421.4 Testing and debugging

Overview

Testing and debugging occur after development and before deployment in the Secure Software Development Lifecycle (SSDL). This stage ensures the system behaves as expected, meets all requirements, and handles faults or attacks gracefully. Secure software must be verified not only for correctness but also for resilience against misuse and malicious input.

Debugging is closely related—developers must investigate and fix issues that arise during testing. Together, these processes improve the quality and security of the software before it is released to users.

Targets

In this topic, students learn to:

• Describe the role of testing and debugging in the SSDL

• Apply different types of tests to check for correctness and robustness

• Use tools to identify, trace, and fix coding errors

• Evaluate how well software performs under edge cases, invalid input, and failure conditions

Syllabus references

Why testing is critical in the SSDL

Testing provides structured assurance that:

• The software meets its functional and non-functional specifications

• Vulnerabilities are identified before the software is released

• Errors are handled safely, protecting users and data

• The system performs reliably under expected and unexpected conditions

Without adequate testing, even well-designed systems can contain faults that lead to data loss, security breaches, or system failure.

Types of testing in the secure lifecycle

Secure development includes traditional test types, with an emphasis on edge cases and robustness:

• Unit testing: Checks that individual components perform as intended

• Integration testing: Ensures that combined components work together correctly

• System testing: Validates overall system functionality and performance

• Acceptance testing: Confirms that user requirements have been met

Security-focused tests include:

• Boundary testing: Verifies behaviour at input limits (e.g. maximum length, zero, negative values)

• Abnormal input testing: Checks how the system handles incorrect, unexpected, or malicious inputs

• Path coverage testing: Ensures that every decision branch in the code is exercised

Debugging in the development lifecycle

Debugging is the process of tracing and correcting errors identified during testing. In the SSDL, debugging should be methodical and well-documented.

Common debugging techniques include:

• Breakpoints – Pause execution at a specific line to inspect variables

• Step-through execution – Observe program flow one line at a time

• Watch variables – Monitor changing values over time

• Logging and print statements – Insert messages to reveal the state of the program

• Debugging tools in IDEs – Use integrated consoles, stack traces, and memory viewers

Common types of errors

• Syntax errors: Prevent code from running (e.g. missing colon, unclosed string)

• Logic errors: Cause incorrect output due to flawed reasoning

• Runtime errors: Cause crashes or instability when the program is run (e.g. division by zero, null reference)

Testing helps detect all three types early in the lifecycle, where fixes are more efficient and less disruptive.

Documentation and traceability

In the SSDL, all bugs and test outcomes should be documented. This supports:

• Reproducibility of tests

• Version tracking of bug fixes

• Continuous improvement and future maintenance

• Evidence of due diligence for compliance and auditing

Outcome of this stage

By the end of the testing and debugging phase, the software should:

• Behave correctly under normal and extreme conditions

• Contain no known critical errors or vulnerabilities

• Handle unexpected input without crashing or exposing data

• Be ready for deployment with confidence in its reliability and security