Web3 Test Automation with Joshua Gorospe

[00:00:04] Joe Colantonio Get ready to discover the most actionable end-to-end automation advice from some of the smartest testers on the planet. Hey, I'm Joe Colantonio, host of the Test Guild Automation Podcast, and my goal is to help you succeed with creating automation awesomeness.

[00:00:25] Joe Colantonio Hey, it's Joe, and welcome to another episode of the Test Guild Automation Podcast. And today, we'll be talking all about Web3 testing with Joshua. If you don't know, Joshua is a tester with over 18 years of experience. It works as a QA tech lead in the security space. He has a lot of experience with this. He also has worked in agency and product companies, so he knows a lot of different companies and how they work. And Joshua loves testing and has an insatiable curiosity for researching anything related to testing. Currently, his most interesting experiment with blockchain Web3 technology, security testing strategies, machine learning, and model-based testing. All topics I hope to touch on in this episode. I first met Joshua at RoboCon in 2023 that I hosted this year and I really thought his expertise would help you. So you don't want to miss this episode. Listen up.

[00:01:13] This episode of the Test Guild Automation Podcast is sponsored by the Test Guild. Test Guild offers amazing partnership plans that cater to your brand awareness, lead generation, and thought leadership goals that your products and services in front of your ideal target audience. Our satisfied clients rave about the results they've seen for partnering with us from boosted event attendance to impressive ROI. Visit our website and let's talk about how Test Guild could take your brand to the next level. Hand it over TestGuild.info and let's talk.

[00:01:45] Joe Colantonio Hey, Joshua. Welcome to the Guild.

[00:01:52] Joshua Gorospe It's great to be here, Joe. Thank you for having me.

[00:01:55] Joe Colantonio Great to have you. Sometimes I botched the intro or botched the bios, is there anything that you want The Guild to know more about that I may have left out in your bio?

[00:02:04] Joshua Gorospe No, you've touched on all of them and just let the audience know. Basically, a fun fact is your articles from back in I think 2016 or earlier covered Robot Framework. It actually inspired me to take it more seriously because at first I had found a Robot Framework just casually looking around on various I'm sure you've heard of GitHub awesomeness. I actually found Robot Framework in one of them. It was specifically about automation and at the time was just getting off of another company that was more into Gherkin style. And not that there's anything wrong with Gherkin. I wasn't really for me, so I wanted to learn more about an automation stack that could just be more natural flowing, more natural language oriented and Robot Framework fit my style because I was going to go into more of a consulting style of work after that specific time in my career.

[00:02:58] Joe Colantonio Awesome. I'm always surprised or excited when I host RoboCon because there are so many things a Robot Framework does. I don't even think about forget about like, it can help you with security testing, it has plug ins have really is a full ecosystem almost for any type of testing. As we've seen also like if you have Robot Framework in place and you know how it works, you could start to integrate all types of testing into your testing suites.

[00:03:22] Joshua Gorospe Absolutely. And the interesting thing is when I started working in consulting, I was working for an agency at the time, and one of the things that our clients were always after is we want stand up automation in our project and also we need to do it quickly and we do it in a way that can easily, I say off-ramp the word when the time comes, because that's the nature of consulting is eventually you have to hand over the product and it's easier to do that when it's in human-readable format through human-readable format, which I think the Robot Framework is perfect for.

[00:03:57] Joe Colantonio Absolutely. Sometimes when people as testers, maybe they need to get involved in security, and maybe they seemed overwhelmed. It almost seems like you said, because of some Robot Framework it is human-readable. Maybe it makes a little more accessible to the team. Does that what you've seen also?

[00:04:12] Joshua Gorospe Exactly. And there's a bunch of situations where I was asked to do, okay, test this thing here and all right, now quickly turn around an automation part that we could get out to our team as quickly as possible and tie that into a CI platform, too. I started out with like just a bunch of like, for example, some back-end tests that were just curl commands that I was using to explore through a system, learn how it works, and learn the responses. And then as I learned more of it, I just wanted to just quickly throw that together using Robot Frameworks libraries, and just get that into a CI platform as quickly as possible because they really want to see results metrics and sometimes in some cases they want to be handed like a very simple XUnit style report. Say show me all the passes and fails. Then move on to the next thing and they just bang out this project as quickly as possible for our clients because they care about how many things are building for them. What's the next SOW look like? So yeah.

[00:05:13] Joe Colantonio I guess speaking to clients, you also have a kind of a cool niche, you know automation testing and you also know security, which I think is kind of a good combination to have. Is there a reason for that? Have you seen more companies needing a demand for security because you just mentioned you need to be kind of billable as a consultant? So is security something you see as a growing demand for testers that is probably a good area for them to get into?

[00:05:35] Joshua Gorospe I agree. I totally agree. I mean, security is, it's just basically one of those areas that I feel is when I was working in the client. So I'm putting on my client hat now, client work hat. I noticed that it was an interesting place to find the exploratory bugs, like just hard-to-find edge cases. But it's interesting because it depends on the sector you're working in when you're doing client work, but you could just find the most interesting types of problems when you're just kind of looking around casually. And then when you catch the scent of something really off, you just go into it kind of deeper, and then you go into that domain and say, Oh, wait a minute, there's a vulnerability of this type going into this. Like, I don't know, building automation protocol. From the 80s and just feeling from my own experience of when I had to help test a type of building automation protocol that dealt with elevators or sort of like building systems type of things. And believe it or not, they're super old and antiquated and there are certain things that you could do on them that are a little bit iffy and they don't feel right. Yeah, just challenging that assumptions with those different types of, well, I guess they're called CDE or I forget the actual terminology there. But anyway, so certain types of vulnerabilities going into them in the deep end and researching the security really. Security is a lot of research because the bad guys are always ahead. They're always going to definitely get to something. It just takes time. And when you give them time and when they have the opportunity, it's just going to happen. We're always coming in after the fact, finding things out and how they did it.

[00:07:14] Joe Colantonio Absolutely. And this just come into my head. I know with functional automation, a lot of testers are gonna be replaced by AI or automation. It seems like with security, if you really have a testers heart, you get to do all the testing because it's so hard. You use tools to help you uncover things. We still need to use your tester mindset and actually, like you said, exploratory-type testing to uncover a lot of these things.

[00:07:35] Joshua Gorospe That's right. And I feel like the automation actually benefits a lot from the exploratory testing. Just learning about what this product in front of you, this thing in front of you, whether it's hardware, whether it's software, you're interacting with the cloud, learning about it, seeing what it does, testing its limitations, finding where that edges and pushing it a little further. So yeah, it's very important, I think.

[00:07:59] Joe Colantonio Awesome. So in Web3, I've been here about Web3 for at least four years now. I don't know why? For me, I haven't seen it really taken off yet, but maybe it's just because people I speak with. Is Web3 something you see about to explode because I know AI had been on the horizon for a while? People like Yeah, and also on ChatGPT came out and as it explodes you see Web3 at some point really coming to the forefront at some point with some sort of new innovation like that?

[00:08:26] Joshua Gorospe Definitely. I feel like that Web3 as like what you just said about A.I. and Chatbots and stuff. I mean, Chatbots. It's funny you mention it again. When I was working in an agency where Chatbots were already a thing back then, and that was around like maybe 2017, or 2016. There was then a fad that was being picked up and clients wanted that more. They wanted that automation that will just interact with their customers and get data out of them and then get them onto the platform and then get them wanting to use the platform more. I like that it's being picked up again and it's actually seeing utility in terms of what ChatGPT. I personally have used it myself to say, Hey, how do I write this little bit of solidity for this type of protocol or this type of show me how this bit of solidity automation works? It was very good for that. So naturally, though, the other side of it is, of course, these are kind of work in I guess, a synergy and hand in hand. I think that yeah, Web3 will pick up more because you have that assistant to tell you how to write a little bit of solidity code. It is like here he is or here it is, it's right there, it's available to you. But yeah, Web3 though, it's funny you mention that too, but I mean, I feel like if we all look at the situation around us right now, I mean, trust in banks is a little low in these times. I personally I mean, this is not let me preface this by saying this is not financial advice. This of course, this is Joe show. This is not about financial advice. My predictions are that from 2008 there was a low point in that generally in the economy when these things happen, generally, there's a trend. I encourage people to look at the history and watch what happens to these different blockchain technologies as things start to get a little more interesting and the financial sector and the economy. Honestly, I think that Web3 will definitely pick up in the years to come, for sure.

[00:10:25] Joe Colantonio Great point. You mentioned solidity a few times. I'm not sure how many people on this show know what solidity is. What is solidity?

[00:10:32] Joshua Gorospe Well, solidity is basically a Turing complete programing language that is used for creating smart contracts on EVM-compatible blockchains. And I believe it's the most heavily used smart contract language. There are different types. There's Haskell, which is used in Cardano, and there's also Solana, which is, I believe using more of Rust syntax. I'm not sure. I haven't tried to learn yet. And by the way, I'm still learning myself. Solidity and in general is the most heavily used one. There are other more Pythonic ones I think there's one called Viper, which is a little bit Pythonic. It's more of a Python syntax, so I think it's more of a python syntax, I believe. I haven't looked into it myself, but there's a bunch out there. But solidity is the most heavily used right now. So if you're good with JavaScript solidity, you may find it very easy to work with.

[00:11:29] Joe Colantonio Nice. So we spoke about Robot Framework has a lot of different plug-ins. And I think, did you create this? I saw a Robot Framework Solidity Testing Toolkit. What is that?

[00:11:38] Joshua Gorospe So basically, it's my first dive into self-teaching because I'm a very, I guess, self-motivated learner. I've been used to just being thrown into something by myself and both client work and product work again. And this is my attempt to, on my downtime, pick up something new, but also kind of like my own curiosity because I'm in a number of defi protocol projects in terms of as someone who played around with the defi protocol, and by the way, with decentralized finance protocols is what I'm talking about. I've researched them and I've also gotten into them and also gone into their Discord communities and actually spoken to a couple of people in their developer communities just to learn like what it is they're doing, what are they use to interact with these dapps basically decentralized apps. What I did was first, when I find out new technology, one of the things I try to figure out because I love Robot Framework so much, it's basically my way of figuring out and learning how to bring in these technologies into a type of RPA flow. RPA flow is maybe I see my RPA robotic process automation, so that kind of is my entry point. And then I start playing around with their static analysis tools, learning about like what is it they use to check the code smells and also how do they check for vulnerabilities or security because that's stuff that I care about. And yeah, it kind of like, I guess snowballed into something bigger. And then I found out from a friend of mine in a defi community that I'm in often in discord Web3 JS and Ethers JS. Basically what those are libraries to interact with blockchains. They're client libraries that allow you to basically interact with those blockchains that are out there, for example, Ethereum. So with Ethers JS is essentially, Web3 JS was the first. Ethers JS was kind of like someone created a slightly different one. I want to say which one is better, which one's worse. But I like Ethers JS because it's associated with one of my favorite new, let's call it smart contract development environments called Hardhat, and it's a really great library. And after I found that library and I learned the basics of how it's being used to interact with Etherium and any EVM-compatible blockchain, by the way, I found out that there's actually a remote library interface library for Robot Framework for JavaScript because Ethers JS is basically it's an NPM package, you just NPM install it. I was studying how just any old developer goes in and writes a little bit of JavaScript code and brings in Ethers JS into that. And I was like, okay, now I see that it's just this bits of JavaScript and I found this and basically the I guess I'll provide these links to you later. So if you could share with your audience is called Node Robot Remote server by a GitHub user named comic. I'm crediting his or her work because this is the heart of like how I was able to get Robot Frameworks Solidity Testing Toolkit off the ground. Well, it's one of them. This is one-third of the bigger picture of what I'm trying to build out. I hope that answered. So really long answer, sorry.

[00:15:15] Joe Colantonio Yeah. No, that's great. I guess, like I said, a lot of newbies are listening to this, so you could use the solidity testing toolkit to help you test smart contracts?

[00:15:23] Joshua Gorospe Yeah. So it's a beautiful thing because this toolkit encompasses a lot of many other tools into it. And what I'm trying to do is kind of many phases of work, kind of like combine into one. I want my first phase to be. I want to learn just enough solidity to just get it simple token contract out there, deploy that, and then the next test learn the deployment. Next phase is to learn how these deployment scripts work. Automate that out. It doesn't have to be just about testing. I also want to do RPA, which is a generic approach towards automation with three Robot Framework, RPA style deployments, RPA style security checks, Get them all into like a very nice and neat because one of the things I'm personally a fan of robot in Robot Framework is that luggage and that beautiful test logs and test reports. Get those all in one place with that and also figure out some very basic things about how to test these contracts once they're deployed because essentially with these tests, in the Web3 space, they're called interactive contract tests. So you're essentially interacting directly with the methods of that deployed contract. And by the way, when you deploy a contract, it's out there forever and there's no way of taking it back. It's going to be always out there. And it's also very important that you consider the security of that, which of course I'll get into the later. If you're into it, it might go out of the log.

[00:16:50] Joe Colantonio Yes, that's a good point. Like, I just thought for some the nature of blockchain is security. It's built on security so well, there are common security flaws that people need to take up in the developing, like what kind of security things could be exploited the blockchain that you should be worried about or you should be looking at?

[00:17:06] Joshua Gorospe That's a great question. It's very important to when you're dealing with any blockchain, understand that when you pay for a change to the blockchain, when you pay to get something done on the blockchain, you're essentially paying gas and you have to, when you do things in the blockchain, you're paying gas and it's out there and that's a transaction and that basically think of the blockchain as just a ledger that anybody can see. It's basically a giant backend, so everyone can see that you did that transaction. And essentially there are advantages of course with that. And of course, there's a whole suite of like uses and unknown use cases that we could do with that. And the decentralized nature is there's no centralized entity that owns that. Everybody kind of owns that, but also everyone can see where it came from and see where it's going. And of course, the disadvantage of that is people can do a replay of that across many other blockchains too, because, well, when you deal with a Web3 Dapp, for example, you have to have some kind of Web3 enabled wallet like let's use for example, Metamask is one of the most popular ones. And once you use Metamask on either a Testnet or with a Testnet those tokens, those coins, those layer-on protocol cryptocurrencies like Etherium, they're worthless. They're not worth anything on the Testnet, but on the Mainnet of course there are what they are and they have value to the general public. And the thing is, what's done on their Testnet can be replayed on that Mainnet. So that's called a replay attack and also replay it across many other EVM-compatible blockchains as well. So that's something to think about. When you interact with the blockchain, you are in the public eye. There are things and people that are constantly watching that if you can think of them as Apex predators. And you're a little fish just doing little things and just throwing out transactions, just to test. You might want to think about maybe taking that locally and consider development environments like Hardhat and Truffle. These are all basically development environments for Web3 for even compatible blockchains.

[00:19:18] Joe Colantonio And I believe the robot toolkit you're creating actually helps you. It has a Truffle library, I think. Is that correct?

[00:19:23] Joshua Gorospe Yes, that's right. That was the next step. I wanted to get out as quickly as possible was after I had played my first step, wasn't taking a dive into Hardhat because Hardhat is, in my opinion, one of my personal favorites. I like it a lot. It's very easy to dive into plugins are easy to install and easy to learn, and it's just under the hood. After you get the Ethers JS plug in, getting it in there and install it into your local. A simple matter of just using your Ethers JS coding knowledge to get those Keyword started. So yeah, if people were to like have that initial experience with Hardhat, which is by the way one of the more they're both popular, but actually both are very backed by very big companies. I believe Truggle is backed by like JPMorgan Chase. Hardhat is backed by I think there's a foundation I think that backs it opens Zeplin, yeah open Zeplin is one of the most popular it's got frameworks for just general solidity development and many other things and they're very big nonprofit, I believe. I have to look them up. I'm still learning and they're used by many people who have deployed other Defi protocols and it's used a lot in the Web3 space.

[00:20:35] Joe Colantonio Nice. I know with general Security, a lot of times people miss out on simple things, like when they check in code, running a static analysis or something or a vulnerability scan. For Web3, does the tool help with that as well for people that want to maybe get it part of the pipeline built in?

[00:20:51] Joshua Gorospe It will at some point. And I'm trying to pull in more of the let's call them the popular security testing libraries and tools. And the great thing about Robot Framework is it just wraps so nicely around those. And once it's in an RPA process, as long as those tools are installed on the same environment that Robot Framework is installed in, it all just will come together really nicely. But yeah, that's the goal. That's the next phase of my development of the Robot Framework Solidity Testing Toolkit is get more security tools in there.

[00:21:21] Joe Colantonio Great. And I think I also saw a bot utilization. What's that?

[00:21:25] Joshua Gorospe So one of the common things that you see in Web3 is different uses of bots essentially that are connecting to those blockchains via RPC nodes. Some of the RPC node that is your basic, it's a client software that allows you to get to that blockchain, communicate with it, read from it. I said before that you have to pay to get it to make a transaction on the blockchain, but other interactions with the blockchain are free to read from the blockchain is free, so you don't have to pay for that. You can just read it every time you want via the RPC node. As long as you have an RPC node with alchemy is one and also Infura is another. And there are many other. I haven't really counted basically Web3 infrastructure as service platform that serve up RPC nodes, which are essentially any kind of client software that runs consensus layer, execution layer on their machine. They could get into the blockchain and read from it or write to it.

[00:22:23] Joe Colantonio Cool. So you mentioned replay attack in your previous answer. Sorry, I just jotted down and discharged my memory. So how do you know that's a task you should test for because I know like Metasploit has built-in exploits where you know common things that people that are known. Is this something similar? Is there a tool that helps you with knowing or here are the common type of attacks or exploits that can be done on a blockchain or Web3 type of application?

[00:22:49] Joshua Gorospe I think there's I'm going to just use GitHub as an example. There are basically vulnerability list security lists out there and replay attacks is like there's this one of those I'm sure you've heard of OWASP top ten. I think that's like kind of like in that top ten. And yeah, it's definitely something that I haven't found the definitive list of security vulnerabilities yet. I guess a consensus they have their own actually list of GitHub or open-source projects and I know that they have list in there somewhere. I might be mistaken, but they do have a huge collection of different open-source security projects consensus, and I forget where to find it specifically, but definitely is just as simple as going on GitHub. Lookup a nice popular security list and you'll catch one of those types of attacks. Yeah.

[00:23:44] Joe Colantonio Awesome. So Joshua, I'm always surprised once again when we talk about Robot Framework, how maybe it's just me, I would think it would be more utilized. But when I interview people, not many people mention it so. What's the future of Robot Framework? Someone turn this is saying, Well, I haven't really used it. I haven't heard of it. Should I invest time in it? What would your thoughts on the future of Robot Frameworks, community, and things like that?

[00:24:07] Joshua Gorospe I think that the future of Robot Framework is bright. I also think that like many people out there, are getting out of school per se, like many people out there who are just starting out as engineers and you happen to fall upon quality engineering or just QA work or just a software tester, they're going to see the value of being able to put something together very quickly and something that is just has a humongous suite of community built tools and community built plugins, community built libraries and community build, basically IDE plugins, etc. There's value in that. And when you see that a community is very passionate about keeping that alive, I think they'll understand that's kind of what you want to go for. And I'd say, for example, what I saw happen with SmartBear under the Gherkin developers, I believe they were some of them were like, Let go. And yeah, that's the thing. And when something is not owned by a centralized entity like the Robot Framework Foundation, no one company ever could on that. It's all very tight knit group of many technologists all over the world taking, maintaining that and basically ensuring its future growth.

[00:25:24] Joe Colantonio Great point. Okay, Joshua, before we go, is there one piece of actual advice you can give to someone to help them with their automated security testing efforts? And what's the best way to find or contact you?

[00:25:35] Joshua Gorospe So my best advice to you, if you're going to get into security and also building tools for it, which also involves automation, is definitely keep an open mind and also try not to paint yourself in a corner. Well, I can only write this in Python. Definitely be open-minded to many things and try to be as polyglot as you can. And you can contact me on LinkedIn. I'm on LinkedIn and it's very easy to find me.

[00:26:03] Joe Colantonio Thanks again for your automation awesomeness. The links of everything we value we covered in this episode. Head in over to Testguild.com/a441. And if the show has helped you in any way, why not rate it and review it in iTunes? Reviews really help in the rankings of the show, and I read each and every one of them. That's it for this episode of the Test Guild Automation Podcast. I'm Joe, my mission is to help you succeed with creating end-to-end full-stack Automation awesomeness. As always, test everything and keep the good. Cheers.

[00:26:36] Hey, thanks again for listening. If you're not already part of our awesome community of 27,000 of the smartest testers, DevOps, and automation professionals in the world, we'd love to have you join the FAM at Testguild.com and if you're in the DevOps automation software testing space or you're a test tool provider and want to offer real-world value that can improve the skills or solve a problem for the Guild community. I love to hear from you head on over to testguild.info And let's make it happen.