Developers & QA: Are You Accidentally Breaking the Law by Load Testing Your Website?
If you’re anything like me, you probably have a set of questions that run through your head whenever you run a performance test on your website or app. These may include:
Will my site be able to take 50,000 concurrent users?
How should I set the ramp up?
What tools should I use to pinpoint the bottleneck?
Did I remember to feed the cat before leaving the house?
You probably never ask yourself this one:
Did I break any laws today?
But perhaps you should.
Just last week I was pulled into a call with a QA team from a leading financial institution.
For some time they had been running website tests on their servers in the development environment. This didn’t involve real data - all ok so far!
They came to me because they were scaling up their website testing and wanted to do it with BlazeMeter. Their large-scale environment is a production system and, as such, they were using real data. They asked us whether we were certified to host all of the production data (credentials, user data, logs, etc.).
Suddenly I saw a big red flag.
The very fact that they were asking this question told me that we were dealing with sensitive data. Whenever a security-related question arises, it’s important for me to talk to the team and understand the risks before providing them with a solution. So I got on a call with the QA team and their internal security expert to get more details and figure out the right way to store their data. The security expert had no idea that QA had access to this data and, upon hearing the situation, he immediately froze the project. The data they were testing with was extremely sensitive: real user data and logins to financial information.
How to Run Large-Scale Load Tests on Sensitive Data...Legally
The most interesting thing about this whole story is that it’s not that unusual. Every so often, companies come to us who are already testing with sensitive data in their environments. And they have no idea that they are doing anything wrong. The consequences of such a mistake are severe. In the worst-case scenario it could lead to a class action lawsuit, which could potentially topple a company.
If you’re in a development or QA team at a large organization in the financial, legal or healthcare sectors, you probably still need to run large-scale load tests in your production environment. But, due to legislation like the Financial Modernization Act and HIPAA, it is illegal for you to view the data.
So what can you do?
Fortunately, there’s a pretty simple solution. Your company just needs to find a way to scramble the data before you start working with it.
And that’s exactly what we did with our client. They took their real data and scrambled it - complying with all legal privacy requirements and not exposing sensitive customer information to security threats. Their security expert unfroze the project and they now use BlazeMeter’s cloud to run load tests for hundreds of thousands of concurrent users from all over the globe.
Even better, they are doing it securely and legally.
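To show what “scrambling the data” can look like in practice, here is an added example (not BlazeMeter’s or the client’s code): it takes a constructed CSV export of the kind a JMeter CSV Data Set would read and replaces the identifying columns with keyed pseudonyms. The HMAC key, column names and sample records are all assumptions; the point is that the same input always maps to the same token, so rows that belonged together still join, while nothing in the output can be traced back to a real customer without the key.

```python
import csv
import hashlib
import hmac
import io

# Constructed sample of a "production" CSV export (made-up records, not real customers).
SAMPLE_CSV = """user_id,email,account_number,balance
1001,alice@example.com,4111222233334444,1520.75
1002,bob@example.org,5500111122223333,98.10
1001,alice@example.com,4111222233334444,-40.00
"""

# Placeholder key (assumption): held by the data owner, never shipped with the test data.
# HMAC makes the mapping deterministic, so joins across files still line up, but the
# tokens cannot be reversed or regenerated without the key.
MASKING_KEY = b"placeholder-masking-key-rotate-me"


def _digest(value: str) -> str:
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def _digits(value: str, length: int) -> str:
    """Deterministic digit string of the given length, so field validators still pass.
    Very short columns (e.g. 4-digit ids) risk collisions; lengthen them if that matters."""
    return "".join(str(int(c, 16) % 10) for c in _digest(value)[:length])


def mask_value(column: str, value: str) -> str:
    """Pseudonymise one field while preserving its shape; other columns pass through."""
    if column == "email":
        _, _, domain = value.partition("@")
        return f"user{_digest(value)[:10]}@{domain or 'example.test'}"
    if column in ("user_id", "account_number"):
        return _digits(value, len(value))
    return value


def mask_rows(rows):
    """Apply mask_value to every dict row; yields new dicts, originals untouched."""
    for row in rows:
        yield {col: mask_value(col, val) for col, val in row.items()}


def mask_csv(text: str) -> str:
    """Read a CSV export and return the scrambled copy fit for a load-test data file."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(mask_rows(reader))
    return out.getvalue()


if __name__ == "__main__":
    print(mask_csv(SAMPLE_CSV))
```

Run the script against the real export on the production side, and only the output file ever reaches the QA team or the load-testing cloud.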
Want to learn more about running website load tests at scale? Watch our ‘on-demand’ webinar JMeter Load Testing at Scale.