Abstract
Software testing often has to be done under severe pressure: resources are limited and the schedule is challenging, while the test still has to assure that the software requirements are fulfilled. In addition, testing should unveil those software defects that harm the mission-critical functions of the software. Risk-based testing uses risk (re-)assessments to steer all phases of the test process, in order to optimize the testing effort and to limit the risks of the software-based system. Due to its importance and high practical relevance, several risk-based testing approaches have been proposed in academia and industry. This paper presents a taxonomy of risk-based testing that provides a framework to understand, categorize, assess, and compare risk-based testing approaches, supporting their selection and tailoring for specific purposes. The taxonomy is aligned with the consideration of risks in all phases of the test process and consists of the top-level classes risk drivers, risk assessment, and risk-based test process. The taxonomy has been developed by analyzing the work presented in available publications on risk-based testing. Afterwards, it has been applied to the work on risk-based testing presented in this special section of the International Journal on Software Tools for Technology Transfer.
Notes
The ALARP principle is typically used for safety-critical systems, but also for mission-critical systems. It says that the residual risk shall be as low as reasonably practicable.
Acknowledgments
This research was partially funded by the research projects MOBSTECO (FWF P 26194-N15), QE LaB - Living Models for Open Systems (FFG 822740), ITEA2 DIAMONDS (Development and Industrial Application of Multi-Domain-Security Testing Technologies), and EU RASEN (Compositional Risk Assessment and Security Testing of Networked Systems).
Felderer, M., Schieferdecker, I. A taxonomy of risk-based testing. Int J Softw Tools Technol Transfer 16, 559–568 (2014). https://doi.org/10.1007/s10009-014-0332-3