The client is a well-known financial institution that offers numerous banking solutions — from issuing credit cards and providing mortgage loans to diverse money transfer opportunities and mobile banking.
To establish QA processes on several projects and ensure high reliability and security of delivered software, the client reached out to a1qa.
To help the client reach business objectives, a1qa joined two subprojects.
In terms of the first one, the QA team set up testing processes from scratch and performed functional, cybersecurity, and compatibility testing.
As for the second subproject, a1qa was to establish QA activities and manage the client’s and vendor’s squads.
The first subproject is a startup focused on the development of two solutions:
First, the QA team designed a testing strategy and a QA plan, established the processes for creating test documentation and describing defects, and implemented several improvements to the Jira project management tool. Next, the engineers proceeded with the set of QA activities described below.
To ensure high quality of the APIs, the QA engineers tested 14 high-priority operations (e.g., card creation, activation, blocking, depositing, setting limits). For that, the team created test models and had them approved by business analysts and developers, wrote test documentation for smoke, positive, and negative tests, reported defects, and validated their fixes.
The engineers also processed incoming tickets aimed at fixing issues and extending current functionality (e.g., adding the possibility to search for cards by token and activating cards using the last four digits of the card number).
As for testing the Developer portal, a1qa verified every aspect of the created software, from switching between color themes to using an emulator for interacting with the APIs and receiving a virtual card.
The team performed new feature testing to ensure that new functionality did not affect the solution logic, regression testing to confirm that the introduced improvements operated without faults, and defect validation to confirm that reported issues had actually been fixed.
As for the system of APIs, the team performed a vulnerability assessment based on the OWASP API Security Top 10, which lists the most severe current API vulnerability classes. The groups of checks therefore focused on injection, broken authentication, security misconfiguration, excessive data exposure, and many other aspects.
Each time a new vulnerability was detected, the QA team created a ticket, passed it over to the developers, and later performed defect validation to ensure it was eliminated.
During testing, the engineers discovered several vulnerabilities — most of them were related to the lack of anti-automation mechanisms. These vulnerabilities made it possible to carry out brute force attacks and, if successful, steal access tokens that were used to access the API. Also, it was possible to perform denial-of-service attacks using several API methods and specially crafted HTTP requests.
The engineers rated the overall security level of the system as medium because of a range of other cybersecurity flaws (there were several system information leaks on error pages and in Git repositories).
As regards testing the web portal, the QA team followed the OWASP Web Security Testing Guide. The scope of checks included configuration and deployment management testing, identity testing, authentication and authorization testing, session management testing, input validation testing, and many more.
The same class of vulnerabilities was present in the web portal: an intruder could enumerate the users registered in the system and guess their passwords. In addition, the engineers detected one more vulnerability connected with OTP codes: a flaw in the two-factor authentication step allowed fraudsters to gain full access to user accounts.
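As an added illustration (not code from a1qa, the client, or the vendor) of the anti-automation control whose absence drove the brute-force and OTP findings above, the Python sketch below contrasts an unguarded OTP check with one that limits failed attempts per account and returns the same reply for an unknown user and a wrong code. The user, OTP value, thresholds, and function names are constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

# Constructed demo store (hypothetical user and OTP); a real service keeps these server-side.
USERS = {"alice": {"otp": "482913"}}
MAX_ATTEMPTS = 5         # assumption: failures allowed before the account is locked
LOCKOUT_SECONDS = 900    # assumption: lockout duration in seconds


@dataclass
class AttemptGuard:
    """Per-account failure counter with temporary lockout (the missing anti-automation control)."""
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def allowed(self, account: str, now: float) -> bool:
        return now >= self.locked_until.get(account, 0.0)

    def record(self, account: str, ok: bool, now: float) -> None:
        if ok:
            self.failures.pop(account, None)
            return
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures.pop(account, None)


def verify_otp_unguarded(user: str, code: str) -> str:
    # Shape of the reported weakness: no attempt limit, and a distinct
    # message reveals whether the account exists (user enumeration).
    if user not in USERS:
        return "unknown user"
    return "ok" if USERS[user]["otp"] == code else "bad code"


def verify_otp_guarded(guard: AttemptGuard, user: str, code: str, now: float) -> str:
    if not guard.allowed(user, now):
        return "locked"
    expected = USERS.get(user, {}).get("otp", "")
    # compare_digest keeps timing uniform; unknown user and wrong code get the same reply
    ok = user in USERS and hmac.compare_digest(expected, code)
    guard.record(user, ok, now)
    return "ok" if ok else "invalid"


def evaluated_guesses(verify, wrong_codes: list) -> int:
    """How many of the submitted (all wrong) codes the endpoint actually evaluated."""
    return sum(1 for c in wrong_codes if verify(c) != "locked")
```

In a real deployment the counters live in shared storage and the lockout is paired with alerting, since the lockout itself is what makes an attack visible in the logs.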
Further, the QA team plans to introduce tools for automated code analysis and vulnerability scanning for all system components.
The next goal was to deliver a consistent user experience across diverse browsers when interacting with the Developer portal. The engineers therefore gathered browser and device statistics for the target region for desktops, tablets, and mobile devices, built a compatibility matrix, and performed the tests. The highest-priority configurations were desktop tests on Google Chrome, Mozilla Firefox, and Safari.
To streamline QA activities, the software development vendor assigned one test automation engineer. a1qa supported the specialist by selecting the scope for automated testing, writing test cases, and sharing test automation expertise.
The bank is a massive ecosystem that unites multiple components and third-party systems that ensure smooth functioning of numerous services like card issuance, loan applications, salary payments, and more.
To provide unhindered functioning of these elements and combine all banking operations, the client uses a single integration platform.
It’s directly linked to a core banking system. Each time an operation is performed (for instance, a bank employee wants to edit data in a user account), it accesses the core system, transfers requests, and receives data back.
Providing QA support on this subproject was a challenging task for various reasons:
To help the client increase the quality of banking software, a1qa was responsible for establishing QA processes from scratch and team management.
Firstly, a1qa’s engineers helped configure the bug- and test-tracking systems and trained project members to write test documentation and describe defects. For that, they delivered a process overview, created templates, and reviewed the results.
Secondly, the engineers initiated an update of release and task life cycles.
Improving the release life cycle was of critical importance, as night releases were frequently rolled back, which caused financial damage. Therefore, the team organized a cross-review of all test cases while test documentation was being written, to analyze the depth of test coverage and check compliance with a set of formal criteria, such as the presence of positive and negative tests and of checks covering basic security.
This approach increased process transparency and the quality of releases. Moreover, the team proposed a way to perform releases during the day without risking disruption of users’ routine operations.
The task life cycle previously included the release life cycle, so a1qa separated the two to simplify the processes and increase testing efficiency.
Finally, a1qa will help the client implement test automation to cover large smoke and regression test scope as well as streamline testing during sprints. Support will include test automation framework selection, setup of the integration with CI/CD pipelines, writing test cases, launching tests, and analyzing results.
a1qa was to oversee the workflow of three engineers from the client’s side and two from the vendor’s. It was important to guarantee smooth processes and increase the transparency of QA activities.
The manager assigned tasks and reviewed results, tracked quality metrics for the performed activities and gave feedback to team members, and organized daily stand-up meetings to make sure everyone was keeping the same pace.
Thus, a1qa’s involvement helped the client build transparent and effective QA processes, increase the quality of delivered software, and avoid the financial losses previously caused by rolled-back releases.