CDL - Section 13 - Testing and Securing Applications

Question 1

What is Test Driven Development (TDD)?

Answer 1

A software development practice that focuses on creating unit test cases before developing the actual code.

It’s a style of programming where coding, testing, and design are tightly interwoven.

Question 2

What are the 4 layers of the TDD Testing Pyramid?

Answer 2

1. Unit Testing
2. Integration Testing
3. System Testing
4. Acceptance Testing

Question 3

What is Unit testing (UUT)?

Answer 3

Conducted at the beginning for the development process; unit tests are done in isolation. They should not test interaction between multiple system components.

Automated tests that individually focus on a small portion of the application code that you want to test.

The tests should be: reliable, fast, isolated and readable.

Question 4

What is Integration Testing (CUT)?

Answer 4

After the unit testing (UUT) is finished, you need to validate that the component can interact properly with actual system components.

Combining and testing multiple components and their interaction is called integration testing.

CUT = Component Under Test

Question 5

What is System Testing?

Answer 5

The purpose of this testing layer is validating that the system or product works as a whole.

Examples are: functionality, security, usability, storage, and regression testing.

Question 6

What is Acceptance Testing?

Answer 6

Once developers are finished with developing and testing the product, it is ready for delivery.

This final testing layer serves the purpose of validating that the delivered product matches the requirements of the client.

Question 7

What is the difference between Alpha and Beta testing?

Answer 7

Alpha = testing done by developers in a Dev environment.

Beta = a selected group of users get access to the product before it’s release to provide feedback on quality,

Question 8

Is a Unit Test clearly defined? IS the size defined?

Answer 8

No.

The size of a unit under test is not strictly defined, and neither is the definition of what a unit is.

A unit test in practice is a piece of code, typically a method or function, that invokes any part of the application code that you want to test.

Question 9

What are the only two verdicts of a Unit Test?

Answer 9

PASS or FAIL

Question 10

What are Happy Path/Sunny Day and Error Path/Rainy Day scenario?

Answer 10

The happy path scenario is a default use case where a test uses known input and executes successfully without any exceptions. AKA the test is always a PASS

the input is not in the expected form; it can help you to identify code smells and bugs early in the development of your application. AKA the test should FAIL.

Question 11

REVIEW: Containers

→ Containers run isolated processes on an operating system, providing reliable and consistent deployments regardless of the environment.

→ They provide a standard way of packaging your application code and all the dependencies into a single object

→ It makes containers very convenient for running tests, as well as making sure you are deploying the same code that was used for testing

→ Containerization technology makes it possible for developers to replicate the production environment on the local computer; containers can be managed via the Terminal

Answer 11

→ Process of creating a container:

1. Write the Dockerfile
2. Add files to Build’s context
   * * the Build’s Context = the directory where the Dockerfile is located
3. Build the image using the “docker build” cmd
4. Start the container with the new image

Question 12

What is a Docker File?

Answer 12

The file which holds the set of instructions that define a Docker image.

Containers are then spun up from a Docker Image.

Question 13

REVIEW: Common Docker Commands

○ Convention dictates the instructions to be all in upper-case

○ Starts with the instruction FROM

• -> “FROM” Specifies the parent (base) image to be used for the following instructions in the Dockerfile.
• -> EX) FROM ubuntu:latest = creating a container based on an image from the latest release of Ubuntu. You would then use “docker run ubuntu:latest” to create a new Docker container.

○ Lines starting with “#” are the comments

Answer 13

○ COPY - Used to copy files or directories from the build’s context into the container

○ ENV - Creates a new environment variable or sets a value of an existing variable inside the container

○ RUN - Used to run a single or multiple commands in a shell in the container to prepare the image

○ VOLUME - Creates a mounting point for persisting data that is consumed by the Docker containers

○ EXPOSE - Exposes a TCP or UDP port on which the application running in the container is accessible

○ CMD - Unlike the RUN command, the CMD command does not execute while building the image. Instead, it just specifies what command to execute when a new container is started from this image

Question 14

What is a Docker Repository?

What is a collection of Docker Repo’s called?

Answer 14

A Docker Repo is where a collection of Docker Images are stored.

A collection of Repo’s is called a Registry

Question 15

What is a Network Driver (when working with Containers)?

Answer 15

Drivers are used to connect containers to other containers, or to a machine on the host network, or outside the network.

Question 16

What is more vulnerable to attacks - data @ rest or data in transit?

What is the main method used for protection in both?

Answer 16

Data @ Rest

Encryption

Question 17

REVIEW: Types of Attacks

–> Cross-Site Scripting (XSS) - occurs when an attacker executes/injects malicious scripts/code in the web browser of a victim; It exploits known vulnerabilities in web applications, web application servers, and its plug-in systems

–> SQL Injection - made of an insertion of a SQL query through the input data from an attacker to the web application; the attacker can then red/modify sensitive data from the DB

Answer 17

–> Cross-Site Request Forgery (CSRF) - occurs when an attacker forces a victim to issue undesirable actions on the victim-authenticated web application. CSRF is done through social engineering where a victim clicks a link (such as inside an email) and unknowingly submits a forged request - such as transferring money.

–> Server Side Request Forgery - allow the attacker to send a forged request from a web server on the behalf of the attacker

Question 18

What instruction must be used for a Docker File to start?

Answer 18

FROM

Question 19

A “same-origin policy” relies on which parts or components of a URL request to be the same?

Answer 19

URI scheme

Hostname

Port Number

Question 20

REVIEW:

→ Good app design allows you to scale up to 2-3 times the average amount of Ingress traffic with the same level of performance delivered when it’s the average amount of traffic

→ Traffic security (1) and Scaling (2) is often times done after it’s too late; SSL Offloading and Load Balancers help with this

Answer 20

SSL:

1) SSL Bridging - gets encrypted data, and then sends data re-encrypted through to backend servers i.e Traffic is encrypted all the way through.
- more secure
- requires more overhead
- backend server has to decrypt + re-encrypt

2) SSL Termination - when a LB or Proxy de-crypts traffic from user and send its to backend web server unencrypted. The LB/Proxy then re-encrypts the data on the way back out to the user.
- helps with scaling web app traffic because it removes the need for the backend server to handle the decrypt + re-encrypt.

Question 21

What are the 4 methods LB’s use for distributing traffic?

Answer 21

1. Round Robin is the default algorithm, which selects servers in turns.
2. Least Connections selects a server with the least number of connections.
3. Source algorithm establishes a hash of the user IP address, making sure that the user connects to the same server.
4. Sticky sessions ensure that the same user connects to the same web server when web applications demand so; downside is the server can get more easily overloaded
   - - If the server down, all sticky sessions are lost making the performance inconsistent