Automated Testing Handbook #
Testing tools #
The automated testing handbook is a resource that guides developers and security professionals in configuring, optimizing, and automating many of the static and dynamic analysis tools we use at Trail of Bits.
In our day-to-day work, we audit software projects ranging from cloud-native software to embedded devices. We often find issues that should be easy to spot early in development with the correct security tooling, but that make their way across the software lifecycle undetected.
We hope to assist development teams across technology stacks in their quest to improve the security posture of their software by providing practical documentation they can apply when performing security analyses of their codebases.
We aim to make it as straightforward as possible to set up security tools effectively across all steps of the software development lifecycle.
In doing so, we also hope to demystify static and dynamic analysis techniques such as fuzzing and taint analysis.
Why is this needed? #
- The documentation for configuring and optimizing existing tools is often not developer friendly, as it is often targeted at security professionals. This is especially the case with fuzzing utilities. This lack of easy-to-follow documentation can lead to frustration and poor adoption of security tools that should be straightforward to configure.
- Even if the tool is easy to configure locally, it can be difficult to configure it in a CI/CD pipeline.
- Often, security tools are set up by following the online documentation, but their configuration is rarely optimized. This lack of tuning can lead to noisy tool results that are more frustrating than they are helpful.
We currently cover the following tools:
We are working on expanding the tools we cover here. We are also planning to cover several dynamic analysis tools. Stay tuned for updates from our team!