Regula, our open-source infrastructure as code (IaC) policy engine, now supports AWS CloudFormation. This means you can use Regula to perform static analysis of CloudFormation YAML or JSON templates for security vulnerabilities and compliance violations – including templates that use the Serverless Application Model. For instance, if a template declares an EBS volume that does not have encryption enabled, Regula’s report will show which template – and which specific resource – failed the check.
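The EBS check described above, as an added, stand-alone example rather than Regula's own code (Regula rules are written in Rego; this is a plain-Python rendition of the same static check). It parses a CloudFormation JSON template, flags every AWS::EC2::Volume whose Encrypted property is not true, and prints a Regula-style line naming the template and the failing resource. The template is constructed for the demo; the `report` and `unencrypted_volumes` function names are mine.

```python
"""Static check over a CloudFormation JSON template: find EBS volumes that are
not encrypted. Added example, not Regula's code; the template is constructed."""
import json

# Constructed template: one encrypted volume, one explicitly unencrypted (as a
# string, which CloudFormation accepts), one that omits the property, and an
# unrelated resource that the check must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": True},
        },
        "BadVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10, "Encrypted": "false"},
        },
        "DefaultVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"AvailabilityZone": "us-east-1a", "Size": 10},
        },
        "Bucket": {"Type": "AWS::S3::Bucket"},
    },
})


def _is_true(value):
    """CloudFormation booleans arrive as JSON true/false or the strings "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


def unencrypted_volumes(template_text):
    """Return the logical IDs of AWS::EC2::Volume resources that are not encrypted.

    A missing Encrypted property fails, because the service default is an
    unencrypted volume. An intrinsic function such as {"Ref": "Param"} also
    fails here, since its value cannot be resolved statically; a full engine
    would resolve Parameters first.
    """
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::Volume":
            continue
        props = resource.get("Properties") or {}
        if not _is_true(props.get("Encrypted")):
            findings.append(logical_id)
    return sorted(findings)


def report(template_text, template_name="template.json"):
    """One report line per failing resource, naming the template and resource."""
    return [
        f"{template_name}: {rid} (AWS::EC2::Volume) FAIL: EBS volume is not encrypted"
        for rid in unencrypted_volumes(template_text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_TEMPLATE, "sample.json"):
        print(line)
```

JSON is used so the example needs only the standard library; a YAML template would need PyYAML plus a loader that understands CloudFormation's short-form tags (`!Ref`, `!Sub`), which is part of what a real engine like Regula handles for you.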
Recently, I was tasked with creating an automated testing tool for Fugue. Fugue monitors cloud resources for compliance and security, and we needed a way to verify that the full results of a Fugue scan were correct. My goal was to create an automated system that runs locally or in CI, deploys configurable infrastructure, scans it using Fugue, and verifies the results. This blog post walks through the design and implementation process for what became autotest, our internal automated testing tool.
Note: This blog post was updated on December 10, 2021, to reflect fregot v0.13.4. Fugue performs more than 100 million policy validations a day in order to identify compliance violations for cloud infrastructure environments at scale. These policy-as-code validations are written in Rego, the policy language for the Open Policy Agent (OPA) engine. To improve the process of writing and debugging Rego policies, we recently open-sourced fregot, the Fugue Rego Toolkit. You can think of fregot as an alternative to OPA's built-in interpreter: its REPL lets you interactively debug Rego code with easy-to-understand error messages, evaluate expressions, and test policies. Read more about it in our blog post here.
My previous blog post, Python Mocking 101: Fake It Before You Make It, discussed the basic mechanics of mocking and unit testing in Python. This post covers some higher-level software engineering principles drawn from my experience with Python testing over the past year and a half. In particular, I want to revisit the idea of patching mock objects in unit tests.

Patching External Clients

Clients in this post refer to any objects that create side effects, such as disk or network I/O. Consider a class, CloudCreator, that receives messages over HTTP, generates some side effects by creating cloud infrastructure, and sends messages over HTTP in response:

import http_client

class CloudCreator:
    def __init__(self):
        self.network_client = ...
If you’ve been looking around for information on unit testing and want to know a bit more, or possibly see an example of how to put it into practice, you’re in the right place. By the end of this blog post, you should be able to:

Look over parts of your code where you'd like to add unit tests.
Understand how to break your code into smaller functions.
Determine what to test.
Start creating your tests.

We'll also cover rudimentary mocking, which is the practice of writing pretend calls so that you can test your code against predictable values. This blog post uses Python, but the concepts transfer to other languages, since unit testing works the same way everywhere.

Why Do Unit Tests Matter?

I'm sure you've heard this before. Unit tests matter because they make sure your code works well in...
This post was written by Mike Lin. Welcome to a guide to the basics of mocking in Python. It was born out of my need to test some code that used a lot of network services and my experience with GoMock, which showed me how powerful mocking can be when done correctly (thanks, Tyler). I'll begin with a philosophical discussion about mocking, because good mocking requires a different mindset than good development. Development is about making things, while mocking is about faking things. This may seem obvious, but the "faking it" aspect of mocking tests runs deep, and understanding it completely changes how one looks at testing. After that, we'll look into the mocking tools that Python provides, and then we'll finish up with a full example. Learn more about testing code for Python security...
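The three posts above (patching external clients, breaking code into small testable functions, and the basic mocking tools Python provides) are illustrated by one added example below. It is not code from any of those posts: the `CloudClient` class is a hypothetical stand-in for a real SDK whose methods raise if they are ever called unpatched, so a test that accidentally leaks real I/O fails loudly. The `BucketDeployer` class, the pure `plan_missing` helper and the test functions are mine.

```python
"""Added example: a deployer split into a pure planning function and a thin
wrapper around an injected client, plus tests that fake the client's side
effects with unittest.mock. CloudClient is hypothetical, not a real SDK."""
from unittest import mock


class CloudClient:
    """Hypothetical I/O boundary: in real code these methods hit the network."""

    def list_buckets(self):
        raise RuntimeError("real network I/O attempted in a unit test")

    def create_bucket(self, name, encrypted):
        raise RuntimeError("real network I/O attempted in a unit test")


def plan_missing(wanted, existing):
    """Pure function: which wanted bucket names are not yet present.

    Keeping this apart from the I/O means it is tested with plain assertions
    and needs no mocking at all.
    """
    present = set(existing)
    return [name for name in wanted if name not in present]


class BucketDeployer:
    def __init__(self, client=None):
        # Inject the client so tests can pass a Mock; fall back to the real one.
        self.client = client or CloudClient()

    def ensure(self, wanted):
        existing = self.client.list_buckets()
        created = []
        for name in plan_missing(wanted, existing):
            # Always request encryption; the test below pins this argument.
            self.client.create_bucket(name, encrypted=True)
            created.append(name)
        return created


def test_plan_missing_is_pure():
    assert plan_missing(["a", "b"], ["b"]) == ["a"]
    assert plan_missing([], ["x"]) == []
    return True


def test_ensure_creates_only_missing_buckets():
    # spec= makes a typo in a method name raise instead of silently passing.
    client = mock.Mock(spec=CloudClient)
    client.list_buckets.return_value = ["logs"]

    created = BucketDeployer(client).ensure(["logs", "backups"])

    assert created == ["backups"]
    client.create_bucket.assert_called_once_with("backups", encrypted=True)
    return created


def test_ensure_surfaces_client_errors():
    client = mock.Mock(spec=CloudClient)
    client.list_buckets.return_value = []
    # side_effect makes the fake raise exactly as the real client would.
    client.create_bucket.side_effect = PermissionError("AccessDenied")
    try:
        BucketDeployer(client).ensure(["backups"])
    except PermissionError as exc:
        return str(exc)
    raise AssertionError("expected PermissionError")


def test_patching_the_default_client():
    # patch.object swaps the methods on the class for the duration of the
    # with block, so a deployer built without injection never touches I/O.
    with mock.patch.object(CloudClient, "list_buckets", return_value=["a"]), \
         mock.patch.object(CloudClient, "create_bucket") as create:
        created = BucketDeployer().ensure(["a", "b"])
    assert created == ["b"]
    create.assert_called_once_with("b", encrypted=True)
    return created


if __name__ == "__main__":
    for fn in (test_plan_missing_is_pure, test_ensure_creates_only_missing_buckets,
               test_ensure_surfaces_client_errors, test_patching_the_default_client):
        fn()
        print(f"{fn.__name__}: ok")
```

Injecting the client (second and third tests) is the cleaner design; `patch.object` (last test) is the tool for code you do not control, and the raising stubs in `CloudClient` are the safety net for the day a patch target is misspelled.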
Testing is the process of executing a program or system with the intent of finding errors. — Glenford Myers, The Art of Software Testing, 1979

Testing is any activity aimed at evaluating an attribute of a program or system. Testing is the measurement of software quality. — Bill Hetzel, The Complete Guide to Software Testing, 1983

Testing is a concurrent life cycle process of engineering, using and maintaining testware in order to measure and improve the quality of the software being tested. — R. Craig and S. Jaskiel, Systematic Software Testing, 2002

Here at Fugue, we’re building a system that automates and enforces the operation of your cloud infrastructure. It’s powerful, resilient, and easy to use. Under the hood, this system is made up of a collection of services...
PLEASE NOTE: As of February 2018, Emulambda is not actively maintained by Fugue. When Python support was announced for AWS Lambda at re:Invent, we were excited to start using it. As you could see with our emoji-powered Votebot for Slack, we put it to quick use, converting our skirmishes about lunch orders into a peaceful, democratic process. Building Lambda functions is great, but there can be some challenges during development. There are many that we may yet cover, but the one we wanted to start with was just writing and debugging the function. As such, we wanted to build a local harness for lambda functions that could shorten the feedback loop on development, be used for attaching debuggers, drive test data through the function, and profile it as well so we'd have an idea what...
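The harness idea described above, as an added example that is not Emulambda's code: resolve a Python Lambda handler by its `module.function` path the way the runtime does, build a stand-in for the context object, drive an event through the handler, and record wall-clock time so slow or failing code shows up before deployment. The `demo_lambda` module, its vote-tallying handler and the event are constructed for the demo; `FakeContext` carries only the context fields a typical handler reads, with placeholder values.

```python
"""Added example: a minimal local harness for a Python Lambda handler.
Not Emulambda's code; the demo handler module and event are constructed."""
import importlib
import json
import sys
import time
import types
import uuid


class FakeContext:
    """Stand-in for the Lambda context object (field names match the real
    one; values are placeholders)."""

    def __init__(self, function_name="local", timeout_ms=3000):
        self.function_name = function_name
        self.aws_request_id = str(uuid.uuid4())
        self.memory_limit_in_mb = 128
        self._deadline = time.monotonic() + timeout_ms / 1000.0

    def get_remaining_time_in_millis(self):
        return max(0, int((self._deadline - time.monotonic()) * 1000))


def load_handler(handler_path):
    """Resolve 'module.function' like the Lambda runtime does."""
    module_name, _, func_name = handler_path.rpartition(".")
    module = importlib.import_module(module_name)
    return getattr(module, func_name)


def invoke(handler_path, event, timeout_ms=3000):
    """Run the handler once; return (result, elapsed_ms, error_or_None).

    Exceptions are captured and reported rather than crashing the harness,
    so a batch of test events can be driven through in one run.
    """
    handler = load_handler(handler_path)
    ctx = FakeContext(timeout_ms=timeout_ms)
    start = time.perf_counter()
    try:
        result, error = handler(event, ctx), None
    except Exception as exc:
        result, error = None, f"{type(exc).__name__}: {exc}"
    elapsed_ms = (time.perf_counter() - start) * 1000
    return result, elapsed_ms, error


# Constructed demo handler module, registered in sys.modules so that
# load_handler() imports it exactly as it would a real file on disk.
_demo = types.ModuleType("demo_lambda")


def _vote(event, context):
    """Toy handler: tallies votes and rejects malformed input."""
    votes = event.get("votes")
    if not isinstance(votes, list):
        raise ValueError("votes must be a list")
    tally = {}
    for choice in votes:
        tally[choice] = tally.get(choice, 0) + 1
    return {"tally": tally, "request_id": context.aws_request_id}


_demo.handler = _vote
sys.modules["demo_lambda"] = _demo


if __name__ == "__main__":
    event = json.loads('{"votes": ["tacos", "pizza", "tacos"]}')
    result, ms, err = invoke("demo_lambda.handler", event)
    print(json.dumps(result), f"{ms:.2f} ms", err)
    _, _, err = invoke("demo_lambda.handler", {"votes": "tacos"})
    print("error path:", err)
```

Because `invoke` is an ordinary function call, attaching a debugger or wrapping it in `cProfile.run` works without any extra plumbing, which is the feedback-loop shortening the post is after.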