6.9. Integration and Testing#

After development comes integration, when newly developed code is combined with existing code and with external services such as databases.

6.9.1. Integration Activities#

Merging code

As they work, developers write their code locally, either separately from the main project or against a local development version of the app. Once the work is complete, they merge it into the main codebase.

Database integration

During development, developers might use a local database. As part of integration, the database-related work (schema changes and data) is moved from the development environment to the production database.

6.9.2. Testing#

Testing ensures that your application meets the specifications and is free from vulnerabilities. This process typically includes code reviews, automated scans or tests, and penetration testing.

Functional Testing#

Functional testing confirms that the code meets the functional requirements set out in your design and specs.

There are two main types of functional testing:

  • Unit tests which check that individual functions or methods behave as expected for given inputs.

  • Integration tests which check that broader modules or functions that combine multiple sub-functions behave as expected.

Generally, unit and integration tests are written as code using a testing library, which runs the code under test with pre-set inputs and compares the results against the expected outputs.

There are many testing libraries for Python such as:

  • unittest - a library built into Python's standard library

  • pytest - the most popular third party testing library
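As an added illustration (not code from the course), here is a pytest-style unit test and integration test for a small registration module; the module, its in-memory store and the inputs are all constructed for this example, and pytest collects plain `test_*` functions without any framework import.

```python
import hashlib
import hmac
import os
import re

# Added example, not from the course notes: pytest-style tests for a small
# registration module. pytest collects plain test_* functions, so no import
# of the framework is needed; run `pytest` in the directory holding this file.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")

def validate_username(name):
    """Unit under test: 3-16 chars, lowercase letters, digits and underscores."""
    return isinstance(name, str) and USERNAME_RE.fullmatch(name) is not None

def hash_password(password, salt=None):
    """Unit under test: salted PBKDF2-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register_user(store, name, password):
    """Combines validation, hashing and storage; `store` stands in for the dev database."""
    if not validate_username(name) or name in store:
        return False
    store[name] = hash_password(password)
    return True

def check_login(store, name, password):
    entry = store.get(name)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

# Unit tests: one function, fixed inputs, expected outputs.
def test_validate_username():
    assert validate_username("alice_01")
    assert not validate_username("Alice")      # uppercase not allowed
    assert not validate_username("al")         # too short
    assert not validate_username("alice-01")   # hyphen not allowed
    assert not validate_username(None)         # wrong type handled safely

# Integration test: the functions working together against a test store.
def test_register_then_login():
    store = {}
    assert register_user(store, "alice_01", "correct horse")
    assert not register_user(store, "alice_01", "other")    # duplicate rejected
    assert check_login(store, "alice_01", "correct horse")
    assert not check_login(store, "alice_01", "wrong password")
    assert not check_login(store, "nobody", "correct horse")
```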

Code Review#

Code reviews are when peers or senior developers check your code for:

  • Logic Errors - does the code correctly implement what was intended?

  • Security Vulnerabilities - is user input handled safely to avoid vulnerabilities like injection attacks?

  • Coding Standards - does the code follow established style guides or best practices?

Coding standards can be enforced by automatic formatting and linting tools such as black.

Manual code review can be difficult to do thoroughly. It is best practice to make many small incremental updates to a code base rather than a few large updates, so that the changes are easier to understand and analyse.

Static Application Security Testing (SAST)#

SAST tools analyse code without running it, flagging potential security weaknesses such as:

  • Hardcoded credentials

  • Known insecure patterns

  • Possible SQL injection vulnerabilities (if raw string concatenation is detected)

Example

The bandit library scans Python code for common security mistakes.

To run bandit against a Python script you can use:

bandit app.py
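As an added example (not from the course notes), two of the patterns listed above, each next to the form that passes a scan; the users table and the crafted input are constructed in memory, and running `bandit` on this file reports the two lines marked `flagged` (its hardcoded-password and string-built-SQL checks).

```python
import os
import sqlite3

# Added example, not from the course notes: two patterns bandit reports, each
# beside the form that passes a scan. The users table is constructed in memory.

# Pattern 1: hardcoded credential (bandit test B105, hardcoded_password_string).
DB_PASSWORD = "hunter2"  # flagged: the secret ships in source control

def db_password_from_env(env=os.environ):
    """Fixed: read the secret at runtime from the environment (or a secrets manager)."""
    return env["DB_PASSWORD"]

# Pattern 2: SQL assembled by string concatenation (bandit test B608).
def find_user_unsafe(conn, username):
    query = "SELECT id, name FROM users WHERE name = '" + username + "'"  # flagged
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    """Fixed: a parameterised query; the driver never treats the value as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (username,)).fetchall()

def make_demo_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

if __name__ == "__main__":
    conn = make_demo_db()
    # The same crafted value returns every row through the unsafe query and
    # nothing through the parameterised one, which is why bandit flags the first.
    crafted = "x' OR 'a'='a"
    print("unsafe:", find_user_unsafe(conn, crafted))
    print("safe:  ", find_user_safe(conn, crafted))
```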

Dynamic Application Security Testing (DAST)#

DAST tests the running application in the way an external attacker would: it checks runtime behaviour rather than static code.

Most commonly, DAST is performed manually by software developers or QA teams because of the difficulty in automating these kinds of tests. For example, for a web app these tests involve entering data into the app through a browser, which is challenging to automate.

Penetration Testing#

Most testing done by software developers centres on making sure that best practices are followed and that the functionality is complete. Unfortunately, even when this is done thoroughly and professionally, there might still be unforeseen vulnerabilities.

Penetration testing is used to find these unforeseen vulnerabilities. It is performed by security professionals or specialized testers, who simulate real-world attacks and attempt to gain access or compromise the security of the software by any means necessary, just as a hacker might.

Penetration testing can also involve social engineering, in which attackers attempt to influence other people into disclosing information or granting them access.

Security and Resilience Testing#

Security and resilience testing checks whether the software can resist attacks, continue operating when something goes wrong, and recover safely afterwards. It combines security testing with reliability and recovery testing.

Security and resilience testing can include:

  • determining vulnerabilities through code review, SAST, DAST, vulnerability assessment, and penetration testing

  • testing whether invalid, unexpected, or malicious input is rejected safely

  • checking that authentication, authorisation, and session controls cannot be bypassed

  • testing how the system behaves when a service, database, or network connection fails

  • confirming that important data can be restored from backups

  • checking that logs and monitoring provide enough information to investigate a security incident

A vulnerability assessment is a structured review of software, configuration, dependencies, and infrastructure to identify known weaknesses. Unlike penetration testing, it does not usually attempt to fully exploit the system. It is often used to decide which problems should be fixed first.
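As an added example (not from the course notes), a resilience test covering three of the points in the list above: it makes a database dependency fail, then checks that the app fails safely, that the log carries enough detail to investigate, and that service recovers; the application function, the flaky database and the log sink are all constructed stand-ins.

```python
import logging
from logging.handlers import BufferingHandler

# Added example, not from the course notes: a resilience test that makes the
# database dependency fail, then checks the app fails safely, logs enough to
# investigate, and recovers. The database and the log sink are in-memory stand-ins.
log = logging.getLogger("resilience_demo")

class FlakyDatabase:
    """Fake dependency: raises ConnectionError while `down` is True."""
    def __init__(self):
        self.down = False
        self.rows = {"alice": "alice@example.test"}  # constructed sample data

    def lookup(self, name):
        if self.down:
            raise ConnectionError("db host unreachable (constructed detail)")
        return self.rows.get(name)

def get_email(db, name):
    """Returns (status, payload); internal error detail never reaches the caller."""
    try:
        email = db.lookup(name)
    except ConnectionError as exc:
        log.error("lookup failed user=%s error=%s", name, exc)  # for responders
        return "unavailable", "service temporarily unavailable"  # generic reply
    return ("ok", email) if email is not None else ("not_found", None)

def run_resilience_scenario():
    """Drives failure and recovery; returns the observations for the assertions."""
    sink = BufferingHandler(capacity=100)  # keeps records in sink.buffer
    log.addHandler(sink)
    log.setLevel(logging.ERROR)
    db = FlakyDatabase()
    before = get_email(db, "alice")
    db.down = True
    during = get_email(db, "alice")
    db.down = False
    after = get_email(db, "alice")
    log.removeHandler(sink)
    return before, during, after, [r.getMessage() for r in sink.buffer]

def test_fails_safely_and_recovers():
    before, during, after, lines = run_resilience_scenario()
    assert before == ("ok", "alice@example.test")
    assert during == ("unavailable", "service temporarily unavailable")
    assert not any("unreachable" in part for part in during)  # nothing leaks
    assert any("unreachable" in line for line in lines)        # but it is logged
    assert after == before                                     # recovered
```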

6.9.3. Glossary#

Merging code#

Combining completed development work into the main codebase.

Database integration#

Moving database-related work from development into the production database or environment.

Production database#

The database used by the live application.

Functional testing#

Testing that confirms code meets the functional requirements set out in the design and specifications.

Unit test#

A test that checks an individual function or method behaves as expected for given inputs.

Integration test#

A test that checks broader modules or functions that combine multiple parts behave as expected.

Code review#

A review where peers or senior developers check code for correctness, security vulnerabilities, and coding standards.

SAST#

Static Application Security Testing. Tools that analyse code without running it to find potential security weaknesses.

DAST#

Dynamic Application Security Testing. Testing the running application in the way an external attacker might.

Penetration testing#

Security testing performed by specialists who simulate real-world attacks to find unforeseen vulnerabilities.

Social engineering#

Attempting to influence people into disclosing information or granting access.

Resilience testing#

Testing that checks whether software can resist problems, continue operating where possible, and recover safely after failures or attacks.

Vulnerability assessment#

A structured review used to identify known weaknesses in software, configuration, dependencies, or infrastructure.