I’ve been meaning to talk about unit testing software for a while. This is software that can analyse source code on the developer’s desktop and identify errors and security vulnerabilities before they hit production.
I prefer unit testing to black-box testing and think that it’s far better value for money. For a start, it encourages software quality: developers see the errors while they work, which raises awareness, supports training initiatives, and consequently means fewer errors are put into production (where, as we all know, they become more expensive and difficult to fix). It also fits right into the SDLC regardless of methodology, including Agile, and adds value to the compliance due diligence process.
Using unit testing tools throughout the lifecycle does, in my opinion, mitigate a good deal of product-related risk. Couple that with grey-box testing and you have a powerful armoury against code-related vulnerabilities.
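To make the idea of a desktop source analyser concrete, here is an added example that is not part of the original post and is not Fortify’s, JTest’s or FxCop’s code. It is a deliberately small Python checker that walks the AST of a source file and flags a few well-known dangerous call patterns (`eval`/`exec`, `subprocess.*` with `shell=True`, and `pickle.load(s)`), reporting the line number and a short explanation, so a developer sees the problem while still at their desk. The rule names (`PY-EVAL`, `PY-SHELL`, `PY-PICKLE`) and the sample source it scans are constructed for this illustration; a real tool would carry hundreds of rules and track data flow rather than just call names.

```python
"""Minimal source analyser: flags a few risky call patterns in Python code.

Added illustration of the kind of desktop check a developer could run as
part of the unit-test suite. Not the code of any vendor named on the page.
"""
import ast
from dataclasses import dataclass


@dataclass
class Finding:
    line: int      # 1-based line in the analysed source
    rule: str      # constructed rule identifier
    message: str   # why a reviewer should care


# Hypothetical rule set, constructed for this example.
DANGEROUS_BUILTINS = {"eval", "exec"}
UNSAFE_DESERIALISERS = {"pickle.load", "pickle.loads"}


def _call_name(node: ast.Call) -> str:
    """Return the callee as a dotted name, e.g. 'subprocess.run' or 'eval'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def _has_shell_true(node: ast.Call) -> bool:
    """True if the call passes the keyword argument shell=True literally."""
    for kw in node.keywords:
        if kw.arg == "shell" and isinstance(kw.value, ast.Constant):
            return kw.value.value is True
    return False


def analyse(source: str) -> list[Finding]:
    """Scan Python source text and return findings sorted by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in DANGEROUS_BUILTINS:
            findings.append(Finding(node.lineno, "PY-EVAL",
                f"{name}() executes arbitrary code if its argument is untrusted"))
        elif name.startswith("subprocess.") and _has_shell_true(node):
            findings.append(Finding(node.lineno, "PY-SHELL",
                f"{name}(shell=True) allows command injection via attacker-controlled arguments"))
        elif name in UNSAFE_DESERIALISERS:
            findings.append(Finding(node.lineno, "PY-PICKLE",
                f"{name}() on untrusted data can execute arbitrary code"))
    return sorted(findings, key=lambda f: f.line)


def report(findings: list[Finding]) -> str:
    """Render findings one per line, in the style of a compiler warning."""
    return "\n".join(f"line {f.line}: [{f.rule}] {f.message}" for f in findings)


def assert_clean(source: str) -> None:
    """Fail like a unit test when the source contains any finding."""
    findings = analyse(source)
    if findings:
        raise AssertionError("security findings:\n" + report(findings))


# Constructed sample: one safe subprocess call next to three risky calls.
SAMPLE_SOURCE = '''\
import subprocess, pickle

def run(cmd, payload, expr):
    subprocess.run(cmd, shell=True)           # line 4: shell=True
    subprocess.run(["ls", "-l"], check=True)  # line 5: argv list, no shell
    data = pickle.loads(payload)              # line 6: untrusted deserialisation
    return eval(expr)                         # line 7: arbitrary code execution
'''


if __name__ == "__main__":
    print(report(analyse(SAMPLE_SOURCE)))
```

Wired into the developer’s test suite, `assert_clean()` turns each of these patterns into a failing test on the desktop rather than a finding in a production pentest; the detection here is purely syntactic, so the commercial tools discussed above add value mainly through data-flow tracking and a far larger rule catalogue.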
One particular vendor I’ve spent some time talking to is Fortify Software. I’ve been very impressed by a number of things: the ease with which their solution fits into just about any development environment, its ease of use, and the quality of its reporting are all excellent. There are other tools as well, such as JTest, which I’ve heard good things about from development groups who use it, and FxCop, which is an open source analysis tool for .NET developers.
Fortify Software maintain a blog at http://extra.fortifysoftware.com/blog/. It makes for a very interesting read.