
I'm preparing for the CCSP exam and am trying to wrap my mind around the concepts of "load testing" and "stress testing" within the context of security.

I think the difference here is that:

  • Load Testing is a measure of capacity, pure and simple. It focuses on the "A" (availability) and isn't concerned about the security implications of a failed state.

  • Stress Testing is focused on how the system behaves after reaching a point of load saturation. For example, does the software/service fail in spectacular ways? Does it reveal sensitive errors (software versions, back-end infrastructure details, etc.)?

Am I on the right track here?

2 Answers

4

There are a few different definitions; however, the one I go with is that Load Testing is taking an application up to its expected maximum load level to make sure it performs. Stress testing is deliberately taking an application past its normal parameters to see how it tolerates a greater than expected load. It's sometimes called torture testing: seeing how an application breaks.

From a security perspective you should always care about the security implications. No matter how much load an application is exposed to it should always follow its security parameters, or if it is going to fail, fail safe.

0

Load testing and stress testing are two different types of tests, but both fall under the scope of performance testing.

Though the two terms sound very similar, their meanings are very different.

In load testing, you test to see if a specific page within your application loads within a set time even when subject to high loads. Load in this sense refers to the number of users. Certain applications might have high loading times when the number of users becomes higher. Load tests can identify this issue, and help developers use lighter APIs or use less code to do the same task within that specific page. Some service level agreements demand that specific pages within applications open within a certain time. Load tests can also help in this situation.

In stress testing, instead of some known number of users, you incrementally increase the users and see at what point the application starts to fail. Outputs of stress tests at the failing point, when captured in Wireshark, could show an Internal Server Error code. But here as well, you will have developers work on code that is much more optimized, or probably use other security mechanisms to safeguard the application.
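Both answers describe the same procedure: ramp the number of concurrent users past the point where the service saturates, note where it starts failing, and then look at *how* it fails. The harness below is an added example (not from either answer or from any real product) that does exactly that against a toy HTTP service constructed in the same file. The service, its capacity of 8 concurrent requests, the 0.3 s "work" per request, the ramp levels and the leak patterns are all assumptions chosen so the run is deterministic offline. The toy service can be run in two modes: `leaky`, where a saturated request returns a 500 with a fake stack trace and the default `BaseHTTP/… Python/…` `Server` banner, and fail-safe, where it returns a generic 503 and a neutral banner. The harness reports, per level, the number of failures and the worst latency (the load-test view), the first level at which failures appear (the stress-test view), and how many replies leaked version or infrastructure detail (the security view the first answer insists on).

```python
"""Added example: ramp concurrency against a local toy service, find the
saturation point, and check whether failures fail safe or leak detail.
Toy service, capacity, timings and leak patterns are all constructed here."""
import http.client
import re
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CAPACITY = 8          # assumed: concurrent requests the toy service can serve
HOLD_SECONDS = 0.3    # assumed: work time per request, long enough that a burst overlaps
LEVELS = (2, 4, 8, 16, 32)   # assumed ramp of simulated concurrent users

# What a tester would flag in any reply: tracebacks, filesystem paths, product/version banners.
LEAK_RE = re.compile(r"Traceback|/usr/|/srv/|Apache/\d|nginx/\d|Python/\d|BaseHTTP/", re.I)


class ToyHandler(BaseHTTPRequestHandler):
    leaky = True                                   # set per run by run_stress()
    slots = threading.BoundedSemaphore(CAPACITY)   # models the service's capacity

    def version_string(self):
        # Default is "BaseHTTP/x.y Python/3.z": a version leak in every reply.
        return super().version_string() if self.leaky else "service"

    def log_message(self, *args):                  # keep the run quiet
        pass

    def do_GET(self):
        if self.slots.acquire(blocking=False):     # within capacity: do the work
            try:
                time.sleep(HOLD_SECONDS)
                self._reply(200, b"ok\n")
            finally:
                self.slots.release()
        elif self.leaky:                           # saturated and failing badly
            body = (b"Traceback (most recent call last):\n"
                    b'  File "/srv/app/handlers.py", line 42, in do_GET\n'
                    b"RuntimeError: pool exhausted (db=pg-primary.internal:5432)\n")
            self._reply(500, body)
        else:                                      # saturated and failing safe
            self._reply(503, b"service busy, retry later\n")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class ToyServer(ThreadingHTTPServer):
    daemon_threads = True
    request_queue_size = 128   # let a burst of connections queue instead of being dropped


def _get(port):
    """One simulated user: returns (status, latency_seconds, leaked?)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    t0 = time.monotonic()
    conn.request("GET", "/")
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    latency = time.monotonic() - t0
    banner = resp.getheader("Server", "")
    conn.close()
    return resp.status, latency, bool(LEAK_RE.search(banner + "\n" + body))


def run_stress(leaky, levels=LEVELS):
    """Ramp concurrency level by level against a fresh toy server.
    Returns per-level stats, the first level with any 5xx, and the count of leaking replies."""
    ToyHandler.leaky = leaky
    server = ToyServer(("127.0.0.1", 0), ToyHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    per_level, first_failure, leaks = [], None, 0
    try:
        for users in levels:
            with ThreadPoolExecutor(max_workers=users) as pool:   # fire the burst at once
                outcomes = list(pool.map(lambda _: _get(port), range(users)))
            failed = sum(1 for status, _, _ in outcomes if status >= 500)
            leaks += sum(1 for _, _, leaked in outcomes if leaked)
            worst = max(lat for _, lat, _ in outcomes)
            per_level.append({"users": users, "failed": failed, "max_latency_s": round(worst, 3)})
            if failed and first_failure is None:
                first_failure = users
    finally:
        server.shutdown()
        server.server_close()
    return {"levels": per_level, "first_failing_level": first_failure, "leaking_replies": leaks}


if __name__ == "__main__":
    for mode in (True, False):
        report = run_stress(leaky=mode)
        print("leaky" if mode else "fail-safe", report)
```

Levels at or below the capacity of 8 never fail in either mode; the first 5xx appears at 16 or 32 users, depending on how tightly the burst overlaps. In leaky mode every reply carries the default `Server: BaseHTTP/... Python/...` banner and the saturated replies add a path and an internal hostname, so the leak count is non-zero even before the service starts failing. In fail-safe mode the count is zero at every level, which is the property the first answer is asking for.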
