top of page

Security Testing Fundamentals for Developers

  • Contributor
  • Mar 25
  • 5 min read

Security testing has a reputation as something the security team does to you after you've shipped. In healthy teams, developers do most of the security testing themselves, with security teams catching what slips through. Done right, this catches issues weeks earlier and at much lower cost.

This guide is the fundamentals every developer should know.

The Layers

Security testing has roughly four layers:

  1. Static analysis (SAST) — scanning source code for known vulnerability patterns

  2. Dynamic analysis (DAST) — testing the running application from the outside

  3. Dependency scanning — checking third-party libraries for known vulnerabilities

  4. Penetration testing — humans actively trying to exploit the system

Each catches different things. A mature program uses all four.

SAST: Static Analysis

Tools scan your source code for patterns associated with vulnerabilities:

  • SQL injection (unsafe string concatenation)

  • XSS (unescaped user input in HTML)

  • Hard-coded secrets

  • Insecure crypto usage

  • Path traversal

  • Insecure deserialization

Common SAST tools: Semgrep, SonarQube, Snyk Code, GitHub Advanced Security.

Strengths:

  • Fast — runs in CI on every commit

  • Cheap — open-source options exist

  • Catches whole classes of issues

Weaknesses:

  • High false positive rate (especially generic rules)

  • Misses runtime-dependent issues

  • Can be silenced or ignored if not enforced

Practical approach: run SAST in CI with curated rules (tune out the noise), block PRs on high-confidence findings, log lower-confidence ones for review.

DAST: Dynamic Analysis

Tools test the running application from the outside, sending malicious-looking inputs to see what the application does.

Common DAST tools: OWASP ZAP, Burp Suite, Nuclei.

Strengths:

  • Catches runtime issues SAST misses

  • Tests the application as deployed

  • Finds configuration mistakes

Weaknesses:

  • Slower than SAST

  • May miss issues that require authentication

  • Can disrupt running systems if not careful

Practical approach: run DAST against staging environments, not production. Schedule weekly or pre-release. Don't run from CI on every commit.

Dependency Scanning

Most modern applications include hundreds of third-party libraries. Many have known vulnerabilities (CVEs).

Tools: Dependabot, Snyk, Renovate.

These tools:

  • List all dependencies

  • Check against vulnerability databases

  • Flag known issues

  • Often produce automatic update PRs

Strengths:

  • Catches a major source of real-world breach

  • Automated; minimal effort per check

  • Drives steady upgrade cadence

Weaknesses:

  • False positives common (vulnerability in code path you don't use)

  • Triage required — not every CVE is actionable

  • Updates can break things

Practical approach: enable dependency scanning, triage findings weekly, update aggressively on critical CVEs, batch routine updates.

Penetration Testing

Humans actively trying to break in. Sometimes internal red team, sometimes external firm.

Strengths:

  • Finds chains of issues automated tools miss

  • Tests business-logic vulnerabilities

  • Produces actionable reports with remediation guidance

Weaknesses:

  • Expensive

  • Time-boxed; can't run continuously

  • Quality varies dramatically by tester

Practical approach: annual pentest at minimum; before major releases; after significant architecture changes. Vendor quality matters more than vendor brand.

What Developers Should Watch For

The OWASP Top 10 is a regularly-updated list of common web vulnerabilities. Worth knowing:

  • Broken access control — users accessing data or functions they shouldn't

  • Cryptographic failures — weak crypto, exposed sensitive data

  • Injection — SQL, command, LDAP injection

  • Insecure design — fundamental design flaws

  • Security misconfiguration — default credentials, exposed config

  • Vulnerable components — outdated libraries

  • Authentication failures — weak auth, session issues

  • Data integrity failures — unsigned updates, compromised pipelines

  • Logging failures — insufficient or excessive logging

  • Server-side request forgery (SSRF)

For each, learn the pattern and the mitigation. Most are simple to avoid once you've seen them.

Building Security Into Tests

Beyond dedicated security tools, security-relevant tests in your normal suite:

  • Authentication tests (signed-out users can't access protected resources)

  • Authorization tests (users can't access other users' data)

  • Input validation tests (malicious-looking inputs are rejected)

  • Rate limiting tests (abuse patterns are slowed or blocked)

  • CSRF tests (cross-origin requests handled correctly)

These aren't separate from your regular tests. They're part of behavior verification. Treat security as a behavior, not a separate concern.

Threat Modeling

Before testing security, understand what you're defending against.

A lightweight threat model asks:

  • What are we protecting? (data, services, money, reputation)

  • Who might attack us? (random scanners, motivated attackers, insiders)

  • What could they do? (steal data, deny service, escalate privilege)

  • What's the impact?

This shapes your testing priorities. A simple internal tool needs different testing than a payment processor.

The Shift-Left Approach

"Shift left" means catching security issues earlier in the development cycle, where they're cheaper to fix.

Concrete shift-left practices:

  • Secrets scanning in pre-commit hooks

  • SAST in PR checks

  • Dependency scanning continuous

  • Security review for sensitive design changes

  • Developer training on common patterns

The alternative — security finding issues at the end — costs much more to address and produces friction between teams.

Common Mistakes

Checkbox security. Running tools and ignoring results. Worse than not running them.

Tool overload. Five SAST tools producing thousands of findings. Triage costs more than insight.

Security-only-at-pen-test-time. Spending nothing during development, then surprised by the pentest results.

Security as gate, not partner. Security team enters at the end with veto. Friction guaranteed.

Ignoring DAST. Running only SAST. Misses runtime issues.

A Working Setup for a Small Team

If you have nothing today:

  1. Enable Dependabot or equivalent dependency scanning

  2. Add a SAST tool (Semgrep or similar) to CI with curated rules

  3. Run secrets scanning as a pre-commit hook

  4. Set up basic DAST (OWASP ZAP) against staging weekly

  5. Schedule an annual pentest

Total setup time: a few days. Ongoing cost: low. Coverage: enough to catch most common issues.

Reading Results

Security tools produce findings. Each finding needs triage:

  • True positive, exploitable: fix

  • True positive, not exploitable in your context: document why; consider preventive fix anyway

  • False positive: tune the rule

  • Ambiguous: investigate

Track triage decisions. Without tracking, the same false positive gets re-triaged forever.

Integration With Development

Security testing works best when it's integrated, not bolted on:

  • Findings appear in normal review tools (PR comments)

  • Severity levels respect normal priority systems

  • Security regressions are tracked like other regressions

  • Security learnings feed back into engineering practices

The team's culture should treat security findings the same as functional bugs: serious, prioritized, fixable.

Key Takeaway

Security testing has four layers: SAST (code analysis), DAST (running application), dependency scanning (third-party libraries), and penetration testing (human-driven). Each catches different things. Developers should run SAST in CI, scan dependencies continuously, and write security-relevant tests as part of normal coverage. Threat modeling guides priorities. Shift-left practices catch issues weeks before they'd otherwise surface. The mature program isn't running all the tools; it's integrating findings into normal development flow.

Related reading

Keep learning. This article is part of the Software Testing Foundations path in the ShiftQuality Learning Center. Learn to design tests that catch real bugs.

bottom of page