Chef Blogs

Shift-Left Security Testing with Test Driven Development

Kameerath Abdul Kareem | Posted on | Chef Compliance | Chef InSpec | Continuous Delivery | DevOps

Organizations gain a competitive edge when they deploy software consistently and more frequently. DevOps teams are continually evolving to accelerate application delivery by adopting efficient processes and implementing automation. Investing in a robust development and testing strategy is a must to achieve stable and reliable release cycles. If development and testing processes are not optimized, it introduces vulnerabilities in the system that impact security, stability, and performance.

Testing for security and compliance is one of the significant challenges for dev teams, and it has a direct impact on application delivery. In this blog post, we discuss what test driven development means and how it can help DevTest teams shift left and optimize the software development cycle.

Continuous Delivery with Test Driven Development (TDD)

Google’s latest DORA report states, “the faster your teams can make changes to your software, the sooner you can deliver value to your customers, run experiments, and receive valuable feedback.” The metrics measured in the report are an indicator of software delivery and operational performance.


Dev and test teams are not always aligned and have limited visibility once the software moves into the deployment phase. These teams often work in silos, focusing on their assigned tasks without always considering the limitations and roadblocks that may arise during the deployment process. Everything from compliance requirements, security testing, and third-party variables can delay deployment.

Continuous delivery guarantees higher deployment frequency with lower risk and improved security with every release. Continuous delivery automates all processes from development to production, using pipelines while balancing software delivery risks and deployment frequency.


One of the processes that compromise continuous delivery is testing. The teams involved in testing code find it time-consuming, expensive, and complex. Multiple components require testing in different environments with a range of variables.

Test Driven Development (TDD) is a practice that breaks down the testing process into easily managed smaller tests that validate code faster. TDD allows developers to test code changes easily and make changes more quickly before the code goes to production. In addition, the smaller changes make it easy to incorporate testing into every phase of the development and delivery process.

TDD is essentially the process of converting every IT change that relies on specific policies or requirements into test cases before the software hits production. These pre-defined test cases can track all changes; newer changes are continually tested against the defined test cases to ensure the code succeeds.

Implementing Test Driven Development requires:

  • DevTest environments to be set up quickly to run tests
  • A Dev environment that can generate a rapid response to minor changes
  • Software modules and components that are cohesive and loosely coupled
  • An environment that allows each test to run in isolation

Test Driven Development brings in essential to continuous delivery as it:

  • Reduces risks in the deployment phase; errors are caught and fixed before they reach production.
  • Incorporates security testing into every phase of software delivery, minimizing security breaches and vulnerabilities.
  • Improves code quality with repeated testing
  • Enables automation and continuous delivery at scale.
  • Reduces time taken to debug code, and overall script maintenance is more manageable.

Implementing Test Driven Development with Chef for Security Testing

Constant testing is key to good design and quality software. When testing is introduced early in the development cycle, the delivery phase becomes less complex and risky for the dev and test teams, and they can focus on creating more stable and reliable code. TDD automates this time-consuming phase of software development by writing the tests first.

Automated tests are, in essence, business requirements and policies expressed in code. They ensure maximum alignment between the requirements and the code that goes into production. Developers write code based on the pre-defined test cases, so the end result conforms to standards. Refactoring is the next step in TDD once the code passes the different pre-defined test cases. It optimizes the code, removes duplicates in the codebase, and manages versioning.

The image below outlines the different test types in TDD

  • Linting: The code syntax and style are analyzed to follow standards and best practices.
  • DevOps testing: This involves unit-testing individual components of the codebase to validate logic, input/output, versioning, and architectural conformance
  • Integration testing: This validates the runtime environment to ensure the code is functional. This also includes policy and security tests to track how multiple components interact

Chef bridges the gap between the engineering and governance teams with its policy-as-code approach. Any change or update to the existing codebase can throw the risk vs. security scale out of balance. Chef policy-as-code simplifies security testing and makes it easier to implement TDD, helping teams translate compliance and security postures into simple, reusable code. Shifting security testing left, that is, testing at every phase of the development cycle, uncovers security issues early, giving the DevTest team ample time to fix problems before production.


Summary

Test driven development results in shorter design cycles that help deliver resilient software consistently. By implementing TDD, you continually evaluate business requirements, develop the right tests, and drive good software design. TDD Is the way forward to implement policy as code and secure infrastructure at scale.

Managing security- and compliance as code will enable your organization to incorporate TDD and maintain continuous delivery. You can then shift security testing left to reduce the risk of failure in the application delivery phase. With Chef, you can scale with reliability and consistency across any environment, whenever needed.

Learn more about TDD and Chef, watch the on-demand webinar here.