Lessons Learned by Testing Non-Functional Requirements of Online Systems
Stable, high-quality software can only be achieved with dedicated tests that cover the non-functional requirements of IT applications. An efficient and successful software development process

Web applications are a widespread instrument for offering products and services in a flexible and global manner. Despite their sound development technologies, these applications often suffer from performance and stability problems. The same holds for security. Hacking attacks from the internet are a daily phenomenon, and when a security issue is successfully exploited, the internal systems and eventually the business processes can be jeopardized. This paper describes our experience in setting up a methodological framework that combines load and security tests as a mandatory quality gate, and in running load and security tests of several IT systems at AOL Germany over a period of 3 years. In 2004 AOL decided to extend its QA policies to support an emerging multi-product strategy, offered especially over web applications, and to provide new QA services in an internal organizational level agreement. Extracting adequate test cases from business processes in order to validate against non-functional requirements needs powerful techniques; one of them is “threat modelling”. Starting from the business processes, the potential security risks are extracted and documented in test cases. From a load test perspective, the expected performance behaviour is highly dependent on the business processes too. Embedding these steps in the software development process across several systems gave us a range of experience and provided guidance for project managers and architects / software developers as