name: security-testing-patterns description: Security testing patterns including SAST, DAST, penetration testing, and vulnerability assessment techniques. Use when implementing security testing pipelines, conducting security audits, or validating application security controls.

Security Testing Patterns

Expert guidance for implementing comprehensive security testing strategies including static analysis, dynamic testing, penetration testing, and vulnerability assessment.

When to Use This Skill

Implementing security testing pipelines in CI/CD
Conducting security audits and vulnerability assessments
Validating application security controls and defenses
Performing penetration testing and security reviews
Configuring SAST/DAST tools and interpreting results
Testing authentication and authorization mechanisms
Evaluating API security and compliance with OWASP standards
Integrating security scanning into development workflows
Responding to security findings and prioritizing remediation
Training teams on security testing methodologies

Core Concepts

Security Testing Pyramid (Layered Approach)

Unit Security Tests - Test security functions (encryption, validation)
SAST - Static analysis during development
SCA - Dependency and component vulnerability scanning
DAST - Dynamic testing in running applications
IAST - Interactive analysis combining SAST and DAST
Penetration Testing - Manual security testing by experts
Red Team Exercises - Adversarial simulation testing

Testing Categories

Static Testing (SAST)

Analyzes source code without execution
Early detection in development lifecycle
Complete code coverage
High false positive rates

Dynamic Testing (DAST)

Tests running applications
Detects runtime and configuration issues
Language agnostic
Requires deployed environment

Composition Analysis (SCA)

Scans dependencies for vulnerabilities
Tracks license compliance
Automated remediation options

Manual Testing

Penetration testing
Business logic validation
Complex attack scenarios

Quick Reference

Task	Load reference
Static Application Security Testing (SAST)	`skills/security-testing-patterns/references/sast.md`
Dynamic Application Security Testing (DAST)	`skills/security-testing-patterns/references/dast.md`
Software Composition Analysis (SCA)	`skills/security-testing-patterns/references/sca.md`
Penetration Testing Techniques	`skills/security-testing-patterns/references/penetration-testing.md`
API Security Testing (OWASP Top 10)	`skills/security-testing-patterns/references/api-security.md`
Fuzzing and Property-Based Testing	`skills/security-testing-patterns/references/fuzzing.md`
Security Automation Pipeline	`skills/security-testing-patterns/references/automation-pipeline.md`

Security Testing Workflow

Phase 1: Planning

Define security requirements and threat model
Select appropriate testing tools and techniques
Establish baseline security posture
Set severity thresholds and acceptance criteria

Phase 2: Automated Testing

SAST - Integrate into IDE and CI/CD pipeline
SCA - Configure dependency scanning (npm audit, Snyk, Dependabot)
DAST - Schedule scans against deployed environments
Container Scanning - Scan Docker images (Trivy, Aqua)

Phase 3: Manual Testing

Authentication and authorization testing
Business logic vulnerability assessment
API security testing (OWASP API Top 10)
Penetration testing and exploitation

Phase 4: Analysis and Remediation

Triage findings by severity and exploitability
Eliminate false positives
Prioritize remediation based on risk
Track vulnerabilities to resolution
Verify fixes with regression testing

Phase 5: Continuous Monitoring

Monitor for new vulnerabilities in dependencies
Re-scan after code changes
Conduct periodic penetration tests
Update security baselines and policies

Common Mistakes

Tool Selection

Wrong: Using only SAST or only DAST
Right: Layered approach combining multiple testing types

False Positive Management

Wrong: Ignoring or suppressing findings without review
Right: Systematic triage process with security team validation

Integration Timing

Wrong: Security testing only before release
Right: Continuous security testing throughout development

Scope Definition

Wrong: Testing only main application code
Right: Include dependencies, APIs, infrastructure, and third-party integrations

Remediation Priority

Wrong: Fixing all findings equally
Right: Risk-based prioritization (severity × exploitability × business impact)

Authentication in Testing

Wrong: DAST scans without authentication
Right: Configure authenticated scanning to test protected features

Best Practices

Shift Left: Integrate security testing early in development
Continuous Testing: Automate security scans in CI/CD pipelines
Layered Approach: Combine SAST, DAST, SCA, and manual testing
Risk-Based Testing: Prioritize testing based on threat model
False Positive Management: Establish process for triaging findings
Remediation Tracking: Use SIEM/SOAR for vulnerability management
Regular Updates: Keep security tools and signatures current
Security Champions: Train developers in security testing
Metrics and KPIs: Track security posture over time
Compliance Validation: Map tests to regulatory requirements

Resources

OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
OWASP API Security: https://owasp.org/www-project-api-security/
NIST SP 800-115: Technical Guide to Information Security Testing
PTES: Penetration Testing Execution Standard
SANS Security Testing: https://www.sans.org/security-resources/
HackerOne Methodology: https://www.hackerone.com/ethical-hacker/hack-learn
PortSwigger Academy: https://portswigger.net/web-security

security-testing-patterns

$ 安裝