Adversaries exploit vulnerabilities to compromise systems. For instance, a vulnerability in a Web browser sandbox may allow an attacker to leak private data. Reducing the number of bugs improves security guarantees. We will discuss two key scenarios of system security: detecting bugs introduced by developers and bugs introduced by compilers. Since software is written by human beings, any program suffers from bugs. Improving testing prevents bugs from reaching production environments. Even for bug-free programs, compilers can still introduce hideous side effects that undermine the security premises. I will first introduce automatic testing, while the second part will discuss security challenges caused by misalignments between compiler optimizations and security assumptions.