[ ← Back to Sequenxa Intelligence ]

Sequenxa Intelligence

[ Intelligence ]

Verification and Validation in Software Testing Explained

Verification checks whether software is built correctly. Validation checks whether the right software was built. Here's what the difference means for organizations

August 8, 20257 min read
Verification and Validation in Software Testing Explained

In 1999, NASA lost the Mars Climate Orbiter, a $327 million spacecraft, because one engineering team used metric units and another used imperial units. The software passed every internal review. It verified correctly against its own specifications. What it never confirmed was whether those specifications reflected what the mission actually required. The spacecraft was built right. It was not built for the right conditions. That is the difference between verification and validation, and it is a distinction that costs organizations far more than they expect when it is treated as a technicality rather than a risk control.


For organizations building, procuring, or operating software, verification and validation are not interchangeable quality assurance steps. They are independent processes that answer different questions at different stages of the development lifecycle. Getting both right is the baseline for defensible software assurance.


What Verification and Validation Mean


The IEEE definition provides the clearest foundation. Verification asks: are we building the product right? Validation asks: are we building the right product? Both questions must be answered, independently, at defined stages, for an organization to have defensible confidence that its software is correct, secure, and fit for purpose.


The Boehm formulation, now standard in software engineering practice, captures the distinction precisely: verification confirms that the product conforms to its specifications; validation confirms that the specifications reflected what the product actually needed to do. A system can pass verification completely and fail validation entirely, as the Mars Orbiter did.


Verification and validation definition in regulatory and safety-critical contexts carries additional weight. FDA software guidance, IEC 62304 (medical device software), and DO-178C (aviation software) all require documented V&V processes as independent activities with separate deliverables. In those contexts, conflating verification and validation is not a methodology debate, it is a compliance failure.


"Verification and validation are not sequential phases. They are parallel, complementary processes that together provide evidence that a system is both correctly constructed and fit for its intended purpose."- IEEE Standard 1012, Software Verification and Validation


The Core Difference, Verification vs. Validation





Verification is a static process, it examines documentation, design artifacts, and code without executing the product. Reviews, inspections, walkthroughs, and static code analysis are all verification activities. The question is always whether the work product matches what the specification requires.


Validation is a dynamic process, it executes the product against real-world use cases, user requirements, and stakeholder expectations. System testing, user acceptance testing, and performance testing are validation activities. The question is always whether the product does what users and stakeholders actually need it to do.


The practical difference: a code review that confirms a payment processing function implements the specification correctly is verification. A user acceptance test that confirms the payment function handles real transaction volumes, edge cases, and failure conditions correctly is validation. Both are necessary. Neither substitutes for the other.


Verification and Validation in Software Testing Workflows


In a structured SDLC, verification and validation testing run at distinct stages with distinct objectives:




Verification activities by stage:


• Requirements stage: requirements reviews and traceability analysis


• Design stage: architecture reviews, design inspections, and threat modeling


• Code stage: code walkthroughs, peer review, and static analysis tools


• Build stage: build verification testing confirming no regression in specified behavior


Validation activities by stage:


• Integration stage: integration testing confirming component behavior in combination


• System stage: end-to-end system testing against full requirements


• Acceptance stage: user acceptance testing (UAT) confirming fitness for purpose


• Security stage: dynamic application security testing (DAST) and penetration testing


In CI/CD pipelines, automated static analysis and code quality gates handle verification continuously. Automated functional, regression, and security testing handle validation at build and deployment stages. The pipeline does not eliminate the distinction, it automates both processes in parallel rather than treating them as sequential gates.


Independent Verification and Validation (IV&V) applies when internal teams are structurally unable to review their own work objectively. IV&V uses a third-party organization to conduct both processes independently, most common in safety-critical systems, regulated industries, government programs, and high-assurance software where confirmation bias in internal review is an identified risk.


Verification and Validation Testing Methods


Verification testing methods do not execute the code:


• Requirements inspection and traceability matrix review


• Design and architecture walkthroughs


• Static code analysis (Semgrep, SonarQube, CodeQL)


• Formal specification proofs


• Configuration and documentation audits


Validation testing methods execute the product:


• Unit testing (functional behavior at module level)


• Integration testing (behavior across component boundaries)


• System testing (end-to-end behavior against requirements)


• User acceptance testing (stakeholder confirmation of fitness for purpose)


• Performance and load testing (behavior under production-representative conditions)


• Penetration testing (adversarial validation of security properties)


Security testing spans both processes, static code analysis is verification; penetration testing is validation. Organizations that run static analysis but skip penetration testing have verified their code against known patterns. They have not validated whether those patterns hold against real adversarial conditions. Both are required for a complete security assurance position.


Examples


Financial services: Verification = reviewing the trading system's order routing logic against documented specifications. Validation = executing the system under live market conditions with real order volumes to confirm behavior at scale.


Healthcare software: Verification = confirming the patient record module meets HL7 FHIR specification requirements. Validation = confirming the module performs correctly in a clinical workflow with real patient data scenarios. The FDA requires both as separate documented activities.


Security application:
Verification = static code analysis confirming the authentication module implements password hashing correctly per specification. Validation = penetration testing confirming the authentication module resists credential stuffing, session hijacking, and brute force attacks in a running environment.


Third-party vendor code: Verification = reviewing vendor-supplied code against agreed specifications and security standards. Validation = executing the vendor code in an isolated test environment under adversarial conditions before production deployment.


The vendor scenario is the one most frequently skipped, and the one that most reliably produces the surprise. Organizations verify vendor code against contracts and specifications. They do not validate that the code performs securely under conditions the vendor did not anticipate.


Where V&V Gaps Become Security Incidents


Static code analysis and design review are verification. They confirm that code is written to specification. They do not confirm that the specification was complete, that edge cases were covered, that adversarial inputs were anticipated, or that the production environment behaves as the test environment assumed.


Validation gaps are where most production security incidents originate. A system that passed internal review and static analysis, deployed into a production environment with configurations, integrations, and user behaviors that were not part of the validation test plan, fails in ways that no amount of verification activity would have caught. The code was built right. It was not validated for the conditions it actually encountered.


The three validation failures that most reliably create organizational security incidents

1. No adversarial validation. Penetration testing is validation, confirming that security properties hold under real attack conditions. Organizations that treat security as a verification activity (does the code implement the security spec?) without validation (can an attacker defeat it?) ship exploitable systems with confidence.


2. No production-representative testing. Validation against development or staging environments with sanitized data, simplified configurations, and reduced load does not validate production behavior. The gap between test environment and production environment is where vulnerabilities live.


3. No third-party validation. Internal teams validating their own work carry confirmation bias. Independent validation by a third party eliminates the structural conflict between the team that built the system and the team assessing whether it works.


Offensive security services provide the adversarial validation that internal testing cannot deliver, penetration testing, red team exercises, and application security testing that confirm security properties hold under real attack conditions, not just against internal test plans. When production incidents occur and root cause analysis requires code-level investigation, digital forensics provides the forensic methodology to trace failures back to their V&V origins.


If your organization's software assurance program has verification without adversarial validation, or validation without independent review, contact us for a confidential assessment.


Frequently Asked Questions


What is the difference between verification and validation?


Verification confirms the product is built correctly against its specifications. Validation confirms the specifications reflect what the product needs to do in real-world use. One is static process review; the other is dynamic product testing.


What is verification and validation in software testing?


Verification uses static methods (reviews, inspections, static analysis) throughout development. Validation uses dynamic methods (system testing, UAT, penetration testing) after the product is executable.


What is validation testing?


Validation testing executes the software against real-world use cases and stakeholder requirements to confirm fitness for purpose, includes system testing, UAT, performance testing, and security testing.


What is verification testing?


Verification testing uses static methods, code reviews, design inspections, walkthroughs, and static analysis, to confirm the product conforms to its specifications without executing the code.


What does verify and validate mean?


To verify is to confirm correctness against a specification. To validate is to confirm fitness for actual intended use. Both are required, one without the other leaves a material gap in software assurance.


What is an example of verification and validation?


Verification: static analysis confirming authentication code implements password hashing per specification. Validation: penetration testing confirming the authentication system resists real attack techniques in a running environment.


What is independent V&V?


Independent Verification and Validation (IV&V) uses a third-party organization to conduct both processes independently, eliminating the confirmation bias that internal teams bring to reviewing their own work.


What is the difference between verify and validate?


Verify confirms technical correctness against a defined specification. Validate confirms that the specification was correct and the product meets real user and stakeholder needs.


References


IEEE Standard 1012. Software Verification and Validation.


Wikipedia. Verification and Validation. https://en.wikipedia.org


Wikipedia. Software Verification and Validation. https://en.wikipedia.org


GeeksforGeeks. Differences Between Verification and Validation. https://www.geeksforgeeks.org


BrowserStack. Verification and Validation in Testing. https://www.browserstack.com


BairesDev. Verification vs Validation. https://www.bairesdev.com


Parasoft. Verification vs Validation in Embedded Software. https://www.parasoft.com


Verification and Validation in Software Testing Explained