Software quality assurance ( SQA ) is a means and practice of monitoring all software engineering processes , methods, and work products to ensure compliance against defined standards. It may include ensuring conformance to standards or models, such as ISO/IEC 9126 (now superseded by ISO 25010), SPICE or CMMI .
57-485: It includes standards and procedures that managers, administrators or developers may use to review and audit software products and activities to verify that the software meets quality criteria which link to standards. SQA encompasses the entire software development process, including requirements engineering , software design , coding , code reviews , source code control , software configuration management , testing , release management and software integration . It
114-577: A database. These systems can find some known vulnerabilities and advise fixes, such as a patch. However, they have limitations including false positives . Vulnerabilities can only be exploited when they are active-the software in which they are embedded is actively running on the system. Before the code containing the vulnerability is configured to run on the system, it is considered a carrier. Dormant vulnerabilities can run, but are not currently running. Software containing dormant and carrier vulnerabilities can sometimes be uninstalled or disabled, removing
171-412: A deadline. Software analysis begins with a requirements analysis to capture the business needs of the software. Challenges for the identification of needs are that current or potential users may have different and incompatible needs, may not understand their own needs, and change their needs during the process of software development. Ultimately, the result of analysis is a detailed specification for
228-406: A disgruntled employee selling access to hackers, to sophisticated state-sponsored schemes to introduce vulnerabilities to software. Inadequate code reviews can lead to missed bugs, but there are also static code analysis tools that can be used as part of code reviews and may find some vulnerabilities. DevOps , a development workflow that emphasizes automated testing and deployment to speed up
285-524: A freely accessible source code and allow anyone to contribute, which could enable the introduction of vulnerabilities. However, the same vulnerabilities also occur in proprietary operating systems such as Microsoft Windows and Apple operating systems . All reputable vendors of operating systems provide patches regularly. Client–server applications are downloaded onto the end user's computers and are typically updated less frequently than web applications. Unlike web applications, they interact directly with
342-445: A product that works entirely as intended, virtually all software and hardware contains bugs. If a bug creates a security risk, it is called a vulnerability. Software patches are often released to fix identified vulnerabilities, but those that remain unknown ( zero days ) as well as those that have not been patched are still liable for exploitation. Vulnerabilities vary in their ability to be exploited by malicious actors, and
399-500: A user's operating system . Common vulnerabilities in these applications include: Web applications run on many websites. Because they are inherently less secure than other applications, they are a leading source of data breaches and other security incidents. They can include: Attacks used against vulnerabilities in web applications include: There is little evidence about the effectiveness and cost-effectiveness of different cyberattack prevention measures. Although estimating
456-783: Is a common strategy for reducing the harm that a cyberattack can cause. If a patch for third-party software is unavailable, it may be possible to temporarily disable the software. A penetration test attempts to enter the system via an exploit to see if the system is insecure. If a penetration test fails, it does not necessarily mean that the system is secure. Some penetration tests can be conducted with automated software that tests against existing exploits for known vulnerabilities. Other penetration tests are conducted by trained hackers. Many companies prefer to contract out this work as it simulates an outsider attack. The vulnerability lifecycle begins when vulnerabilities are introduced into hardware or software. Detection of vulnerabilities can be by
513-511: Is a framework that provides the viewpoints on the system and its environment , to be used in the software development process . It is a graphical representation of the underlying semantics of a view. The purpose of viewpoints and views is to enable human engineers to comprehend very complex systems and to organize the elements of the problem around domains of expertise . In the engineering of physically intensive systems, viewpoints often correspond to capabilities and responsibilities within
570-408: Is a popular way of managing changes made to the software. Whenever a new version is checked in, the software saves a backup of all modified files. If multiple programmers are working on the software simultaneously, it manages the merging of their code changes. The software highlights cases where there is a conflict between two sets of changes and allows programmers to fix the conflict. A view model
627-452: Is a process that includes identifying systems and prioritizing which are most important, scanning for vulnerabilities, and taking action to secure the system. Vulnerability management typically is a combination of remediation (fixing the vulnerability), mitigation (increasing the difficulty or reducing the danger of exploits), and accepting risks that are not economical or practical to eliminate. Vulnerabilities can be scored for risk according to
SECTION 10
#1732791774337684-449: Is correctly incorporated with the newer software. Design involves choices about the implementation of the software, such as which programming languages and database software to use, or how the hardware and network communications will be organized. Design may be iterative with users consulted about their needs in a process of trial and error . Design often involves people expert in aspect such as database design , screen architecture, and
741-833: Is essential to success. This is more easily achieved if the team is small, used to working together, and located near each other. Communications also help identify problems at an earlier state of development and avoid duplicated effort. Many development projects avoid the risk of losing essential knowledge held by only one employee by ensuring that multiple workers are familiar with each component. Software development involves professionals from various fields, not just software programmers but also individuals specialized in testing, documentation writing, graphic design , user support, marketing , and fundraising. Although workers for proprietary software are paid, most contributors to open-source software are volunteers. Alternately, they may be paid by companies whose business model does not involve selling
798-399: Is helpful for new developers to understand the project when they begin working on it. In agile development, the documentation is often written at the same time as the code. User documentation is more frequently written by technical writers . Accurate estimation is crucial at the feasibility stage and in delivering the product on time and within budget. The process of generating estimations
855-422: Is inefficient, difficult to understand, or lacking documentation on its functionality. These standards are especially likely to break down in the presence of deadlines. As a result, testing, debugging, and revising the code becomes much more difficult. Code refactoring , for example adding more comments to the code, is a solution to improve the understandability of code. Testing is the process of ensuring that
912-436: Is necessary for more severe attacks. Without a vulnerability, the exploit cannot gain access. It is also possible for malware to be installed directly, without an exploit, if the attacker uses social engineering or implants the malware in legitimate software that is downloaded deliberately. Fundamental design factors that can increase the burden of vulnerabilities include: Some software development practices can affect
969-469: Is no law requiring disclosure of vulnerabilities. If a vulnerability is discovered by a third party that does not disclose to the vendor or the public, it is called a zero-day vulnerability , often considered the most dangerous type because fewer defenses exist. The most commonly used vulnerability dataset is Common Vulnerabilities and Exposures (CVE), maintained by Mitre Corporation . As of November 2024 , it has over 240,000 entries This information
1026-440: Is often delegated by the project manager . Because the effort estimation is directly related to the size of the complete application, it is strongly influenced by addition of features in the requirements—the more requirements, the higher the development cost. Aspects not related to functionality, such as the experience of the software developers and code reusability, are also essential to consider in estimation. As of 2019 , most of
1083-432: Is often used to break down the customer's requirements into pieces that can be implemented by software programmers. The underlying logic of the program may be represented in data-flow diagrams , data dictionaries , pseudocode , state transition diagrams , and/or entity relationship diagrams . If the project incorporates a piece of legacy software that has not been modeled, this software may be modeled to help ensure it
1140-1312: Is organized into goals, commitments, abilities, activities, measurements, verification and validation . SQA involves a three-pronged approach: Guidelines for the application of ISO 9001:2015 to computer software are described in ISO/IEC/IEEE 90003:2018. External entities can be contracted as part of process assessments to verify that projects are standard-compliant. More specifically in case of software, ISO/IEC 9126 (now superseded by ISO 25010) should be considered and applied for software quality. Quality assurance activities take place at each phase of development. Analysts use application technology and techniques to achieve high-quality specifications and designs, such as model-driven design . Engineers and technicians find bugs and problems with related software quality through testing activities. Standards and process deviations are identified and addressed throughout development by project managers or quality managers, who also ensure that changes to functionality, performance, features, architecture and component ( in general: changes to product or service scope ) are made only after appropriate review, e.g. as part of change control boards . Software development Software development
1197-509: Is quite difficult due to limited time and the complexity of twenty-first century chips, while the globalization of design and manufacturing has increased the opportunity for these bugs to be introduced by malicious actors. Although operating system vulnerabilities vary depending on the operating system in use, a common problem is privilege escalation bugs that enable the attacker to gain more access than they should be allowed. Open-source operating systems such as Linux and Android have
SECTION 20
#17327917743371254-401: Is robust to heavy levels of input or usage), integration testing (to ensure that the software is adequately integrated with other software), and compatibility testing (measuring the software's performance across different operating systems or browsers). When tests are written before the code, this is called test-driven development . Production is the phase in which software is deployed to
1311-465: Is running. The vulnerability may be discovered by the vendor or a third party. Disclosing the vulnerability (as a patch or otherwise) is associated with an increased risk of compromise because attackers often move faster than patches are rolled out. Regardless of whether a patch is ever released to remediate the vulnerability, its lifecycle will eventually end when the system, or older versions of it, fall out of use. Despite developers' goal of delivering
1368-499: Is shared into other databases, including the United States' National Vulnerability Database , where each vulnerability is given a risk score using Common Vulnerability Scoring System (CVSS), Common Platform Enumeration (CPE) scheme, and Common Weakness Enumeration . CVE and other databases typically do not track vulnerabilities in software as a service products. Submitting a CVE is voluntary for companies that discovered
1425-850: Is the process of designing and implementing a software solution to satisfy a user . The process is more encompassing than programming , writing code , in that it includes conceiving the goal, evaluating feasibility, analyzing requirements , design , testing and release . The process is part of software engineering which also includes organizational management , project management , configuration management and other aspects. Software development involves many skills and job specializations including programming , testing , documentation , graphic design , user support , marketing , and fundraising . Software development involves many tools including: compiler , integrated development environment (IDE), version control , computer-aided software engineering , and word processor . The details of
1482-580: The Common Vulnerability Scoring System or other systems, and added to vulnerability databases. As of November 2024 , there are more than 240,000 vulnerabilities catalogued in the Common Vulnerabilities and Exposures (CVE) database. A vulnerability is initiated when it is introduced into hardware or software. It becomes active and exploitable when the software or hardware containing the vulnerability
1539-471: The programming language ). Documentation comes in two forms that are usually kept separate—that intended for software developers, and that made available to the end user to help them use the software. Most developer documentation is in the form of code comments for each file, class , and method that cover the application programming interface (API)—how the piece of software can be accessed by another—and often implementation details. This documentation
1596-399: The actual risk is dependent on the nature of the vulnerability as well as the value of the surrounding system. Although some vulnerabilities can only be used for denial of service attacks, more dangerous ones allow the attacker to inject and run their own code (called malware ), without the user being aware of it. Only a minority of vulnerabilities allow for privilege escalation , which
1653-489: The available methodologies are best suited to specific kinds of projects, based on various technical, organizational, project, and team considerations. Another focus in many programming methodologies is the idea of trying to catch issues such as security vulnerabilities and bugs as early as possible ( shift-left testing ) to reduce the cost of tracking and fixing them. In 2009, it was estimated that 32 percent of software projects were delivered on time and budget, and with
1710-422: The bug could enable an attacker to compromise the confidentiality, integrity, or availability of system resources, it is called a vulnerability. Insecure software development practices as well as design factors such as complexity can increase the burden of vulnerabilities. There are different types most common in different components such as hardware, operating systems, and applications. Vulnerability management
1767-423: The code executes correctly and without errors. Debugging is performed by each software developer on their own code to confirm that the code does what it is intended to. In particular, it is crucial that the software executes on all inputs, even if the result is incorrect. Code reviews by other developers are often used to scrutinize new code added to the project, and according to some estimates dramatically reduce
Software quality assurance - Misplaced Pages Continue
1824-435: The complexity and functionality of the system is effective at reducing the attack surface . Successful vulnerability management usually involves a combination of remediation (closing a vulnerability), mitigation (increasing the difficulty, and reducing the consequences, of exploits), and accepting some residual risk. Often a defense in depth strategy is used for multiple barriers to attack. Some organizations scan for only
1881-442: The deployment of new features, often requires that many developers be granted access to change configurations, which can lead to deliberate or inadvertent inclusion of vulnerabilities. Compartmentalizing dependencies, which is often part of DevOps workflows, can reduce the attack surface by paring down dependencies to only what is necessary. If software as a service is used, rather than the organization's own hardware and software,
1938-408: The end user. During production, the developer may create technical support resources for users or a process for fixing bugs and errors that were not caught earlier. There might also be a return to earlier development phases if user needs changed or were misunderstood. Software development is performed by software developers , usually working on a team. Efficient communications between team members
1995-430: The engineering organization. Fitness functions are automated and objective tests to ensure that the new developments don't deviate from the established constraints, checks and compliance controls. Intellectual property can be an issue when developers integrate open-source code or libraries into a proprietary product, because most open-source licenses used for software require that modifications be released under
2052-477: The full functionality. An additional 44 percent were delivered, but missing at least one of these features. The remaining 24 percent were cancelled prior to release. Software development life cycle refers to the systematic process of developing applications . The sources of ideas for software products are plentiful. These ideas can come from market research including the demographics of potential new customers, existing customers, sales prospects who rejected
2109-414: The functionality of software and users may need to test the patch to confirm functionality and compatibility. Larger organizations may fail to identify and patch all dependencies, while smaller enterprises and personal users may not install patches. Research suggests that risk of cyberattack increases if the vulnerability is made publicly known or a patch is released. Cybercriminals can reverse engineer
2166-437: The highest-risk vulnerabilities as this enables prioritization in the context of lacking the resources to fix every vulnerability. Increasing expenses is likely to have diminishing returns . Remediation fixes vulnerabilities, for example by downloading a software patch . Software vulnerability scanners are typically unable to detect zero-day vulnerabilities, but are more effective at finding known vulnerabilities based on
2223-407: The number of bugs persisting after testing is complete. Once the code has been submitted, quality assurance —a separate department of non-programmers for most large companies—test the accuracy of the entire software product. Acceptance tests derived from the original software requirements are a popular tool for this. Quality testing also often includes stress and load checking (whether the software
2280-428: The organization is dependent on the cloud services provider to prevent vulnerabilities. The National Vulnerability Database classifies vulnerabilities into eight root causes that may be overlapping, including: Deliberate security bugs can be introduced during or after manufacturing and cause the integrated circuit not to behave as expected under certain specific circumstances. Testing for security bugs in hardware
2337-570: The overall score. Someone who discovers a vulnerability may disclose it immediately ( full disclosure ) or wait until a patch has been developed ( responsible disclosure , or coordinated disclosure). The former approach is praised for its transparency, but the drawback is that the risk of attack is likely to be increased after disclosure with no patch available. Some vendors pay bug bounties to those who report vulnerabilities to them. Not all companies respond positively to disclosures, as they can cause legal liability and operational overhead. There
Software quality assurance - Misplaced Pages Continue
2394-401: The patch to find the underlying vulnerability and develop exploits, often faster than users install the patch. Vulnerabilities become deprecated when the software or vulnerable versions fall out of use. This can take an extended period of time; in particular, industrial software may not be feasible to replace even if the manufacturer stops supporting it. A commonly used scale for assessing
2451-403: The performance of servers and other hardware. Designers often attempt to find patterns in the software's functionality to spin off distinct modules that can be reused with object-oriented programming . An example of this is the model–view–controller , an interface between a graphical user interface and the backend . The central feature of software development is creating and understanding
2508-456: The plurality of the market and other significant purchasers included Russia, India, Brazil, Malaysia, Singapore, North Korea, and Iran. Organized criminal groups also buy vulnerabilities, although they typically prefer exploit kits . Even vulnerabilities that are publicly known or patched are often exploitable for an extended period. Security patches can take months to develop, or may never be developed. A patch can have negative effects on
2565-463: The process used for a development effort varies. The process may be confined to a formal, documented standard , or it can be customized and emergent for the development effort. The process may be sequential, in which each major phase (i.e. design, implement and test) is completed before the next begins, but an iterative approach – where small aspects are separately designed, implemented and tested – can reduce risk and cost and increase quality. Each of
2622-424: The product that developers can work from. Software analysts often decompose the project into smaller objects, components that can be reused for increased cost-effectiveness, efficiency, and reliability. Decomposing the project may enable a multi-threaded implementation that runs significantly faster on multiprocessor computers. During the analysis and design phases of software development, structured analysis
2679-466: The product, other internal software development staff, or a creative third party. Ideas for software products are usually first evaluated by marketing personnel for economic feasibility, fit with existing channels of distribution, possible effects on existing product lines, required features , and fit with the company's marketing objectives. In the marketing evaluation phase, the cost and time assumptions become evaluated. The feasibility analysis estimates
2736-503: The project's return on investment , its development cost and timeframe. Based on this analysis, the company can make a business decision to invest in further development. After deciding to develop the software, the company is focused on delivering the product at or below the estimated cost and time, and with a high standard of quality (i.e., lack of bugs) and the desired functionality. Nevertheless, most software projects run late and sometimes compromises are made in features or quality to meet
2793-455: The risk of an attack is not straightforward, the mean time to breach and expected cost can be considered to determine the priority for remediating or mitigating an identified vulnerability and whether it is cost effective to do so. Although attention to security can reduce the risk of attack, achieving perfect security for a complex system is impossible, and many security measures have unacceptable cost or usability downsides. For example, reducing
2850-509: The risk of vulnerabilities being introduced to a code base. Lack of knowledge about secure software development or excessive pressure to deliver features quickly can lead to avoidable vulnerabilities to enter production code, especially if security is not prioritized by the company culture . This can lead to unintended vulnerabilities. The more complex the system is, the easier it is for vulnerabilities to go undetected. Some vulnerabilities are deliberately planted, which could be for any reason from
2907-447: The risk. Active vulnerabilities, if distinguished from the other types, can be prioritized for patching. Vulnerability mitigation is measures that do not close the vulnerability, but make it more difficult to exploit or reduce the consequences of an attack. Reducing the attack surface , particularly for parts of the system with root (administrator) access, and closing off opportunities for exploits to engage in privilege exploitation
SECTION 50
#17327917743372964-408: The same license. As an alternative, developers may choose a proprietary alternative or write their own software module. Security vulnerabilities Vulnerabilities are flaws in a computer system that weaken the overall security of the system. Despite intentions to achieve complete correctness, virtually all hardware and software contains bugs where the system does not behave as expected. If
3021-461: The severity of vulnerabilities is the open-source specification Common Vulnerability Scoring System (CVSS). CVSS evaluates the possibility to exploit the vulnerability and compromise data confidentiality, availability, and integrity. It also considers how the vulnerability could be used and how complex an exploit would need to be. The amount of access needed for exploitation and whether it could take place without user interaction are also factored in to
3078-427: The software that implements the desired functionality. There are various strategies for writing the code. Cohesive software has various components that are independent from each other. Coupling is the interrelation of different software components, which is viewed as undesirable because it increases the difficulty of maintenance . Often, software programmers do not follow industry best practices, resulting in code that
3135-493: The software vendor, or by a third party. In the latter case, it is considered most ethical to immediately disclose the vulnerability to the vendor so it can be fixed. Government or intelligence agencies buy vulnerabilities that have not been publicly disclosed and may use them in an attack, stockpile them, or notify the vendor. As of 2013, the Five Eyes (United States, United Kingdom, Canada, Australia, and New Zealand) captured
3192-403: The software, but something else—such as services and modifications to open source software. Computer-aided software engineering (CASE) is tools for the partial automation of software development. CASE enables designers to sketch out the logic of a program, whether one to be written, or an already existing one to help integrate it with new code or reverse engineer it (for example, to change
3249-520: The tools for estimating the amount of time and resources for software development were designed for conventional applications and are not applicable to web applications or mobile applications . An integrated development environment (IDE) supports software development with enhanced features compared to a simple text editor . IDEs often include automated compiling , syntax highlighting of errors, debugging assistance, integration with version control , and semi-automation of tests. Version control
#336663