• FL-3.1.1 Recognize types of software work product that can be examined by the different static testing techniques. (K1)

• FL-3.1.2 Use examples to describe the value of static testing.

• FL-3.1.3 Explain the difference between static and dynamic techniques, considering objectives, types of defects to be identified, and the role of these techniques within the software lifecycle.

• FL-3.2.1 Summarize the activities of the work product review process.

• FL-3.2.2 Recognize the different roles and responsibilities in a formal review. (K1)

• FL-3.2.3 Explain the differences between different review types: informal review, walkthrough technical review, and inspection. (K2)

• FL-3.2.4 Apply a review technique to a work product to find defects. (K3)

• FL-3.2.5 Explain the factors that contribute to a successful review. (K2)

a. Ensures the effective running of the review meetings, where it is decided that a meeting is required.

b. Allocates time in the plan, decides which reviews will take place and ensures that the benefits are delivered.

c. Writes the document to be reviewed, agrees that the document can be reviewed and updates the document with any changes.

d. Documents all issues raised in the review meeting, records problems and open points.

i. Often led by the author.

ii. Documented and defined results.

iii. All participants have defined roles.

iv. Used to aid learning.

v. Main purpose is to find defects.

a. i, ii and v are correct.

b. ii, iii and iv are correct.

c. i, iv and v are correct.

d. iii, iv and v are correct.

a. Design of the document.

b. Booking meeting rooms.

c. Writing program code.

d. Fixing and reporting.

• specifications such as business requirements, functional requirements, security requirements and non-functional requirements;

• epics, user stories and acceptance criteria;

• architecture and design specifications;

• code;

• testware such as test plans and test cases;

• user guides;

• web pages;

• contracts, plans, schedules and budgets;

• design models.

• detecting and correcting defects more efficiently, and prior to test execution;

• identification of defects not easily found by dynamic testing;

• preventing defects in design or coding by uncovering inconsistencies, ambiguities, contradictions, omissions, inaccuracies and redundancies in requirements;

• increasing development productivity;

• reducing development cost and time;

• reducing dynamic testing cost and time;

• reducing total cost of quality over the software’s lifetime, due to fewer failures later in the life cycle or after delivery into live operation;

• improving communication between team members in the course of participating in reviews.

• requirements defects (e.g. inconsistencies, ambiguities, contradictions, omissions, inaccuracies and redundancies);

• design defects (inefficient algorithms or database structures, high coupling (the lack of interdependence between software modules) and low cohesion (associated with undesirable traits such as being difficult to maintain, test, reuse or even understand));

• coding defects (e.g. variables with undefined values, variables that are declared but never used, unreachable code and duplicate code);

• deviations from standards (e.g. lack of adherence to coding standards);

• incorrect interface specifications (e.g. different units of measurement used by the calling system than by the called system);

• security vulnerabilities (e.g. susceptibility to buffer overflows);

• gaps or inaccuracies in test basis traceability or coverage (e.g. missing tests for an acceptance criterion).

• The type of Software Development Life Cycle (there are different approaches to reviews in an Agile project compared to a waterfall project.

• The maturity of the development process. The more mature the process is, the more formal reviews tend to be.

• The complexity of the work product.

• Legal or regulatory requirements. These are used to govern the software development activities in certain industries, notably in safety-critical areas such as railway signalling, and determine what kinds of review should take place.

• The need for an audit trail. Formal review processes ensure that it is possible to trace backwards throughout the Software Development Life Cycle. The level of formality in the types of review used can help to increase how much is contained within the audit trail.

• finding defects;

• gaining understanding;

• generating discussion;

• education;

• decision making by consensus.

• The document under review is studied by the reviewers.

• Reviewers identify issues or problems and inform the author either verbally or in a documented form, which might be as formal as raising a defect report or as informal as annotating the document under review.

• The author decides on any action to take in response to the comments, and updates the document accordingly.

• Defining the scope – this includes the purpose of the review; for example finding defects, what documents or parts of documents are to be reviewed and the quality characteristics.

• Estimating the effort required and the time frame that the review will be undertaken in – much like the estimating required to fund the test activity, reviews need to be estimated so they can be costed in a project budget.

• Identifying the review characteristics such as review type, roles, activities and checklists – as described above, there are many factors that help the decision; for example, what type of review characteristics will be used.

• Selecting the people to undertake the review – ensuring that those selected can and will add value to the process. There is little point in selecting a reviewer who will agree with everything written by the author without question. As a rule of thumb, it is best to include some reviewers who are from a different part of the organisation, who are known to be ‘picky’ and known to be dissenters. Reviews, like weddings, are enhanced by including ‘something old, something new, something borrowed, something blue’. In this case ‘something old’ would be an experienced practitioner; ‘something new’ would be a new or inexperienced team member; ‘something borrowed’ would be someone from a different team; and ‘something blue’ would be the dissenter who is hard to please. At the earliest stage of the process, a moderator (review leader) must be identified. This is the person who will coordinate all of the review activity. This also includes allocating roles.

• Allocating roles – each reviewer is given a role to provide them with a unique focus on the document under review. Someone in a tester role might be checking for testability and clarity of definition, while someone in a user role might look for simplicity and a clear link to business values. This approach ensures that, although all reviewers are working on the same document, each individual is looking at it from a different perspective.

• Defining the entry and exit criteria, especially for the most formal review types (e.g. inspections) – before a review can start certain criteria have to be met. These are defined by the moderator, and could include: all reviewers must have received the review papers; all reviewers have a kick-off meeting booked in their diaries; any training of reviewers has been completed.

• Checking entry criteria (mainly used for more formal review types such as inspections) – this stage is where the entry criteria agreed earlier are checked to ensure that they have been met so that the review can continue.

• Distributing the work products – the facilitator distributes all of the required documents to all reviewers.

• Explaining the scope, objectives, process, roles and work products to the participants – this can be run as a meeting or simply by sending out the details to the reviewers. The method used will depend on timescales and the volume of information to pass on. A lot of information can be disseminated better by a meeting rather than expecting reviewers to read pages of text.

• Answering any questions raised by the review team.

• Reviewing all parts of the work product including the source documents.

• Noting potential defects, questions and comments – in this stage the potential defects, questions and comments found during individual preparation are logged.

• Communicating potential defects either in a review meeting or via a defect log.

• Analysing potential defects; if agreed that there is a defect, assigning ownership of the repair work.

• Evaluating and documenting the required quality criteria, identifying whether they have been met or not.

• Evaluating the review results against the review exit criteria to decide whether the work product is to be rejected for major change or simply updated with minor changes.

• Creating defect reports for those findings that require changes, which may include making recommendations regarding handling the defects, making decisions about the defects and so on.

• Fixing defects found – here, typically, the author will be fixing defects that were found and agreed as requiring a fix.

• Communicating defects to the appropriate person or team.

• Recording updated status of defects (in formal reviews) – always done during more formal review techniques; optional for others.

• Gathering metrics, such as how much time was spent on the review and how many defects were found, to show notionally how the quality of the reviewed item has increased, but also the value added by the review to later stages of the life cycle; for example, how much the defect would have cost if it hadn’t been found until user acceptance testing.

• Checking on exit criteria – the moderator will also check the exit criteria (for more formal review types such as inspections) to ensure that they have been met so that the review can be officially closed.

• Accepting the work product when the exit criteria has been met.

• Author: the author is the writer or person with chief responsibility for the development of the document(s) to be reviewed. The author will in most instances also take responsibility for fixing any agreed defects.

• Manager: the manager decides on what is to be reviewed (if not already defined), assigns staff, ensures that there is sufficient time allocated in the project plan for all of the required review activities, monitors ongoing cost-effectiveness of the review, determines if the review objectives have been met, and executes control decisions if objectives are not met. Managers do not normally get involved in the actual review process unless they can add real value; for example, they have technical knowledge key to the review.

• Facilitator (often called a moderator): ensures effective running of the review. The moderator may mediate between the various points of view and is often the person on whom the success of the review rests. The facilitator will also make the final decision as to whether to release an updated document.

• Review leader: the review leader is the person who leads the review of the document or set of documents, including planning the review, running the meeting, and follow-ups after the meeting.

• Reviewers: these are individuals with a specific technical or business background (also called subject matter experts, checkers or inspectors) who, after the necessary preparation, identify and describe findings (e.g. defects) in the product under review. As discussed above, reviewers should be chosen to represent different perspectives and roles in the review process and take part in any review meetings.

• Scribe (or recorder): the scribe attends the review meeting and documents all of the issues and defects, problems and open points that were identified during the meeting.

1. Informal review (least formal) (e.g. buddy check, pairing, pair review). Key characteristics:

2. Walkthrough. Key characteristics:

3. Technical review. Key characteristics:

4. Inspection (most formal). Key characteristics:

1. organisational;

2. people related.

• Each review should have a clearly predefined and agreed objective and the right people should be involved to ensure that the measurable outcome is met. For example, in an inspection, if the objective is technically based, each reviewer will have a defined role and have the experience to complete the technical review; this should include testers as valued reviewers. Any defects found are welcomed and expressed objectively.

• Review techniques (both formal and informal) that are suitable to the type and level of software work products and reviewers (this is especially important in inspections).

• Review techniques like checklist-based or role-based reviewing provide effective defect identification of the work product being reviewed.

• Checklists are used to ensure focus on areas of main risk and are up to date.

• Reviewing large documents in small chunks, providing frequent feedback on defects as early as possible to the author.

• Review participants have sufficient time to prepare, which may include reading all supporting work products.

• Reviews are scheduled with adequate notice.

• Management support is essential for a good review process (e.g. by incorporating adequate time for review activities in project schedules).

• The right people are involved to ensure that the objectives are met; for example, people with different skill sets from the relevant user community.

• The use of testers as valued reviewers so that they can learn about the work product, enabling the development of better and more effective tests, and to be able to develop those tests early.

• Adequate time is allocated to each participant.

• Chunking of the work product into smaller sections enables the reviewer to focus and not lose attention during the actual review meeting.

• Defects found should be acknowledged, appreciated as helping the author and handled objectively.

• The review meeting is well managed, so that it is seen as a valuable use of time.

• There is an atmosphere of trust during the review; there is no evaluation of the person, just the work product.

• The use of negative body language can show boredom, exasperation or hostility and should be avoided.

• Ensuring that adequate training is provided, especially for the formal review processes such as inspections.

• The culture of review is all about learning and process improvement and is promoted.

a. User guides.

b. Defect reports.

c. Test logs.

d. Attendance reports.

a. Kick-off, initiate, review meeting, planning, follow-up.

b. Kick-off, planning, review meeting, issue communications and analysis, rework.

c. Planning, initiate, individual review, issue communications and analysis, fixing and reporting.

d. Planning, individual preparation, initiate, individual review, follow-up, fixing and reporting.

i. Defects are likely to be found earlier in the development process by using reviews.

ii. Walkthroughs require code but static analysis does not require code.

iii. Informal reviews are used to detect potential defects.

iv. Ad hoc techniques need lots of preparation time.

v. Dynamic testing occurs after reviews have been used to find defects.

a. i, ii, iv.

b. ii, iii, v.

c. i, iv, v.

d. i, iii, v.

a. Execution defects, coding defects and security vulnerabilities.

b. Coding defects, requirements defects and security vulnerabilities.

c. Security vulnerabilities, test basis issues and environment defects.

d. Design defects, user defects and test basis issues.

a. Champion.

b. Author.

c. Project sponsor.

d. Custodian.

a. The total count of lines of code.

b. Walkthrough of a requirements document.

c. Large documents reviewed as a whole.

d. Each review has clear objectives.

ii. Walkthroughs do not require code and static analysis does require code.

iv. Ad hoc reviews need little preparation.