Now, continuing on talking about our test program implementation and the various types of tests we want to use, let's talk about scalability testing. Now this is an augmentation of performance testing. Its main objectives are to identify the loads which can be obtained from load testing and to mitigate any bottlenecks that will hinder the ability of the software to scale, to handle more load or changes in the business processes or the technology.

Performance test baseline results are usually used in testing for the effectiveness of scalability. Degraded performance upon scaling implies the presence of some bottleneck that will need to be addressed either tuned or eliminated or possibly marked as an exception and thus committed to a corrective action plan.

Our next form of testing is usability testing. Now this is a general testing approach that examines user ergonomics or as we say, user friendliness. This tends to be a very subjective test, but can play an important role in terms of gauging user acceptance likelihood or concerns. Now, as we move further through our test program implementation, we come to the alpha test. Now, this is a type of acceptance testing. It is performed to identify all probable issues and bugs before releasing the final product to the end users.

Alpha testing is carried out by the testers who typically are internal employees of the organization. Now the main goal here is to identify the tasks that a typical user might perform and test those. Although it is not as common as its brother method, alpha testing is still an important part of easing the product into the real world of use. This sort of testing is typically done by end users and others but definitely not by the programmers or tactical testers. This testing takes place when a product is nearing delivery.

It is understood that minor design changes will still be made as a result of alpha testing. Thus, the product is not widely circulated during an alpha test. Now, some specifics about alpha testing include that reliability and security testing are not typically part of an in-depth alpha test. Alpha will typically involve both white box and black box techniques. Sometimes it is a typical experience that alpha testing will involve a fairly long execution cycle.

Now as mentioned, critical issues or fixes can be addressed by developers immediately in alpha testing. And it's meant to ensure that the quality of the product is there before it moves on to beta testing. Now, beta testing is by far the most common method of pre-release testing for any new product in the real world. Beta testing takes place when development and testing are essentially completed and final bugs and problems need to be found out before the final release. It is typically done by end users or others, but again, not by the programmers or testers themselves.

To be maximally effective though, there has to be a direct reporting link that hooks the testers to the people who are responsible for the final polishing prior to release. Now, throughout all of this testing, there are of course tools that must be used to do various things in the way of exercising the program, it's code and it's functions.

Now, as mentioned before, it is not important for the CSSLP to have a thorough understanding of how each security tool is used. That is there is no need for them to show that they have expertise in all the tools that are possible. This is the case at least with regard to the examination itself. But they must show that they are familiar with what the tool can be used for and how they can impact the overall state of the software's security.

Now, knowing the specifics of a tool's operation is of course important if the tester is to be successful in performance and attain the results that are accurate and reflective of the target's state of readiness. No tools should therefore be used by a novice without training and the supervision of someone who is experienced in its use. Now here we see a list of the types of tools that are typically used. Some are used for reconnaissance, that is information gathering, and then a fairly typical array, vulnerability scanners, fingerprinting tools, sniffers or protocol analyzers, password crackers, various forms of web security tools, wireless, if that's part of the program, reverse engineering tools, including assemblers, disassemblers, buggers, decompilers and the rest, source code analyzers, vulnerability exploitation tools, such as Metasploit, security-oriented operating systems in the environment and whether there are any vulnerabilities there that interact with the program itself and privacy tools.