Functional testing validates that the software is executing actions as it should.
Take the first wireless phone as an example. What were its main functions? Definitely the ability to dial a subscriber number, accept and reject a call, and, of course, talk with another person remotely. To make sure that these functions meet the requirement specifications, testers check device operability while performing functional testing of the phone: does everything work as intended, and are we satisfied with the overall quality?
Why is quality so important?
Back when consumers had a limited choice of cell phones, users had to make do no matter how poorly the phones worked. But those days are long past. The market is now saturated with countless smartphone models and applications from manufacturers around the world, so there are many mobile device and OS combinations to test.
This is where product quality becomes the true differentiator – it affects customers’ purchasing decisions and business profitability. No one wants to use a product that works poorly or breaks down. According to CISQ, poor quality software cost an estimated $2.84 trillion in the US alone in 2018.
How does functional testing work?
In short, we need to identify all the functions the product is expected to perform. Next, we need to determine which specific result is expected at each stage, for each function. Based on this information, we can now define a set of test cases to execute. After that, the quality of the product can be judged by the number of successfully passed test cases.
Can functional testing be automated?
In a nutshell, yes, functional testing can be automated. But with automated tests, it’s better to cover the functions that do not change often, in order to avoid flaky tests and to avoid missing issues that a human would spot during manual testing. Executing functional test cases manually is important because it allows for testing the product through the eyes of the customer.
Does software quality equal software security?
If quality is key to differentiating a good product from a bad one, security is vital to ensuring product integrity. It’s absolutely possible to create a well-performing, stable product that is vulnerable to security risks. Furthermore, what may seem like a simple bug to a software tester performing functional testing could mean something more to a qualified penetration tester (or attacker!).
What basic security checks can be done during functional testing?
Here are two practical tips and real-world examples of security checks that can be implemented with functional testing, and that don’t require any background in security testing.
1) Think about what might happen with the server-side data – try providing some unexpected characters to the application (single quote, double quote, semicolon, etc.). If the data is expected to be parsed and processed on the server side, you may be able to violate the syntax or run database queries (SQL, NoSQL, LDAP, etc.) if user input validation mechanisms are not working properly. This is not always an edge case either.
Simple SQL injection example that required adding a single quote during the search request.
2) Think about the text data that a user can enter in an input field (full name, description, comment, etc.) – try to input it as plain text and as encoded text. Sometimes a web app will accept URI-encoded values such as %3C and render their decoded values, in this case, <.
This can lead to HTML injection or even to XSS (Cross-Site Scripting) attacks.
Simple HTML injection example that required adding the text %3Ch1%3E“><script>alert%3C%2Fh1%3E to the description. Here %3Ch1%3E decodes as <h1> and %3C%2Fh1%3E decodes as </h1>.
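Both tips above can be turned into repeatable functional test cases. The Python sketch below is an added example, not code from the original post: the toy search and render functions, the products table and the sample values are constructed assumptions standing in for the application under test, with each weak form shown beside its corrected one.

```python
import html
import sqlite3
from urllib.parse import unquote

def make_db():
    # Constructed sample data for the toy application under test.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)",
                   [("O'Neill wetsuit",), ("Phone case",)])
    return db

def search_concat(db, term):
    # Weak form: user input is pasted into the SQL text.
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [r[0] for r in db.execute(sql)]

def search_param(db, term):
    # Corrected form: input is bound as a parameter, never parsed as SQL.
    return [r[0] for r in db.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term + "%",))]

def render_raw(description):
    # Weak form: decodes URI-encoded text and emits it as markup.
    return "<p>" + unquote(description) + "</p>"

def render_escaped(description):
    # Corrected form: decoded text is HTML-escaped before output.
    return "<p>" + html.escape(unquote(description)) + "</p>"

def check_search(search):
    """Tip 1 as a test case: a single quote must behave as plain data."""
    db = make_db()
    try:
        return search(db, "O'N") == ["O'Neill wetsuit"]
    except sqlite3.Error:
        return False  # the input broke the query syntax

def check_render(render):
    """Tip 2 as a test case: encoded markup must not come back as a tag."""
    return "<h1>" not in render("%3Ch1%3ETitle%3C%2Fh1%3E")

if __name__ == "__main__":
    for name, ok in [("search_concat", check_search(search_concat)),
                     ("search_param", check_search(search_param)),
                     ("render_raw", check_render(render_raw)),
                     ("render_escaped", check_render(render_escaped))]:
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

A FAIL from either check is the kind of "simple bug" worth escalating to the security team rather than logging as a cosmetic defect.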
To wrap it up, it’s safe to say that functional testing is an important element of quality control and it can sometimes also identify issues related to security.
This post by Yevhenii is part of our article series written by our community of testers. Yevhenii is a Cybersecurity researcher and QA engineer from Kyiv, Ukraine.