Most of us are familiar with the idea of testing. We test the water temperature before stepping into the shower, for example.
As a creative writer, I always evaluate my writing before it's submitted to any publications. This strategy follows stages: high order changes to plot and characters after the first draft, medium order alterations to pacing and structure for second and third drafts, low order edits to sentence structure and grammar before the final product. Depending on the priorities of the current stage, I test different aspects of the story to see how they hold up and update it as I discover gaps.
DevOps teams take a similar approach to testing products. However, they shift their testing "left" and try to evaluate individual components as soon as they are written rather than waiting for the first iteration of the software (the first draft in our story metaphor). They also test the product during the individual stages of the DevOps pipeline to confirm the software is ready to move to the next phase.
No matter the method, testing is a critical aspect of any software development strategy, and it is especially important to the DevOps model for keeping delivery quality high while maintaining momentum. Let’s review DevOps testing strategies and tools that support these approaches in the following sections.
DevOps Testing Strategies
The categories below are the main areas you will want to focus on in your DevOps testing strategy. Of course, your team may have unique use cases that warrant more focused testing than what's covered here, which is fully encouraged. In a DevOps model, it's better to test too much than risk missing an issue.
DevOps Unit Testing
Unit testing inspects individual components of the application to confirm the code they're built on works as expected. Testing engineers or tools will create test cases for the functions, procedures, or methods to either pass or fail. The results are recorded, and the development team then works to update any failing components to pass the next test.
The main advantage of unit testing is that the scope is limited to allow for granular inspection of each piece of the software. Problems are identified earlier, and fixes are implemented before the components are built and compiled. The development team can now integrate the modules with fewer issues to slow the build phase.
It's also simpler to debug when the scope is limited to individual components since there's a limited source of errors for engineers to evaluate versus a fully merged application — speeding the time to bug resolution.
Types of DevOps Unit Tests:
- White Box Testing: The employee creating the test cases knows the software's internal structure and evaluates against design specifications. Also known as structural testing.
- Black Box Testing: The employee does not know the internal structure or code of the application and evaluates against expected outcomes. Also known as functional testing.
- Gray Box Testing: The employee writing the test cases is partially aware of the structure and code as they evaluate for defects. This method combines black box and white box testing methods.
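To make the distinction concrete, here is an added example (not from the original article) that tests one small security-relevant unit both ways. The `LoginThrottle` class, its thresholds, and the `fail_n` helper are hypothetical and exist only for illustration.

```python
import unittest

MAX_FAILURES = 3    # assumed policy: lock after 3 consecutive failures
LOCK_SECONDS = 300  # assumed policy: lock lasts 5 minutes

class LoginThrottle:
    """Hypothetical unit under test; not from any real project."""
    def __init__(self):
        self._failures = {}      # user -> consecutive failures
        self._locked_until = {}  # user -> time the lock expires

    def record_failure(self, user, now):
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCK_SECONDS
            self._failures[user] = 0

    def is_locked(self, user, now):
        return now < self._locked_until.get(user, 0)

def fail_n(n, user="alice", now=1000):
    """Helper: a fresh throttle after n failed logins for one user."""
    t = LoginThrottle()
    for _ in range(n):
        t.record_failure(user, now)
    return t

class BlackBoxTests(unittest.TestCase):
    """Derived from the specification only: inputs and expected outcomes."""
    def test_three_failures_lock_the_account(self):
        self.assertTrue(fail_n(3).is_locked("alice", now=1001))
    def test_other_accounts_are_unaffected(self):
        self.assertFalse(fail_n(3).is_locked("bob", now=1001))

class WhiteBoxTests(unittest.TestCase):
    """Derived from the code: exercise each branch and comparison boundary."""
    def test_threshold_branch_not_taken_one_below(self):
        self.assertFalse(fail_n(MAX_FAILURES - 1).is_locked("alice", now=1000))
    def test_lock_expiry_uses_strict_less_than(self):
        t = fail_n(MAX_FAILURES)
        self.assertTrue(t.is_locked("alice", now=1000 + LOCK_SECONDS - 1))
        self.assertFalse(t.is_locked("alice", now=1000 + LOCK_SECONDS))
    def test_counter_resets_after_lock(self):
        t = fail_n(MAX_FAILURES)
        self.assertEqual(t._failures["alice"], 0)  # inspects internal state

def run_suite():
    load = unittest.defaultTestLoader.loadTestsFromTestCase
    suite = unittest.TestSuite([load(BlackBoxTests), load(WhiteBoxTests)])
    result = unittest.TextTestRunner(verbosity=0).run(suite)
    return result.testsRun, result.wasSuccessful()
```

The black box cases would survive a rewrite of the class internals, while the white box cases are the ones that catch an off-by-one in the threshold or expiry comparison.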
Unit testing is a central practice of the shift left testing approach by examining code in its simplest state. It also produces more resilient code, which supports the application's security. We'll review security testing strategies next.
DevOps Security Testing
DevOps security is essential. A DevOps team is responsible not only for the security of their own pipeline but more importantly the security of the applications they are delivering to their customers. Whether those customers are internal employees or external users, the risks of deploying untested products are the same.
DevOps security testing is the systematic review of the application's code, structure, and operating environment to identify any weaknesses so that the team can mitigate them. These evaluations are done from individual code modules (think unit testing from the last section) all the way up to the fully integrated application and its surrounding infrastructure. Threats are determined, vulnerabilities are assessed, and patches are implemented to shore up defenses.
Types of DevOps Security Tests:
- Vulnerability Scanning: Scans of the application's ports, network, and surrounding infrastructure to determine potential opportunities for unauthorized access or cyber attack
- Penetration Testing: Evaluation of vulnerabilities identified by scans and additional test cases to determine which vulnerabilities are false positives and which are true exploits
- Ethical Hacking: Authorized hacks of the application to attempt to gain unauthorized access from outside the organization or steal sensitive information to highlight any backdoors into the system
- Risk Assessment: A comprehensive review and cataloging of the risks in the application based on the results of the previous tests to determine where vulnerabilities exist and their severity to prioritize them for the security team
- Security Audits: Routine audits of both the virtual and physical defenses of the application combined with data from the other tests and any successful attacks to gain a holistic view of the DevOps team's security posture
Creating an application that is resilient to DDoS and other problems that cause downtime or outages is also a concern of DevOps security testing, which is informed by the results of DevOps performance tests.
DevOps Performance Testing
When an application is under development, initially it will only be accessible to the members of your DevOps team. However, it will typically be deployed to a much larger user base, so DevOps teams can confirm that the application's internal and external infrastructure will be able to accommodate this demand through DevOps performance testing. No team wants its web application to crash from something as benign as too much traffic.
The expected number of users, demand on resources, traffic volume (if publicly accessible), and other relevant benchmarks will be determined during the planning phase so the DevOps team can build to meet these standards. Performance testing is how the team confirms the application is ready for production and deployment by evaluating it against requirements for speed, scalability, and stability.
Types of Performance Tests:
- Load Testing: Simulations of normal and peak usage of the built application to determine if it meets requirements for load times and consistently responds to requests
- Stress Testing: Demos of application usage specifically to determine the "breakpoint" when the application's servers stop responding and to identify any other scenarios that overload the system
- Volume Testing: Simulations to measure if the application can handle massive amounts of data input or output while still performing additional functions and serving other users' requests
- Capacity Testing: Evaluations to determine if an expected demand increase in the future will be supported by existing infrastructure and what will need to be added if not
- Recovery Testing: Simulated outages to measure if and how the application recovers from downtime and the length of time required to return to a normal state of operations
Performance tests will be conducted before deployment and routinely once the application is live to confirm that it performs as expected. After this checkpoint, a DevOps team will want to set a regular testing cadence to confirm performance metrics aren't decreasing as the application's database grows. DevOps automated testing can help maintain this schedule and deliver findings faster.
DevOps Automated Testing
Automation is central to a productive DevOps model, and it applies equally to DevOps testing. The previous testing strategies we examined (unit testing, security testing, performance testing) can all be automated to varying degrees.
DevOps automated testing is less of a specific practice and more of a general strategy for how to approach testing in the DevOps model. Automation simplifies testing by providing scale to otherwise manual processes such as running repeated tests to see if an application’s servers fail to respond at any point.
While a human could perform this test, you'll have better returns by making your team members responsible for the overall testing strategy versus executing the individual test cases. DevOps tools are a major component of automation. We'll cover tools that can help you streamline each DevOps testing strategy we've discussed in the next section.
DevOps Testing Tools
Now that we know the different test strategies for our DevOps pipeline, let's examine tools that will help you optimize your testing methodology. We've identified three of the top tools tailored to meet your evaluation needs for each testing category.
Unit Testing Tools
Note: unit testing tools are tailored to specific languages, so we have selected three tools that span popular coding languages and called out their concentrations in the headings.
2. Typemock — C++ and .NET
Typemock is a unit testing framework tailored to support legacy code. The framework is supported on Windows and Linux for C# as well as Microsoft Visual Studio for .NET. It offers many features, including code coverage reports to identify areas not covered by existing test cases, suggestions for new test cases, instant review of newly written code to highlight lack of coverage to support test-driven development, and additional insights into the security of your code.
3. EMMA — Java
EMMA is a unit testing framework for Java applications. Its focus is on recording the level of code covered by tests and highlighting gaps where more test cases are needed. The framework is designed to evaluate files quickly, and it is an open-source tool that is easy to install and integrate for quick deployment and feedback.
Security Testing Tools
ZED Attack Proxy (ZAP) is an open-source penetration testing tool used to identify vulnerabilities in web applications. It provides automated and passive scanning capabilities as well as tools for manually identifying gaps in your software's defenses. ZAP is compatible with Windows, macOS, Linux, and Unix. ZAP also provides additional testing features such as a proxy server to intercept requests and brute force attack simulations.
SonarQube is an open-source quality assurance platform built to analyze your application's code for security issues and vulnerabilities. It also identifies bugs and performance issues to give you a holistic view of your code's health. In addition, SonarQube enforces code standards and best practices to ensure your files are clean and manageable through either dynamic or static analysis.
Nmap is an open-source tool designed to rapidly scan large networks. Nmap uses raw IP packets to determine dozens of characteristics about your network, including available hosts, available services on those hosts, and firewalls in use. It is supported on all major operating systems and comes with additional tools for more insights into scan results, such as Ndiff to compare current and previous findings to identify patterns.
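Comparing a current scan against a previous one is what turns scanning into a pipeline check. The following added example (not from the original article, and a simplified stand-in rather than Ndiff itself) diffs two constructed scans in Nmap's grepable output layout and fails a hypothetical gate when an unapproved service appears; the function names and the `approved` allow-list are assumptions.

```python
import re

# Constructed sample data in Nmap's grepable (-oG) layout. Hosts use the
# 192.0.2.0/24 documentation range; these are not real scan results.
BASELINE = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp///, 443/open/tcp//https///
"""
CURRENT = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 6379/open/tcp//redis///
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 192.0.2.12 ()\tPorts: 3306/open/tcp//mysql///
"""

LINE_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$")

def open_services(grepable_text):
    """Return {(host, port, proto): service} for every port in state 'open'."""
    found = {}
    for line in grepable_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comment lines and status-only host lines
        host, ports = m.groups()
        ports = ports.split("\t")[0]  # drop any trailing tab-separated fields
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                found[(host, int(fields[0]), fields[2])] = fields[4]
    return found

def exposure_drift(baseline_text, current_text):
    """Return (newly opened, newly closed) services between two scans."""
    before, after = open_services(baseline_text), open_services(current_text)
    opened = sorted(k for k in after if k not in before)
    closed = sorted(k for k in before if k not in after)
    return [(k, after[k]) for k in opened], [(k, before[k]) for k in closed]

def gate(baseline_text, current_text, approved=frozenset()):
    """Pipeline gate: exit code 1 if any service outside `approved` appeared."""
    opened, _ = exposure_drift(baseline_text, current_text)
    unapproved = [(k, svc) for k, svc in opened if (k[1], k[2]) not in approved]
    return (1 if unapproved else 0), unapproved

if __name__ == "__main__":
    print(gate(BASELINE, CURRENT, approved={(3306, "tcp")}))
```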
Performance Testing Tools
Apache JMeter is open-source software built for load testing applications and measuring performance. The tool runs tests across standard web protocols (e.g. HTTPS, FTP, TCP) and can simulate heavy loads across environments, including individual servers, groups of servers, networks, or objects. Additional features include a full-featured test IDE and dynamic reports.
Predator is a load testing tool that allows you to perform unlimited tests across an unlimited number of application instances. It integrates with Kubernetes, DC/OS, and Docker, and the tool provides real-time reporting on the results of tests. Additionally, it offers built-in capabilities for storing test data in Cassandra, Postgres, MySQL, MSSQL, and SQLite formats.
Automated Testing Tools
TestProject is a test automation framework that evaluates applications in web and mobile environments. It supports Android and iOS testing as well as all major web browsers, and test cases can be written in its SDK tool or recorded in the browser. All cases can be shared with other team members. Finally, TestProject offers multiple add-ons and integrations with other open-source automation frameworks like Selenium and Appium.
Selenium is an open-source automation tool for testing web applications across different web browser environments (e.g. Chrome, Mozilla Firefox, Internet Explorer) and different devices (e.g. smartphone, laptop, desktop). It also has a built-in scripting language to allow for easier automation of test cases and is one of the most popular test automation tools available. Selenium supports parallel test execution so that other tests run against the application concurrently, which saves time.
Leapwork is an automation platform committed to making test automation accessible to non-coders through a visual dashboard that requires no scripting. The tool allows users to build tests through flowcharts and then automate them to evaluate applications at scale. Leapwork can run tests against the full technology stack, including web applications, local machines, virtual machines, and even legacy mainframes.
Implementing DevOps Testing in Your Pipeline
To return to my creative writing example, my strategy for evaluating my writing did not come into place overnight. I learned by trial and error combined with a healthy amount of research and mentoring along the way.
In other words, I kept testing and refining my strategy based on new data and input from stakeholders. We recommend the same method for your DevOps testing practices. Whether you already have testing strategies in place or are starting to create these, adopt the iterative process of DevOps and focus on continual improvements. DevOps is a journey, not a destination, and this applies to DevOps testing as much as the rest of the model. Your goal should not be to perfect your testing but to keep it adaptive to innovations and new methods. This approach will pay the most dividends as technology continues to evolve.