Security Testing and Penetration Testing Notes
Security Testing and Penetration Testing
Learning Outcome
- Demonstrate how to perform security testing and penetration testing (static, dynamic, and fuzz testing) on an application.
Lecture Outline
- Overview of Security Testing
- Penetration Testing
- Fuzz Testing
- Static and Dynamic Analysis
- Integrating Security Testing into CI/CD Pipelines
- Comparison: Testing Type
- Real-World Examples with Different Security Testing Types
- Summary
Overview of Security Testing
What is Security Testing?
- A process to identify vulnerabilities and weaknesses in software systems.
- Objective: Ensure that software protects data and maintains functionality as intended.
Why is it Important?
- Prevents data breaches
- Protects user trust
- Ensures regulatory compliance (e.g., GDPR, HIPAA)
Types of Security Testing
| Type | Purpose |
|---|
| Vulnerability Scanning | Detect known vulnerabilities in the system |
| Penetration Testing | Simulate real-world attacks to find weaknesses |
| Static Analysis | Analyze source code for vulnerabilities |
| Dynamic Analysis | Monitor application during runtime for security flaws |
| Fuzz Testing | Feed unexpected inputs to trigger crashes or bugs |
Penetration Testing
Definition
- Simulates attacks to exploit vulnerabilities in a system, like an ethical hacker.
Phases of Penetration Testing
- Planning & Reconnaissance
- Scanning (Port scan, service enumeration)
- Gaining Access (SQLi, XSS)
- Maintaining Access
- Analysis & Reporting
Case Study: Target Corporation (2013 Breach)
- Attackers exploited a third-party vendor access.
- Penetration testing could’ve identified insecure external access policies.
Types of Penetration Testing
| Type | Description |
|---|
| Black Box | No internal knowledge |
| White Box | Full knowledge of application |
| Grey Box | Partial internal knowledge |
Advantages and Disadvantages
| Advantages | Disadvantages |
|---|
| Advantages | Identifies real-world attack paths | Needs skilled professionals |
| Tests system configuration & logic | |
| Compliance & audit preparation | |
Fuzz Testing
Definition
- Sends malformed or random data as input to discover vulnerabilities.
How It Works
- Input data is generated (random or based on templates)
- Application response is monitored for crashes, memory leaks, or exceptions.
Example
- Testing a file parser by feeding it corrupted image files.
Case Study - Apple iMessage (2016)
- Fuzzing found a vulnerability that allowed remote code execution.
Best Used For
- Protocol parsers
- Media files (e.g., image viewers)
- Network services
Advantages and Disadvantages
| Advantages | Disadvantages |
|---|
| Advantages | Finds unknown vulnerabilities | High number of false positives |
| Can be automated | May not detect business logic flaws |
| Effective on input-heavy programs | |
Static and Dynamic Analysis
Static Analysis (SAST)
- Analyzing source code without executing the program
Definition
- Static Code Analysis involves examining source code or binaries before the software is run to identify potential vulnerabilities, logic flaws, and coding standard violations.
Common Techniques
- Pattern Matching & Rules: Detects known insecure functions (e.g.,
strcpy, eval) - Data Flow Analysis: Tracks how data moves through code to spot tainted data flows
- Control Flow Analysis: Checks logical code paths for unreachable or insecure code
- Code Metrics: Flags overly complex or lengthy functions (linked to bugs or risks)
Examples of What It Can Detect
- SQL Injection flaws in code
- Cross-Site Scripting (XSS) in web templates
- Hardcoded credentials (e.g., API keys, passwords)
- Buffer overflows (unsafe memory handling in C/C++)
- SonarQube, Fortify, Checkmarx, Bandit (for Python)
Advantages
- Fast feedback during development
- Catches issues early (shift left)
- No need for a running application
Disadvantages
- May report false positives
- Can't detect runtime-specific issues
- Needs access to source code
Dynamic Analysis (DAST)
- Testing application behavior during execution
Definition
- Dynamic Code Analysis involves running the application and monitoring its runtime behavior to detect security issues like memory leaks, logic errors, or unauthorized access.
Common Techniques
- Fuzz Testing: Sending malformed/random inputs to observe crashes
- Instrumentation: Injecting tracking logic to monitor behavior
- Dynamic Taint Analysis: Observing how input data flows at runtime
- Memory Analysis: Detects leaks or access violations
Examples of What It Can Detect
- Authentication bypasses
- Race conditions
- Memory leaks and buffer overflows (at runtime)
- Session hijacking or insecure cookie handling
- OWASP ZAP (web applications), Burp Suite Pro (DAST), Valgrind (memory debugging for C/C++), AppScan
Advantages
- Catches real-world vulnerabilities
- Detects issues missed by static analysis
- Can be applied to third-party/closed-source apps
Disadvantages
- Slower than static analysis
- Needs a working environment and test data
- Limited code coverage compared to static analysis
Quick Comparison: Static Analysis (SAST) vs. Dynamic Analysis (DAST)
| Aspect | Static Analysis (SAST) | Dynamic Analysis (DAST) |
|---|
| Execution required? | ❌ No | ✅ Yes |
| Source Code Access Needed? | ✅ Yes | ❌ Not always |
| Best Time to Use | During development | During testing / pre-release |
| Speed | Faster | Slower |
| Scope | Source code, binaries | HTTP traffic, runtime execution |
| Vulnerability Coverage / Detects | Coding errors, insecure logic | Runtime flaws (XSS, SQLi) |
| False Positives | Higher | Moderate |
| Skill Requirement | Requires developer access and understanding | Less dependency on source code |
| Tools | SonarQube, Fortify | OWASP ZAP, Valgrind, Burp Suite |
SAST vs DAST vs Penetration Testing
- SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) vs penetration testing types (white-box, black-box, grey-box).
| Aspect | SAST | DAST | Penetration Testing |
|---|
| Execution Required? | ❌ No (analyzes code statically) | ✅ Yes (analyzes app at runtime) | ✅ Yes (simulates real-world attacks) |
| Knowledge of System? | Requires full access to source code (white-box) | No code access needed (black-box) | Varies: black-box, white-box, grey-box |
| Focus | Code quality, logic flaws, insecure code | Runtime behavior, environment flaws | Exploitable attack paths, real-world risk |
| Tool-based or Manual? | Mostly automated | Mostly automated | Often manual + tool-assisted |
| Testing Purpose | To identify vulnerabilities in code during development | To test behavior of live app under various conditions | To exploit vulnerabilities and assess impact |
| Best Fit In SDL | Early development phase | QA/ Testing/ Staging phase | Pre-production, audits, security reviews |
Analogy: Testing a Safe Activity
| What it does |
|---|
| SAST (White-box) | Reads the blueprint of the safe to find design flaws |
| DAST (Black-box) | Tries to open the safe without knowing what’s inside |
| Penetration Testing | Thinks like a thief—finds and uses any real-world way to break in |
How Penetration Testing Types Compare
| Type of Pen Test | Access Level | Similar To | Used For |
|---|
| White-box | Full knowledge (code, infra) | Like SAST + manual | Deep assessment of internal flaws, trusted insider attack |
| Black-box | No knowledge | Like DAST + manual | Simulates external attacker, unknown environment |
| Grey-box | Partial knowledge (e.g., credentials) | Combines both | Simulates an attacker with insider access or limited info |
Summary
- SAST ≈ White-box testing because it requires source code access.
- DAST ≈ Black-box testing because it tests the app without knowing its internals.
- Penetration Testing is broader and more goal-oriented:
- White-box pen testing uses insider knowledge.
- Black-box pen testing simulates an outsider with no knowledge.
- Grey-box is in-between.
- Key Difference: SAST / DAST are security testing methods/tools, while penetration testing is a security assessment approach (often including human expertise, strategy, and tools).
Integrating Security Testing into CI / CD Pipelines
- CI: Continuous Integration
- CD: Continuous Delivery (or Deployment).
What is CI/CD Pipelines?
- CI/CD stands for Continuous Integration and Continuous Delivery (or Deployment).
- It's a modern DevOps practice that automates the process of building, testing, and deploying software, making development faster, safer, and more reliable.
- CI: Continuous Integration
- CD: Continuous Delivery / Deployment
- Developers frequently push code (commits) into a shared repository (e.g., GitHub, GitLab).
- Each commit triggers:
- Automated build
- Automated tests (unit, security, etc.)
- Code quality checks (e.g., static analysis)
- Once code passes CI, CD automates the release process to move the tested software to:
- Staging (for manual approval)
- or Production (if fully automated)
- 💡💡 Goal: Catch bugs or issues early before code is merged into production.
- 💡💡 Goal: Deliver features, fixes, and updates quickly and reliably.
Why Integration Matters
- Early detection = lower remediation cost
- Automated = consistent and repeatable testing
Integrating Security Testing into CI/CD Pipelines
- Also known as "Shift-Left Security" or DevSecOps, this means embedding security testing early and throughout the pipeline—not just before release.
Example CI/CD Pipeline with Security
- Developer commits code → triggers CI
- Static analysis runs to find code issues
- Build is created
- Fuzz or unit tests run on build
- DAST tool scans staging app
- Security gate checks for vulnerability thresholds
- Deploy only if passed
Security Actions by Stage
| Stage | Security Action | Tools Example |
|---|
| Code Commit | Static Code Analysis (SAST) | SonarQube, Fortify, Checkmarx |
| Build Stage | Dependency & Vulnerability Scanning | Snyk, OWASP Dependency-Check |
| Test Stage | Dynamic App Security Testing (DAST), Fuzzing | OWASP ZAP, Burp Suite, Boofuzz |
| Pre-deploy | Configuration Checks, Secrets Detection | Trivy, kube-hunter, git-secrets |
| Production | Continuous Monitoring & Alerting | Wazuh, Falco, SIEM tools |
Benefits of Security in CI/CD
- Early detection of security flaws
- Reduced cost of fixing vulnerabilities
- Automated enforcement of security best practices
- Promotes a security-first culture in DevOps
Challenges
- Balancing speed vs. security scans
- False positives if tools not configured properly
- Requires security awareness from developers
CI/CD Pipeline (with security) – Simple Flow Diagram
- [Developer Commit]
- ↓
- [CI] → Static Code Analysis (SAST)
- ↓
- [Build] → Dependency Scanning
- ↓
- [Test] → DAST, Fuzzing
- ↓
- [CD] → Secure Deployment to Staging/Production
- ↓
- [Monitor] → Runtime Threat Detection & Logging
Comparison: Testing Type
Comparison Table: Testing Type Purposes
| Testing Type | Purpose | Tools Example |
|---|
| SAST | Analyze source code for security flaws before deployment | SonarQube, Fortify, Checkmarx |
| DAST | Test the application at runtime from an external perspective | OWASP ZAP, Burp Suite (scanner) |
| Penetration Testing | Simulate real-world attacks to assess business risk | Metasploit, manual + tools |
| Fuzz Testing | Identify unexpected input or crashes with malformed data | Peach Fuzzer, Boofuzz, AFL |
| Vulnerability Scanning | Automatically scan systems for known vulnerabilities | Nessus, OpenVAS, Qualys |
Real-World Examples with Different Security Testing Types
Example 1: E-Commerce Web Application
| Testing Type | Example Action |
|---|
| SAST | Analyze checkout logic for SQL injection in source code. |
| DAST | Test shopping cart and search fields for XSS or logic flaws at runtime. |
| Penetration Testing | Simulate attacker exploiting unauthenticated access to admin panel. |
| Fuzz Testing | Send malformed product data or price values to crash or break ordering process. |
| Vulnerability Scanning | Use automated scanner (e.g., OpenVAS, Nessus) to detect outdated plugins or known CVEs in backend systems. |
Wrap-up Summary
| Technique | When to Use | Key Benefits |
|---|
| Penetration Test | Pre-deployment / audit | Realistic attacker view |
| Fuzz Testing | Input validation functions | Discover unknown bugs |
| SAST | During development | Quick feedback to devs |
| DAST | During staging/deployment | Find runtime issues |
| CI/CD Integration | Throughout SDL | Automate and enforce security gates |
Tutorial Activity: Real-World Examples with Different Security Testing Types
- Example 2: Online Banking Mobile App
- Example 3: Hospital Management System (Web-Based)
- Example 4: University Student Portal
- Example 5: Smart IoT Device Web Interface
| Testing Type | Example Action |
|---|
| SAST | |
| DAST | |
| Penetration Testing | |
| Fuzz Testing | |
| Vulnerability Scanning | |