Studied Computer Science and Information Security at Georgia Tech. • Dissatisfied with options in infosec industry in 2007, restarted web development work. • Now own a web application security firm with a growing team.
of code that [he or she] has not executed any unit test for, and one of the best ways to make sure you have not shipped a line of code without testing is to practice TDD” Robert Martin in his 2012 debate on TDD with Jim Coplien, video at https://www.youtube.com/watch?v=KtHQGs3zFAM&t=14%3A42
Processes and tools Working software Comprehensive documentation Customer collaboration Contract negotiation Responding to change Following a plan These have value! Software fails without these! Source: http://agilemanifesto.org
environment where authorization decisions are made by the web app alone. • A significant number of data breaches (63%+ by DBIR data) are the result of poor password security, especially staff passwords with extraordinary access. • Most developers do not know the basics of the OWASP Top 10 or Advanced Security Verification Standard.
code is often used as a slang term for difficult-to-change code that we don’t understand. But over years of working with teams, helping them get past serious code problems, I’ve arrived at a different definition. To me, legacy code is simply code without tests." Feathers, Michael. Working Effectively with Legacy Code (Robert C. Martin Series) (Kindle Locations 226-229). Pearson Education. Kindle Edition.
make a change in a legacy code base, here is an algorithm you can use. 1.Identify change points. 2.Find test points. 3.Break dependencies. 4.Write tests. 5.Make changes and refactor. Feathers, Michael. Working Effectively with Legacy Code (Robert C. Martin Series) (Kindle Locations 624-628). Pearson Education. Kindle Edition.
production code without having a corresponding failing test 2)Don’t write too many failing tests without writing production code 3)Don’t write more production code than is sufficient to pass the currently failing test Robert Martin http://butunclebob.com/ArticleS.UncleBob.TheThreeRulesOfTdd (2005)
act of design than verification. It is also more an act of documentation than verification. The act of writing a unit test closes a remarkable number of feedback loops, the least of which is the one pertaining to verification of function!” Robert C. Martin, Agile Software Development, Principles, Patterns, and Practices, p. 23
description of the story used for planning and as a reminder 2)conversations about the story that serve to flesh out the details of the story 3)tests that convey and document details and that can be used to determine when a story is complete. Cohn, Mike (2004-03-01). User Stories Applied: For Agile Software Development (Kindle Locations 400-403). Pearson Education. Kindle Edition.
stories are expected to be written by customers only, abuser stories should be written by: – The Customer (Business) – The Developers (who have unique technical understanding of the system) – Security team (who have unique understanding of security threats) • Every story must have an accompany test as part of its definiton of done and to feed the TDD cycle • Developers write detailed tests as part of their implementation to fill in more technical details and to show that no code was shipped without tests and that the particular issue cannot reappear without the tests failing