Start with passing Tests
(TDD for bugs)
London, 22nd Sep 2016, v0.5
Me
• Developer for 25 years
• AppSec for 13 years
• Day jobs:
• Leader OWASP O2 Platform project
• Application Security Training for JBI Training
• Part of AppSec team of:
• The Hut Group
• BBC
• AppSec Consultant and Mentor
• @Leanpub (buy for 0$ )
• http://leanpub.com/u/DinisCruz
Books Published
• published at Leanpub (buy for 0$ )
– http://leanpub.com/u/DinisCruz
Books under development
Major revision with lots of new content
(based on Maturity Models app)
Ideas shown in this presentation

and a lot more
See also:
http://blog.diniscruz.com/2016/03/new-era-of-software-with-modern.html
TDD
• For bugs, always start with a passing test
– The common TDD workflow is to write a failing test first.
– The problem with this approach is that it only works for a very specific scenario (when fixing bugs).
– This presentation will present a different workflow which makes the coding and testing of those bugs much easier, faster, simpler, more secure and thorough.
Key concept: Turning TDD upside down
• For TDD to be productive you need
– Real-time unit test execution (as soon as your hands lift off the keyboard)
– Real-time code coverage
• TDD focus needs to be on
– making developers more productive
– preventing developers from switching context
• You need something like Wallaby or NCrunch
• If 99% code coverage doesn’t happen ‘by default’, the TDD workflow is not working
TDD
99% CODE COVERAGE
…is not the destination
…it is ‘base camp’
TDD in WebStorm with WallabyJS
What happens when you increase attack surface
You want a test to fail
TDD in WebStorm with WallabyJS
• … but that is a topic for another talk :)
TDD WORKFLOW FOR A BUG
• Bug is found
• Issue created and documented
• Issue prioritised and scheduled
• Fix
• QA
• Deploy
– hope it has been fully fixed?
Normal flow for bugs and security issues
• Bug found, Issue created, Scheduled
• TDD loop
– Write test that fails
– Fix Issue
– Test passes
– All done?
• QA
– why is this needed?
With TDD
• Very few do this loop in pure TDD
– very hard to do without real-time test execution and code coverage
• Needs test API & Infrastructure to be there already
• are you able to spend an extra 4h, 8h, 16h fixing a blind spot of your test APIs?
• End result tends to be very shallow tests
• Root cause of issue is usually not identified (or fixed)
• Given these bugs:
• Login + open page X + enter data + submit data = BUG happens
• Create object + populate with data + do action = BUG happens
• call service A + inner call to Service B + bad data returned from Service B = BUG happens
• If you write a failing test, what happens when a problem occurs before we even reach the point where the bug happens?
How do you know what failed?
• Tests are only written while in ‘fix mode’
• Very little time to improve test APIs for the test execution environment
– There are really hard problems in Testing, that will need time to be solved
• Creating test proxies
• Creating ‘hot’ run-time environments
• Improving test execution and code coverage visualisation (when Wallaby or NCrunch is not available)
• Will break the build
• Will create a high threshold of what can be tested
The problem with failed tests
• Missing Headers on Production (HSTS for example)
• Debug messages shown on production
• SQL Injection on user controller field
• Wrong product shown on page
• Wrong link generated on page and email
• Performance issues (for example: slow search)
• Inconsistent error messages returned from Web Service
• Message Queues accepting message with bad data
• Expose user info via parameter manipulation
• Over-posting on Controller’s Model bindings
• Use of Strings on models to hold data (‘strings should be banned’)
Example of bugs
• Aren’t they the current behaviour of the application?
• Isn’t that how the application was designed?
• If you are writing a test to replicate the issue, should that test: Pass or Fail?
• My definition of feature is:
Once the code hits the main ‘develop’ branch, its behaviour is a feature (regardless of whether the code is in production)
Are these bugs or features?
Until you write the (passing) test, you don’t really know the root cause of the issue
1. Find issue
2. Create PoC (Proof-of-Concept)
3. Report issue (on PDF or Bug tracking)
4. Dev ‘fixes’ issue
5. Fix pushed to production
6. Is it really fixed? If yes, end of story
7. Find variation of issue
8. Go back to 2.
Bug/Security fix merry-go-round
• Why is QA finding issues that the devs are not aware of, or that have been fixed before?
• Most QA teams are clicking on things and running scripts
• QA teams:
– should be reviewing the Tests created/changed since the last release
– need to have developers, since they need to write Tests
– need to have senior developers, since they need to improve the Tests’ APIs and execution/development Environments
QA - Most are not being efficient
WRITING PASSING TESTS
• Write Test first
• Understand the issue
• Improve test APIs and Frameworks
• Write one Test per affected layer (or call stack)
– start with e2e (end-to-end) and end with pure Unit Tests (on the root cause of the issue)
– For each affected method, write tests for its callers (creating a reverse tree)
• By definition, the fix of the original issue(s) will break these tests
• Transform these ‘passing bug tests’ into ‘passing regression tests’
• QA team (and manager/architect/security) reviews the tests’ diff
Suggested workflow
• Team members need to communicate using Tests
• Tests should be easier to write than explanations (text, screenshots, videos)
• Team collaboration should be done via tests (from dev to QA, from QA to dev, from Team A to Team B)
• Managers need to write tests (and demand powerful/easy-to-use APIs)
Tests need to be the lingua franca
• It is crazy that we tend to promote the best developers into management positions (since that is the ‘only’ career path) and then make them do everything except coding
• These ‘senior devs, now managers/architects’ tend to be the best programmers in the building and usually love coding
• The solution is to make them read and write tests
• Teams need to communicate using tests
• Printing tests (on paper) is a very effective way to do code review
Managers need to code
When creating tests in the ‘Fix’ stage, the focus (& time allocated) is on fixing the bug (not on testing it)
When creating tests in the ‘Issue Creation’ stage, the focus (& time allocated) is on how to test it and what its root cause is
CASE STUDY: WHEN I CREATED A VULNERABILITY
• Here is the code I wrote (at the Data Layer)
• This method is designed to be called by the controller (i.e. the REST API endpoint):
Feature request: Allow data editing on UI
Regression test that passes on issue
Fix for path traversal
Regression test
LET’S SEE HOW IT LOOKED IN THE CODE
…before the vuln is created
…when the vuln is created
…adding comments
…after issues are created
…improving comments
…updating issues after 1st fix
…after final fix
Thanks, any questions
@diniscruz
dinis.cruz@owasp.org

Open security summit 2019   owasp london 25th febOpen security summit 2019   owasp london 25th feb
Open security summit 2019 owasp london 25th feb
 
Owasp summit 2019 - OWASP London 25th feb
Owasp summit 2019  - OWASP London 25th febOwasp summit 2019  - OWASP London 25th feb
Owasp summit 2019 - OWASP London 25th feb
 

Último

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 

Último (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Start with passing tests (TDD for bugs) v0.5 (22 Sep 2016)

  • 1. Start with passing Tests (TDD for bugs)
    London, 22nd Sep 2016, v0.5
  • 2. Me
    • Developer for 25 years
    • AppSec for 13 years
    • Day jobs:
      – Leader OWASP O2 Platform project
      – Application Security Training for JBI Training
      – Part of AppSec team of:
        • The Hut Group
        • BBC
      – AppSec Consultant and Mentor
  • 3. Books Published
    • @Leanpub (buy for 0$)
    • http://leanpub.com/u/DinisCruz
  • 4. Books under development
    • published at Leanpub (buy for 0$)
      – http://leanpub.com/u/DinisCruz
    • Major revision with lots of new content (based on Maturity Models app)
    • Ideas shown in this presentation, and a lot more
  • 10. TDD
  • 11. Key concept: Turning TDD upside down
    • For bugs, always start with a passing test
      – The common TDD workflow is to write a failing test first.
      – The problem with this approach is that it only works for a very specific scenario (when fixing bugs).
      – This presentation presents a different workflow which makes coding and testing these fixes much easier, faster, simpler, more secure and more thorough.
  • 12. TDD
    • For TDD to be productive you need
      – Real-time unit test execution (when the hands lift from the keyboard)
      – Real-time code coverage
    • TDD focus needs to be on
      – making developers more productive
      – preventing developers from switching context
    • You need something like Wallaby or NCrunch
    • If 99% code coverage doesn't happen 'by default', the TDD workflow is not working
  • 13. 99% CODE COVERAGE …is not the destination …it is 'base camp'
  • 15. TDD in WebStorm with WallabyJS
  • 16. What happens when you increase attack surface
  • 17. You want a test to fail
  • 18. TDD in WebStorm with WallabyJS
    • … but that is a topic for another talk :)
  • 20. Normal flow for bugs and security issues
    • Bug is found
    • Issue created and documented
    • Issue prioritised and scheduled
    • Fix
    • QA
    • Deploy
      – hope it has been fully fixed?
  • 21. With TDD
    • Bug found, Issue created, Scheduled
    • TDD loop
      – Write test that fails
      – Fix Issue
      – Test passes
      – All done?
    • QA – why is this needed?
  • 22. Very few do this loop in pure TDD
    • very hard to do without real-time test execution and code coverage
    • Needs test API & infrastructure to be there already
      – are you able to spend an extra 4h, 8h, 16h fixing a blind spot of your test APIs?
    • End result tends to be very shallow tests
    • Root cause of issue is usually not identified (or fixed)
  • 23. How do you know what failed?
    • Given these bugs:
      – Login + open page X + enter data + submit data = BUG happens
      – Create object + populate with data + do action = BUG happens
      – Call service A + inner call to Service B + bad data returned from Service B = BUG happens
    • If you write a failing test, what happens when a problem occurs before we reach the 'BUG happens' step?
  • 24. The problem with failed tests
    • Tests are only written while in 'fix mode'
    • Very little time to improve test APIs or the test execution environment
      – There are really hard problems in testing that will need time to be solved
        • Creating test proxies
        • Creating 'hot' run-time environments
        • Improving test execution and code coverage visualisation (when Wallaby or NCrunch is not available)
    • Will break the build
    • Will create a high threshold of what can be tested
  • 25. Example of bugs
    • Missing headers on production (HSTS for example)
    • Debug messages shown on production
    • SQL Injection on user controller field
    • Wrong product shown on page
    • Wrong link generated on page and email
    • Performance issues (for example: slow search)
    • Inconsistent error messages returned from Web Service
    • Message queues accepting messages with bad data
    • Exposing user info via parameter manipulation
    • Over-posting on Controller's model bindings
    • Use of strings on models to hold data ('strings should be banned')
  • 26. Are these bugs or features?
    • Aren't they the current behaviour of the application?
    • Isn't that how the application was designed?
    • If you are writing a test to replicate the issue, should that test pass or fail?
    • My definition of feature is: once the code hits the main 'develop' branch, its behaviour is a feature (regardless of whether the code is in production)
  • 27. Until you write the (passing) test, you don't really know the root cause of the issue
  • 28. Bug/Security fix merry-go-round
    1. Find issue
    2. Create PoC (Proof-of-Concept)
    3. Report issue (on PDF or bug tracking)
    4. Dev 'fixes' issue
    5. Fix pushed to production
    6. Is it really fixed? If yes, end of story
    7. Find variation of issue
    8. Go back to 2.
  • 29. QA - Most are not being efficient
    • Why is QA finding issues that the devs are not aware of, or that have been fixed before?
    • Most QA teams are clicking on things and running scripts
    • QA teams:
      – should be reviewing the tests created/changed since the last release
      – need to have developers, since they need to write tests
      – need to have senior developers, since they need to improve the tests' APIs and execution/development environments
  • 31. Suggested workflow
    • Write test first
    • Understand the issue
    • Improve test APIs and frameworks
    • Write one test per affected layer (or call stack)
      – start with e2e (end-to-end) and end with pure unit tests (on the root cause of the issue)
      – for each affected method, write tests for its callers (creating a reverse tree)
    • By definition, the fix of the original issue(s) will break these tests
    • Transform these 'passing bug tests' into 'passing regression tests'
    • QA team (and manager/architect/security) reviews the tests' diff
  • 32. Tests need to be the lingua franca
    • Team members need to communicate using tests
    • Tests should be easier to write than explanations (text, screenshots, videos)
    • Team collaboration should be done via tests (from dev to QA, from QA to dev, from Team A to Team B)
    • Managers need to write tests (and demand powerful/easy-to-use APIs)
  • 33. Managers need to code
    • It is crazy that we tend to promote the best developers into management positions (since that is the 'only' career path) and then make them do everything except coding
    • These 'senior devs, now managers/architects' tend to be the best programmers in the building and usually love coding
    • The solution is to make them read and write tests
    • Teams need to communicate using tests
    • Printing tests (on paper) is a very effective way to code review
  • 34. When creating tests at the 'Fix' stage, the focus (& time allocated) is on fixing the bug (not on testing it).
    When creating tests at the 'Issue Creation' stage, the focus (& time allocated) is on how to test it and what its root cause is.
  • 35. CASE STUDY: WHEN I CREATED A VULNERABILITY
  • 36. Feature request: Allow data editing on UI
    • Here is the code I wrote (at the Data Layer)
    • This method is designed to be called by the controller (i.e. REST API endpoint):
  • 37. Feature request: Allow data editing on UI
  • 38. Regression test that passes on issue
  • 43. Fix for Path traversal
  • 45. LET'S SEE HOW IT LOOKED IN THE CODE
  • 46. …before the vuln is created
  • 47. …when the vuln is created