|
| 1 | +## Quality Criteria |
| 2 | + |
| 3 | +The following sections describe the quality conventions and best |
| 4 | +practices that apply to the development, operation and integration |
| 5 | +phases of a **Service** with a production infrastructure for research, |
| 6 | +such as the EOSC ecosystem. These guidelines rule the **Service** development |
| 7 | +and operation process within the framework of the EOSC-Synergy project. |
| 8 | + |
| 9 | +Some of the criteria in this document is similar or based on the |
| 10 | +document "Software Quality Assurance baseline2 [5], for such cases the |
| 11 | +following tag is added to the criteria: [Ref.5-QC.XyNN] where QC.XyNN is |
| 12 | +the codename of the criteria in that document. |
| 13 | + |
| 14 | +### Integration Testing [SvcQC.Int] |
| 15 | + |
| 16 | +Integration testing refers to the evaluation of the interactions among |
| 17 | +coupled **Service** or parts of a system that cooperate to achieve a given |
| 18 | +functionality. |
| 19 | + |
| 20 | +* **[SvcQC.Int01]** Integration testing outcome MUST guarantee the overall |
| 21 | +operation of the **Service** whenever new functionality is involved. [Ref.5-QC.Int01]. |
| 22 | + |
| 23 | +* **[SvcQC.Int02]** Integration testing SHOULD be automated. |
| 24 | + |
| 25 | +* **[SvcQC.Int03]** Ad-hoc pilot **Service** infrastructures and/or local |
| 26 | +testbeds MAY be used to cope with the integration testing requirements. [Ref.5-QC.Int04]. |
| 27 | + |
| 28 | +### Scalability tests [SvcQC.Sca] |
| 29 | + |
| 30 | +Scalability Testing is a non-functional test methodology in which an |
| 31 | +application’s performance is measured in terms of its ability to scale |
| 32 | +up or scale down the number of user requests or other such performance |
| 33 | +measure attributes [9]. |
| 34 | + |
| 35 | +* **[SvcQC.Sca01]** |
| 36 | + |
| 37 | +### Elasticity tests [SvcQC.Ela] |
| 38 | + |
| 39 | +* **[SvcQC.Ela01]** |
| 40 | + |
| 41 | +### Acceptance and System tests [SvcQC.Acc] |
| 42 | + |
| 43 | +Test of functionality of the **Service**, tests done before the **Service** |
| 44 | +enters into production. Tests for the public API. |
| 45 | + |
| 46 | +* **[SvcQC.Acc01]** |
| 47 | + |
| 48 | +### Documentation [SvcQC.Doc] |
| 49 | + |
| 50 | +* **[SvcQC.Doc01]** Documentation MUST be available online, easily |
| 51 | +findable and accessible. [Ref.5-QC.Doc03]. |
| 52 | + |
| 53 | +* **[SvcQC.Doc02]** Documentation SHOULD have a Persistent Identifier (PID). |
| 54 | + |
| 55 | +* **[SvcQC.Doc03]** Documentation MUST be version controlled. [Ref.5-QC.Doc01.1]. |
| 56 | + |
| 57 | +* **[SvcQC.Doc04]** Documentation MUST be updated on new **Service** versions |
| 58 | +involving any change in the installation, configuration or behaviour of |
| 59 | +the **Service**. [Ref.5-QC.Doc04]. |
| 60 | + |
| 61 | +* **[SvcQC.Doc05]** Documentation MUST be updated whenever reported |
| 62 | +as inaccurate or unclear. [Ref.5-QC.Doc05]. |
| 63 | + |
| 64 | +* **[SvcQC.Doc06]** Documentation MUST have a non-software license. |
| 65 | + |
| 66 | +* **[SvcQC.Doc07]** Documentation MUST be produced according to the |
| 67 | +target audience, varying according to the **Service** specification. |
| 68 | +The identified types of documentation and their RECOMMENDED content are: |
| 69 | + |
| 70 | + * **[SvcQC.Doc07.2]** Deployment and Administration. [Ref.5-QC.Doc06.3]: |
| 71 | + * Installation and configuration guides. |
| 72 | + * Service Reference Card, with the following RECOMMENDED content: |
| 73 | + * Brief functional description. |
| 74 | + * List of processes or daemons. |
| 75 | + * Init scripts and options. |
| 76 | + * List of configuration files, location and example or template. |
| 77 | + * Log files location and other useful audit information. |
| 78 | + * List of ports. |
| 79 | + * Service state information. |
| 80 | + * List of cron jobs. |
| 81 | + * Security information. |
| 82 | + * FAQs and troubleshooting. |
| 83 | + * **[SvcQC.Doc07.3]** User. [Ref.5-QC.Doc06.4]: |
| 84 | + * Detailed User Guide for the **Service**. |
| 85 | + * Public API documentation (if applicable). |
| 86 | + * Command-line (CLI) reference (if applicable). |
| 87 | + |
| 88 | +### Policies [SvcQC.Pol] |
| 89 | + |
| 90 | +* **[SvcQC.Pol01]** The **Service** MUST include the following policy documents: |
| 91 | + * **[SvcQC.Pol01.1]** Acceptable Usage Policy (AUP). |
| 92 | + * **[SvcQC.Pol01.2]** Access policy. |
| 93 | + * **[SvcQC.Pol01.3]** Privacy policy. |
| 94 | + |
| 95 | +### Security [SvcQC.Sec] |
| 96 | + |
| 97 | +* **[SvcQC.Sec01]** The **Service** public endpoints and APIs MUST be secured |
| 98 | +with encryption. |
| 99 | + |
| 100 | +* **[SvcQC.Sec02]** Dynamic application security testing (DAST) [6] |
| 101 | +SHALL be performed from the outside, to the **Service** in an operation |
| 102 | +state, to look for security vulnerabilities (e.g. SQL injection, |
| 103 | +cross-site scripting, DDOS). [Ref.5-QC.Sec03]. |
| 104 | + |
| 105 | +* **[SvcQC.Sec03]** Manual penetration testing MAY be part of the |
| 106 | +application security verification effort. [Ref.5-QC.Sec04]. |
| 107 | + |
| 108 | +* **[SvcQC.Sec04]** The **Service** SHOULD have an Authentication mechanism. |
| 109 | + |
| 110 | +* **[SvcQC.Sec05]** The **Service** MUST use strong ciphers for encryption. |
| 111 | + |
| 112 | +* **[SvcQC.Sec06]** Credentials used in the **Service** MUST be signed by |
| 113 | +a recognized certification authority. |
| 114 | + |
| 115 | +* **[SvcQC.Sec07]** The **Service** MUST validate the credentials and signatures. |
| 116 | + |
| 117 | +### Automated Deployment [SvcQC.Aud] |
| 118 | + |
| 119 | +* **[SvcQC.Aud01]** Production-ready **Service** SHALL be deployed as |
| 120 | +a workable system with the minimal user or system administrator interaction |
| 121 | +leveraging Infrastructure as Code (IaC) tools. |
| 122 | + |
| 123 | +### Support [SvcQC.Sup] |
| 124 | + |
| 125 | +* **[SvcQC.Sup01]** The **Service** MUST have a tracker or helpdesk |
| 126 | +for operational and users issues. |
| 127 | + |
| 128 | +* **[SvcQC.Sup02]** The **Service** SHOULD have a tracker for the |
| 129 | +underlying software issues. [Ref.5-QC.Man01]. |
| 130 | + |
| 131 | +* **[SvcQC.Sup03]** The **Service** SHOULD include an Operational |
| 132 | +Level Agreement (OLA) with the infrastructure where it is integrated. |
| 133 | + |
| 134 | +* **[SvcQC.Sup04]** The **Service** MAY include Service Level |
| 135 | +Agreement (SLA) with user communities. |
| 136 | + |
| 137 | +### Monitoring, Alerts, Metrics [SvcQC.MAM] |
| 138 | + |
| 139 | +* **[SvcQC.MAM01]** The **Service** in an operational production state SHOULD be monitored. |
| 140 | + * **[SvcQC.MAM01.1]** The **Service** public endpoints SHOULD be monitored. |
| 141 | + * **[SvcQC.MAM01.2]** The **Service** public APIs SHOULD be monitored. |
| 142 | + * **[SvcQC.MAM01.3]** The **Service** SHOULD for security related criteria (DAST). |
| 143 | + |
| 144 | +* **[SvcQC.MAM02]** The **Service** SHOULD have alerts. |
| 145 | + |
| 146 | +* **[SvcQC.MAM03]** The **Service** SHOULD have metrics. |
0 commit comments