Security Testing
Levels of security testing
- Static analysis (SAST) — scan source code.
- Dynamic analysis (DAST) — scan running app.
- Dependency scan — Snyk, Dependabot.
- Penetration test (pentest) — manual + tool by security pro.
- Bug bounty — incentive external researchers.
OWASP Top 10 (always check)
- Injection (SQL, NoSQL, command).
- Broken authentication.
- Sensitive data exposure.
- XML External Entities.
- Broken access control.
- Security misconfiguration.
- XSS.
- Insecure deserialization.
- Vulnerable components.
- Insufficient logging.
Tools
- OWASP ZAP — free, dynamic scanner.
- Burp Suite — pro tool.
- SonarQube — static analysis.
- Snyk — dependency scanning.
- Metasploit — exploit framework.
Process
- Threat modeling — identify attack surfaces.
- Static scan in CI.
- Dynamic scan staging weekly.
- Pentest quarterly by external firm.
- Bug bounty for mature org.
VN context
SBV regulation: banking app pentest mandatory annually by certified firm.
ATTT Decree 2018: data localization, encryption at rest, breach notification 72h.
Cost
- Pentest annual ~$15-50K from VN firm (CMC, Bkav).
- International firm: $50-200K.
- Bug bounty: variable, hackerone, intigriti.
Roles
- AppSec engineer — embedded in QA team.
- Security champion — dev volunteer learn security.
- Quarterly pentest — outsource.