Quo pertentas, OSS? How Open Source can benefit from well-crafted Tests

Similar documents
3 Continuous Integration 3. Automated system finding bugs is better than people

N different strategies to automate OWASP ZAP

Lessons Learned from a Web Application Penetration Tester. David Caissy ISSA Los Angeles July 2017

Information Security Keeping Up With DevOps

Lab Exercise Test First using JUnit

Static Code Analysis to Find Bugs. Wright.edu CS7140 Spring 2013 (Slides collected from many sources)

Security DevOps. Automation von Security-Checks in der Build-Kette. Christian

Inverting the Pyramid

Sicherheit beim Build

Secure Development Processes

Introduction to Computer Science I

Case study on PhoneGap / Apache Cordova

GNOME 3.0 Accessibility: State of the Union. Alejandro Piñeiro

Utilizing Fast Testing to Transform Java Development into an Agile, Quick Release, Low Risk Process

Open Source Development from the trenches (Jajuk) Bertrand Florat

Think like an Elm developer

9 th CA 2E/CA Plex Worldwide Developer Conference 1

Being a Good OSS Contributor. Jeremy Mikola

Chapter01.fm Page 1 Monday, August 23, :52 PM. Part I of Change. The Mechanics. of Change

Software Engineering Testing and Debugging Testing

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Robots with Pentest Recipes:

Software Engineering

Automated Testing of Tableau Dashboards

Maja Schreiner. 9th Lean, Agile & Scrum Conference 2017

Human-Computer Interaction: An Overview. CS2190 Spring 2010

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation

Analysis of the Test Driven Development by Example

Commits and Commit Messages

Client Code - the code that uses the classes under discussion. Coupling - code in one module depends on code in another module

Software Design COSC 4353/6353 D R. R A J S I N G H

classjs Documentation

EMF Compare Ganymede Simultaneous Release

No Source Code. EEC 521: Software Engineering. Specification-Based Testing. Advantages

How technical excellence helps in LeSS adoption. Anton Bevzuk Dodo Pizza Chief Agile Officer

Principles of Software Construction: Testing: One, Two, Three

18-642: Security Mitigation & Validation

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

Test Driven Development (TDD)

Man in the Middle Attacks and Secured Communications

[ANALYSIS ASSIGNMENT 10]

Test Automation Strategies in Continuous Delivery. Nandan Shinde Test Automation Architect (Tech CoE) Cognizant Technology Solutions

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

Low Latency Java in the Real World

Black Box Testing. EEC 521: Software Engineering. Specification-Based Testing. No Source Code. Software Testing

Learner User Interface (LUI): Developing Themed Graphics to Enhance Your e-learning. Kevin Thorn, AutoZone

Liquibase Version Control For Your Schema. Nathan Voxland April 3,

Building world-class security response and secure development processes

Is Your Web Application Really Secure? Ken Graf, Watchfire

Static Analysis of C++ Projects with CodeSonar

Overview of Web Application Security and Setup

EMF Compare Galileo Simultaneous Release

Visualizing Git Workflows. A visual guide to 539 workflows

Nodes Tech Slides - Progressive Web Apps, 2018

Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline

Introduction to Problem Solving and Programming in Python.

Version Control. Second level Third level Fourth level Fifth level. - Software Development Project. January 17, 2018

De-risk Your Applications. SUBSCRIBE TO EVRY S SECURITY TESTING AS A SERVICE (STaaS) TODAY!

Shift Left, Automation, and Other Smart Strategies for Getting Ahead in QA

Lecture 15 Software Testing

The Power of Unit Testing and it s impact on your business. Ashish Kumar Vice President, Engineering

Systems software design. Software build configurations; Debugging, profiling & Quality Assurance tools

Twitter4J, Jenkins and Regression

Introduction CHAPTER. Review Questions

The Joy of Software Development

To be Technical Or not to be THAT is the question!

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Shift Left and Friends And What They Mean for Testers

Holistic Database Security

FPLLL. Contributing. Martin R. Albrecht 2017/07/06

Git and Gerrit Workflows. Enforcing Manual & Automated Review

KTH Royal Institute of Technology SEMINAR 2-29 March Simone Stefani -

CSE 403 Lecture 13. Black/White-Box Testing. Reading: Software Testing: Principles and Practices, Ch. 3-4 (Desikan, Ramesh)

Continuous Integration & Code Quality MINDS-ON NUNO 11 APRIL 2017

A Tale of Continuous Testing

Achieving Java Application Security With Parasoft Jtest

Automated Security Scanning in Payment Industry

c. Typically results in an intractably large set of test cases even for small programs

Analysis Tool Project

Porting applications to Qt. Kevin Funk, Software Engineer KDAB

Test-driven development

The Changing DNS Market: A Technical Perspective

Scratcher Party Published by: Ibrahim Eminovic iphone United States / English (US)

Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

Automated Unit Testing A Practitioner's and Teacher's Perspective

Version Control Systems

Version Control. Second level Third level Fourth level Fifth level. - Software Development Project. January 11, 2017

SECTION 1: CODE REASONING + VERSION CONTROL

Application Development at

SECTION 1: CODE REASONING + VERSION CONTROL

DMA safety in buffers for Linux Kernel device drivers

Java 9: Tips on MigraDon and Upgradability

Tango - Icalepcs 2009 ESRF

Why Deprecating async() is the Worst of all Options

CAPABILITY. Managed testing services. Strong test managers experienced in working with business and technology stakeholders

Learn how to get started with Dropbox: Take your stuff anywhere. Send large files. Keep your files safe. Work on files together. Welcome to Dropbox!

Test Driven Development. Software Engineering, DVGC18 Faculty of Economic Sciences, Communication and IT Tobias Pulls and Eivind Nordby

DISQUS. Continuous Deployment Everything. David

Happy Birthday, Ajax4jsf! A Progress Report

Transcription:

Quo pertentas, OSS? How Open Source can benefit from well-crafted Tests Björn Kimminich Web: http://kimminich.de Twitter: @bkimminich v1.0

Let s start with some code

and a corresponding unit test!

It passes with flying colors

and achieves 100% code coverage!

Nothing could possibly go wrong!

How about adding another test?

Oops!

Finding Bugs in Open Source Software

Pair Programming Peer Review Committer Review Code Reviews Infeasible with remote development Developers review each other Not everyone has commit rights Occasionally during Hackathons Hard to organize properly Senior developers review contributions before merge into master Cartoon: Geek & Poke

Static Code Analysis Popular Open Source Tools FindBugs CheckStyle PMD Sonar Find code smells and potential programming errors but miss a lot as well or produce false positives Some commercial Tools might be more powerful but are typically not affordable for OSS projects Cartoon: Geek & Poke

Testing Unit Tests Penetration Tests Integration Tests Test Types Load/Stress Tests GUI Tests Manual Tests Cartoon: Geek & Poke

Best vs. Bad Practices for Testing

Test Pyramid Manual Tests GUI Tests Integration Tests Unit Tests Source: WatirMelon

Test Ice-Cream Cone Manual Tests GUI Tests Integratio n Tests Unit Tests Source: WatirMelon

Happy Path Testing Photo: Tortured Mind Photography

Testing Border & Exceptional Cases

No Assertions

API Tests

Scenario Tests with BDD

Benefits of well-crafted Tests for OSS

Maintainability++ A suite of automated regression tests helps finding defects resulting from code changes New contributors do not have to fear touching old code neither do long-time committers after a longer vacation! Cartoon: Geek & Poke

Documentation++ External and Javadoc documentation tends to rot quickly and becomes obsolete or even misleading Tests that get outdated tend to break, so they have to be fixed resulting in updated documentation Well-written tests document the intended behavior of a class or component Even if the production code is hard to understand, a good test can help to fill this gap Cartoon: Geek & Poke

Specification++ Writing tests before the production code is even better than just documenting existing code Consequent TDD / BDD will let the Tests become the actual specification of the program's intended behavior Failing tests indicate that the specification is not met yet (or any more) Cartoon: Geek & Poke

Contribution++ Well maintained, documented and tested projects are safer and more fun to contribute to Nobody likes working on an untested piece of unreadable code (especially in their free time) Cartoon: Geek & Poke

Truck Factor++ How many project contributors could be fatally hit by a truck before the project perishes? The lower the number, the more volatile the project as it relies on individual experts The number can be increased by spreading knowledge and lowering entry barriers Cartoon: Geek & Poke

Introducing Unit Tests to OWASP ZAP

OWASP Zed Attack Proxy (ZAP) Easy-to-use integrated penetrationtesting tool Locates vulnerabilities in web applications Helps building secure apps OWASP Flagship Project Programmed in Java with javax.swing UI

How to contribute to ZAP? Develop core features https://code.google.com/p/zaproxy/ Develop addons https://code.google.com/p/zap-extensions/ Help with translation https://crowdin.net/project/owasp-zap Promote ZAP https://code.google.com/p/zaproxy/wiki/zapevangelists

ZAP Truck Factor 2 Source: Ohloh

Starting from zero Unit Tests Some JUnitbased Integration tests No Unit Tests

Separate Test Project

ZAPs first Unit Test

Adding some more Show Cases

Separation into Test Suites

Providing Test Guidelines Code Quality Code Coverage Test Libraries Naming Conventions Behavior Driven Development Test Suites Types of Tests

Pull vs. Push Pull Push Photos: One Man Think Tank

Measure Code Coverage

Move Tests close to Production Code

Instant execution from IDE

Run all Tests during Continuous Build...

...and let it fail when any tests fail!

Future: Adding a GUI Testing Framework ZAP is very UI heavy which makes a lot of the code hard or impossible to unit test Right now there are no GUI Tests in place for ZAP Several free UI Testing Frameworks exist for Java Swing unfortunately none is actively maintained any more

Testing is a crucial part of Software Development Conclusion Good Tests are the better documentation Tests can make a difference between a prospering and a dead-end OSS project

Thank you! Björn Kimminich Web: http://kimminich.de Twitter: @bkimminich Background Image: Eikira

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback