Automated Code Testing for Software Quality Assurance
Quality assurance through code testing is an important part of the software development process (see Diagram 1). Discovering bugs and vulnerabilities early in the development process saves costs and reduces risks in the following stages.
Diagram 1: Software Development Lifecycle (Source: Wikimedia Commons)
Common testing methods used in software development include static and dynamic software testing as well as more innovative approaches such as smart fuzzing or FAST. There are different providers on the market that offer products based on one of these testing methods or, sometimes, their combination. Since manual testing consumes a lot of resources and cannot exclude the human factor, priority should be given to automated code scanning solutions.
Selection criteria for the automated testing solution
When choosing the software for automated code scanning, one should consider some important factors:
- Possibility for dynamic testing. The advantage of dynamic testing is that it is carried out in “real-time” during software execution. Also, user interaction with the software through input can be checked. During static software testing, on the other hand, the written code is analyzed without executing it, thus producing a lot of false positives (“false alarms”), which makes testing less efficient.
- Automated setup. The testing solution should be easy to install and set up. As opposed to manual unit testing, where the developers have to write the code for the tests themselves, the chosen testing product should contain a facility for creating test cases automatically (with a few mouse clicks).
- Continuous code scanning without manual interaction. For complex source code, automatic scanning can take hours or days, so it is important to ensure the autonomous running of code tests.
- Combination of several testing tools. The more testing tools or engines are combined in one application, the better results the scanning software can deliver.
- Integration into standard coding procedures. If the tests can be conducted in the IDE of the developer, this reduces the time needed to learn the testing application and allows for the early discovery of vulnerabilities.
- Test reports. Advanced code testing solutions should offer test reports and dashboards both during test execution (progress status) and after test completion.
- Debugging features. After scanning the code, the testing solution should display which parts of the code caused crashes during execution and what types of vulnerabilities were discovered. Ideally, the developer or the tester should be able to reproduce the crashes in the debugging mode.
- CI/CD workflow integration. Testing applications that fit into continuous development processes can greatly improve the workflow in a software development project and enhance the overall efficiency of development teams.
Diagram 2: Important selection criteria for a code testing application
CI Fuzz - automated code scanning solution
Based on the criteria above, we developed a unique code testing solution that combines three fuzzing engines with initial static code scanning and concolic execution.
CI Fuzz automatically scans the software code on each code change and finds deeply hidden bugs and vulnerabilities. Through its easy and intuitive setup and its IDE integration, the developers can start testing their source code right away.
The debugging mode of the software allows for easy bug discovery and fast bug fixing by the developer. CI Fuzz is also compatible with standard CI/CD tools such as Jenkins. Using CI Fuzz for automated source code scanning will speed up the testing phase of software development projects and improve the overall quality of the software.