6.7. Integration and Testing

After development comes integration, when newly developed code is combined with the existing codebase and with external services such as databases.

6.7.1. Integration Activities

Merging Code

As developers work, they develop their code locally, either separately from the main project or using a local development version of the app. Once their work is complete, developers then need to merge their code into the main codebase.

Database Integration

During development, developers might use a local database. As part of integration, you move everything to the production database.

6.7.2. Testing

Testing ensures that your application meets the specifications and is free from vulnerabilities. This process typically includes code reviews, automated scans or tests, and penetration testing.

Functional Testing

Functional testing confirms that the code meets the functional requirements set out in your design and specs.

There are two main types of functional testing:

  • Unit Tests, which check that individual functions or methods behave as expected for given inputs

  • Integration Tests, which check that broader modules, or functions that combine multiple sub-functions, behave as expected

Generally, unit and integration tests are written in code using a testing library, which runs the code with pre-set inputs and checks the results.

There are many testing libraries for Python such as:

  • unittest - a library built into Python's standard library

  • pytest - the most popular third-party testing library

Code Review

Code reviews are when peers or senior developers check your code for:

  • Logic Errors - does the code correctly implement what was intended?

  • Security Vulnerabilities - is user input handled safely to avoid vulnerabilities like injection attacks?

  • Coding Standards - does the code follow established style guides or best practices?

Coding standards can be enforced by automatically formatting and linting code with tools such as black.

Manual code review is difficult to do thoroughly. It is best practice to make many small, incremental updates to a code base rather than a few large ones, so that the changes are easier to understand and analyse.

Static Application Security Testing (SAST)

SAST tools analyse code without running it, flagging potential security weaknesses such as:

  • Hardcoded credentials

  • Known insecure patterns

  • Possible SQL injection vulnerabilities (if raw string concatenation is detected)

Example

The bandit library scans Python code for common security mistakes.

To run bandit against a Python script you can use:

bandit app.py
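As an added example (not code from the original lesson), the following Python module shows a user lookup written with the raw string concatenation that SAST tools such as bandit flag, next to its parameterised replacement, together with pytest-style unit and integration tests of the kind described under Functional Testing. The module, function names and user data are constructed for illustration; running bandit over the file reports the unsafe query, and running pytest over it exercises both versions.

```python
# Added example, not from the original lesson. All names and data are constructed.
import sqlite3


def make_db():
    """Integration-test fixture: an in-memory SQLite database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name):
    """The pattern a SAST scan reports: untrusted input concatenated into SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql).fetchall()]


def find_user(conn, name):
    """Parameterised query: the driver passes `name` as data, never as SQL text."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


def normalise_name(name):
    """Pure helper, the kind of function a unit test targets directly."""
    return name.strip().lower()


# --- tests: run with `pytest <this file>` ---
def test_normalise_name_unit():
    # Unit test: one function, fixed input, expected output.
    assert normalise_name("  Alice ") == "alice"


def test_find_user_integration():
    # Integration test: the lookup combined with a real (in-memory) database.
    conn = make_db()
    assert find_user(conn, "alice") == ["alice"]
    assert find_user(conn, "carol") == []


def test_injection_shaped_input_is_treated_as_data():
    # Regression test for the code-review question "is user input handled safely?".
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input shaped like an injection attempt
    assert find_user(conn, probe) == []  # safe version: no user has that literal name
    assert find_user_unsafe(conn, probe) == ["alice", "bob"]  # unsafe version: every row
```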

Dynamic Application Security Testing (DAST)

DAST involves testing the running application just as an external attacker would: it checks runtime behaviour rather than the static code.

Most commonly, DAST is performed manually by software developers or QA teams because of the difficulty of automating these kinds of tests. For example, for a web app these tests would involve entering data into the app through a browser, which is challenging to automate.

Penetration Testing

Most testing done by software developers centers on making sure that best practices are followed and that the functionality is complete. Unfortunately, even when this is done thoroughly and professionally, there might still be unforeseen vulnerabilities.

Penetration testing is used to find such unforeseen vulnerabilities. It is performed by security professionals or specialized testers, who simulate real-world attacks and attempt to gain access to, or otherwise compromise the security of, the software by any means necessary - just as a hacker would.

Penetration testing can also involve social engineering, which is when hackers attempt to influence other people into disclosing information or granting them access.