Section 7

Phase 5: Testing & Quality Assurance

18 sub-sections in this chapter

Phase 5: Testing & Quality Assurance

Modernization Overlay: Apply the 2026 Modernization Addendum controls (AI assist + RTG linkage) before phase exit.

Purpose

Validate that the product works as specified, meets performance requirements, and is ready for production.

Duration

3 weeks (parallel with late-stage development)

Key Activities

5.1 Test Planning

Lead: QA Lead
Document: [ProjectCode]-040-Test-Plan-v1.0.docx

Test Plan Contents:

1. Testing Scope

├─ In Scope: All P0 & P1 features ├─ Out of Scope: Mobile app (future)
└─ Excluded: 3rd party integrations (Stripe handles testing)

2. Test Strategy

├─ Functional Testing (does it work?) ├─ Integration Testing (components work together?) ├─ Performance Testing (fast enough?) ├─ Security Testing (vulnerabilities?) ├─ Usability Testing (easy to use?)

└─ Compliance Testing (meets regulations?)

3. Test Levels

Level 1: Unit Tests (Developers) ├─ Each function tested in isolation ├─ >80% code coverage requirement

└─ Run automatically on every commit

Level 2: Integration Tests (Dev + QA) ├─ Multiple components together ├─ Database + API + Cache ├─ Runs on staging environment └─ ~50 test scenarios

Level 3: System Tests (QA) ├─ Complete user workflows ├─ End-to-end scenarios

├─ Manual + automated
└─ ~30 test scenarios

Level 4: UAT (Client/Business) ├─ Real users testing in staging

├─ Business-facing features
└─ Sign-off required before launch

4. Test Environment

├─ Staging: Mirrors production, limited data
├─ Preprod: Exact replica of production, large dataset └─ Production: Real users, real data

5. Test Data Requirements

├─ Test users: 100 accounts with various states

├─ Test payment methods: Valid + invalid test cards ├─ Historical data: 1 year of transaction history └─ Edge cases: Negative amounts, currency conversions

6. Testing Tools

├─ Playwright: Automated browser testing ├─ Jest: Unit test framework ├─ Postman: API testing ├─ JMeter: Load testing ├─ OWASP ZAP: Security scanning └─ Manual testing: QA team with test cases

7. Defect Management

├─ Severity levels: │├─ Critical: Blocks usage (P0) │├─ High: Major feature broken (P1) │├─ Medium: Feature works but with issues (P2) │└─ Low: Minor issues (P3) ├─ Resolution targets: │├─ Critical: Fixed within 4 hours │├─ High: Fixed within 24 hours │├─ Medium: Fixed within 1 week │└─ Low: Fixed in next release └─ Tools: Jira for bug tracking

8. Quality Metrics

├─ Code coverage: >80% ├─ Test pass rate: >95% ├─ Bug escape rate: <1 bug per 1000 lines of code ├─ Performance: All APIs <200ms response time ├─ Uptime: No crashes in 24-hour soak test └─ Security: 0 critical/high vulnerabilities

5.2 Test Case Development

Lead: QA Lead + Test Engineers
Tool: Jira with test case management
AI Workflow: Generate initial test skeletons from approved acceptance criteria before implementation closes

Test Case Format:

Test Case ID: PAYAPP-TC-001 Title: Valid User Login Precondition: User account exists with email test@example.com Steps:

Navigate to https://staging.paymentapp.com
Click "Login"
Enter email: test@example.com
Enter password: Secure123!
Click "Sign In" Expected Result: User redirected to dashboard ✓ User name displayed in top-right ✓ Recent transactions visible ✓ Actual Result: As expected ✓ Status: PASS Executed By: Sarah QA Date: 2025-12-15 Notes: Performance acceptable, <2 second login

Test Case ID: PAYAPP-TC-002 Title: Invalid Password Login Precondition: User account exists with email test@example.com Steps: 1. Navigate to https://staging.paymentapp.com

Click "Login"
Enter email: test@example.com
Enter password: WrongPassword123!
Click "Sign In" Expected Result: Error message displayed ✓ Message: "Invalid email or password" ✓ User remains on login page ✓ ✓ Password field cleared Actual Result: Error message not displayed, page refreshes ✗ Status: FAIL Severity: HIGH Bug ID: PAYAPP-BUG-045 Executed By: Sarah QA Date: 2025-12-15 Notes: Reports issue to dev team, assigned to John Doe

5.3 Test Execution & Defect Tracking

Lead: QA Team
Tool: Jira + TestRail (optional for large teams)

Weekly Testing Cycle:

Monday-Wednesday: Test Execution

├─ Run regression tests on new build
├─ Test new features
├─ Document results
└─ Report defects

Example daily standup:

QA Lead: "We found 3 bugs yesterday:

Login error not showing (HIGH)
Payment history pagination broken (MEDIUM)
Typo in email template (LOW)

We're targeting 95% test pass rate by Friday."

Wednesday: Defect Triage

├─ Review all bugs reported
├─ Assign severity
├─ Assign to developer
└─ Agree on resolution target

Thursday-Friday: Verification

├─ Retest fixed bugs
├─ Run regression on fixes
├─ Verify no new issues
└─ Sign off on build quality

Status Report (Friday): Total Tests: 250 Passed: 240 (96%) Failed: 10 (4%) Bugs Fixed: 8 Outstanding: 2 (assigned, in progress) Ready for UAT: YES

5.4 Automated Testing

Framework: Jest (unit), Playwright/Cypress (E2E; AI-generated starter suites permitted)
Coverage Target: >80%

Test Suite Structure:

/tests

├─ unit/
│├─ auth.test.js (Login, signup, password reset)
│├─ payment.test.js (Payment processing)

│└─ wallet.test.js (Wallet management) ├─ integration/ │├─ auth-flow.test.js (Register → Login → Dashboard) │├─ payment-flow.test.js (Add card → Payment → Email) │└─ api-integration.test.js (API endpoints) ├─ e2e/ │├─ login-flow.test.js (Full user login journey) │├─ payment-journey.test.js (Complete payment) │└─ error-scenarios.test.js (Error handling) └─ performance/ ├─ load-test.js (1000 concurrent users) └─ stress-test.js (Spike to 5000 users)

Example test (Jest): describe('Payment Processing', () => { test('should process valid payment', async () => { const paymentData = { amount: 99.99, paymentMethodId: 'pm_test_valid', currency: 'USD' }; const result = await paymentService.process(paymentData); expect(result.status).toBe('completed'); expect(result.transactionId).toBeDefined(); }); test('should reject invalid amount', async () => { const paymentData = { amount: -10, paymentMethodId: 'pm_test_valid' }; await expect(paymentService.process(paymentData)) .rejects .toThrow('Amount must be positive'); }); });

5.5 Performance Testing

Tool: Apache JMeter or Load.io
Targets:
- API response time: <200ms (95th percentile)
- Page load: <3 seconds
- Concurrent users: 1000+

– Transactions: 500/second

Performance Test Scenario:

Test: Login spike during marketing campaign

├─ Baseline: 100 users/sec (constant)
├─ Spike: Increase to 500 users/sec over 5 minutes
├─ Sustain: 500 users/sec for 30 minutes
└─ Cool down: Return to 100 users/sec

Metrics to Monitor:

├─ Response time: Should stay <200ms
├─ Error rate: Should stay <0.1%
├─ CPU usage: Should stay <80%
├─ Memory: Should stay <75%
├─ Database connections: Should stay <80% max

Result: PASS

├─ Peak response time: 185ms
├─ Error rate: 0.05%
├─ No timeout errors
└─ System recovered cleanly after spike

5.6 Security Testing

Lead: Security Engineer / QA
Tools: OWASP ZAP, Burp Suite
Focus Areas:
- SQL injection prevention
- XSS (cross-site scripting) protection
- CSRF (cross-site request forgery) tokens
- Authentication bypass attempts
- Authorization enforcement
- Data encryption (in transit & at rest)
- Sensitive data exposure
- Known vulnerabilities (dependency scan)

Security Test Report:

Test: SQL Injection in login form

└─ Input: ' OR '1'='1' -- Expected: Login fails Result: PASS (parameterized query used) ✓

Test: XSS in payment description

└─ Input: <script>alert('XSS')</script>

Expected: Rendered as text, not executed Result: PASS (output escaped) ✓

Test: Unauthenticated access to dashboard

└─ Request: GET /dashboard (no auth token) Expected: 401 Unauthorized

Result: PASS (redirects to login) ✓

Test: Privilege escalation

└─ Admin: Can admin delete user Regular User: Can NOT delete user Result: PASS (authorization enforced) ✓

Summary: No critical vulnerabilities found ✓

5.7 User Acceptance Testing (UAT)

Lead: Business Analyst + Client
Duration: 1 week
Participants: 5-10 real users from client

UAT Process:

Day 1: Training & Environment Setup

├─ Client team trained on testing
├─ UAT credentials distributed
├─ Test scenarios reviewed
└─ Questions answered

Days 2-4: Test Execution

├─ Client tests using test cases
├─ Developers available for questions
├─ Defects logged in Jira with client notes
├─ Daily standup to discuss progress
└─ Critical bugs addressed same day

Day 5: Finalization

├─ All P0 bugs fixed & verified
├─ P1 bugs evaluated for launch
├─ Client sign-off obtained
├─ Launch approval granted
└─ Launch planning begins

UAT Sign-Off:

✓ I have tested the Payment App MVP
✓ All critical features work as expected
✓ Product meets our business requirements ✓ System is stable and ready for production

Approved by: [Client Name] Date: 2025-12-20 Signature: [Digital signature]

Issues found: 3 - 1 Critical (fixed, verified)
2 High (deferred to post-launch)

Notes: Product is production-ready with known issues documented for future sprints.

Testing Deliverables

Testng Deliverables
Document	Owner	Item Count	Status
Test Plan	QA Lead	1 doc	✓
Test Cases	QA Engineers	250+ cases	✓
Unit Test Suite	Dev Team	500+ tests	✓
Integration Tests	Dev + QA	50+ tests	✓
E2E Tests	QA	30+ tests	✓
Performance Results	QA	1 report	✓
SecurityReport	Security	1 report	✓
UAT Sign-Off	Client	Approval	✓
Defect Log	QA	Final report	✓

Success Criteria

✅ >95% test pass rate ✅ All P0 bugs fixed and verified ✅ <1 bug per 1000 LOC average ✅ Performance targets met (<200ms API response) ✅ Security scan: 0 critical vulnerabilities ✅ UAT sign-off obtained ✅ Production deployment checklist passed

Use in workspace Delivery cockpit