Case Study: Scorpion Software Corp.

Scorpion Software Corp., a leading provider of security analytic tools for small businesses, describes how they use TestComplete to move their company forward in software development.

About Scorpion Software Corp.

Scorpion Software, a leading provider of security analytic tools for small business, helps organizations proactively identify and remediate network and server vulnerabilities by getting relevant computer security intelligence information to business owners. In business since the beginning of 2003, Scorpion Software helps small businesses manage online risk while offering unprecedented automated audit reporting and analysis.


Scorpion Software uses TestComplete on two primary projects: Carina Intrusion Prevention System and Firewall Dashboard.
Carina Intrusion Prevention System is a host-based intrusion prevention system that provides a mandatory access control system for Microsoft Windows environments. Deployed there, it can drastically reduce, and in many cases completely remove, many security-related risks to which vulnerable servers and workstations are exposed.
Firewall Dashboard is a firewall analytics tool that proactively identifies threats before they become problems for businesses. It changes raw firewall logs into meaningful and interpretable threat assessments.

As a very small ISV, Scorpion Software wanted to ensure that they maximized every resource possible to meet the challenge of competing with other larger security vendors. "I began looking at automated testing when I realized that I was overwhelming the limited staff I have with monotonous manual testing to meet our quality control standards when shipping software," says Dana Epp, President and Computer Security Software Architect at Scorpion Software Corp. "Repeating the same tests over and over manually seemed to be a huge investment of time and money, and prone to human failure. Moving to automated testing freed the company from these shackles and let us focus on other areas where staff contributions could help move the company forward towards other business objectives."

One of the weaknesses in their old manual test process was that it was prone to break when staff would rush to get things fixed and shipped. Although they were never negligent in their duties, it was far too easy to miss steps in the testing process when normal business interruptions took place. Furthermore, there was a large disconnect between development and testing, where it was far too easy to miscommunicate what defects existed in their products. "Moving to automated testing allowed QA to be able to build tests that could be given to a developer to reproduce defect conditions in our software. This overcame the burden of the ‘show me’ attitude most developers have in the industry, as the test does just that before their very eyes. And of course, it immediately gives the developers a baseline to test against. Now developers cannot even check in a fix until it passes the QA test script."

"And finally, I was tired of seeing the same defect types creeping into our software. When we come across a type of defect (an input validation failure for example) we want to be able to reproduce those conditions from that point forward in any software that we write that might use that codebase. Although it’s easy enough for a person to do manually, computers are much better suited to run the gamut of all possible inputs that could be provided. We use this to be able to perform such actions as fuzz testing and fault injection, where we can now literally fire thousands of possible pseudo-random inputs at our applications in an effort to judge our software resiliency and maintain application reliability."

"Being that I recommend TestComplete to other software CEOs on a pretty regular basis, I often tell them how much test surface we now have on our products. Not only do I recommend that they look into buying the product, I suggest they seriously look into the efficiencies they are missing by NOT taking advantage of automated testing. It’s well worth the investment, especially if you are a smaller ISV and have to compete with the big boys."
Dana Epp, President and Computer Security Software Architect at Scorpion Software Corp.


Dana originally heard about TestComplete while reading an article by Joel Spolsky on Joel on Software. "The timing was impeccable as I had just finished evaluating WinRunner from Mercury Interactive just days before, and was already getting phone calls from their sales team. As a very small business that is funded from my own pockets, I just couldn’t afford the huge investment that WinRunner required. I knew that the ROI was there for the investment into automated testing, but I also knew that the state of the company's cash flow wouldn’t allow me to outlay the costs just yet. Believing there was little hope for me to add automated testing to our software development lifecycle any time soon, I was ecstatic to learn about TestComplete. It offered many of the features I needed from WinRunner without a lot of the other complexity burdens I didn’t care for, and at a price I could afford."

One of the immediate challenges that TestComplete helped Scorpion Software overcome was functional testing of their kernel mode security driver for the Windows Server platform. "We have so many test conditions in which the security driver could function, and the nature of the scripting engine in TestComplete allowed us to build automated test scripts to test every code path in the security driver, on every single kernel that Microsoft provides to us. Through the use of TestExecute and some custom tools that can check out the tests from our source control server, we can automate the testing of different security policy enforcement rule sets on different operating systems in different VMware images without human interaction. Since all access control policies are stored securely on the file system, we were able to leverage the scripting in TestComplete to automatically alter the policy files and test that the security driver met all policy enforcement conditions. This setup has already helped pay for TestComplete ten-fold when a critical defect was found in our software; a unique test case exposed us to an issue which would have caused many customers to BSOD if we had ever merged that code into the production codebase."

Unexpected Advantages

"What surprised me about TestComplete was some of the unexpected advantages we never thought about before, but became apparent when using the software." Dana said that one of the primary examples is how their software development lifecycle has changed with respect to defects:

  • New bugs immediately get assigned to QA when reported. QA then builds an automated test script to reproduce the bug, attaching it to the Case and reassigning it to the developer who needs to work on it. This test is then used by the developer to not only reproduce the issue, but to ensure that the fix passes the test. Only after it passes the test can the code be checked into the source control server, and the case be resolved.
  • The tests are then immediately added to their automated testing framework once the Case is resolved. In this way this bug should NEVER reappear in the future. If it does, they will immediately catch it before they ship it out. This is regression testing at its finest.
  • All new features must have a set of tests completed before they can be added to the production codebase. This new workflow process helps them to think more objectively about what the feature does, and how it will interact with the rest of the system.
  • Some of these tests are what they call "public facing" tests. In other words, in the future they can ship an executable test harness to customers to run specific tests on their own systems. This will allow people to not only evaluate their products, but expose problems that may exist on the specific platform being tested. This will let their Customer Service reps get an immediate indication of what is going on without burdening the end user with tons of questions.

Other Benefits

"Other benefits include the fact that we are now able to add a lot of security testing without having to invest in new tools and technologies, and the education/learning curve that comes with it. We also have a better understanding of the quality of our software at any given time due to the confidence we have in our tests."

"It’s weird, but we routinely find new ways to use TestComplete to automate some new task as part of our development process."

Dana states that, "primarily TestComplete has freed up staff to work on more important things that require their critical thinking, rather than focusing on the tedious repetition of mundane tasks. I enjoy watching staff spending hours developing a new automated test script that will literally save them days or months of man hours that can be performed on a daily basis."

"TestComplete has caught critical defects before they got into the mainstream production codebase. Traditional defect cost analysis shows the difference in monetary value in fixing bugs before they are shipped versus when you fix them in the field. On top of that, the money saved in staffing requirements has been very beneficial to the company. Although our pool of tests continues to grow alongside our products, we haven’t had to hire additional staff to work in QA yet. We can do more with less! That’s something extremely critical for many small software businesses like my own."

Higher Confidence and Reduced Defects

Dana explained that they have increased the time it takes to release a product because they have mandated new workflow processes that take more time to build tests. "However, in doing so, we have benefited from a higher level of confidence in the product at time of release than ever before. And it has reduced the defects that we are seeing in the production software. In the end, the extra time spent SAVES the company a lot in future customer service and support costs."

While Dana stated that he has lost count of how many tests Scorpion Software has, he stated, "We literally have hundreds of test conditions that are tested in various TestComplete projects. As we learn how to optimize tests more we routinely deprecate old tests in favor of new streamlined tests. We don’t follow a traditional documented test case process in favor of automated scripts being tagged to functionality within the product. However, I can tell you that in some cases, some tests take over 24 hours to run on a P4 3GHz machine with 2GB of RAM. That’s a lot of different scenarios being tested!"

"We run regression testing daily at noon with TestExecute on a dedicated build and test system. This allows developers to check in work before noon and know before the end of the day if their submissions for fixed defects or new features have been accepted against the entire product codebase. We also run fault injection, fuzz testing and security testing once a week over the weekend, where the test system can run for 24 to 48 hours straight without worrying about new test cases being introduced."

"Before TestComplete, we would run through all tests manually, if we were lucky, before shipping a new version, which would take weeks of man hours to complete. As such, we only did it on a limited basis, as we simply couldn’t afford the investment in time to perform all manual testing."

Dana explains, "TestComplete's best quality is the simple recording of pre-defined actions that can be augmented with simple but powerful scripts. The test accuracy that is afforded to my company through the use of TestComplete has eliminated manual testing that was prone to human failure and which was expensive to the business."

"Furthermore, it is my opinion that quality assurance test specialists have traditionally had to be better programmers than the developers of the original codebase to properly build the test harnesses needed to build quality software. With TestComplete, this no longer has to be the case. However, if they are proficient in programming, you benefit immensely with in-depth testing that can rival any testing team from big software companies."
