Menu
ESC

Nhập từ khóa để tìm kiếm

↑↓ Di chuyển
Enter Mở
ESC Đóng

Đang tải...

Bài 25 — Security Testing Process & Pentest

Test Strategy and QA Leadership Bài 25/60

Security Testing

Levels of security testing

  • Static analysis (SAST) — scan source code.
  • Dynamic analysis (DAST) — scan running app.
  • Dependency scan — Snyk, Dependabot.
  • Penetration test (pentest) — manual + tool by security pro.
  • Bug bounty — incentive external researchers.

OWASP Top 10 (always check)

  • Injection (SQL, NoSQL, command).
  • Broken authentication.
  • Sensitive data exposure.
  • XML External Entities.
  • Broken access control.
  • Security misconfiguration.
  • XSS.
  • Insecure deserialization.
  • Vulnerable components.
  • Insufficient logging.

Tools

  • OWASP ZAP — free, dynamic scanner.
  • Burp Suite — pro tool.
  • SonarQube — static analysis.
  • Snyk — dependency scanning.
  • Metasploit — exploit framework.

Process

  • Threat modeling — identify attack surfaces.
  • Static scan in CI.
  • Dynamic scan staging weekly.
  • Pentest quarterly by external firm.
  • Bug bounty for mature org.

VN context

SBV regulation: banking app pentest mandatory annually by certified firm. ATTT Decree 2018: data localization, encryption at rest, breach notification 72h.

Cost

  • Pentest annual ~$15-50K from VN firm (CMC, Bkav).
  • International firm: $50-200K.
  • Bug bounty: variable, hackerone, intigriti.

Roles

  • AppSec engineer — embedded in QA team.
  • Security champion — dev volunteer learn security.
  • Quarterly pentest — outsource.