Documenting and testing software errors after validation

Hi all,

i’m pondering how to approach this type of situation (sorry for being
wordy, but this actually happened):

i’m sure everyone tests this type of requirement: “3 incorrect number
of login attempts results in user lockout.”

there was one application where we tested this requirement, and it
worked, and the system was put in production. however, what we
didn’t catch until it was in production was that really the software
was counting any 3 consecutive incorrect logins into the database,
and would lock out that last user (i.e. user 1 logs in incorrectly,
user 2 incorrectly, user 3 incorrectly…but user 3 would be locked
out even though user 3 only tried logging in one time).

during validation testing we only tested the ‘normal’ situation where
the same user tried to login with 3 incorrect passwords (i know i
know, improper risk assessment bla bla…we took a risk based
approach and this didn’t come up…regardless, it’s caught now). now
we’re in production and found this glitch. there was no vendor fix
until the next upgrade.

so the question: do you need to formally test this glitch in order
to have a corrective action?
would you formally test this scenario in order to fail the user
requirement, thus justifying a corrective action. or since we caught
this in production, and we have a problem reporting/change control
mechanism in place, we have a formal report and can give a corrective
action and move on. any thoughts???

Thanks!
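The defect described in the post, written out as an added example (not code from the thread or the vendor): a global consecutive-failure counter beside a per-user one, with the cross-user scenario that was missed during validation turned into a repeatable check. Class names, the threshold of 3 and the user names are constructed for illustration.

```python
# Added example, not code from the thread: the lockout defect described
# above beside a corrected per-user counter, so the scenario missed in
# validation becomes an explicit test case. Names and inputs are constructed.
MAX_FAILED = 3  # "3 incorrect login attempts results in user lockout"

class GlobalCounterLockout:
    """Defective: one application-wide run of consecutive failures."""

    def __init__(self):
        self.consecutive_failures = 0
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return False
        if password_ok:
            self.consecutive_failures = 0
            return True
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_FAILED:
            self.locked.add(user)  # wrong account: whoever failed last
            self.consecutive_failures = 0
        return False

class PerUserLockout:
    """Corrected: consecutive failures are counted per account."""

    def __init__(self):
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password_ok):
        if user in self.locked:
            return False
        if password_ok:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILED:
            self.locked.add(user)
        return False

def cross_user_scenario(impl):
    """The case missed in validation: three different users fail once each.
    Returns the locked accounts; a correct system locks nobody."""
    for user in ("user1", "user2", "user3"):
        impl.attempt(user, password_ok=False)
    return set(impl.locked)
```

Running `cross_user_scenario` against both classes is the test that would have failed the user requirement before go-live; the same-user case alone passes on both.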

Hi,

Did you actually specify in your URS that after 3 consecutive failed logins from the same user that the account will get locked out?

If you did then I would open a change request to get the issue sorted get the upgrade when available and do some re-validation.

Also if the vendor signed up to the URS and were there during validation some responsibility lies with them also.

Ruth.

This is a nuisance but not really a failure of the validation. The requirement is probably unauthorized users cannot access the application, which you demonstrated. So a failure of the validation would be when an unauthorized user gains access. This is just a change control to fix the nuisance.