If you think compliance is expensive, try non-compliance.

Paul McNulty

What is compliance testing?

Compliance testing, also known as conformance testing, determines whether a software system or a process complies with a given set of internal or external standards.

The organization sets internal standards. For example, a website development company might mandate that all websites must be responsive.

Industry standards or rules set outside an organization are external standards. For example, a health care company may require that all software it develops must be HIPPA compliant.

Compliance testing is a type of non-functional testing.

Compliance testing includes:

  • Determining whether the process of development and maintenance follows the methodology prescribed
  • Ensuring that each development phase's deliverables comply with the set standards, procedures, and guidelines, and
  • Evaluating the project documentation to verify completeness and reasonableness

When to perform Compliance Testing?

It is exclusively the management's call to decide the internal and external standards the software developed should comply with. The standards are usually chosen based on best practices to increase software quality or external security standards to reduce legal liability.

For example, if your company decides to comply with the OWASP Application Security Verification Standard (ASVS), the security risk in your applications will be considerably mitigated.

However, the intention to comply does not mean compliance. Your developers may think that the application is OWASP ASVS compliant, but it may not. More often than not, it results from gaps in understanding as standards are notoriously hard to follow. You can fill these holes with adequate training.

It is necessary to carry out a compliance review right from the start of the project rather than later as the cost of fixing it rises exponentially with every stage in the SDLC.

How to perform compliance testing?

The compliance testing is like an audit. There is no specific method to do it. However, we recommend the following steps:

  • First, gather all the detailed rules, regulations, standards, and norms that your team needs to comply with.
  • Secondly, record all the collected data in the first step accurately.
  • Prepare a verification checklist for all developmental stages and modules. Make it available to the developers so that they know it before they begin development.
  • After each development stage, verify the checklist and prepare a report. Ensure that there is no conflict of interest during the verification process.
  • After your developers correct the errors, re-verify them to validate the affected areas.
  • If possible, apply for a compliance certificate.

Advantages of Compliance Testing

Compliance testing is not a mandatory part of SDLC. However, adherence to standards and validation improves software quality in terms of correctness, portability, interoperability, performance, or security.

Disadvantages of Compliance Testing

The critical problem in compliance testing is interpreting the standards, especially external standards, and communicating them to developers and testers in a way they understand. Developers need precise rules while coding, while testers need clear guidelines during audits. Compliance testing is not easy and could become very challenging and time-consuming. If an external agency is required for compliance certification, it is usually costly.