Software QA: Stress and Pen Tests

Stress Testing

Stress testing is one type of test done to evaluate the stability, availability, and reliability of the software under development. The test is done by deliberately doing tasks beyond normal operational capacity, or even up to a breaking point, in order to observe the results. The results help developers determine the breaking points and/or up to what point the software fails to operate as intended.

Stress Test Demo

Enough theory crafting, let’s get into some stress testing demo. For this demo, The software being tested will be a Django REST Framework-based API. Locust which is a python-based GUI testing tool is a great tool for testing, so we will be using that in this demo. You can check out their documentation at Well then, let’s get started.

pip install locust
├── [projectname]/
│ ├──
│ ├──
│ ├──
│ └──
|── [App1]
└── requirements.txt
python runserver
locust homepage
Result table
Result Graph

Penetration Testing

Penetration testing is a type of test to evaluate the security of the software, especially towards cyber attacks. More specifically, penetration testing is performed to identify vulnerabilities as well as strengths, which will result in a full risk assessment. The test is done by simulating cyber attacks to the software. If you’d like to know more about cyber attacks, Cisco made a really easy to understand article here.

Penetration Test Demo

Each framework has different ways of penetration testing. But for Django apps, the developers of Django have added a command that checks for software vulnerabilities. We can do it right at the root of the project, all you have to do is type in the terminal:

python check --deploy
path/to/project/project> python check --deploy
System check identified some issues:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling
HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W008) Your SECURE_SSL_REDIRECT setting is not set to True. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this
setting True or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS.
?: (security.W012) SESSION_COOKIE_SECURE is not set to True. Using a secure-only session cookie makes it more difficult for network traffic sniffers to hijack user sessions.
?: (security.W016) You have 'django.middleware.csrf.CsrfViewMiddleware' in your MIDDLEWARE, but you have not set CSRF_COOKIE_SECURE to True. Using a secure-only CSRF cookie makes it more difficult for network traffic sniffers to steal the CSRF token.
?: (security.W018) You should not have DEBUG set to True in deployment.
System check identified 5 issues (0 silenced).

Final Thoughts

In short, the term stress testing is doing tasks to evaluate the overall performance of the software. Whereas penetration testing is doing tasks to evaluate the security of the software. By evaluating the performance and security of the software by performing both of the tests, we can improve the reliability, availability, stability, and security by mitigating cyber attacks.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Computer Science Student at Universitas Indonesia