe.
The testers should be taught and educated about security issues and they should be made accountable for loss or misuse of access information to the system. This will make sure that testers are careful about the access information they have.
The system access information written in automation scripts should be in encrypted form so that even when the script is hacked, the access information will be difficult to decode.
This series will continue with the next article. The next article will be on test automation.