Security Testing Tools And Practices
Purpose
Security testing gives teams feedback about risk. No single tool is enough. The useful approach is layered testing: code, dependencies, secrets, containers, infrastructure, APIs, running applications, and manual judgment.
Security tools should help developers fix problems earlier. If tools only create noisy reports nobody owns, they become decorative alarms.
Testing Types
| Type | What It Finds | When To Use |
|---|---|---|
| SAST | Code-level vulnerabilities and insecure patterns | Pull requests and CI |
| SCA | Vulnerable dependencies and licenses | Pull requests, scheduled scans |
| Secrets scanning | Tokens, passwords, keys in repos | Pre-commit, PR, CI |
| DAST | Runtime web/API vulnerabilities | Test/staging environments |
| IAST | Runtime issues with app instrumentation | Test environments |
| API security testing | Broken auth, schema issues, abuse cases | During API development |
| Container scanning | Vulnerable images and packages | Build pipeline and registry |
| IaC scanning | Cloud/Kubernetes/Terraform misconfiguration | PR and CI |
| Fuzz testing | Unexpected input handling issues | Parsers, APIs, critical components |
| Penetration testing | Human-led attack simulation | High-risk releases and periodic reviews |
Practical Tool Examples
| Area | Examples |
|---|---|
| Code scanning/SAST | GitHub CodeQL, SonarQube, Semgrep, Checkmarx, Veracode |
| Dependency scanning/SCA | GitHub Dependabot, GitHub Advanced Security, Snyk, Mend, OWASP Dependency-Check |
| Secrets scanning | GitHub secret scanning, Gitleaks, TruffleHog |
| DAST | OWASP ZAP, Burp Suite, StackHawk |
| API testing | OWASP ZAP, Postman/Newman, Schemathesis, Burp Suite |
| Container scanning | Trivy, Grype, Snyk Container, Docker Scout |
| IaC/Kubernetes scanning | Checkov, tfsec, Terrascan, kube-score, Kubescape |
| Runtime/cloud posture | Microsoft Defender for Cloud, AWS Security Hub, Google Security Command Center |
Tool names change. Testing categories matter more than vendor loyalty.
CI/CD Placement
Suggested pipeline placement:
- Pre-commit: formatting, linting, secrets scan where practical.
- Pull request: SAST, SCA, secrets scan, IaC scan, unit/security tests.
- Build: container scan, SBOM generation, signed artifacts where required.
- Deploy to test: DAST/API scan.
- Scheduled: dependency updates, deeper scans, license review.
- Release: risk review for high-severity unresolved findings.
How To Handle Findings
Each finding should have:
- Severity.
- Affected service/app.
- Owner.
- Evidence.
- Exploitability context.
- Fix or mitigation plan.
- Due date based on risk.
- Exception process if accepted temporarily.
Do not treat all findings equally. Fix high-risk exploitable issues quickly, tune noisy tools, and track accepted risk transparently.
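The finding record and the release-stage risk review described above can be made mechanical. The following is an added example (not a Simpro tool or part of this guide's original text): it reads scanner output in SARIF 2.1.0, buckets the numeric `security-severity` rule property into severity levels using the thresholds GitHub code scanning applies, assigns an owner by path prefix, derives a due date from severity, honours time-limited exceptions, and fails the release gate on any unresolved high or critical finding without a live exception. The SARIF document, the owner map, the SLA table and the exception entries are all constructed for illustration.

```python
"""Release gate over scanner findings (example added to the guide, not Simpro code).

Assumes scanners emit SARIF 2.1.0 with a numeric 'security-severity' rule property
(as CodeQL does) and that accepted risks are kept in a small exceptions list that
names an owner, a reason and an expiry date. All sample data below is constructed.
"""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed SARIF standing in for a SAST scan of one repository.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "sqli", "properties": {"security-severity": "9.1"}},
            {"id": "weak-hash", "properties": {"security-severity": "5.3"}},
            {"id": "debug-log", "properties": {"security-severity": "2.0"}},
        ]}},
        "results": [
            {"ruleId": "sqli", "message": {"text": "string-built SQL"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/orders.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash", "message": {"text": "MD5 used for passwords"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/auth.py"},
                                                 "region": {"startLine": 10}}}]},
            {"ruleId": "debug-log", "message": {"text": "verbose logging"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/log.py"},
                                                 "region": {"startLine": 7}}}]},
        ],
    }],
})

# Remediation windows per severity: the "due date based on risk" item (constructed values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    rule_id: str
    severity: str
    location: str
    owner: str
    due: date
    exception: Optional[str] = None   # reason, when the risk is accepted temporarily


def bucket(score: float) -> str:
    """Map a CVSS-style score to a bucket using GitHub code scanning's thresholds."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def load_findings(sarif_text: str, owners: dict, exceptions: list, today: date) -> list:
    """Turn raw SARIF results into tracked findings with owner, due date and exception."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc["runs"]:
        scores = {r["id"]: float(r.get("properties", {}).get("security-severity", 0))
                  for r in run["tool"]["driver"].get("rules", [])}
        for res in run["results"]:
            loc = res["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            location = f"{path}:{loc['region']['startLine']}"
            severity = bucket(scores.get(res["ruleId"], 0.0))
            # Ownership by path prefix; unknown paths get a default so nothing is orphaned.
            owner = next((o for prefix, o in owners.items() if path.startswith(prefix)),
                         "security-team")
            # An exception counts only while it has not expired.
            exc = next((e["reason"] for e in exceptions
                        if e["rule_id"] == res["ruleId"] and e["location"] == location
                        and date.fromisoformat(e["expires"]) >= today), None)
            findings.append(Finding(res["ruleId"], severity, location, owner,
                                    today + timedelta(days=SLA_DAYS[severity]), exc))
    return findings


def release_gate(findings: list) -> tuple:
    """Release review rule: no unresolved high/critical finding without a live exception."""
    blockers = [f"{f.severity} {f.rule_id} at {f.location} (owner {f.owner}, due {f.due})"
                for f in findings
                if f.severity in ("critical", "high") and f.exception is None]
    return (not blockers), blockers


if __name__ == "__main__":
    ok, blockers = release_gate(load_findings(SAMPLE_SARIF, {"app/": "orders-team"}, [], date.today()))
    print("release gate:", "pass" if ok else "blocked")
    for line in blockers:
        print(" -", line)
```

Low and medium findings still get an owner and a due date, so they are tracked rather than ignored; only the high and critical ones block a release, which keeps the gate from becoming one more alarm people learn to click past.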
Simpro Minimum Security Checks
For normal application repositories:
- Secrets scanning.
- Dependency scanning.
- Static code analysis.
- Container scanning if containers are built.
- IaC scanning if infrastructure is defined.
- Security unit/integration tests for authorization.
- DAST/API scanning for exposed web/API surfaces.
Manual Testing Still Matters
Automated tools are good at finding known patterns. Humans are better at finding business logic abuse.
Manually test:
- Can one tenant access another tenant's data?
- Can a normal user call admin APIs directly?
- Can workflow steps be skipped?
- Can IDs be changed to access another record?
- Can expired or revoked tokens still work?
- Can rate limits be bypassed?
- Are logs exposing sensitive data?
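Several of the manual checks above (cross-tenant reads, direct admin calls, changed IDs, revoked tokens) are also what the "security unit/integration tests for authorization" item in the minimum checks should encode, so they do not depend on someone remembering to try them. The following is an added example, not Simpro code: the `RecordService` is a constructed in-memory stand-in for an API, and `run_authz_checks` is the shape of the test suite. Against a real service the same checks would be made over HTTP with two tenant accounts and one admin account.

```python
"""Authorization checks as repeatable tests (example added to the guide, not Simpro code).

RecordService is a constructed in-memory stand-in for an API. Records are keyed by a
global, guessable integer ID but owned by a tenant, which is exactly the setup where
changing an ID in a request must still be refused.
"""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    tenant: str
    role: str            # "user" or "admin"
    revoked: bool = False


class RecordService:
    def __init__(self):
        self.sessions = {}   # token -> Session
        self.records = {}    # record id -> {"tenant": ..., "body": ...}

    def _auth(self, token: str) -> Session:
        s = self.sessions.get(token)
        if s is None or s.revoked:
            raise PermissionError("invalid or revoked token")
        return s

    def get_record(self, token: str, record_id: int) -> dict:
        s = self._auth(token)
        rec = self.records.get(record_id)
        # Tenant check on every read; a missing record and a foreign one get the same
        # answer so a caller cannot enumerate which IDs exist in other tenants.
        if rec is None or rec["tenant"] != s.tenant:
            raise PermissionError("not found")
        return rec

    def list_all_users(self, token: str) -> list:
        s = self._auth(token)
        if s.role != "admin":      # role is checked in the handler, not only in the UI
            raise PermissionError("admin only")
        return sorted(x.user for x in self.sessions.values())

    def revoke(self, token: str) -> None:
        self.sessions[token].revoked = True


def denied(fn) -> bool:
    """True when the call is refused with PermissionError; the tests assert denial explicitly."""
    try:
        fn()
    except PermissionError:
        return True
    return False


def error_text(fn):
    try:
        fn()
    except PermissionError as e:
        return str(e)
    return None


def build_fixture() -> RecordService:
    """Two tenants, one admin, one record each: the minimum fixture for these checks."""
    svc = RecordService()
    svc.sessions["tok-alice"] = Session("alice", "tenant-a", "user")
    svc.sessions["tok-bob"] = Session("bob", "tenant-b", "user")
    svc.sessions["tok-root"] = Session("root", "tenant-a", "admin")
    svc.records[1] = {"tenant": "tenant-a", "body": "alice invoice"}
    svc.records[2] = {"tenant": "tenant-b", "body": "bob invoice"}
    return svc


def run_authz_checks() -> dict:
    """Each key is one manual question from the guide turned into a pass/fail check."""
    svc = build_fixture()
    results = {
        # Positive case first, so a service that denies everything does not pass.
        "own_record_readable": svc.get_record("tok-alice", 1)["body"] == "alice invoice",
        # Changed ID pointing at another tenant's record.
        "cross_tenant_denied": denied(lambda: svc.get_record("tok-alice", 2)),
        # Foreign and non-existent IDs must be indistinguishable to the caller.
        "foreign_and_missing_look_alike": error_text(lambda: svc.get_record("tok-alice", 2))
        == error_text(lambda: svc.get_record("tok-alice", 999)),
        # Normal user calling an admin API directly.
        "admin_api_denied_to_user": denied(lambda: svc.list_all_users("tok-alice")),
        "admin_api_allowed_to_admin": "bob" in svc.list_all_users("tok-root"),
    }
    svc.revoke("tok-alice")
    results["revoked_token_denied"] = denied(lambda: svc.get_record("tok-alice", 1))
    return results


if __name__ == "__main__":
    for name, passed in run_authz_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

The checks pair each denial with a matching positive case; without that, a service that rejects every request would pass an authorization suite that only looks for refusals.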
Team Reference Guide
Guidelines For Teams
- Put security checks close to the developer.
- Tune tools to reduce noise.
- Assign owners to findings.
- Track remediation like normal engineering work.
- Combine automated scanning with threat-model-based manual tests.
Reflection Questions
- Which security issue would our current pipeline catch?
- Which issue would only be caught manually?
- Which tool is noisy enough that people ignore it?
- What high-risk flow needs an abuse-case test?
Further Study
- OWASP Web Security Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
- OWASP ZAP: https://www.zaproxy.org/
- CodeQL documentation: https://codeql.github.com/docs/
- Semgrep documentation: https://semgrep.dev/docs/
- OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/
- Trivy documentation: https://aquasecurity.github.io/trivy/
- Gitleaks documentation: https://gitleaks.io/
- Checkov documentation: https://www.checkov.io/
- SLSA framework: https://slsa.dev/