Security testing is a part of software testing mainly focus on a process to find flaws, vulnerabilities, threats, risks or weaknesses in order to avoid the application to malfunction, stop working or being exploited.

In addition, there are a diversity of types of security testing to be applied:

• Vulnerability scanning.

• Security scanning.

• Penetration testing.

• Ethical hacking.

Consequently, these types of security testing can be applied through the phases of testing like:

• Unit test.

• Integration test.

• System test.

• Functional test.

Moreover, the security testing can be classified on three areas:

• Static Application Security Testing (SAST).

• Dynamic Application Security Testing (DAST).

• Software Composition Analysis (SCA).

Static Application Security Testing

The SAST analyzes the source code or binaries to find flaws, vulnerabilities or weaknesses based on security rules list like owasp top 10, cwe and coding standards. This type of security testing is classified as a white box testing method usually performed on the early stages of software development cycle.

Currently, the company uses some tools to perform and automate this analysis on builds to ensure the quality of the code. These tools can be listed:

• SonarQube: uses cwe top 25 and owasp top 10 lists to analyze the source code for vulnerabilities, bugs and security hotspots. In addition, through SonarQube API these metrics can be shown on dashboards. Here can be found the SonarQube documentation and also the rules use for SAST analysis on SonarSource rules.

• Semgrep CLI: uses cwe top 25 and owasp top 10 vulnerabilities list but also has the feature of adding custom rules to cover and validate rules not being count on those lists, which is being used on Frontend analysis. To take a look on the rulesets used for SAST, those can be found on the Semgrep Registry and for more help here is the Semgrep documentation.

Both of those tools runs during changes integration (pull requests) and on post integration of changes (master builds).

Dynamic Application Security Testing

Work in progress...

Software Composition Analysis

The Software Composition Analysis (SCA) is a security analysis which search throughout the dependencies that are being used on our projects on the development phase for vulnerabilities or license risks. This type of analysis is performed on the early stages of the development life cycle.

Consequently, for this analysis the tools used to execute this analysis are:

• NPM Audit: node package manager tool to analyze on a package.json the dependencies in order to find vulnerabilities or risks. It generates a json file that can be shown through a widget on dashboards. If required this widget can be found here: npm audit widget.

• License risks: work in progress...