Software projects are rarely on-spec, on-time and on-budget, and the primary cause is miscommunication. As Martin Fowler says, there is a "yawning crevasse of doom" between stakeholders and developers, full of misunderstanding. How do you make sure that you're building something that adds value? How do you know you're building the thing that was asked for? How does your bottom line affect user experience?
Into the fray leaps Cucumber, a business-readable DSL combined with an awesome Ruby library that lets domain experts express business requirements as executable user stories. We'll cover outside-in, story-driven development with Cucumber, how to write effective stories, and how to make Cucumber work for your project.
(as given to CharlotteRuby on Jan 6, 2010)
Outside-in Development with Cucumber and RspecJoseph Wilk
Talk given by Joseph Wilk at Scotland on Rails 2009. Examines how Cucumber and Rspec fit together in the testing workflow, how and why Cucumber is useful and how it works. Walks through a simple example based on renting DVDs showing how to use Cucumber and some of the best practices. Looks at how Webrat can drive Selenium to in-turn drive Cucumber features through the browser.
“Can we integrate mobile, web and API testing into a single open-source automation framework? And, we only want all the test scripts to be written in human-readable language, we want them to be easily integrated to CI system. It’s quite a hard question, isn’t it?” If you or your organization also have the same question and still on trying to find solution for that. Then, we believe that this seminar is for you! At the seminar, we will cover the following topics:
The Need of Automation Testing Nowadays
How BDD Cuke and Ruby on Rails can help
A Universal Automation Framework: Mobile, Web, API and CI Integration
Outside-in Development with Cucumber and RspecJoseph Wilk
Talk given by Joseph Wilk at Scotland on Rails 2009. Examines how Cucumber and Rspec fit together in the testing workflow, how and why Cucumber is useful and how it works. Walks through a simple example based on renting DVDs showing how to use Cucumber and some of the best practices. Looks at how Webrat can drive Selenium to in-turn drive Cucumber features through the browser.
“Can we integrate mobile, web and API testing into a single open-source automation framework? And, we only want all the test scripts to be written in human-readable language, we want them to be easily integrated to CI system. It’s quite a hard question, isn’t it?” If you or your organization also have the same question and still on trying to find solution for that. Then, we believe that this seminar is for you! At the seminar, we will cover the following topics:
The Need of Automation Testing Nowadays
How BDD Cuke and Ruby on Rails can help
A Universal Automation Framework: Mobile, Web, API and CI Integration
Concise guide to starting with Behat.
Covers:
* What is Behat?
* How do you get started with Behat?
* How to write tests?
* How to write good tests!
How to write portable tests, and other common problems.
“How are business users assured that all features are built and tested?”. “Test cases written by the test teams are too technical for business users”. If you find yourself in the above situations, Behavior-Driven Development (BDD) may be a good choice for your team. In this presentation, we will discuss BDD as an agile development practice, automation testing using Cucumber as well as the advantages and disadvantages of BDD/Cucumber.
A Debugging Adventure: Journey through Ember.js GlueMike North
In this talk, we'll first look at a couple areas of the Ember framework that we typically don't end up touching. We'll first take a trip through the application and registry objects, touching on the changes around the recently-added Ember.getOwner API. We'll discuss initializers and instance initializers -- the most common place to make an adjustment to these kinds of objects. We'll leave listeners with a methodical process for debugging container-related issues
Next, we'll take a look at how Ember finds ES6 modules in particular places using the Resolver. If you get a "module not found" error, where can you look to see all registered modules in your app? How can we add a new ES6 module to our project? How can we ES6-ify a global or a named AMD module?
Finally, we'll look at Broccoli Ember-CLI's asset pipeline. We'll build a simple broccoli plugin that adds a copyright notice and a "build date" comment to the top of your production JavaScript assets, in less than 10 lines of code. We'll use broccoli-stew to get some visibility into what's going on in our app's build pipeline.
For over a decade, most of us built web UIs operating under the assumption that servers would render mostly-static HTML, and we’d boil the ocean and free all client-side memory with every page load. This was a simple world, where the server-side was aware of the user’s intent and context.
Enter the Single Page Application (SPA) - there are all sorts of usability and performance, and scalability benefits that come along with building a web app this way, but there are also some serious challenges. There are some implicit assumptions that our users make about how apps should work, and we must work a bit harder in order to keep them intact. Take the “Back” and “Refresh” buttons, for example: in order for this to work as our users expect, we must keep certain elements of state serialized in the URL in order to avoid “breaking” this as we simulate a multi-page experience in a SPA.
Add in the concept of “server-side rendering”, where our asset serving layer sometimes needs browser details (i.e. viewport dimensions) in order to render the correct content, and state decisions become even more consequential and complex.
In this talk, I’ll outline four types of state
Navigation state
Persisted state
UI state
“Will be persisted” state
and provide examples for each. Along the way, we’ll start to assemble a framework of questions that you can ask yourself when encountering new pieces of state, to lead you down the right path(s).
Rails Antipatterns | Open Session with Chad Pytel Engine Yard
As developers worldwide have adopted the Ruby on Rails web framework, many have fallen victim to common mistakes that reduce code quality, performance, reliability, stability, scalability, and maintainability. Even experienced developers will find that they can reevaluate the work they've done and make it better.
In this session, Chad Pytel will provide an overview of some of these common mistakes as well as take questions from the audience and provide real-world advice. Bring your issues and get expert advice on how to bring your code in line with today's best practices.
Getting Started with Test Automation: Introduction to Cucumber with Lapis LazuliRebecca Eloise Hogg
Introduction to web testing with Cucumber using spriteCloud's Lapis Lazuli Cucumber helper.
This presentation will take you through the steps needed to set up a test automation project using Cucumber - a software tool that runs automated tests in the BBD style - in combination with Lapis Lazuli, a gem that provides Cucumber helper functions and scaffolding for easier web test automation suite development.
To do this you will need to have installed Ruby with some drivers and libraries. You can find detailed notes on how to do this here: http://www.testautomation.info/Getting_Started
To successfully follow this tutorial, prior knowledge of test automation isn’t needed, but knowledge of scripting - especially Ruby - and HTML skills are recommended.
Lapus Lazuli's GitHub depository: https://github.com/spriteCloud/lapis-lazuli
For more information about everything test automation, whether you need someone to help you set up TA in your organisation or want to find out more about our Test Automation as a Service options, email: info@spritecloud.com.
Concise guide to starting with Behat.
Covers:
* What is Behat?
* How do you get started with Behat?
* How to write tests?
* How to write good tests!
How to write portable tests, and other common problems.
“How are business users assured that all features are built and tested?”. “Test cases written by the test teams are too technical for business users”. If you find yourself in the above situations, Behavior-Driven Development (BDD) may be a good choice for your team. In this presentation, we will discuss BDD as an agile development practice, automation testing using Cucumber as well as the advantages and disadvantages of BDD/Cucumber.
A Debugging Adventure: Journey through Ember.js GlueMike North
In this talk, we'll first look at a couple areas of the Ember framework that we typically don't end up touching. We'll first take a trip through the application and registry objects, touching on the changes around the recently-added Ember.getOwner API. We'll discuss initializers and instance initializers -- the most common place to make an adjustment to these kinds of objects. We'll leave listeners with a methodical process for debugging container-related issues
Next, we'll take a look at how Ember finds ES6 modules in particular places using the Resolver. If you get a "module not found" error, where can you look to see all registered modules in your app? How can we add a new ES6 module to our project? How can we ES6-ify a global or a named AMD module?
Finally, we'll look at Broccoli Ember-CLI's asset pipeline. We'll build a simple broccoli plugin that adds a copyright notice and a "build date" comment to the top of your production JavaScript assets, in less than 10 lines of code. We'll use broccoli-stew to get some visibility into what's going on in our app's build pipeline.
For over a decade, most of us built web UIs operating under the assumption that servers would render mostly-static HTML, and we’d boil the ocean and free all client-side memory with every page load. This was a simple world, where the server-side was aware of the user’s intent and context.
Enter the Single Page Application (SPA) - there are all sorts of usability and performance, and scalability benefits that come along with building a web app this way, but there are also some serious challenges. There are some implicit assumptions that our users make about how apps should work, and we must work a bit harder in order to keep them intact. Take the “Back” and “Refresh” buttons, for example: in order for this to work as our users expect, we must keep certain elements of state serialized in the URL in order to avoid “breaking” this as we simulate a multi-page experience in a SPA.
Add in the concept of “server-side rendering”, where our asset serving layer sometimes needs browser details (i.e. viewport dimensions) in order to render the correct content, and state decisions become even more consequential and complex.
In this talk, I’ll outline four types of state
Navigation state
Persisted state
UI state
“Will be persisted” state
and provide examples for each. Along the way, we’ll start to assemble a framework of questions that you can ask yourself when encountering new pieces of state, to lead you down the right path(s).
Rails Antipatterns | Open Session with Chad Pytel Engine Yard
As developers worldwide have adopted the Ruby on Rails web framework, many have fallen victim to common mistakes that reduce code quality, performance, reliability, stability, scalability, and maintainability. Even experienced developers will find that they can reevaluate the work they've done and make it better.
In this session, Chad Pytel will provide an overview of some of these common mistakes as well as take questions from the audience and provide real-world advice. Bring your issues and get expert advice on how to bring your code in line with today's best practices.
Getting Started with Test Automation: Introduction to Cucumber with Lapis LazuliRebecca Eloise Hogg
Introduction to web testing with Cucumber using spriteCloud's Lapis Lazuli Cucumber helper.
This presentation will take you through the steps needed to set up a test automation project using Cucumber - a software tool that runs automated tests in the BBD style - in combination with Lapis Lazuli, a gem that provides Cucumber helper functions and scaffolding for easier web test automation suite development.
To do this you will need to have installed Ruby with some drivers and libraries. You can find detailed notes on how to do this here: http://www.testautomation.info/Getting_Started
To successfully follow this tutorial, prior knowledge of test automation isn’t needed, but knowledge of scripting - especially Ruby - and HTML skills are recommended.
Lapus Lazuli's GitHub depository: https://github.com/spriteCloud/lapis-lazuli
For more information about everything test automation, whether you need someone to help you set up TA in your organisation or want to find out more about our Test Automation as a Service options, email: info@spritecloud.com.
Darius Silingas - From Model Driven Testing to Test Driven ModellingTEST Huddle
EuroSTAR Software Testing Conference 2010 presentation on From Model Driven Testing to Test Driven Modelling by Darius Silingas. See more at conferences.eurostarsoftwaretesting.com/past-presentations/
Please view the updated SlideShare presentation - "Golden Rules of User Experience Design" (April, 2013)
Theo Mandel, Ph.D. was invited to give this keynote presentation at the User eXperience Russia conference in Moscow in 2009.
"The Golden Rules of Web Design," is a presentation based on a chapter from the well-known book, "The Elements of User Interface Design" (John Wiley & Sons, 1997). The presentation describes the history of UI/Web interface design and usability guidelines, and then shows how these "Golden Rules" of interface design still apply to today's web design world. Mandel was also part of IBM's CUA user interface architecture team that designed the object-oriented OS/2 operating system interface. The team published the acclaimed book, "Object-Oriented Interface Design: IBM Common User Access Guidelines (Que, 1992).
Mandel's book was translated into Russian in 2005. It was the first book translated into Russian with the word "Interface" in its title. Many of the attendees at the conference learned their craft by reading this book.
For more information, contact:
Theo Mandel, Ph.D.
theo (at) theomandel.com
www.theomandel.com
Learn the basics of the agile way-of-life that has helped many companies realize their potential in the market. The agile secret sauce was once a thing that was only enjoyed by software organizations on the East and West coasts, but is now invading Indianapolis -- increasing productivity, making teams empowered (and happier!), and helping managers focus less on the taskmaster role and more on the important stuff.
How to organize a user story writing workshop. An overview for Scrum Masters, Product Owners, and others wanting to organize creation of an agile product backlog
Make Everyone a Tester: Natural Language Acceptance TestingPatrick Reagan
Patrick discusses various approaches to automating acceptance testing and strategies for getting non-developers to communicate requirements through tests.
This presentation has been given at ScanDev 2013 and XP 2013. It's also going to be given at NDC 2013 later this week.
The key message is that there is a huge amount in common between the various example-based development techniques. The differences are minor and mainly due to the background of the technique and its intended audience.
EWD 3 Training Course Part 10: QEWD Sessions and User AuthenticationRob Tweed
This presentation is Part 10 of the EWD 3 Training Course. It explains the relationship between QEWD Sessions and User Authentication in a QEWD application, and how to control and manage User Authentication in your applications.
Paperless On-Boarding on Ribily is the 3rd App built in the build fast series. It automates the process of getting stuff ready for the new Employee before his/her joining date.
Make Everyone a Tester: Natural Language Acceptance TestingViget Labs
Application testing has traditionally been the responsibility of those in formal QA roles or, more recently, the application developers themselves. Is being a programmer or tester really a requirement for effectively testing your web application? Discover ways to enable your existing team to write human-readable tests they can run in their own browser.
Many of the testers understand the importance of automated tests which can test the system end to end. There are plenty of tools like Selenium, Watir, White etc. which allow you to drive your web or desktop ui for these tests. The intention of these tests is to mimic the user’s interaction with the system and automatically validate that he could achieve his goals.
Considering this, wouldnt it make sense for tests to talk the same language that an end user understands. Although, When we look around today most of the functional tests talk the language that the browser understands, it goes click button A, enter value in textfield B etc.
In this session we will share various approaches which allow you to build tests which an end user can understand and maybe even participate in writing. We will look at the problems with the usual approach of end-to-end writing tests such as being too verbose and technical.
We will look at the multiple benefits of writing tests in the end user’s language and the different ways in which to achieve it.
Finally, we will look at the key takeaways.
Outlines a simple Rails workflow utilizing git, Github Issues, Cucumber, and RSpec. Demonstrates that Cucumber can be used to drive the implementation path.
Driving adoption in Salesforce.com can be a full time job. The easiest way is to automate work for your users. Custom buttons and links take away some of the "busy work".
Jobzella.com Website UX Map Proposal Presentation Ahmed Alshair
This is a UX Plan and orientation of the design concept and main points of focus for Jobzella new website.
I prepared it as a first meeting presentation to discuss the business model and its impact on the design process and the target audience.
Behaviour-Driven Development (BDD) is a game changer for the whole team! Behaviour Driven Development is a powerful collaboration technique that can empower teams to deliver higher value features to the business faster and more effectively. More than just a testing technique, BDD is both a collaboration and a verification tool, and a vital step on the road to Continuous Delivery.
Eventually Consistent Data Structures (from strangeloop12)Sean Cribbs
There are many reasons to use an eventually-consistent database — like Riak, Voldemort, or Cassandra — including increased availability, lower latency, and fault-tolerance. However, doing so requires a mental shift in how to structure client applications, and certain types of traditional data-structures, like sets, registers, and counters can’t be resolved simply in the face of race-conditions. It is difficult to achieve “logical monotonicity” except for the most trivial data-types.
That is, until the advent of Convergent Replicated Data Types (CRDTs). CRDTs are data-structures that tolerate eventual consistency. They replace traditional data-structure implementations and all have the property that, given any number of conflicting versions of the same datum, there is a single state on which they converge (monotonicity). This talk will discuss some of the most useful CRDTs and how to apply them to solve real-world data problems.
There are many reasons to use an eventually-consistent database -- like Riak, Voldemort, or Cassandra -- including increased availability, lower latency, and fault-tolerance. However, doing so requires a mental shift in how to structure client applications, and certain types of traditional data-structures, like sets, registers, and counters can't be resolved simply in the face of race-conditions. It is difficult to achieve "logical monotonicity" except for the most trivial data-types.
That is, until the advent of Conflict-Free Replicated Data Types (CRDTs). CRDTs are data-structures that tolerate eventual consistency. They replace traditional data-structure implementations and all have the property that, given any number of conflicting versions of the same datum, there is a single state on which they converge (monotonicity). This talk will discuss some of the most useful CRDTs and how to apply them to solve real-world data problems.
Concurrency in Ruby is all the rage these days, and people can't seem to agree
whether Threads, Fibers, event loops, or actors are the best solution. But did you ever consider that your *sequential* Ruby program might be concurrent, with nary a Thread, Fiber, or callback in sight? Well, it happened to me.
This is the story of how accidental concurrency (also known as re-entrancy) broke my brain multiple times over the course of two years, spawned flamewars on Twitter, long blog posts, and the various solutions I took to solve the problem. Along the way we'll illuminate some subtleties of concurrent programming in Ruby, differences between several Ruby implementations, and how we can all write code that is friendlier when accidental concurrency strikes.
Embrace NoSQL and Eventual Consistency with RippleSean Cribbs
So, there's this "NoSQL" thing you may have heard of, and this related thing called "eventual consistency". Supposedly, they help you scale, but no one has ever explained why! Well, wonder no more! This talk will demystify NoSQL, eventual consistency, how they might help you scale, and -- most importantly -- why you should care.
We'll look closely at how Riak, a linearly-scalable, distributed and fault-tolerant NoSQL datastore, implements eventual consistency, and how you can harness it from Ruby via the slick Ripple client/ORM. When the talk is finished, you'll have the tools both to understand eventual consistency and to handle it like a pro inside your next Ruby application.
A discussion of strategies for designing application schemas that use the Riak distributed key-value store.
Video available here: http://vimeo.com/17604126
Ruby on Rails is a powerful web framework that focuses on developer productivity. Riak is a friendly key-value store that is simple, flexible and scalable. Put them together and you have lots of exciting possibilities!
Moving to Riak involves a number of changes from the status quo of RDBMS systems, one of which is taking greater control over your schema design.
* How do you structure data when you don't have tables and foreign keys?
* When should you denormalize, add links, or create map-reduce queries?
* Where will Riak be a natural fit and where will it be challenging?
An introduction to Basho's Riak distributed data store, and the Ripple client in Ruby. Code samples from the demos are here: http://gist.github.com/365791
Many developers will be familiar with lex, flex, yacc, bison, ANTLR, and other related tools to generate parsers for use inside their own code. For recognizing computer-friendly languages, however, context-free grammars and their parser-generators leave a few things to be desired. This is about how the seemingly simple prospect of parsing some text turned into a new parser toolkit for Erlang, and why functional programming makes parsing fun and awesome
Most developers will be familiar with lex, flex, yacc, bison, ANTLR, and other tools to generate parsers for use inside their own code. Erlang, the concurrent functional programming language, has its own pair, leex and yecc, for accomplishing most complicated text-processing tasks. This talk is about how the seemingly simple prospect of parsing text turned into a new parser toolkit for Erlang, and why functional programming makes parsing fun and awesome.
Reviews grammar and parsers and discusses my personal path toward writing my own packrat parser-generator for Erlang called neotoma.
Given to "Evil Robot Conference" on September 12, 2009.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
28. Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
29. Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
30. $ cucumber
Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
1 scenario (1 undefined)
4 steps (4 undefined)
0m0.754s
31. You can implement step definitions for undefined steps with these
snippets:
Given /^I do not have an account$/ do
pending
end
When /^I signup with email and password$/ do
pending
end
Then /^I should be logged in$/ do
pending
end
Then /^my profile details should be filled in$/ do
pending
end
32. Given /^I do not have an account$/ do
User.count.should == 0
end
33. Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
uninitialized constant User (NameError)
./features/step_definitions/signup_steps.rb:2:in `/^I do not have an
account$/'
features/signup.feature:7:in `Given I do not have an account'
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
Failing Scenarios:
cucumber features/signup.feature:6 # Scenario: Signup with valid email/
password combination
1 scenario (1 failed)
4 steps (1 failed, 3 undefined)
0m0.136s
35. Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
1 scenario (1 undefined)
4 steps (3 undefined, 1 passed)
0m0.136s
37. Feature: Standard Signup
In order to begin using the application
As a new user
I want to create an account
Scenario: Signup with valid email/password combination
Given I do not have an account
When I signup with email and password
Then I should be logged in
And my profile details should be filled in
1 scenario (1 passed)
4 steps (4 passed)
0m0.138s
38. Before do
# do before each scenario
end
After do
# do after each scenario
end
AfterStep do
# do after each Given/When/Then/And/But step
end
Before("@tagged") do
# do before scenarios tagged with @tagged
end
39. # features/support/time.rb
module TimeHelpers
def set_zone(zone_name)
Time.zone = zone_name
end
end
World(TimeHelpers)
# features/step_definitions/user_steps.rb
Given /^I am in the "([^"]*)" time zone$/ do |zone|
set_zone(zone)
end
43. Feature: Name or theme
In order to make, protect, or save money
As a stakeholder
I want to have some feature
44. Feature: School account management
In order to maximize revenue by offering
our product to multiple schools at once
As the site owner
I want to provide individual accounts to each
school and manage them
45. Feature: School account management
In order to maximize revenue by offering
Schoolbinder to multiple schools at once
As the site owner
I want to provide individual accounts to each
school and manage them
Scenario: List accounts
Scenario: Create an account
Scenario: Revoke an account
Scenario: List admin users for accounts
Scenario: Change subdomain for account
46. Feature: School account management
In order to maximize revenue by offering
Schoolbinder to multiple schools at once
As the site owner
I want to provide individual accounts to each
school and manage them
Scenario: List accounts
Then I should see a list of accounts
47. Feature: School account management
In order to maximize revenue by offering
Schoolbinder to multiple schools at once
As the site owner
I want to provide individual accounts to each
school and manage them
Scenario: List accounts
When I go to the accounts page
Then I should see a list of accounts
48. Feature: School account management
In order to maximize revenue by offering
Schoolbinder to multiple schools at once
As the site owner
I want to provide individual accounts to each
school and manage them
Scenario: List accounts
Given I am logged in as the site owner
When I go to the accounts page
Then I should see a list of accounts
51. # descriptive
When I create a new account for "ms218"
# imperative
When I follow "New account"
And I fill in "Name" with "ms218"
And I submit the form
55. # conjunctive
When I change my name to "Sean" and my password to "foobar"
# independent
When I change my name to "Sean"
And I change my password to "foobar"
57. # conflated scenarios, multiple passes
Scenario: Bulk comment on short term goals
Given I have set all short-term goals for "ELA > Writing > Organization" for class
"601"
When I follow "Edit" for long-term goal "Organization"
And I follow "Comment" for short-term goal "Coherence"
Then I should see all students that pertain to this short-term goal
And I should see the standard comment box and "Post new comment" button
When I type in the comment box
And I follow "Post"
Then I should see that my comment was posted
# single scenario, single pass
Scenario: Bulk comment on short term goals
Given I have set all short-term goals for "ELA > Writing > Organization" for class
"601"
When post a comment for short-term goal "Coherence"
Then I should see that my comment was posted
And all students in class "601" should receive my comment
59. Background:
Given an account for subdomain "ms217"
And these administrators for subdomain "ms217":
| email | name |
| joe@ms217.edu | Joe Smith |
| jane@ms217.edu | Jane Doe |
And this welcome message for subdomain "ms217":
"""
Welcome back, students!
- The principal
"""
60. Scenario Outline: Successful authentication with email
Given a <type> named "<first name> <last name>" with email <email> and password
"<password>"
And I am on the login screen
When I login with "<email>" and "<password>"
Then I should be logged in
Examples:
| type | email | first name | last name | password |
| student | joe@school.edu | Joe | Smith | testing123 |
| teacher | jane@school.edu | Jane | Brown | testing456 |
| staff | mark@school.edu | Mark | White | testing789 |
| admin | paul@school.edu | Paul | Greene | testing098 |
The root cause of so many problems in software projects is miscommunication.
This is largely because so much of software development is abstract - that is, it happens in your brain. Nontechnical people also have ideas and desires about what software can do that are equally abstract.
In the course of a project, it&#x2019;s often hard to tell what&#x2019;s really important to its success...
...and who said what, and why you should care.
Bottom line, miscommunication is wasteful - in time, money, energy and relationships.
Miscommunication causes you to build the wrong feature...
... or to build it incorrectly ...
... or to build unnecessary features.
I bet you&#x2019;re saying, &#x201C;hey, aren&#x2019;t you using an Agile process?&#x201D; Why yes, I am, thanks. Agile methodologies have a few tools that we can use to help alleviate these miscommunication problems.
The first is user stories. For any feature that needs to be developed, you create a persona and write a story about how that person will use your software, and what things that person will want to accomplish.
Agile also gives us one of the top buzzes of the Ruby community since its adoption in the West- TDD. TDD encourages us to write tests for our software before we write the software, often resulting in better designs and greater flexibility as the project evolves. So what if we put these two techniques together?
When you do, you get what I call Story-Driven Development. Your agile user stories become the tests for your software. You&#x2019;ll see more of what I mean in a little bit.
The focus of SDD is to keep your software lean and to create value with every new feature.
That is, at each step you&#x2019;ll be doing the minimum to satisfy the requirements specified by the story...
...and that story will be designed so that it directly affects your project&#x2019;s ability to make new revenue, protect existing revenue, control costs, or alleviate user pain and increase utility (basically protecting revenue).
The path to finding the business value in each new feature is to pop the &#x201C;why&#x201D; stack.
That is, the person writing the story will query the business expert who is requesting the feature with pointed &#x201C;why&#x201D; questions until the result comes down to money. Along the way, you&#x2019;ll identify who the stakeholders are and what value they receive. We&#x2019;ll see more about how this fits into the process later.
By expressing the tests for your software first as user stories, you are greatly increasing the ability for the technical people to communicate with the business people. You start to develop a &#x201C;ubiquitous language&#x201D; for the problem your software addresses that will assist as the project progresses. See also Eric Evans&#x2019; &#x201C;Domain Driven Design&#x201D;.
With story-driven development, you can start to bridge Martin Fowler&#x2019;s &#x201C;yawning crevasse of doom&#x201D; between the developers and the suits.
Your stories become a living functional specification and documentation for your software. Rather than requirements being handed down etched in a stone tablet, the stories become conversation pieces between all parties in the process -- customers, project managers, designers, and developers.
Furthermore, your user stories are executable tests that can be used to verify your software. Hooray for TDD!
So how can you implement this process in a Ruby project? You use Cucumber!
Now what I&#x2019;ve described before this point is 75% or more of what you&#x2019;ll do in Story-Driven Development. Cucumber is just a tool to take you the last 25% from concept to implementation. So this next section is going to be a little more about the &#x201C;how&#x201D; and not the &#x201C;why&#x201D;. But first, more about Cucumber...
Cucumber&#x2019;s first component is a business-readable DSL curiously called &#x201C;gherkin&#x201D;. This is a loose format for structuring your user stories so that they will easily translate to executable tests. Note that I didn&#x2019;t say &#x201C;business-writable&#x201D;! The DSL is meant to be written by somebody who works with the biz person, but is also aware of the technical side.
Cucumber is also, unsurprisingly, a Ruby library that runs the stories as tests against your application.
Cucumber stories are intended to exercise your application from top-to-bottom, or more accurately, from the perspective of the user. So if you had to classify them, they&#x2019;d be considered integration tests.
So here&#x2019;s a pretty typical Cucumber story; this one happens to be about signing up to use the application.
The only portions of the story that Cucumber cares about are shown here in bold, so you&#x2019;re pretty free to write the stories as make sense for the domain. &#x201C;Scenario&#x201D; signifies the beginning of a new story, Given/When/Then specify preconditions, user actions, and post-conditions respectively. You can also use &#x201C;And&#x201D; or &#x201C;But&#x201D; to make your story read well.
So let&#x2019;s execute that story. Cucumber parses the story and attempts to run the Given/When/Then steps that we defined. Since we haven&#x2019;t written any code yet, all of the steps are pending.
Now, you were probably wondering how we can implement one of those steps. Well, Cucumber gives us a hint whenever we have unimplemented steps. You can copy and paste any or all of those blocks out of the terminal into your favorite editor.
So let&#x2019;s implement the first step. Given represents preconditions, so in this case, we&#x2019;re just doing a paranoid check that there are no registered users. If this statement makes you uncomfortable, don&#x2019;t worry just yet. Let&#x2019;s run the story again.
Well, it failed, DUH! We haven&#x2019;t defined the User class yet. So let&#x2019;s go &#x201C;down a gear&#x201D; and implement what we need to make that step pass.
So, since this is a Rails app, we&#x2019;ll use script/generate to create the User model and migrate the database.
Now if we run the story again, we see that the step passed. Before we did that, we might want to write some test/unit tests or RSpec examples to exercise our User model. However - remember we&#x2019;re always trying to do the minimum amount possible to make the feature pass. If it wasn&#x2019;t asked for, don&#x2019;t build it!
So once you have created a step matcher, written what needs to be written to exercise the application, and filled in your lower layers of tests, you repeat that process until you get...
... all green! At this point, you would pass the feature to other stakeholders who will evaluate and hopefully approve the work. But let&#x2019;s first talk about some more of the features that Cucumber gives you that&#x2019;ll make story-driven development a snap.
Every testing framework pretty much needs lifecycle hooks, and Cucumber doesn&#x2019;t disappoint. You can define blocks that will be executed before or after each scenario, after each step, or applied to only specific scenarios or features you have tagged.
One feature I use a lot is to extend the Cucumber &#x201C;World&#x201D;, which is the object within which all of your steps execute. Just define a module and pass it to the global &#x201C;World&#x201D; method, and then the module&#x2019;s methods will be available within any step or callback. There are quite a few plugins for Cucumber that use this technique.
So far, I&#x2019;ve been speaking about how great this process is. But the ugly truth is that good user stories are really hard to write.
So how do you begin? You first write the value proposition. This is the most important part of your story and should answer why you need the described feature at all!
I start by writing &#x201C;Feature:&#x201D; and then a descriptive name for the thing that this story will describe, or a vertical aspect of the application that might not have a specific name -- for example, &#x201C;Admin privileges&#x201D;.
The next part is to &#x201C;pop the why stack&#x201D;, identifying the value in the feature. I usually write the value proposition in this three-line format, but there are no restrictions on how you write it. I just find that this format helps me focus on the business value of the feature.
So here&#x2019;s an example from an app I worked on earlier this year. We identified the value, who would be taking the action in the story, and what the software would do to provide that value. This story describes a feature of an application for student goal and competency management in primary and secondary schools. [describe the value prop]
Next, I create a list of the various things the stakeholder/user can do. Each of these things becomes a scenario within the feature story.
Then you start formulating the scenario. The best way to do this is to write the outcome or &#x201C;Then&#x201D; step first, making sure that the desired outcome directly relates to the value proposition stated at the top. In this story, we want to manage school accounts, so seeing a list of the existing accounts would help toward that goal.
After you have the outcome, you decide what action the user takes to achieve that outcome, or the &#x201C;When&#x201D; steps. In this case, our user is navigating to the accounts page in our web app.
Finally, you write the preconditions for the user to be able to take that action, or the &#x201C;Given&#x201D; steps. We want this functionality only accessible to the site owner and not normal users, so we specify that the user must be logged in as the owner.
So how did I decide to write the story in that fashion? A good rule of thumb to use is that descriptive stories are generally better than imperative stories. Why?
You want to reveal intention. Your user doesn&#x2019;t care about how the software is implemented unless they are directly affected.
Here&#x2019;s an example from our previous feature of how descriptive steps and imperative steps differ. In the first we&#x2019;re talking about a holistic action (WHAT), whereas in the second we specify the nitty-gritty detail (HOW).
Descriptive stories are more flexible than imperative stories. Why? The user interface of your software is the most brittle portion - you don&#x2019;t want your whole suite of tests to break if the designer changes the wording of a single button, link, or field without changing the core functionality of the app.
However, you still need to strike a balance. It&#x2019;s easy to be too vague and have a story cover huge swaths of functionality without intending it. Or the story might be unclear about which of several alternatives to take. Try to be descriptive without being ambiguous.
Also, sometimes, especially early in the story-writing process, it&#x2019;s a good thing to have imperative stories. When no code has written, when no design has been drawn, having that extra step-by-step may help flesh out more difficult details. You can always go back and rewrite those stories once everyone has a better grasp on the domain.
A common &#x201C;story smell&#x201D; in features are conjunctive statements. This is best illustrated in an example.
Conjunctive steps like the first one shown here tend to conflate two separate user actions. Independent steps, however, make the story more readable and the steps reusable within other stories. Remember that we&#x2019;re trying to develop a ubiquitous language for our domain -- reusability is key to that goal.
Another &#x201C;story smell&#x201D; are multi-pass scenarios, or scenarios where multiple precondition-action-outcome groups occur. These are especially tempting to write if you are thinking imperatively about the problem.
The solution to multi-pass scenarios is to split them into multiple scenarios, or to abstract conditions and actions that are covered by another scenario. In this case, we&#x2019;ve abstracted the concept of posting a comment, encompassing the steps the user took to get to that point. If you&#x2019;ve already defined the offending steps for other stories, Cucumber lets you call them directly from within another step definition, so you can just subsume the steps that you want to abstract out.
Cucumber provides a few more features in the DSL that let you keep your stories terse and cover corner or edge cases efficiently.
In this slide I&#x2019;m showing three of those features. The first is Background, which looks like Scenario, but is defined at the top of a feature file and applies to all of the scenarios in that file -- basically like a &#x201C;Before&#x201D; block with multiple steps. The second is a table - which you can access within the definition for the step before the table. You can treat the table as a simple array, or an array of hashes using the headers in the first row. The last feature is a multi-line string or &#x201C;py_string&#x201D; (as in Python).
Finally, we have Scenario Outlines, which are really great for quickly specifying scenarios across a range of possibilities, including edge or corner cases. Cucumber will run the outline against every row of the table that you specify in the &#x201C;Examples&#x201D; section, and apply the values in the table to the angle-bracketed items.
So, that&#x2019;s the overview of Cucumber, and now here comes some shameless self-promotion.
You might have seen that little head in my second slide - which is from our app Lowdown. Lowdown is a collaborative story-writing tool for Cucumber that we created for the Rails Rumble last year, and we were lucky to win the prize for Appearance and User interface. I&#x2019;d be willing to give a demonstration of Lowdown in the questions period.