Regression Testing: We Advanced But Did We Also Regress?

Age regression is when a person reverts to a less mature and consequently more sophomoric state of cognitive ability, resulting in childlike behavior (allegedly). This is (allegedly) a fairly common condition experienced by humans who are exposed to particular stimuli, including stress and life-threatening situations, among others. This presents a number of risks and vulnerabilities, specifically in the social engineering discipline, but this post will concentrate on software regression testing.

Much like the regression in humans, software can regress to a less mature, less predictable, and more vulnerable state when presented with certain stimuli. Let’s focus our attention on patching and software updates. There have been a number of times when a vulnerability in software has been discovered and ‘patched’ in a way which reintroduced a previously ‘patched’ vulnerability. Essentially, software developers have changed a flat tire using the damaged tire rim that was replaced last month. The tire isn’t flat anymore, but it is still damaged and causing problems. To solve this issue the idea of ‘regression testing’ was developed (it was developed quite some time ago, when greybeards were bright-eyed optimists). Despite regression testing being a best practice, it is not always performed. This is the reason it is so important to validate patches. They must be validated against the vulnerability and/or feature they are supposed to update, as well as explicitly against all previously known vulnerabilities that were previously patched.

In addition, as software developers ‘fix bugs’, a special emphasis needs to be placed on testing and validation, with explicit testing for the presence of previously discovered vulnerabilities. If a previously discovered vulnerability is reintroduced into the software, the consequence should be an automatic overage of the bug bar. Put concisely, a single reintroduction of a previously discovered and patched vulnerability should prevent the software from being released into production until that vulnerability is remediated.
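The two paragraphs above describe a procedure: keep every previously fixed vulnerability in a registry, re-check each one on every build, and treat a single reappearance as a hard release block. The following is an added example of that gate, not code from the original post. It assumes a hypothetical static-file path resolver with three builds (an original vulnerable to path traversal, a patched one, and a later "bug fix" that quietly reverts the patch), a made-up tracker id `SEC-0042`, and a constructed document root `/srv/www`.

```python
"""Regression gate for previously fixed security bugs.

Every fixed vulnerability is registered with a check that must keep
passing. A build is release-eligible only when every registered fix is
still present, so one reintroduced bug fails the gate (the "bug bar").
"""
from dataclasses import dataclass
from typing import Callable
import posixpath

# Constructed document root for the hypothetical static-file resolver.
ROOT = "/srv/www"


@dataclass(frozen=True)
class FixedVulnerability:
    bug_id: str                       # hypothetical tracker id, e.g. "SEC-0042"
    description: str
    check: Callable[[Callable[[str], str]], bool]  # True while the fix is present


# --- three builds of the hypothetical resolver --------------------------

def resolve_v1(user_path: str) -> str:
    # Original build: naive join, so "../" sequences walk out of ROOT.
    return posixpath.normpath(posixpath.join(ROOT, user_path))


def resolve_v2(user_path: str) -> str:
    # Patched build for SEC-0042: anything that normalises to a location
    # outside ROOT is rejected instead of served.
    candidate = posixpath.normpath(posixpath.join(ROOT, user_path.lstrip("/")))
    if candidate != ROOT and not candidate.startswith(ROOT + "/"):
        raise ValueError("path escapes document root")
    return candidate


def resolve_v3(user_path: str) -> str:
    # Later "bug fix" for an unrelated report that went back to the v1 join
    # and silently dropped the containment check: the classic regression.
    return posixpath.normpath(posixpath.join(ROOT, user_path))


# --- registered regression check for SEC-0042 ---------------------------

def fix_sec_0042_present(resolve: Callable[[str], str]) -> bool:
    """SEC-0042: inputs that normalise outside ROOT must be rejected."""
    # Constructed inputs known to have resolved outside ROOT before the fix.
    for path in ("../../etc/passwd", "/etc/passwd", "docs/../../../etc/passwd"):
        try:
            result = resolve(path)
        except ValueError:
            continue                      # rejected: fix still in place
        if not result.startswith(ROOT + "/"):
            return False                  # served from outside ROOT: regressed
    # The fix must also not break the feature it lives in (validate both
    # the vulnerability and the feature, as the post recommends).
    return resolve("docs/index.html") == ROOT + "/docs/index.html"


REGISTRY = [
    FixedVulnerability(
        bug_id="SEC-0042",                # hypothetical identifier
        description="Path traversal in static-file resolver",
        check=fix_sec_0042_present,
    ),
]


def regression_gate(build: Callable[[str], str], registry=REGISTRY) -> dict:
    """Return the release decision for one build.

    Fails closed: any registered fix that is no longer present blocks release
    and is listed so the team knows which old bug came back.
    """
    reintroduced = [v.bug_id for v in registry if not v.check(build)]
    return {"release_allowed": not reintroduced, "reintroduced": reintroduced}


if __name__ == "__main__":
    for name, build in (("v1", resolve_v1), ("v2", resolve_v2), ("v3", resolve_v3)):
        print(name, regression_gate(build))
```

The point of the registry is that `resolve_v3` would pass whatever new test was written for the unrelated report it fixed; only the retained check for `SEC-0042` exposes that the old vulnerability is back, which is exactly the case an ordinary "does the new fix work" test cannot catch.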

Regression is dangerous when experienced by both humans and software, but in software there are clear, predictable, and repeatable steps that can be taken to mitigate the risks. Regression testing is not child’s play.