Security Testing Methodologies
Security testing is a critical part of application development that helps identify and address vulnerabilities before attackers can exploit them. This guide covers comprehensive security testing methodologies, tools, and best practices for web applications.
| Test Type | Description | When to Use |
|---|---|---|
| Vulnerability Assessment | Scan for known vulnerabilities | Regularly throughout development |
| Penetration Testing | Simulate attacks to exploit vulnerabilities | Pre-release, major changes |
| Static Application Security Testing (SAST) | Analyze source code for security issues | During development, CI/CD |
| Dynamic Application Security Testing (DAST) | Test running applications for vulnerabilities | Integration testing, staging |
| Interactive Application Security Testing (IAST) | Combine SAST and DAST | Advanced CI/CD pipelines |
| Software Composition Analysis (SCA) | Analyze dependencies for vulnerabilities | Throughout development |
| Security Code Review | Manual review of code for security issues | Critical security components |
Similar to the test pyramid, security testing should follow a structured approach:
```text
        /\
       /  \
      /    \   Manual Penetration Testing
     /      \
    /________\  DAST / API Security Testing
    |        |
    |        |  IAST / Fuzzing
    |________|
    |        |
    |        |  SAST / SCA / Secret Scanning
    |________|
```
- Base layers: Automated, fast, frequent (SAST, SCA)
- Middle layers: Semi-automated, targeted (IAST, API testing)
- Top layers: Manual, expert-driven (penetration testing)
OWASP ZAP is a free, open-source security tool for finding vulnerabilities in web applications.
```bash
# Install ZAP via Docker
docker pull owasp/zap2docker-stable

# Run automated baseline scan against the target and write an HTML report
docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
  -t https://example.com -g gen.conf -r testreport.html
```
```yaml
# .github/workflows/zap-scan.yml
name: OWASP ZAP Integration

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    - cron: '0 0 * * 0'  # Weekly scan

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    name: Scan the application
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: ZAP Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'https://staging.example.com'
          rules_file_name: '.zap/rules.tsv'
          cmd_options: '-a'
```
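A CI gate for the baseline scan above, added here as an example (not part of the original page or of the ZAP project): it reads the JSON report that `zap-baseline.py -J` writes, applies the per-plugin IGNORE/WARN/FAIL actions from a rules file in the layout of the `.zap/rules.tsv` the workflow references, and decides whether the job should fail. The report field names (`site`, `alerts`, `pluginid`, `riskcode`) follow ZAP's traditional JSON report as I know it and are assumptions; the sample report and rules are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of ZAP's traditional JSON report (zap-baseline.py -J):
# a top-level "site" list, each site carrying "alerts"; riskcode 0=Info, 1=Low, 2=Medium, 3=High.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "https://staging.example.com",
        "alerts": [
            {"pluginid": "10021", "name": "X-Content-Type-Options Header Missing", "riskcode": "1"},
            {"pluginid": "40012", "name": "Cross Site Scripting (Reflected)", "riskcode": "3"},
            {"pluginid": "10038", "name": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
        ],
    }]
})

# Constructed rules file in the three-column TSV layout the baseline scan reads:
# plugin id, action (IGNORE/WARN/FAIL), free-text rule name.
SAMPLE_RULES = """10021\tIGNORE\t(X-Content-Type-Options Header Missing)
40012\tFAIL\t(Cross Site Scripting (Reflected))
"""

RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def parse_rules(tsv_text):
    """Map plugin id -> action; blank lines and '#' comments are skipped."""
    rules = {}
    for line in tsv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        plugin_id, action = line.split("\t")[:2]
        rules[plugin_id.strip()] = action.strip().upper()
    return rules


def gate(report_json, rules_tsv, fail_at=2, default_action="WARN"):
    """Return (passed, summary). The build fails on any alert with a FAIL rule, or on any
    alert that is not IGNOREd and whose riskcode is at or above fail_at (default: Medium)."""
    rules = parse_rules(rules_tsv)
    summary = Counter()
    passed = True
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            action = rules.get(alert["pluginid"], default_action)
            if action == "IGNORE":
                summary["ignored"] += 1
                continue
            summary[RISK_NAMES.get(alert["riskcode"], "Unknown")] += 1
            if action == "FAIL" or int(alert["riskcode"]) >= fail_at:
                passed = False
    return passed, dict(summary)
```

Wire it into the job as a step after the scan, exiting non-zero when `gate` returns `False`, so a Medium or higher finding that nobody has explicitly triaged in the rules file blocks the merge.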
Nuclei is a fast, template-based vulnerability scanner focusing on extensive coverage.
```bash
# Install Nuclei
GO111MODULE=on go get -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei

# Run scan with the full community template set
nuclei -u https://example.com -t nuclei-templates/

# Use specific template directories (CVE checks and generic vulnerability checks)
nuclei -u https://example.com -t nuclei-templates/cves/ -t nuclei-templates/vulnerabilities/

# Save results to a file and export per-finding Markdown reports (-me takes a directory)
nuclei -u https://example.com -t nuclei-templates/ -o report.html -me html
```
```bash
# Run SonarQube with Docker
docker run -d --name sonarqube -p 9000:9000 sonarqube:latest

# Run SonarScanner for a JavaScript project
docker run --rm -e SONAR_HOST_URL="http://localhost:9000" \
  -v "$(pwd):/usr/src" \
  sonarsource/sonar-scanner-cli \
  -Dsonar.projectKey=my-project \
  -Dsonar.sources=. \
  -Dsonar.javascript.lcov.reportPaths=coverage/lcov.info
```
SonarQube configuration file (sonar-project.properties):
```properties
# Project settings
sonar.projectKey=my-project
sonar.projectName=My Project
sonar.projectVersion=1.0

# Path to source directories
sonar.sources=src
sonar.tests=tests

# Exclude files from analysis (dependencies and test specs)
sonar.exclusions=node_modules/**,**/*.spec.ts,**/*.test.ts

# Language
sonar.language=js
```