From the Back Cover
Practical, hands-on techniques for testing the design, globalization, performance, and security of Web applications
Whether you're a novice or experienced Web tester, this hands-on guide provides you with the practical steps you’ll need to follow to rigorously test across multiple platforms and browsers. Written by one of Microsoft's leading software testers, The Web Testing Companion offers a collection of testing techniques, experiences, anecdotes, and information that can be immediately applied to any Web-testing effort.
Lydia Ash starts at the ground level, helping you to become an effective tester. She then clearly shows you how to analyze different scenarios and determine which testing techniques you should use. These techniques will help identify crucial program bugs that lower the quality of a Web application so that you can realize its full potential.
The Web Testing Companion concentrates on proven solutions and helps you understand why, when, and how to perform Web testing. You'll learn how to:
- Analyze and properly test Web applications
- Perform tests from the perspective of the client accessing the Web application
- Plan and automate testing efforts effectively
- Check for HTML errors, determine overall accessibility, and critique the design
- Develop a professional skill set and improve your productivity
- Optimize an application in order to improve overall performance
- Test for security problems or privacy issues
The companion Web site contains dozens of templates and test patterns that you can use to conduct tests in multiple languages and against various browser and operating system combinations.
About the Author
LYDIA ASH is currently a test lead on the testing effort for Microsoft Corporation's Outlook Web Access team with a particular focus on performance and security. She has successfully directed test efforts at Microsoft for several years and worked with many teams and individuals to pass on the critical knowledge of Web testing. Ash has previously worked as a QA Engineer and in project management.
Most helpful customer reviews
12 of 13 people found the following review helpful.
The Web Testing Companion is a manual written for both beginners and experienced web designers, and the author herself is a testing director at Microsoft. If you've had a few years' experience as a designer, developer or webmaster, then the material is not new to you; i.e., optimizing bandwidth, etc.
Obviously, this is not the kind of book you read straight through from beginning to end, but rather a handbook that you can refer to as problems arise. For the most part, the book succeeds as that, and Ms. Ash has divided the book into four general sections: non-technical issues, technical issues, general advice for testers, and finally an excellent set of appendices on various aspects of Web testing.
I'm sure we all can recall incidents of working with defective software that nobody apparently had tested for bugs, sloppy coding, or slow operating time. This was because there was probably a deadline for the software release time, and the developer concluded that hiring testers would be an extra expense.
The first four chapters deal with non-technical issues, mostly related to the planning of the application.
Web site planning can involve a number of goals; for example, which is most important: minimal defects or time-to-market? Developing a medical web application to assist in diagnosing illnesses is different from developing an application that will be used to solicit funds. The medical app could be providing life-or-death information, whereas the solicitation site could need high visual appeal. In other words, the app must meet the customer's requirements and expectations, not yours. Most of us already know that, but in one of the book's appendices, the author has given us a checklist of several pages' worth of questions to determine exactly what the customer's needs are. That's what I like about this book: It presents some very objective methods for answering subjective questions.
Server-Side and Client-Side Testing:
For server-side (as opposed to client-side) web apps, performance testing and security testing are the most important. Stability problems need to be identified prior to deployment. The tester, therefore, should create many user scenarios derived from the most common and most intensive user actions, and then analyze the performance statistics after the performance tests are completed.
The author recommends that all of your pages load in 15 seconds or less, but this rule really depends on your particular application and the expectations of the people using it. If your app requires large graphics and the users are architects, they will probably feel that waiting a few minutes is worth the effort.
The author recommends that you set up a test environment that is separate from your development and production environment. This can include a separate web server, database server, and application server if applicable. This is especially important in testing security features. (It should be noted, of course, that some application developers will not be able to afford the elaborate testing facilities of a large corporation.)
Ms. Ash advises, "One of the most common reasons that performance testing of an application is not successful is that the wrong scenarios were tested." Therefore, she recommends that: "Not every line of code or possible interaction needs to be benchmarked on every build. Identify the critical places, the most frequent code paths, and the most expensive ones, the ones that are most important to the user, and spend the precious test time here. If there is more test time left over, spend it on any code paths that have been added since the last release."
At this stage, the author explains numerous helpful methods for setting up baselines, benchmarks and other metrics to determine Web application performance and efficiency. These metrics also include the application's efficiency when interacting with various servers' processors, memory and disk drives.
The author provides a method for charting data flow, which is helpful in both performance and security testing.
Load and Stress Testing:
"Load testing is done to help identify what the load profile for the service is under a load. Knowing the server profile helps you identify when the server in a line production environment is about to break or crash."
Load testing should answer questions like: How many requests per second can the server take? How long does it take to service a request? What is the uptime under real-world loads?
Finally, an entire chapter is devoted to automation methods. Automation is "an excellent way to ensure that the software of today is just as good as it was yesterday, but management incorrectly assumes that automation will solve all their problems."
The earlier you perform load testing the better. Most people hate to wait for a web page to load, so simple design changes can often make a significant impact on the performance and scalability of your web application. A good overview of how to perform load testing can be found on Microsoft's Developer Network (MSDN) website.
As with performance testing, the first steps of security testing need to be taken by the product designers to ensure that their code is safe by employing best practices when writing code.
A general rule to remember is that as your company gains more and more data that is desirable, it is also gathering attackers and gathering more that needs defending. On the other hand, the thought that a less important company or service will not be as interesting to an attacker can lull you into a false sense of security. You can still be attacked, for the same reason that small businesses and houses have been robbed; i.e., because they can be easy targets.
The author outlines various methods of testing your apps for a number of "popular" attack methods:
Denial of Service, in which a server can receive thousands of ICMP "ping" requests from hundreds of workstations;
Buffer Overflow, which is becoming a very common method for installing Trojan horses and back door software;
Cross-site scripting, in which an attacker gets his malicious code to run on someone else's Web site; and
SQL Injection, by which the attacker sends malicious code to an SQL database.
General Testing Advice:
The remainder of the book is concerned with various organizations, web sites and other resources open to testers.
Ms. Ash makes the point that many people enter the field of testing involuntarily, and that the testers should not develop an adversarial relationship with management and developers. (Obviously, hard-working developers don't want to be told how inefficient or unsafe their code is, and vice presidents don't want to be told that they have to postpone a release date because of "holes" in their latest product.) Because testers can wield considerable power, the author stresses diplomacy when notifying the developer team about their mistakes in coding. Additionally, the professional tester should communicate regularly with users by giving presentations and attending meetings with management. They should also become certified in relevant technologies.
Although the author could have provided a more readable index or table of contents, she has provided 200 pages of appendices, covering RFCs, error codes, ASCII character sets, and many helpful tables. The appendix material is also available at the author's companion site at [...]
18 of 19 people found the following review helpful.
Excellent intro and reference to beginner/intermediate QA.
By Stephen E. Donner
As a Software QA Engineer with only 2 years experience (who's just recently been transitioned into web-based application testing from a web-client background) and, might I add, an employee of the largest competitor to Lydia's parent company, I was pleasantly surprised that she was non-biased and thorough in her comparison of different browsers (though a tad brief in other areas).
Okay, enough with the background. Things this book does effectively: begins to get you thinking about security testcases (via malformed CGI/http requests, extended-char inputs, etc), but also covers a great deal broadly on automation, performance, static/dynamic HTML, and a few scattered topics such as form controls. She does seem to go overboard on character sets (both in security sections and in testing sections), though perhaps my experience in the 'real-world' at my company hasn't touched on this enough, I don't know. She does great on helping you formulate the browser matrixes, with all their resolution types, and she even differentiates between screen resolution and what she calls 'canvas size' (I refer to this as the viewport, but they're identical). This book is a fabulous introduction to the methodologies, and what a beginner or intermediate tester would expect to find in the real world. Bug cycles, templates, project cycles, roles, best practices, scheduling, bug severities and the like are all described in sufficient detail.
Now for the single disappointment: her Test Planning and Design chapter is shy of 20 pages. This may or may not sound comprehensive enough, but to me it was terribly under-developed. She does break this chapter down and describe the different kinds of testcases/plans, but doesn't really show any templates, which I was expecting. To be fair, this is probably the hardest to encapsulate in a book, as each company (sometimes even each team) formats their test documentation differently (some to ISO standards, some in Word format, some in HTML, some in Excel spreadsheets, even).
Buy it for an excellent introduction to the subject, a good reference for HTTP error codes, character sets, best practices, but for advanced security/performance/automation, I'd probably buy a book that specializes in those topics.
9 of 12 people found the following review helpful.
Take the title literally
By Mike Tarrani
This book is overshadowed by "Testing Applications on the Web: Test Planning for Mobile and Internet-Based Systems" ISBN 0471201006, which is one of the most highly regarded in the testing community. However, that does not mean this book is without merit. On the contrary, the rich content of the appendices, which comprise a significant portion of this work, make it an ideal companion to the aforementioned book.
Another point in this book's favor is that it is basic enough and structured to make it an ideal text for a course on web testing. The author did an excellent job of describing good practices in web testing and covering the basics. She also provides a good deal of sage advice on career matters, which a more technical book will overlook.
I found the chapters on server-side testing accurate and clear enough for new test professionals to completely follow. The chapters on performance and security testing were reasonably complete, and the chapters on client side were as well and clearly written. I also like the author's objectivity - she works for Microsoft, but did not emphasize that company's technologies or processes over standard industry practices.
As a supplement to a more technical book, such as the one I cited above, or as a text in a basic web testing course this book shines. It is not the definitive reference, but is worth reading if for no other reason than to have the appendices nearby as a ready reference during test cycles.