Overview

Protecting the Data and the User

Security testing is no longer optional. With the rise of GDPR and frequent data breaches, ensuring application security is a core QA responsibility.

Security testing focuses on the CIA Triad: Confidentiality, Integrity, and Availability. It aims to identify any possible loopholes and weaknesses in the software system that might result in a loss of information or reputation.

Our Recommendation
9/10

Best Practices

Dos and Don'ts

Avoid common mistakes that can lead to flaky tests and maintenance nightmares.

What to do

  • Run automated vulnerability scanners in your CI/CD pipeline.
  • Validate all user inputs to prevent SQL injection and Cross-Site Scripting (XSS).
  • Ensure all sensitive data is encrypted at rest and in transit.

Common Pitfalls

  • Don't rely solely on automated scans; they miss complex logical vulnerabilities.
  • Don't ignore third-party libraries; they are a frequent source of security holes (use SCA tools).

The Details

SAST vs. DAST in the QA Pipeline

Modern Security QA uses two main automated methods. SAST (Static Application Security Testing) analyzes code without running it to find common coding errors. DAST (Dynamic Application Security Testing) tests the running application from the outside, mimicking an attacker. Combining both in your pipeline ensures that you catch 'vulnerable code' during the build and 'vulnerable behaviors' during staging.
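As an added illustration (not code from this page), the 'vulnerable code' versus 'vulnerable behavior' distinction in Python: the input-validation advice above shown as a query built by string concatenation beside its parameterized form, a DAST-style regression check that exercises the live function, and a deliberately simplified SAST-style rule that flags dynamically built SQL in source. The table, its rows and the source sample are constructed for the demonstration.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory sample database for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """'Vulnerable code': untrusted input is spliced into the SQL text, so a
    value containing quote characters changes the query's meaning."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn, name):
    """Hardened form: the input is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def behaves_safely(lookup, conn):
    """DAST-style check a QA test runs against the live function: a lookup
    for a name that contains SQL syntax must match no real user."""
    return lookup(conn, "x' OR '1'='1") == []

# SAST-style rule (deliberately simplified; real tools use data-flow analysis):
# a line that contains a SQL keyword and also builds the string dynamically.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
DYNAMIC_STRING = re.compile(r"""["']\s*\+|\+\s*["']|%\s*\(|\.format\(|\bf["']""")

def sast_flag_lines(source):
    """Return 1-based line numbers of SQL statements built by concatenation or formatting."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if SQL_KEYWORD.search(line) and DYNAMIC_STRING.search(line)]

# Constructed source sample: lines 1 and 3 build SQL dynamically, 2 and 4 bind parameters.
SAMPLE_SOURCE = '''\
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
cur.execute(f"DELETE FROM sessions WHERE id = {sid}")
cur.execute("UPDATE users SET role = %s WHERE id = %s", (role, uid))
'''
if __name__ == "__main__":
    db = make_db()
    print("vulnerable passes DAST check:", behaves_safely(find_user_vulnerable, db))  # False
    print("safe passes DAST check:", behaves_safely(find_user_safe, db))              # True
    print("SAST flagged lines:", sast_flag_lines(SAMPLE_SOURCE))                       # [1, 3]
```

The static rule catches the concatenated query at build time; the behavioral check catches the same defect in a running instance, which is the complementary coverage the paragraph describes.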