Security Testing: SAST, DAST, and Penetration Testing
Security testing identifies vulnerabilities in software before they are exploited. Different security testing approaches address different types of vulnerabilities at different stages of the development lifecycle. A comprehensive security testing programme combines automated scanning with human expert assessment.
SAST: Static Application Security Testing
SAST analyses source code without executing it, looking for common vulnerability patterns: injection, insecure configuration, dangerous function calls, and hard-coded credentials. Tools: SonarQube, Semgrep, Checkmarx, Bandit (Python), Brakeman (Rails). It integrates into CI pipelines and runs on every code change. It is fast and has a low false-negative rate for known patterns, but it cannot find vulnerabilities that only manifest at runtime.
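A minimal illustration of the pattern matching SAST performs, as an added example (not code from Bandit, Semgrep or any other tool named here): an AST walk over a constructed Python snippet that flags dangerous calls, subprocess calls with shell=True, and string constants assigned to secret-looking names. The rule set, the Finding type and the sample source are all hypothetical.

```python
from __future__ import annotations
import ast
from dataclasses import dataclass

# Hypothetical rule set for this added example; real tools ship far larger ones.
DANGEROUS_CALLS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load"}
SECRET_NAMES = ("password", "secret", "api_key", "token")


@dataclass
class Finding:
    rule: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'os.system'; '' if not a simple name."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def scan_source(source: str) -> list[Finding]:
    """Static scan: parse, never execute, and match nodes against the rules."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DANGEROUS_CALLS:
                findings.append(Finding("dangerous-call", node.lineno, name))
            # subprocess.* with shell=True is the classic command-injection pattern
            if name.startswith("subprocess."):
                for kw in node.keywords:
                    if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                        findings.append(Finding("shell-true", node.lineno, name))
        elif isinstance(node, ast.Assign):
            v = node.value
            if isinstance(v, ast.Constant) and isinstance(v.value, str) and v.value:
                for t in node.targets:
                    if isinstance(t, ast.Name) and any(s in t.id.lower() for s in SECRET_NAMES):
                        findings.append(Finding("hardcoded-secret", node.lineno, t.id))
    return findings


# Constructed sample input containing one of each pattern plus a benign assignment.
SAMPLE = "import os, subprocess\nDB_PASSWORD = \"hunter2\"\nretries = 3\n" \
         "def run(cmd):\n    subprocess.run(cmd, shell=True)\n    os.system(cmd)\n    eval(cmd)\n"

if __name__ == "__main__":
    for f in sorted(scan_source(SAMPLE), key=lambda f: f.line):
        print(f"{f.rule}:{f.line}: {f.detail}")
```

The benign `retries = 3` line is not flagged; every other statement in the sample produces one finding, which is the kind of known-pattern coverage SAST is good at.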
DAST: Dynamic Application Security Testing
DAST tests the running application by sending malicious inputs and analysing the responses, finding vulnerabilities that only manifest at runtime: SQL injection, XSS, authentication failures, insecure headers. Tools: OWASP ZAP, Burp Suite, Nuclei. Run it against staging environments, not production. It is more realistic than SAST, but slower, and it requires a running application.
Penetration Testing
Penetration testing (pen testing) employs human security professionals who actively attempt to compromise your application, infrastructure, and processes, thinking like attackers. It is more thorough than automated scanning and finds complex vulnerability chains that tools miss. Annual penetration tests are standard for production applications handling sensitive data, and are commonly required for compliance (PCI DSS, ISO 27001, SOC 2).
Dependency Scanning
Third-party dependencies are a major vulnerability source. Tools like Dependabot, Snyk, and OWASP Dependency-Check scan for known vulnerabilities in your dependency tree. Run automatically and keep dependencies updated.