Acceptance testing – Best practice
User acceptance testing (UAT) is the last phase of the software testing process. Actual software users test the software to make sure it can handle required tasks in real-world scenarios, according to specifications. UAT is one of the final and critical software project procedures that must occur before newly developed software is rolled out to the market and into operation (go-live). The objective of acceptance testing is to ensure that newly developed systems function as intended and do not compromise information security.
1. Acceptance tests should be carried out for all new systems, in an environment that is separate from both the development and live environments and performed independently of system development staff.
2. Acceptance testing environments should be protected by:
a) restricting access to authorised users;
b) applying change management practices.
3. Acceptance tests should:
a) involve business users;
b) simulate the live environment;
c) involve running the full suite of system components (including application functionality, database management utilities and the underlying operating system);
d) feature full integration testing, to ensure there will be no adverse effects on existing systems;
e) involve independent security assessments of critical code, to detect vulnerabilities (eg ‘back doors’ or ‘time bombs’) and insecure use of programming features;
f) include attempts to compromise the security of the system (eg by performing penetration tests).
4. Systems under development should be subject to:
a) penetration testing;
b) access control testing;
c) performance testing (ie under normal loads);
d) stress testing / volume testing (ie subjecting the system to large volumes of data to assess the performance under abnormal loads);
e) failure testing (eg to determine what happens if all or part of the system fails) and recovery testing;
f) testing of manual fall-back or other contingency procedures.
5. Test data specifically designed to identify system faults or system weaknesses should be used during testing.
6. Business information copied from the live environment for the purposes of conducting acceptance tests should be protected by:
a) prohibiting the use of personally identifiable information (ie information that can be used to identify an individual person) in the testing process;
b) requiring separate authorisation each time business information is copied from the live into the testing environment;
c) restricting access to business information in the testing environment;
d) logging the use of business information;
e) erasing copies of business information once testing is complete.
IT Hardware Broker / CHB Global
8y: For Mob Apps there is AppPulse Mobile - lets you know how your users REALLY experience your app — from the moment they tap, swipe, or stretch until their UI has finished.
Chairman of the Audit and Risk Committee @ MedService Plus LLP (Kazakhstan) | Independent Board Member | Finance Director @ Kuban Tea Group (Russia)
8y: Few people conduct User Acceptance Tests individually for each key user. As a rule, the software product is handed over to pilot operation without UAT. And then, to production operation. And after that, key users start flooding the Support and Help Desk with their requests for changes, Change Orders.