development team will use the reference architecture to code the needed services. For a testing professional, having a general understanding of the reference architecture used to code the web services can provide a great deal of information. For example, you will learn implementation attributes about the services that you will be testing, which will be a critical input for both test-planning activities and test tool configuration.
Ensure SOA Performance, Security, Environment, and Tool Readiness
Some other critically important testing activities include both performance testing and security testing of web services. There are a number of open source and commercial tools available for performance testing. A main concern with performance-testing services is that you must ensure that your simulated workload models account for the interoperability of your service model under test, including the various data models that you need to test. For example, a web service may access a particular data repository and model to satisfy one of its service components, but the very same web service could then access a completely different data store for another component of its functionality. You should be aware of variations in both the service control flow and the data that it uses so that you can properly plan load-testing workload models.
Security testing has become an important part of SOA and web services certification. This is due to the reusable nature of services that pass sensitive data across corporate infrastructures and ultimately to external organizations and end-users. A comprehensive certification must include testing efforts that ensure the data remains safe and is not vulnerable to hackers. Security testing can be a difficult challenge due to the number of vulnerabilities that may need to be checked in a given web-services implementation. This effort can be partly automated with various scanning tools that are designed to interrogate web services for vulnerabilities. The Open Web Application Security Project is a nonprofit organization that provides some very valuable resources for testing web-service security. It offers standards for testing some of the most common vulnerabilities that web services expose, such as XML structural testing, WSDL testing, and testing SOAP attachments. In addition, there are concerns about data-related trust, integrity, privacy, and access control that will need to be tested. Because security testing covers such a broad spectrum, it is best to bring in specialists who can help define a comprehensive security-testing strategy.
The testing environments needed for SOA must simulate the production environment dependencies, including all of the downstream and upstream connectivity points that web services communicate with across the infrastructure. During the development phase, a common challenge that testing professionals encounter is limited testing environment connectivity. One way of addressing this is to write stubs that can simulate the dependent systems needed to communicate with the web services under test. Some of the tools available for web-services testing support this concept of stub creation. Another way to address this is to use one of the SOA virtualization tools that have been created specifically to virtualize an SOA environment so that testing can take place very early in the SDLC. There are benefits and drawbacks to both methods, so be sure to research them thoroughly for your particular environment.
Ultimately, your effectiveness at developing a holistic testing strategy for SOA and web services will be determined by how successfully you have planned for and adopted many of the testing considerations covered in this article. Given the importance placed on SOA to serve the needs of so many business-driven IT projects, your ability to use this information to ensure the highest possible quality products is crucial.