Security Testing

Security testing is the part of software testing that looks for flaws, vulnerabilities, threats, risks and weaknesses in an application so that it does not malfunction, stop working or get exploited.

There are several types of security testing that can be applied:

  • Vulnerability scanning.

  • Security scanning.

  • Penetration testing.

  • Ethical hacking.

These types of security testing can be applied at the different test phases:

  • Unit test.

  • Integration test.

  • System test.

  • Functional test.

Moreover, security testing can be classified into three areas:

  • Static Application Security Testing (SAST).

  • Dynamic Application Security Testing (DAST).

  • Software Composition Analysis (SCA).

Static Application Security Testing

SAST analyzes the source code or binaries to find flaws, vulnerabilities or weaknesses against a rule set such as the OWASP Top 10, the CWE list and the coding standards. It is a white-box testing method, usually performed in the early stages of the software development cycle because it does not need a running application.

Currently, the company uses two tools to perform and automate this analysis on builds and ensure the quality of the code: SonarQube and Semgrep CLI (both described under Tools below).

Both tools run during change integration (pull requests) and after the changes are integrated (master builds).
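To make concrete what a SAST rule encodes (a sink, a CWE and OWASP category, a severity and a message) and what a finding looks like, here is a minimal pattern-based scanner as an added example. It is not SonarQube, Semgrep or project code: the rule ids are hypothetical, the scanned source is constructed, and it matches lines with regular expressions, whereas real SAST tools work on the AST and track data flow.

```javascript
// Added example (not SonarQube, Semgrep or project code): a minimal SAST pass
// that encodes two rules the way a custom Semgrep rule would (sink, CWE, OWASP
// category, severity) and runs them over a constructed JavaScript source file.
// It matches text with regular expressions; real tools work on the AST and
// track data flow, so this only illustrates what a rule encodes and reports.

const INNERHTML_ASSIGN = /\.innerHTML\s*=(?!=)\s*(.*)$/;

// True when the right-hand side is a single string literal with no
// interpolation, i.e. constant markup that cannot carry untrusted data.
// Assumes the literal itself contains no '//' (trailing comments are stripped).
function isConstantString(rhs) {
  const expr = rhs.replace(/\/\/.*$/, '').trim().replace(/;$/, '').trim();
  return /^'[^']*'$/.test(expr)
    || /^"[^"]*"$/.test(expr)
    || (/^`[^`]*`$/.test(expr) && !expr.includes('${'));
}

const RULES = [
  {
    id: 'js-dom-xss-innerhtml', // hypothetical rule id
    cwe: 'CWE-79',
    owasp: 'A03:2021 Injection',
    severity: 'HIGH',
    message: 'Non-constant value assigned to innerHTML; use textContent or sanitize first',
    check: (text) => {
      const m = INNERHTML_ASSIGN.exec(text);
      return m !== null && !isConstantString(m[1]);
    },
  },
  {
    id: 'js-eval-injection', // hypothetical rule id
    cwe: 'CWE-95',
    owasp: 'A03:2021 Injection',
    severity: 'CRITICAL',
    message: 'eval() of runtime data allows code injection',
    check: (text) => /\beval\s*\(/.test(text),
  },
];

// Scan one file; one finding per (line, rule) hit. Comment-only lines are skipped.
function scanSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    if (text.trim().startsWith('//')) return;
    for (const rule of RULES) {
      if (rule.check(text)) {
        findings.push({
          file: fileName, line: idx + 1, ruleId: rule.id, cwe: rule.cwe,
          owasp: rule.owasp, severity: rule.severity, message: rule.message,
        });
      }
    }
  });
  return findings;
}

// Constructed sample source: two vulnerable lines, one hardened, one constant.
const SAMPLE_SOURCE = [
  '// constructed sample, not project code',
  'const params = new URLSearchParams(location.search);',
  "const name = params.get('name');",
  "document.getElementById('greet').innerHTML = 'Hello, ' + name; // vulnerable: untrusted input reaches an HTML sink",
  "document.getElementById('greet').textContent = 'Hello, ' + name; // hardened: rendered as text, never parsed as HTML",
  "document.getElementById('banner').innerHTML = '<b>Welcome</b>'; // constant markup: not flagged",
  "const cfg = eval(params.get('cfg')); // vulnerable: code injection",
].join('\n');

for (const f of scanSource('sample.js', SAMPLE_SOURCE)) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.ruleId} (${f.cwe}) ${f.message}`);
}
```

The same innerHTML check written as a real Semgrep rule would use `pattern: $EL.innerHTML = $X` together with `pattern-not: $EL.innerHTML = "..."`, which matches on the syntax tree rather than on line text and therefore also handles multi-line assignments that the regex above would miss.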

Dynamic Application Security Testing

Work in progress...

Software Composition Analysis

Software Composition Analysis (SCA) searches the dependencies used by our projects for known vulnerabilities and license risks. This analysis is performed in the early stages of the development life cycle, as dependencies are added or updated.

The tools used for this analysis are:

  • Vulnerabilities: NPM Audit (described under Tools below).

  • License risks: work in progress...
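NPM Audit can emit its report as JSON, which is what a dashboard widget or a pipeline gate consumes. The following added example (not the project's pipeline code) shows such a gate: it reads a report, decides pass or fail from a severity threshold, and separates direct dependencies from transitive ones. The report is constructed and modelled on the npm 7+ layout (auditReportVersion 2); the package names, advisory titles and URLs are invented, and the shape of `fixAvailable` and `via` follows that format as an assumption.

```javascript
// Added example (not the project's pipeline code): consuming `npm audit --json`
// output as a build gate. The report below is constructed and modelled on the
// npm 7+ report layout (auditReportVersion 2); package names, advisory titles
// and URLs are invented.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser',
      severity: 'high',
      isDirect: true, // listed in our own package.json
      via: [{ title: 'Prototype pollution in example-parser', url: 'https://example.invalid/advisories/1', severity: 'high' }],
      range: '<2.0.0',
      fixAvailable: { name: 'example-parser', version: '2.0.1', isSemVerMajor: true },
    },
    'example-util': {
      name: 'example-util',
      severity: 'moderate',
      isDirect: false, // transitive: pulled in through example-parser
      via: ['example-parser'],
      range: '*',
      fixAvailable: true,
    },
    'example-log': {
      name: 'example-log',
      severity: 'low',
      isDirect: true,
      via: [{ title: 'ReDoS in example-log', url: 'https://example.invalid/advisories/2', severity: 'low' }],
      range: '<1.4.0',
      fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide pass/fail for a report.
//   failOn:     lowest severity that blocks the build (default 'high')
//   directOnly: when true, transitive findings are reported but never block
function auditGate(report, { failOn = 'high', directOnly = false } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const blocking = [];
  const advisory = [];
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    const entry = {
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      range: v.range,
      // fixAvailable is true/false or an object describing the fixing version
      fixAvailable: Boolean(v.fixAvailable),
      needsMajorUpgrade: typeof v.fixAvailable === 'object' && Boolean(v.fixAvailable.isSemVerMajor),
      // "via" mixes advisory objects with plain package names for transitive paths
      advisories: (v.via || []).filter((x) => typeof x === 'object').map((x) => x.title),
      viaPackages: (v.via || []).filter((x) => typeof x === 'string'),
    };
    const blocks = (SEVERITY_RANK[v.severity] || 0) >= threshold && (!directOnly || entry.isDirect);
    (blocks ? blocking : advisory).push(entry);
  }
  return { pass: blocking.length === 0, blocking, advisory, counts };
}

const result = auditGate(SAMPLE_AUDIT);
console.log(result.pass
  ? 'audit gate: PASS'
  : `audit gate: FAIL (${result.blocking.map((b) => `${b.name}:${b.severity}`).join(', ')})`);
```

`npm audit --audit-level=high` already fails the command at a severity threshold; what this gate adds is the distinction between direct and transitive findings and the `needsMajorUpgrade` flag, so a dashboard can show which failures are a one-line `npm update` and which need a planned major-version bump.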

Tools

SonarQube: uses the CWE Top 25 and OWASP Top 10 lists to analyze the source code for vulnerabilities, bugs and security hotspots. Through the SonarQube API these metrics can also be shown on dashboards. The SonarQube documentation describes the setup, and the rules used for SAST analysis are listed in the SonarSource rules.

Semgrep CLI: uses the CWE Top 25 and OWASP Top 10 vulnerability lists, and additionally supports custom rules to cover and validate checks not included in those lists; this is how it is used for the Frontend analysis. The rulesets used for SAST can be found in the Semgrep Registry, and for more help see the Semgrep documentation.

NPM Audit: Node package manager tool that analyzes the dependencies declared in a package.json to find known vulnerabilities and risks. It generates a JSON file that can be shown through a widget on dashboards; if required, that widget is the npm audit widget.