i’m pondering how to approach this type of situation (sorry for being
wordy, but this actually happened):
i’m sure everyone tests this type of requirement: “3 incorrect number
of login attempts results in user lockout.”
there was one application where we tested this requirement, and it
worked, and the system was put in production. however, what we
didn’t catch until it was in production was that really the software
was counting any 3 consequitive incorrect logins into the database,
and would lock out that last user (i.e. user 1 logs in incorrecty,
user 2 incorrectly, user 3 incorrectly…but user 3 would be locked
out even though user 3 only tried logging in one time).
during validation testing we only tested the ‘normal’ situation where
the same user tried to login with 3 incorrect passwords (i know i
know, improper risk assessment bla bla…we took a risk based
approach and this didn’t come up…regardless, it’s caught now). now
we’re in production and found this glitch. there was no vendor fix
until the next upgrade.
so the question: do you need to formally test this glitch in order
to have a corrective action?
would you formally test this scenario in order to fail the user
requirement, thus justifying a corrective action. or since we caught
this in production, and we have a problem reporting/change control
mechanism in place, we have a formal report and can give a corrective
action and move on. any thoughts???