A Glimpse into the World of Tool-assisted Testing: Not Just For the Records

by Dmitry Kirsanov 22. November 2023 04:00

If you are a software tester, you would agree with me on this - the use of tools is inevitable, even if code and you share a love-hate relationship. And why would it not be so? The digital toolbox has instruments powerful enough to scrutinize systems faster and more precisely than a human brain could ever manage. They join hands with strategists, facilitating system investigation, monitoring its performance, and conducting specialized testing. And they do so while retaining impeccable standards. Let's discuss some of these tools and how they fit into the grand scheme of things.

Interactive Investigative Tools: The Silent Sherlocks

Databases, the Pandora's box of information, can perfectly play the role of an interlocutor to a tester's queries. Wondering about the storage protocol for a piece of information? Keen to know the format used for storing currency values? Just ask your friendly neighbourhood database. Plus, with a host of database query tools and languages, you can directly view and verify the database without making small talk with others. Relational or document databases - take your pick and start conversing.

But what if the software has erred, and as smooth operators, it doesn’t reveal the misstep to the user interface? Enter system log files. They have been meticulously recording the performance of the system, documenting every glitch in the matrix. But here's the irony - finding and searching through these log files is much like navigating through a labyrinth. But don't lose hope yet – tools like Splunk can come to your rescue. Splunk can even set up automated alerts for specific string patterns in logs, so it's a bit like a guard dog for your codes.

Testing All Layers: Can't Miss the Subtext

Databases and log files are not just the memory keepers in a software system - they form valid testing surfaces. They can be interacted with, inspected (just don't overdo it, nobody likes a nosy parker), and used to gauge the system's performance. It's here where digital tools come in handy, helping you inspect these layers meticulously.

Static Analysis Tools: The Code Inspectors

We've got tools that have got a knack for inspecting - the static analysis tools. These inspect the code base and configuration of an application before it heads off to conquer the world. They play detective, searching for quality issues, sniffing out bug code patterns, and identifying code likely to cause security vulnerabilities. Added as part of the build, they run automatically, which is rather like having a butler for your code.

In the vast universe of Visual Studio and the Windows environment, there are a myriad of these code inspectors or static analysis tools designed to save you from a coding catastrophe. Let's delve into a few noteworthy ones.

FxCop

Funded and developed by Microsoft, FxCop is a static analysis tool designed to assess .NET managed code assemblies. Known for its wide reach, it scrutinizes your code for more than 200 possible defects, especially those related to the design, localization, performance, and security. With FxCop, you'll also find it easier to ensure conformity to Microsoft's .NET Framework Design Guidelines.

NDepend

NDepend isn't your ordinary code inspector. It offers a more visual way of understanding your code base with dependency graphs and matrix. This feature allows developers to see the high-level architecture, while also being aware of the nitty-gritty. NDepend also offers rules that check for code smells, code coverage from tests, and technical debt estimation.

PVS-Studio

PVS-Studio is a titan in the static analysis tool department. Its focus? C, C++, C# and Java. It packs a punch with its capability to detect errors and potential vulnerabilities in the source code of programs. With PVS-Studio, your code will have a staunch defender against the silent errors waiting to disrupt the peace.

SonarLint

A member of the SonarQube family, SonarLint works within your IDE, adding an extra layer of protection as you write code. It pings you with notifications about bugs, security vulnerabilities, and code quality issues in real time, thus aiding seamless correction. SonarLint presents developers with the unique advantage of issue detection during coding - before the code even gets to the version control system.

Resharper

You probably know the Resharper – a tool that produces a code analysis that developers get when they are using this heavyweight in their Visual Studio. It has a free to use command-line sibling, which is used in automated code analysis. Simply run this tool against project or solution file, and it will produce a large XML file with the full list of code issues, that you can inspect, analyse and report on.

All these tools exemplify the sophistication and utility of static analysis tools in today's software development landscape. Employing these tools is akin to retaining the services of an ever-vigilant, exceptionally detailed and cost-effective digital detective for your code. They are the 'code inspectors' offering valuable help in ensuring clean, secure, and high-performing applications that transform ideas into reality.

The Bannermen for Security: Shields Up

In the realm of security testing, we have tools that probe systems, seeking vulnerabilities like a bloodhound on the scent. Component analysis tools, for instance, sniff out the open source libraries used within the system and report on any known security vulnerabilities in these libraries. And considering some of the most notorious security breaches in recent times have been due to the use of outdated open source libraries with known vulnerabilities, these tools aren’t just valuable, they are indispensable.

Deployed systems aren't spared either. We have penetration testing tools that probe a running system for security holes, while fuzz testing tools bombard the system with malformed, garbage data to reveal bugs and vulnerabilities. Such measures may appear overly cautious or excessive but remember - the digital realm can be a battlefield and it's always better to be safe than sorry.

From the treasure trove of Microsoft, we have some fantastic tools to ensure our software projects' security. These tools offer a deeper level of introspection, allowing us to closely evaluate every line of code and its potential security implications.

Static Code Analysis

One of the prime tools that Visual Studio offers is Static Code Analysis. It's an advantageous method to forestall security breaches by identifying vulnerabilities at the initial stage of your development cycle. As the name suggests, Static Code Analysis examines the source code without actually executing it - a 'static' inspection if you will. This tool checks for common security errors like SQL injection, buffer overflows and cross-site scripting (XSS), amongst others.

FxCop

Another robust tool at your disposal is FxCop, a static code analyzer provided by Microsoft. FxCop checks .NET managed code assemblies for conformance to Microsoft's .NET Framework Design Guidelines. Its modus operandi involves inspecting the compiled object code and not the source code, highlighting any violations of the prescribed design guidelines.

Puma Scan

Puma Scan, a .NET C# static source code analyser, offers real-time feedback to developers in the IDE, flagging up potential vulnerabilities as the code is written. Harnessing the power of Roslyn, Puma Scan provides software developers with real-time, instantaneous feedback about potential security flaws in their code, thus enabling a truly rapid response to emerging threats.

SonarQube

While SonarQube isn't specifically a Microsoft tool, it's undoubtedly worth mentioning as it integrates seamlessly with Visual Studio and TFS. This open-source platform measures and analyses the quality of source code and detects bugs, code smells, and security vulnerabilities. Not only does it ensure the integrity of your code, but it encourages good development practices too.

All these tools have a common goal - to make your software projects as fort Knox-like as possible. Each in its unique way repels the constant threats software faces - from injection, broken authentication, sensitive data exposure, to XML external entities (XXE), etc. The value they bring to the table is immense, and integrating these tools into your software development process ensures that when you raise your shields, they hold.

The Concluding Bit: Not Just For the Records

While database and log inspection and monitoring remain a constant in this digital dance, implementing static analysis tools can be akin to teaching a stubborn old mule new tricks, especially if the system has already had a head start on its build journey. Furthermore, they tend to generate a lot of noise, making the enforcement of new standards on new code a tricky business.

However, if your system has security risks lurking in the shadows, it's worth making the effort to bring in security static analysis tools and penetration-type tools to shoo away potential threats. Yes, there is a learning curve involved for software testers to make a successful foray into security testing. But then again, what's a journey without a few twists and turns?

Tags:

QA

blog comments powered by Disqus