TRENDING:

Practical Combinational Tutorial

NIST Publication Aims to Improve, Lower costs of Software Testing GovInfoSecurity.comOctober 28, 2010     The National Institute of Standards and Technology issued on Thursday NIST Special Publication 800-142: Practical Combinatorial Testing, a method aimed at cutting cost and increasing the effectiveness of software testing for many applications.

What follows is from the executive summary of the publication:

Software implementation errors are one of the most significant contributors to information system security vulnerabilities, making software testing an essential part of system assurance. In 2003, NIST published a widely cited report which estimated that inadequate software testing costs the American economy $59.5 billion a year, even though 50 percent to 80 percent of development budgets go toward testing.

Exhaustive testing - testing all possible combinations of inputs and execution paths - is impossible for real-world software, so high assurance software is tested using methods that require extensive staff time and thus have enormous cost. For less critical software, budget constraints often limit the amount of testing that can be accomplished, increasing the risk of residual errors that lead to system failures and security weaknesses.

Combinatorial testing is a method that can reduce cost and increase the effectiveness of software testing for many applications. The key insight underlying this form of testing is that not every parameter contributes to every failure and most failures are caused by interactions between relatively few parameters.

Empirical data gathered by NIST and others suggest that software failures are triggered by only a few variables interacting (six or fewer). This finding has important implications for testing because it suggests that testing combinations of parameters can provide highly effective fault detection. Pairwise (two-way combinations) testing is sometimes used to obtain reasonably good results at low cost, but pairwise testing may miss 10 percent to 40 percent or more of system bugs, and is thus not sufficient for mission-critical software. Combinatorial testing beyond two-way has been limited, primarily due to a lack of good algorithms for higher interaction levels such as four-way to six-way testing. New algorithms, however, have made combinatorial testing beyond pairwise practical for industrial use.

This publication provides a self-contained tutorial on using combinatorial testing for real-world software. It introduces the key concepts and methods, explains use of software tools for generating combinatorial tests - freely available on the NIST website -- and discusses advanced topics such as the use of formal models of software to determine the expected results for each set of test inputs.

With each topic, a section on costs and practical considerations explains tradeoffs and limitations that may impact resources or funding. The material is accessible to an undergraduate student of computer science or engineering, and includes an extensive set of references to papers that provide more depth on each topic.

Previous
Gates Reaffirms Takai as Next DoD CIO
Next
Human Quarantines Seen as Model In Cyberworld

About the Author



Around the Network

How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.