WEBVTT 00:00.420 --> 00:06.570 All of the secure coding tools in the world are no good unless we have good tracking of code quality 00:06.780 --> 00:07.910 and testing. 00:07.920 --> 00:12.420 So once your code is developed the first thing you're going to want to do is you're going to want to 00:12.420 --> 00:13.950 test that code. 00:13.950 --> 00:19.620 Luckily for us there's lots of really great tools to help us test but we break it down into really two 00:19.620 --> 00:21.500 different types of test first. 00:21.540 --> 00:26.590 Or what we're going to call static code analyzers static code analyzers. 00:26.640 --> 00:28.690 Look at your actual code. 00:28.710 --> 00:30.150 They don't run the code. 00:30.210 --> 00:36.470 They just look through the code and they look for standard types of errors that coders often do. 00:36.480 --> 00:42.660 So if you take a look on the screen I've got an example of a static tester and if you take a look it's 00:42.660 --> 00:48.210 a little bit hard to read at the bottom but you'll notice that it doesn't like the way I'm doing a particular 00:48.330 --> 00:49.730 input validation. 00:49.830 --> 00:56.240 And I'll use this as a way to go back and check that to see if maybe I could do it a little bit better. 00:56.250 --> 01:02.040 So there's lots and lots of static code analyzers out there and you just pick the one that works best 01:02.040 --> 01:03.900 for your type of development platform. 01:04.630 --> 01:08.980 The important thing to understand is that it's not running the code it's just reading it. 01:09.070 --> 01:12.310 And based on lots of people's experience it a little bit of logic. 01:12.340 --> 01:18.950 It makes suggestions that you then go back in and change if you really want to test something though 01:19.340 --> 01:22.360 you're going to have to use a dynamic analysis. 01:22.370 --> 01:29.600 In other words run the code a dynamic analysis actually runs the code to look for logic errors to look 01:29.600 --> 01:31.380 for security holes. 01:31.430 --> 01:37.160 You can do things for example try to put really bizarre inputs and I'm not talking about input validation 01:37.160 --> 01:37.890 per se. 01:38.060 --> 01:43.160 What I'm talking about is like typing in sequel commands into the last name field. 01:43.340 --> 01:48.230 Crazy things like this that are known generically as fuzzing and there are actually tools out there 01:48.280 --> 01:56.240 flusters that you can use to actually throw in a lot of well-known hacking type code to see if we can 01:56.240 --> 01:58.400 break your system and that's what it's all about. 01:58.400 --> 02:03.920 So the dynamic analysis actually runs that code dynamic analysis handles things that you could never 02:03.920 --> 02:08.310 deal with a static code analyzer for example do you have a memory leak. 02:08.330 --> 02:12.100 Do you have a problem with the way you're querying the databases. 02:12.530 --> 02:15.890 These things really require a dynamic analysis. 02:15.890 --> 02:20.420 All right so you keep running these tests these tests are run once they're run continuously through 02:20.420 --> 02:22.010 the development process. 02:22.130 --> 02:26.270 But there is a point where you're really starting to think you got your code and that's where we move 02:26.270 --> 02:28.000 into staging. 02:28.040 --> 02:33.440 Staging basically means you want to start creating more and more realistic real world environments to 02:33.440 --> 02:35.030 see how your code does. 02:35.030 --> 02:39.770 So the first test that we normally do is a stress test with a stress test. 02:39.770 --> 02:43.940 What we're doing is we're actually putting the entire system under load. 02:43.940 --> 02:45.920 Can the databases keep up. 02:45.980 --> 02:48.830 Do I get refresh problems with screens. 02:48.830 --> 02:55.010 Do I have good denial of service attack defenses built in or at least up to a certain point to do a 02:55.010 --> 02:55.850 stress test. 02:55.850 --> 02:59.690 We usually use what's known as a sandbox with a sandbox. 02:59.690 --> 03:04.940 What we're doing is where we actually use real servers usually virtual servers and we get everything 03:04.940 --> 03:08.780 up and running if you have a database server separate from your application server. 03:08.790 --> 03:12.780 Everybody's up and running and cooking but it's a completely isolated environment. 03:12.800 --> 03:15.270 You're not actually out in the real world. 03:15.290 --> 03:18.960 You might even be public facing a little bit in some sandbox environments. 03:20.280 --> 03:25.350 After a good stress test within a sandbox you're getting close to saying I think we're getting ready 03:25.350 --> 03:30.500 to put this up into the last stage which is going to be deployment or production. 03:30.690 --> 03:36.960 But before we do that the last step we're doing is called Model verification model verification is the 03:36.960 --> 03:43.320 process where we go back and we go look when we first decided to make this application whatever it is 03:43.560 --> 03:47.220 we had a vision of what it was supposed to be and what it was supposed to do. 03:47.220 --> 03:54.120 That is our model the model verification is that step that goes is this doing what we visualized from 03:54.120 --> 03:55.010 the model. 03:55.020 --> 04:00.930 Now if it's a game it could be things like Well when we shoot the evil robot overlord does he explode 04:00.930 --> 04:05.240 into 25 pieces that are blue or 37 pieces that are red. 04:05.490 --> 04:11.610 If we're setting up a database system error the input screens coming up at the time we expect them to 04:11.610 --> 04:13.620 come up and closing properly. 04:13.620 --> 04:20.520 So we go through this model verification not to necessarily say that it's not working but to make sure 04:20.520 --> 04:24.660 that it's matching the vision the model that we originally chose. 04:24.840 --> 04:30.060 Once we've gone through these steps then the last steps the most interesting and that is production 04:30.390 --> 04:33.360 at this point we're taking things off the sandbox. 04:33.480 --> 04:38.150 We're putting up on public facing servers and we flip the switch and hopefully we make. 04:38.170 --> 04:38.700 I don't know. 04:38.700 --> 04:39.330 Lots of money.