# Security Testing Overview

## OWASP Top 10 (2021)

| Rank | Vulnerability | Testing Method |
|------|--------------|----------------|
| A01 | Broken Access Control | Replay each role's requests as another role: IDOR, privilege escalation, forced browsing |
| A02 | Cryptographic Failures | TLS configuration, weak or misused algorithms, secrets or PII stored in plaintext |
| A03 | Injection (SQL/NoSQL/Cmd) | Test with payloads (see vulnerability-payloads.md) |
| A04 | Insecure Design | Threat modeling, abuse case testing |
| A05 | Security Misconfiguration | Default creds, open ports, missing headers, verbose error pages |
| A06 | Vulnerable and Outdated Components | SCA: npm audit, Snyk, Dependabot |
| A07 | Identification and Authentication Failures | Brute force / credential stuffing, weak password policy, session fixation and hijacking |
| A08 | Software and Data Integrity Failures | Insecure deserialization, unsigned updates, CI/CD pipeline security |
| A09 | Security Logging and Monitoring Failures | Verify security events (failed logins, access denials) are logged and alerted on |
| A10 | Server-Side Request Forgery (SSRF) | Supply internal and metadata URLs (127.0.0.1, 169.254.169.254) to URL-fetching parameters |

## Security Testing Types

### SAST (Static Analysis)
- **When**: Early development, pre-commit and on every pull request
- **Tools**: SonarQube, CodeQL, Semgrep
- **Focus**: Code-level flaws (tainted input reaching dangerous sinks, insecure API use) found without executing the program
- **Limitation**: High false-positive rate; blind to runtime configuration and deployed infrastructure

### DAST (Dynamic Analysis)
- **When**: QA/staging, against a running application
- **Tools**: OWASP ZAP, Burp Suite, Nuclei
- **Focus**: Runtime vulnerabilities as an attacker sees them (injection, auth and session flaws, misconfigured headers)
- **Limitation**: Requires a running, reachable and usually authenticated target; finds only what the crawler or API spec covers, and reports no file/line location

### SCA (Dependency Scanning)
- **Tools**: npm audit, Snyk, Dependabot
- **Focus**: Known CVEs in direct and transitive dependencies, resolved from the lockfile
- **Automation**: CI/CD integration, failing the build above an agreed severity

### Secret Detection
- **Tools**: detect-secrets, GitGuardian
- **Focus**: API keys, passwords, tokens and private keys committed to code or config
- **Implementation**: Pre-commit hooks to block new secrets, plus a scan of existing history; anything already pushed must be rotated, not just deleted
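
The pre-commit hook idea above, as an added example that is not from the original cheat sheet or from detect-secrets/GitGuardian: a plain-grep scanner for a handful of common credential shapes, wrapped in a hook body that refuses the commit. The pattern set, the function names and the sample file contents are constructed for illustration; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID used in AWS's own documentation, not a live credential.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): minimal secret scanning in
# grep, of the kind detect-secrets / GitGuardian automate. Illustrative rules only.

# One extended regex, built up per credential shape:
SECRET_RE='AKIA[0-9A-Z]{16}'                                   # AWS access key ID
SECRET_RE="$SECRET_RE|ghp_[A-Za-z0-9]{36}"                      # GitHub classic personal access token
SECRET_RE="$SECRET_RE|-----BEGIN [A-Z ]*PRIVATE KEY-----"       # PEM private key header
# generic "password/secret/api_key/token = '<8+ chars>'" assignment, common casings spelled out
SECRET_RE="$SECRET_RE|([Pp]assword|PASSWORD|[Ss]ecret|SECRET|[Aa]pi[_-]?[Kk]ey|API[_-]?KEY|[Tt]oken|TOKEN)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# $1: file to scan, or "-" (the default) to read stdin. Prints "line:text" per hit.
# Exits 0 whether or not anything matched; exits 2 only if grep itself failed (e.g. unreadable file).
scan_for_secrets() {
  local rc=0
  grep -nE -e "$SECRET_RE" -- "${1:--}" || rc=$?
  if [ "$rc" -eq 2 ]; then return 2; fi
  return 0
}

# Prints the number of matching lines (0 when clean).
count_secret_hits() {
  scan_for_secrets "${1:--}" | grep -c . || true
}

# Hook body for .git/hooks/pre-commit: scan every staged file, block the commit on any hit.
# Not invoked below, since it needs a git checkout.
precommit_secret_check() {
  local file status=0
  for file in $(git diff --cached --name-only --diff-filter=ACM); do
    [ -f "$file" ] || continue
    if [ "$(count_secret_hits "$file")" -gt 0 ]; then
      echo "pre-commit: possible secret in $file:" >&2
      scan_for_secrets "$file" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample config (not from any real repository): two fake credentials
# and one harmless setting. Expected hits: lines 1 and 2.
SAMPLE_CONFIG=$(cat <<'EOF'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
DB_PASSWORD = "correct-horse-battery"
log_level = "debug"
EOF
)

echo "Scanning constructed sample:"
printf '%s\n' "$SAMPLE_CONFIG" | scan_for_secrets
```

Install it by copying the functions into `.git/hooks/pre-commit` and ending the file with `precommit_secret_check || exit 1`, or wire it through the pre-commit framework. Regexes like these miss high-entropy strings that lack a recognisable prefix, which is why detect-secrets adds entropy heuristics; and a hook only stops new secrets, so pair it with a one-off scan of the repository history.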

## Quick Security Scan

```bash
# Dependency vulnerabilities (snyk test needs `snyk auth` or SNYK_TOKEN first)
npm audit
npx snyk test

# OWASP ZAP baseline scan: spiders for 1 minute, passive checks only
docker run -t ghcr.io/zaproxy/zaproxy:stable \
  zap-baseline.py -t https://example.com

# Nuclei scan with the community CVE templates, selected by tag so the
# command survives template-directory reorganisations
nuclei -u https://example.com -tags cve

# Check security headers: -D - dumps response headers, -o /dev/null drops the
# body; a GET is used rather than -I because some servers answer HEAD differently
curl -s -D - -o /dev/null https://example.com \
  | grep -iE "strict-transport|content-security|x-frame|x-content-type|referrer-policy"
```
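
The header check in the block above only greps for a few names. As an added example (not code from the original page), the script below turns that into a pass/fail check that runs offline: it reads raw response headers on stdin, reports which recommended headers are missing and which ones disclose the server stack. The required-header list, the function names and the sample response are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not part of the original cheat sheet): offline checker for the
# "security headers" step. Feed it `curl -s -D - -o /dev/null URL` in practice.

# Headers a hardened web response is expected to carry; compared case-insensitively.
REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy"

# Normalise stdin to one lower-case header name per line: status line dropped
# (no colon), CRLF line endings tolerated.
header_names() {
  tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }'
}

# Print each required header that is absent from the response, one per line.
missing_security_headers() {
  local present name
  present=$(header_names)
  for name in $REQUIRED_HEADERS; do
    printf '%s\n' "$present" | grep -qx -- "$name" || echo "$name"
  done
}

# Print the number of required headers missing (0 means the response passes).
count_missing_headers() {
  missing_security_headers | grep -c . || true
}

# Print headers that disclose the server stack (an A05 misconfiguration finding).
disclosing_headers() {
  header_names | grep -Ex 'server|x-powered-by' || true
}

# Constructed sample response (not captured from a real host): HSTS and nosniff
# are set; CSP, X-Frame-Options and Referrer-Policy are not; Express is disclosed.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Powered-By: Express'

echo "Missing headers:"
printf '%s\n' "$SAMPLE_HEADERS" | missing_security_headers
echo "Disclosing headers:"
printf '%s\n' "$SAMPLE_HEADERS" | disclosing_headers
```

Against a live target, `curl -s -D - -o /dev/null https://example.com | count_missing_headers` gives a number you can gate a pipeline on. Presence is only the first check: an HSTS header with a tiny `max-age`, or a CSP of `default-src *`, passes this script but protects nothing, so review the values once the names are in place.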

## Penetration Testing Phases

1. **Reconnaissance**: DNS, WHOIS, tech fingerprinting, staying inside the agreed scope and rules of engagement
2. **Scanning**: Port scan, service enumeration
3. **Vulnerability Assessment**: Automated + manual testing
4. **Exploitation**: Verify findings and demonstrate impact with minimal, agreed proof-of-concept actions
5. **Reporting**: CVSS scores, reproducible evidence, remediation guidance

## Tools Comparison

| Tool | Type | Cost | Best For |
|------|------|------|----------|
| OWASP ZAP | DAST | Free | CI/CD, learning |
| Burp Suite | DAST | Free (Community) / Paid (Professional) | Manual testing, enterprise, detailed |
| Nuclei | DAST (template-based) | Free | Custom checks, known-CVE sweeps |
| npm audit | SCA | Free | Node.js deps |
| Snyk | SCA | Free tier / Paid | Multi-language |

## CI/CD Integration

```yaml
# Security scanning steps for a GitHub Actions job (fragment: the job must
# check out the repo, install dependencies and start the app before these run)
- name: Dependency Scan
  run: npm audit --audit-level=high   # non-zero exit on high or critical advisories

- name: Initialize CodeQL             # analyze@v3 needs a matching init step
  uses: github/codeql-action/init@v3
  with:
    languages: javascript

- name: SAST Scan
  uses: github/codeql-action/analyze@v3

- name: DAST Scan
  # --network host lets the container reach the app on the runner's localhost:3000;
  # without it, localhost inside the container is the container itself
  run: |
    docker run --network host -v "$(pwd)":/zap/wrk:rw ghcr.io/zaproxy/zaproxy:stable \
      zap-api-scan.py -t http://localhost:3000/openapi.json -f openapi
```