Security testing is the process of evaluating a web application's defences against potential threats. It encompasses a range of techniques and tools designed to discover vulnerabilities before attackers do. A robust security testing programme combines automated scanning with manual testing throughout the software development lifecycle.
| Type | Acronym | Description | When to Use |
|---|---|---|---|
| Static Application Security Testing | SAST | Analyses source code without executing it | During development (in IDE, CI/CD) |
| Dynamic Application Security Testing | DAST | Tests the running application from the outside | Against a deployed instance, normally staging; production only with care, since active payloads can alter data |
| Interactive Application Security Testing | IAST | Combines SAST and DAST using instrumented code | During integration and QA testing |
| Software Composition Analysis | SCA | Identifies known vulnerabilities in third-party dependencies | Continuous — integrated into CI/CD |
| Penetration Testing | Pentest | Simulated attack by skilled testers | Periodically (quarterly, annually) |
| Bug Bounty | — | External researchers find and report vulnerabilities | Ongoing |
SAST tools analyse source code, bytecode, or binary code to find security vulnerabilities without running the application.
```text
Source Code ──▶ [SAST Engine] ──▶ Vulnerability Report
                     │
             Analyses control flow,
             data flow, and patterns
```
| Strengths | Limitations |
|---|---|
| Finds vulnerabilities early (shift left) | High false-positive rate; findings need triage |
| Can scan the entire codebase | Cannot detect runtime issues |
| Identifies the exact line of code | Cannot exercise runtime behaviour such as authentication and session handling |
| Fast and automated | Language-specific — each tool supports specific languages |
| Integrates into IDE and CI/CD | Does not see the deployed environment (server configuration, headers, TLS) |
| Tool | Languages | Notes |
|---|---|---|
| Semgrep | 30+ languages | Open source; highly configurable rules |
| SonarQube | 25+ languages | Popular open-source platform with commercial edition |
| CodeQL | C/C++, C#, Go, Java/Kotlin, JavaScript/TypeScript, Python, Ruby, Swift | GitHub's code analysis engine; queries written in the QL language |
| Checkmarx | 25+ languages | Enterprise SAST platform |
| Fortify | 25+ languages | Enterprise SAST by OpenText (formerly Micro Focus) |
| Bandit | Python | Python-specific security linter |
| ESLint security plugins | JavaScript/TypeScript | eslint-plugin-security, eslint-plugin-no-unsanitized |
```yaml
# GitHub Actions example — running Semgrep in CI
name: SAST
on: [push, pull_request]
jobs:
  semgrep:
    runs-on: ubuntu-latest
    # The older returntocorp/semgrep-action is archived; Semgrep's documented
    # approach is to run its official container image and call the CLI directly.
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error returns a non-zero exit code when findings exist, so the job fails
      - run: semgrep scan --config p/owasp-top-ten --error
```
DAST tools test a running application by sending requests and analysing responses, simulating an external attacker.
```text
[DAST Scanner] ──▶ HTTP Requests (crafted payloads) ──▶ [Running Application]
       ▲                                                         │
[Vulnerability Report] ◀── Analysis of Responses ◀───────────────┘
```
| Strengths | Limitations |
|---|---|
| Tests the actual running application | Cannot identify the exact line of vulnerable code |
| Language and framework agnostic | Slower than SAST (needs a running app) |
| Finds runtime issues (misconfigurations, missing headers) | Cannot see inside the application |
| Low false-positive rate for certain classes (a reflected payload or a missing header is observable) | Misses authenticated functionality unless the scanner is given credentials or a session |
| Tests the complete stack | Coverage depends on crawling ability |
| Tool | Type | Notes |
|---|---|---|
| OWASP ZAP | Free, open source | The most widely used free DAST tool |
| Burp Suite | Commercial (with free Community edition) | Industry standard for manual and automated testing |
| Nuclei | Free, open source | Fast, template-based vulnerability scanner |
| Nikto | Free, open source | Web server scanner focused on misconfigurations |
| OWASP Amass | Free, open source | Attack-surface mapping and subdomain enumeration; a reconnaissance tool that feeds scanners rather than a scanner itself |
ZAP is the most popular free security testing tool for web applications.
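To show the DAST loop in the diagram above in code, here is a minimal scanner written for this lesson. It is an added example, not code from ZAP, Burp or any other tool listed. It sends one request carrying a marker payload, then judges the reply on two observable properties: security headers that are absent, and whether the payload came back without HTML encoding. The header baseline, the probe marker and the in-process vulnerable target are assumptions constructed for the demo; only the standard library is used.

```python
"""Minimal DAST-style check: probe a running app over HTTP and judge the replies.

Added teaching example. The analysis functions are pure so they can be run on
constructed responses; scan_url() wires them to a live target. The header
baseline and probe marker are assumed values, not an official checklist.
"""
import urllib.parse
import urllib.request

# Headers a scanner typically flags when absent (assumed baseline).
EXPECTED_HEADERS = {
    "content-security-policy": "missing Content-Security-Policy",
    "x-content-type-options": "missing X-Content-Type-Options: nosniff",
    "strict-transport-security": "missing Strict-Transport-Security (relevant over HTTPS)",
    "x-frame-options": "missing X-Frame-Options (or CSP frame-ancestors)",
}

# Marker chosen so an accidental match in normal page content is unlikely.
XSS_PROBE = '"><dasttest1337>'


def check_headers(headers):
    """Return one finding per expected security header absent from the response."""
    present = {name.lower() for name in headers}
    return [msg for name, msg in EXPECTED_HEADERS.items() if name not in present]


def check_reflection(body, probe=XSS_PROBE):
    """Return a finding only if the probe is reflected without HTML encoding.

    An encoded reflection such as &lt;dasttest1337&gt; is safe behaviour, so
    the raw probe is the only thing that counts.
    """
    if probe in body:
        return ["input reflected without HTML encoding (potential XSS)"]
    return []


def analyse_response(headers, body, probe=XSS_PROBE):
    """What a scanner runs on every response: combine the checks."""
    return check_headers(headers) + check_reflection(body, probe)


def scan_url(url, param="q", probe=XSS_PROBE, timeout=5):
    """Send one probing request to a live target and analyse the reply."""
    target = f"{url}?{urllib.parse.urlencode({param: probe})}"
    with urllib.request.urlopen(target, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
        return analyse_response(dict(resp.getheaders()), body, probe)


# Constructed responses standing in for a real target.
VULNERABLE = ({"Content-Type": "text/html"},
              f"<p>No results for {XSS_PROBE}</p>")
HARDENED = ({"Content-Type": "text/html",
             "Content-Security-Policy": "default-src 'self'",
             "X-Content-Type-Options": "nosniff",
             "Strict-Transport-Security": "max-age=63072000",
             "X-Frame-Options": "DENY"},
            "<p>No results for &quot;&gt;&lt;dasttest1337&gt;</p>")

if __name__ == "__main__":
    import threading
    from http.server import BaseHTTPRequestHandler, HTTPServer

    class VulnerableApp(BaseHTTPRequestHandler):
        """Constructed target: echoes ?q= unencoded and sets no security headers."""
        def do_GET(self):
            query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
            body = f"<p>No results for {query.get('q', [''])[0]}</p>".encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep demo output clean
            pass

    server = HTTPServer(("127.0.0.1", 0), VulnerableApp)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/search"
    for finding in scan_url(url):
        print("finding:", finding)
    server.shutdown()
    print("hardened sample:", analyse_response(*HARDENED) or ["no findings"])
```

Run stand-alone, the script starts the constructed target on a loopback port, scans it and prints five findings; the hardened sample produces none. Two of the table's points are visible here: the scanner never sees which line of the handler is at fault, only the symptom, and it only finds what it can reach, so a parameter it never sends a probe to (or a page behind a login) is never tested.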