Upcoming Webinar: Rethinking Email Security with Forrester April 20 at 9AM EST / 4PM CET

Sandbox Software Development: Use Cases and Techniques

What is Sandbox Software Development?

sandbox is an independent testing environment that lets you run programs and files without affecting the surrounding applications or operating system. The sandbox ensures that applications under test and related processes cannot access user data, system resources, and networks without restrictions.

Sandboxes provide many benefits for developers and testers, including:

  • Predictable behavior of software regardless of where or how it was deployed, which is critical for consistent testing results
  • The ability to test software in multiple environments using one physical test machine
  • Protecting other parts of the environment against faults in the software under test
  • Faster deployment of software for testing purposes and easier automation

When software developers use sandboxes to test new code, they are known as development sandboxes or testing sandboxes. Another use of sandboxes is for security—sandboxes can be used by security experts to test for malware and security threats.

Use Cases of Sandboxes in Software Development

Here are a few ways sandboxes can be used as part of a software development lifecycle:


Developers need a fast feedback cycle to be productive. Instead of coding on their local machine and waiting for a build server to create the full product on a remote environment, with the help of a sandbox they can build and test software on their local machine. The local sandbox can contain a full working environment, including databases and other integrated components.

Software testing

Agile software testing needs a way to deploy software automatically and consistently multiple times a day. Sandboxes are a great way to achieve this—packaging software in an isolated environment, which can be deployed on any test server, and functions the same way regardless where it is installed.

Security testing

Security is an inseparable part of modern software development processes, with the advent of DevSecOps (the joining of development, security, and operations into one organization). Sandboxes are extremely important in security testing, because if software is infected by malware or other threats, they could do damage to test machines and spread to the rest of the environment. Sandbox testing ensures that threats cannot have any effect on the system outside the sandbox.

Demos and POCs

Software often needs to be demonstrated to stakeholders, prospective customers, or existing customers considering an upgrade. Sandboxes make it easy to package software in a predictable environment, together with test data that can allow the user to try out its important functions. The sandbox can either be deployed and used by sales engineers or marketing teams, or it can be shipped directly to the customer or user, and installed in their local environment.

Sandboxing Techniques

There are four primary ways you can set up a sandbox for software development purposes:

Sandbox Programs

Possibly the most popular is Sandboxie, but other options include SHADE, Turbo.net and BitBox. These are easy to use software programs that can run any software in a sandbox, and also allow you to manage multiple sandboxes on the same machine.

Virtual Machine (VM)

A VM creates a full operating system, running directly on the host machine’s hardware (a Type 1 hypervisor) or on top of the host operating system (a Type 2 hypervisor). It provides a high level of isolation, and an environment that is indistinguishable from a regular operating system installed on a regular machine.

You can create a virtual machine image that contains your software under test and all its relevant dependencies. The downside is that VMs require a lot of system resources and take time to start, which can be significant in fast-paced testing environments.

For large-scale enterprise environments the leading providers of virtualization are VMware, Citrix, and Microsoft Hyper-V. For smaller scale use cases, you can use free, lightweight virtualization software like Oracle VirtualBox and Solarwinds Virtualization Manager.


Containerization, typically based on the Docker container engine, is extremely popular in software development. Containers package a software component, its configuration, files, and everything else it needs to run, in an isolated environment. A container is—for all intents and purposes—a sandbox.

However, containers can in theory allow access to the underlying operating system and other containers, and they must be configured properly to ensure full isolation.

Built-In Operating System Sandboxes

Windows 10 comes with Windows Sandbox, a built-in sandbox environment, based on Windows Container technology. It provides a clean operating system, into which you install the software you want to test and its dependencies. Windows Sandbox is lean on system resources because it uses the underlying Windows operating system.

Apple provides similar capability with its Apple Sandbox, based on the TrustedBSD API. In Linux, you can do something similar with seccomp-BPF, a kernel extension that can isolate a Linux process and prevent it from communicating with other processes.

Learn more in our detailed guides to Windows Sandbox.

What is API Sandboxing?

An API sandbox is a special type of software development sandbox, which allows users to experience APIs in a controlled environment.

A common problem with APIs is that, while they can be extremely useful, it can be difficult to connect to an API and learn how to use it. API sandboxes help users get a taste of an API without having to go to the effort of integrating it with their systems.

There are three main ways you can set up an API sandbox for your users: API sandbox, API virtualization, and API playground.

API Sandboxes

An API sandbox consists of a complex interactive UI and a predefined set of features defined by the provider. It is usually limited in capabilities, allowing users to perform simple calls and see their results.

Another big advantage of API sandboxes is that they can be preloaded with test data. This means that:

  • There are less security and compliance issues
  • Users can immediately get started with the API without having to load their proprietary data, which can be complex
  • It is easy to showcase important functions of the API, by loading it with relevant data

API sandboxes are not only useful for users—they can also provide testing data to developers. However, this data has limited significance, because the sandbox is not equivalent to the full production environment.

API virtualization

API virtualization, also known as service virtualization, has been around for more than a decade. There are many well known tools that provide it out of the box, such as Micro Focus Service Virtualization, Smartbear SoapUI, and Tricentis OSV.

API virtualization lets you provide a copy of your full API server. It is a mirror of the full production API, but which will typically showcase a new version or different functionality that is not available in the current production version.

The advantage of this approach is that it enables consistent and accurate testing, because the API is provided in a full, production-like environment. The disadvantage is that it is less suitable for user testing purposes, because it can be just as difficult for users to adopt as the real API. In addition, because it is a real variant of production code, it can create security and compliance risks.

API Playground

An API playground is a middle ground between sandboxing and API virtualization. An API playground is a full, production-like environment, but it is configured to offer limited functionality and may be loaded with limited data for testing and evaluation purposes. It is common to provide an API playground as a cloud-hosted service—meaning that the user can immediately access it, without having to download and deploy it locally.

API playgrounds are useful both for users and testers:

  • For users, they enable fast onboarding and easy testing of API capabilities.
  • For testers, they make it possible to see how real users interact with a realistic production system.