Security Testing for Applications

Security testing is the practice of finding vulnerabilities before attackers do. Unlike functional testing — which verifies what the application does — security testing verifies what the application should never do: leak data, escalate privileges, accept injection, or expose internal state.

Security Testing Types

Type	When	What It Finds	Speed
SAST (Static)	At code time	Code-level vulnerabilities, hardcoded secrets	Seconds
SCA (Composition)	At build time	Vulnerable dependencies, license issues	Seconds
DAST (Dynamic)	At runtime	Injection, XSS, misconfigurations	Minutes
IAST (Interactive)	During testing	Runtime code paths with vulnerabilities	During tests
Penetration testing	Pre-release	Business logic flaws, chained exploits	Days
Fuzzing	Continuous	Crash bugs, buffer overflows, unexpected input handling	Hours

SAST (Static Application Security Testing)

Tool	Languages	Integration	Best For
Semgrep	30+ languages	CLI, CI, IDE	Custom rules, fast scanning
SonarQube	25+ languages	Server + CI	Enterprise security + quality
CodeQL	6+ languages	GitHub native	Open source, deep analysis
Snyk Code	10+ languages	CLI, IDE, CI	Developer-friendly, real-time
Checkmarx	25+ languages	Enterprise platform	Compliance-driven orgs

What SAST Catches

Vulnerability	Example
SQL injection	String concatenation in queries
XSS	Unsanitized user input in HTML
Path traversal	User-controlled file paths
Hardcoded secrets	API keys, passwords in source code
Insecure deserialization	Untrusted data in deserialize calls
Weak cryptography	MD5/SHA1 for passwords, weak key sizes

SCA (Software Composition Analysis)

Tool	Ecosystem	Database	Best For
Snyk	NPM, pip, Maven, Go, etc.	Proprietary	Developer workflow integration
Dependabot	GitHub ecosystem	GitHub Advisory DB	GitHub-native projects
Trivy	Containers + languages	Multiple DBs	Container + dependency scanning
OWASP Dependency-Check	Java, .NET, Node	NVD	Open source, comprehensive
Renovate	Multi-platform	Multiple	Auto-update + vulnerability alerts

DAST (Dynamic Application Security Testing)

Tool	Approach	Best For
OWASP ZAP	Proxy-based scanner	Free, comprehensive web scanning
Burp Suite	Proxy + active scanner	Professional penetration testing
Nuclei	Template-based scanner	Fast, customizable scanning
Nikto	Web server scanner	Server misconfiguration
sqlmap	SQL injection automation	Database-specific injection testing

OWASP Top 10 Testing Coverage

Vulnerability	Test Method
A01: Broken Access Control	DAST + manual review of authorization logic
A02: Cryptographic Failures	SAST + SSL/TLS scanner
A03: Injection	SAST + DAST + fuzzing
A04: Insecure Design	Threat modeling + manual review
A05: Security Misconfiguration	DAST + infrastructure scanning
A06: Vulnerable Components	SCA
A07: Auth Failures	DAST + custom tests
A08: Data Integrity Failures	SAST + DAST
A09: Logging Failures	Manual review + SAST
A10: SSRF	DAST + fuzzing

CI/CD Integration

Pull Request:
    → SAST scan (Semgrep/CodeQL) — block on critical/high
    → SCA scan (Snyk/Trivy) — block on known exploited CVEs
    → Secret scanning (gitleaks) — block on any detection

Merge to main:
    → Full SAST scan
    → DAST scan against staging
    → Container image scan

Pre-release:
    → Penetration test (quarterly)
    → Compliance scan

Fuzzing

Tool	Target	Language
AFL++	Binary fuzzing	C/C++
LibFuzzer	In-process fuzzing	C/C++
Atheris	Python fuzzing	Python
Jazzer	JVM fuzzing	Java/Kotlin
go-fuzz	Go fuzzing	Go
cargo-fuzz	Rust fuzzing	Rust

Anti-Patterns

Anti-Pattern	Problem	Fix
Security testing only before release	Vulnerabilities found too late to fix	Shift left: SAST on every PR
Ignoring SCA alerts	Known vulnerabilities in production	Auto-patch with Dependabot, block on critical CVEs
DAST without authentication	Misses authenticated-only vulnerabilities	Configure DAST with valid session tokens
No severity triage	All findings treated equally	Categorize: critical (block), high (fix in sprint), medium (backlog)
Penetration testing once a year	Gaps between tests accumulate	Quarterly pen tests + continuous automated scanning

Checklist

SAST integrated into PR pipeline (block on critical findings)
SCA scanning on every build (block on known exploited CVEs)
Secret scanning on every commit (gitleaks or GitHub secret scanning)
DAST runs against staging after every deployment
Container image scanning before pushing to registry
Penetration testing scheduled quarterly
OWASP Top 10 coverage verified
Security findings triaged and tracked like bugs
Developer security training annually

:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For application security consulting, visit garnetgrid.com. :::