12 Testing security


This chapter covers

  • Building a security-testing strategy for the organization
  • Applying four techniques to manually audit application security
  • Working with external security firms efficiently
  • Establishing and maintaining a bug bounty program

The concept of test-driven security (TDS) that we followed throughout part 1 of the book integrated security testing directly inside the CI/CD pipeline. By doing so, we tested new versions of services and applications before they reached production. It’s an ideal state that yields the fastest turnaround between discovering security issues and fixing them.

Yet the reality for most organizations is that only parts of their applications and services can be properly tested from within the pipeline. TDS will catch obvious mistakes and ensure that what reaches production complies with the security baseline of the organization, but it won’t catch the subtle vulnerabilities hidden deep in the code or the infrastructure. To find those, we need more sophisticated testing methods.

12.1 Maintaining security visibility

12.2 Auditing internal applications and services

12.2.1 Web-application scanners

12.2.2 Fuzzing

12.2.3 Static code analysis

12.2.4 Auditing cloud infrastructure

12.3 Red teams and external pen testing

12.4 Bug bounty programs

Summary