
Thomas Shipley Posts

Introduction to Automated Security Testing with OWASP Zap, Dependency Checker and Glue.

Security testing can be really time-consuming. Ever tried to organise a penetration test for your website? It is expensive! For my current client, we wanted to think about how much security testing could be automated and run ahead of time. Not as a replacement for professional penetration testing, but as a way to give us some confidence before that stage that we are catching issues as early as we can. I did this by adding automated security tests for common issues in our codebase, for example insecure dependencies or API endpoints that are vulnerable to SQL injection.…

Quickstart: Try Static Analysis with SonarQube and Docker

Recently I started a new contract and was in the rare position of joining a team before the developers! Without a team producing work yet, I wanted to think about ways to get the team off to a good start. My last post was about static analysis with SonarQube. I love static analysis tools: they are like an additional tester in your team, and when the results are taken in the context of the wider effort they can be really valuable. Below I want to show you how to set up a quick proof-of-concept SonarQube server to discuss with…

Static Analysis for .NET Core Projects using SonarQube

Static analysis is a way of automatically analysing code without executing it. As a development team, this is really powerful: once the static analysis software is up, running and integrated with your deployment pipelines, you gain an extra tester in your team with little ongoing maintenance! While some of the issues static analysis software finds are not always high value (code styling, for example), others are issues your engineers are less likely to notice, such as obscure security flaws and out-of-date dependencies.
SonarQube: A Static Analysis Tool
SonarQube is a static analysis tool that I have been using and…

Contract Testing with Pact in .NET Core

When working in a microservice architecture it can be hard to verify the whole system end to end because of all the moving parts involved. Often the purported solution is to write integration tests, which verify a few parts of the system together with the rest mocked out. If all these subsections of the system pass their respective integration tests we can be confident in the system, right?
The Problem with Integration Tests
Integration tests are a good way of verifying our system as they use real (not mocked-out) components, but quite a lot…

Selenium Solved: Null Responses for HTTP Session Requests

Recently I was updating the UI tests in a project, now that Selenium WebDriver plays nicely with .NET Core, and came across a strange error. What made it strange is that it was a failure to communicate with the WebDriver server, not with my underlying application, and because of this failure in communication WebDriver could not manipulate my website.
The Fix
After some googling, this turns out to be a straightforward fix: my project uses the ChromeDriver server as its WebDriver for tests, and the ChromeDriver server executable I had locally was simply out of date when…
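The stale-executable problem above is worth catching before a test run rather than after a cryptic WebDriver session error. The script below is an added example, not code from the original post: it compares the major version reported by the local ChromeDriver with that of the installed Chrome, which is the compatibility rule ChromeDriver itself documents. It assumes binaries named `chromedriver` and `google-chrome` on PATH (adjust for `chromium` or a bundled driver), and the version strings in the comments and test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that the local ChromeDriver
# major version matches the installed Chrome major version; a mismatch is the usual
# cause of "session not created"-style failures when talking to the WebDriver server.
# Assumed binary names: chromedriver and google-chrome (both assumptions).

# Extract the major version from a "--version" string such as
# "ChromeDriver 114.0.5735.90 (abc123-refs/branch-heads/5735)" (constructed sample)
# or "Google Chrome 114.0.5735.133" (constructed sample). Prints nothing if no
# four-part version is present, so callers can detect a parse failure.
major_version() {
  printf '%s\n' "$1" |
    sed -n 's/.*[^0-9.]\([0-9][0-9]*\)\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*.*/\1/p'
}

# check_versions DRIVER_VERSION_STRING BROWSER_VERSION_STRING
# Returns 0 when the major versions match, 1 when they differ, 2 when either
# string could not be parsed. Diagnosis goes to stderr so CI logs show the cause.
check_versions() {
  driver_major=$(major_version "$1")
  browser_major=$(major_version "$2")
  if [ -z "$driver_major" ] || [ -z "$browser_major" ]; then
    echo "could not parse a version from: '$1' / '$2'" >&2
    return 2
  fi
  if [ "$driver_major" = "$browser_major" ]; then
    echo "ok: ChromeDriver $driver_major matches Chrome $browser_major"
    return 0
  fi
  echo "mismatch: ChromeDriver $driver_major vs Chrome $browser_major; update chromedriver" >&2
  return 1
}

# Run against the real binaries when both are installed; skipped otherwise so the
# functions can also be sourced and used from another script.
if command -v chromedriver >/dev/null 2>&1 && command -v google-chrome >/dev/null 2>&1; then
  check_versions "$(chromedriver --version)" "$(google-chrome --version)"
fi
```

Drop this into the pipeline step that runs the UI tests and fail the job on a non-zero return; the stderr line then names the out-of-date component directly instead of leaving you to decode a WebDriver transport error.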