What about security testing? External penetration testing is one thing, but can developer testing help in any way?

Committing to developer testing doesn’t mean abandoning all other aspects of software development like good object-oriented design, use of design patterns, domain-driven design, or the OWASP top threat list. That said, some developer testing concepts may be quite helpful.

Contracts, especially preconditions, will obviously help when it comes to input validation. Minding the domain-to-range ratio will ensure better input values and potentially protect from vulnerabilities like buffer overflow. Equivalence partitioning may be used to identify classes of invalid inputs like SQL injections, while formalized boundary value analysis can help in identifying edge cases between valid and invalid input.

Generative testing is also relevant in the context of security testing. One can use it to either generate random values to ensure that the application handles any input correctly, or to generate inputs that are malicious on purpose.
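The techniques from the two paragraphs above, combined in one added example (not taken from the book or from this page): a precondition on a hypothetical `validate_username` function, one representative per equivalence class, boundary values around assumed length limits of 3 and 16, and a seeded generative run. All names, limits and sample inputs are assumptions constructed for illustration.

```python
import random
import re
import string

MIN_LEN, MAX_LEN = 3, 16  # assumed limits for this example
SAFE = string.ascii_lowercase + string.digits + "_"
HOSTILE = "'\";-= A\x00"  # constructed: quote, comment, NUL and case probes


def validate_username(value):
    """Contract (precondition): str, MIN_LEN..MAX_LEN chars, all from SAFE."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not MIN_LEN <= len(value) <= MAX_LEN:
        raise ValueError("username length out of range")
    if not re.fullmatch(r"[a-z0-9_]+", value):  # allow-list, whole string
        raise ValueError("username contains a disallowed character")
    return value


def is_accepted(value):
    try:
        return validate_username(value) == value
    except ValueError:
        return False


# One representative per equivalence class (constructed sample inputs).
PARTITIONS = {
    "valid": ("alice_01", True),
    "empty": ("", False),
    "uppercase": ("Alice", False),
    "sql metacharacters": ("x' OR '1'='1", False),
    "non-string": (None, False),
}
# Boundary values: lengths on each side of both limits.
BOUNDARIES = {MIN_LEN - 1: False, MIN_LEN: True, MAX_LEN: True, MAX_LEN + 1: False}


def run_generated(cases=2000, seed=1):
    """Generative check: whatever is accepted must satisfy the contract."""
    rng = random.Random(seed)
    accepted = 0
    for _ in range(cases):
        text = "".join(rng.choices(SAFE + HOSTILE, k=rng.randint(0, MAX_LEN + 8)))
        if is_accepted(text):  # any exception other than ValueError fails the run
            assert MIN_LEN <= len(text) <= MAX_LEN and set(text) <= set(SAFE)
            accepted += 1
    return accepted
```

The fixed seed keeps a failing generated input reproducible; in a real suite the partition and boundary tables would feed parameterized test cases.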

Book References
Read more about this topic in Developer Testing: Building Quality into Software:

  • Chapter 3: The Testing Vocabulary, pages 28-30
  • Chapter 5: Programming by Contract, pages 57-65
  • Chapter 10: Data-driven and Combinatorial Testing, pages 141-144