Comprehensive Guide To Code Quality Measures And Testing – All of the secure coding tools in the world are no good unless we have good tracking of code quality and testing. So once your code is developed, the first thing you’re going to want to do is you’re going to want to test that code. Luckily for us there’s lots of really great tools to help us test but we break it down into really two different types of tests.
First are what we’re going to call static code analyzers. Static code analyzers look at your actual code. They don’t run the code. They just look through the code and they look for standard types of errors that coders often do. So if you take a look on the screen I’ve got an example of a static tester, and if you take a look it’s a little bit hard to read at the bottom but you’ll notice that it doesn’t like the way I’m doing a particular input validation.
Also Read: What is the Difference Between Apache and NGINX
Static Code Analyzers
And I’ll use this as a way to go back and check that to see if maybe I could do it a little bit better. So there’s lots and lots of static code analyzers out there and you just pick the one that works best for your type of development platform. The important thing to understand is that it’s not running the code. It’s just reading it and based on lots of people’s experience it a little bit of logic it makes suggestions that you then go back in and change. If you really want to test something though you’re going to have to use a dynamic analysis.
In other words run the code. A dynamic analysis actually runs the code to look for logic errors, to look for security holes.
Dynamic code analysis
In other words run the code. A dynamic analysis actually runs the code to look for logic errors, to look for security holes. You can do things for example try to put really bizarre inputs in. I’m not talking about input validation. What I’m talking about is like typing in SQL commands into the last name field. Crazy things like this that are known generically as fuzzing and there are actually tools out there fuzzers that you can use to actually throw in a lot of well-known hacking type code to see if we can break your system. And that’s what it’s all about. So the dynamic analysis actually runs the code. Dynamic analysis handles things that you could never deal with a static code analyzer.
- You know how I sometimes have really brilliant ideas?
- Saving the world with meals on wheels.
- You’ve swallowed a planet!
- I’m the Doctor, I’m worse than everyone’s aunt. *catches himself* And that is not how I’m introducing myself.
Staging
Staging basically means you want to start creating more and more realistic real world environments to see how your code does. So the first test that we normally do is a stress test. With a stress test, what we’re doing is we’re actually putting the entire system under load.
- Can the databases keep up?
- Do I get refresh problems with screens?
- Do I have good denial of service attack defenses built in or at least up to a certain point. To do astress test, Code Quality
we usually use what’s known as a sandbox. With a sandbox what we’re doing is we actually use real servers, usually virtual servers, and we get everything up and running if you have a database server separate from your application server, everybody’s up and running and cooking, but it’s a completely isolated environment.
