security-testing-patterns


Security Testing Patterns


Expert guidance for implementing comprehensive security testing strategies including static analysis, dynamic testing, penetration testing, and vulnerability assessment.

When to Use This Skill


  • Implementing security testing pipelines in CI/CD
  • Conducting security audits and vulnerability assessments
  • Validating application security controls and defenses
  • Performing penetration testing and security reviews
  • Configuring SAST/DAST tools and interpreting results
  • Testing authentication and authorization mechanisms
  • Evaluating API security and compliance with OWASP standards
  • Integrating security scanning into development workflows
  • Responding to security findings and prioritizing remediation
  • Training teams on security testing methodologies

Core Concepts


Security Testing Pyramid (Layered Approach)


  1. Unit Security Tests - Test security functions (encryption, validation)
  2. SAST - Static analysis during development
  3. SCA - Dependency and component vulnerability scanning
  4. DAST - Dynamic testing in running applications
  5. IAST - Interactive analysis combining SAST and DAST
  6. Penetration Testing - Manual security testing by experts
  7. Red Team Exercises - Adversarial simulation testing
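The base of the pyramid, unit security tests for the application's own security functions, is easiest to see in code. The block below is an added example, not code from the page or from the skill it describes: it defines two hypothetical helpers (PBKDF2 password hashing with constant-time verification, and an allow-list check for redirect targets) and the unit tests a team would keep in the regular test suite for them. The names, the iteration count and the host allow-list are assumptions chosen for illustration.

```python
"""Unit security tests for two small security functions (added example)."""
import hashlib
import hmac
import os
import unittest
from typing import Optional
from urllib.parse import urlparse

ALGORITHM = "pbkdf2_sha256"  # assumed record format: algo$iterations$salt$digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return a self-describing PBKDF2 record with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False  # malformed record: fail closed rather than raise
    return hmac.compare_digest(actual, expected)


def is_safe_redirect(url: str, allowed_hosts: set) -> bool:
    """Allow only same-site relative paths or https URLs to an allow-listed host."""
    if "\\" in url or "\r" in url or "\n" in url:
        return False  # browsers treat '\' like '/'; CR/LF would split headers
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with a single '/', never the scheme-relative '//'
        return url.startswith("/") and not url.startswith("//")
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


class SecurityUnitTests(unittest.TestCase):
    HOSTS = {"app.example"}  # constructed allow-list for the tests

    def test_password_round_trip(self):
        stored = hash_password("correct horse battery", iterations=1_000)
        self.assertTrue(verify_password("correct horse battery", stored))
        self.assertFalse(verify_password("Correct horse battery", stored))

    def test_fresh_salt_per_hash(self):
        self.assertNotEqual(hash_password("same", iterations=1_000),
                            hash_password("same", iterations=1_000))

    def test_malformed_record_fails_closed(self):
        self.assertFalse(verify_password("x", "not-a-record"))
        self.assertFalse(verify_password("x", "md5$1$00$00"))

    def test_redirect_allow_list(self):
        self.assertTrue(is_safe_redirect("/account", self.HOSTS))
        self.assertTrue(is_safe_redirect("https://app.example/settings", self.HOSTS))
        for bad in ("//evil.example/", "https://evil.example/",
                    "http://app.example/", "/\\evil.example",
                    "https://app.example@evil.example/", "javascript:alert(1)"):
            self.assertFalse(is_safe_redirect(bad, self.HOSTS), bad)


if __name__ == "__main__":
    unittest.main()
```

Each test pins down one property a scanner cannot check for you: the hash verifies only the exact password and uses a new salt every time, a corrupt record is rejected instead of raising, and the redirect check refuses scheme-relative, backslash, userinfo and non-https forms rather than trying to enumerate bad hosts.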

Testing Categories


Static Testing (SAST)
  • Analyzes source code without execution
  • Early detection in development lifecycle
  • Complete code coverage
  • High false positive rates
Dynamic Testing (DAST)
  • Tests running applications
  • Detects runtime and configuration issues
  • Language agnostic
  • Requires deployed environment
Composition Analysis (SCA)
  • Scans dependencies for vulnerabilities
  • Tracks license compliance
  • Automated remediation options
Manual Testing
  • Penetration testing
  • Business logic validation
  • Complex attack scenarios

Quick Reference


Task                                          Load reference
Static Application Security Testing (SAST)    skills/security-testing-patterns/references/sast.md
Dynamic Application Security Testing (DAST)   skills/security-testing-patterns/references/dast.md
Software Composition Analysis (SCA)           skills/security-testing-patterns/references/sca.md
Penetration Testing Techniques                skills/security-testing-patterns/references/penetration-testing.md
API Security Testing (OWASP Top 10)           skills/security-testing-patterns/references/api-security.md
Fuzzing and Property-Based Testing            skills/security-testing-patterns/references/fuzzing.md
Security Automation Pipeline                  skills/security-testing-patterns/references/automation-pipeline.md

Security Testing Workflow


Phase 1: Planning


  1. Define security requirements and threat model
  2. Select appropriate testing tools and techniques
  3. Establish baseline security posture
  4. Set severity thresholds and acceptance criteria

Phase 2: Automated Testing


  1. SAST - Integrate into IDE and CI/CD pipeline
  2. SCA - Configure dependency scanning (npm audit, Snyk, Dependabot)
  3. DAST - Schedule scans against deployed environments
  4. Container Scanning - Scan Docker images (Trivy, Aqua)

Phase 3: Manual Testing


  1. Authentication and authorization testing
  2. Business logic vulnerability assessment
  3. API security testing (OWASP API Top 10)
  4. Penetration testing and exploitation

Phase 4: Analysis and Remediation


  1. Triage findings by severity and exploitability
  2. Eliminate false positives
  3. Prioritize remediation based on risk
  4. Track vulnerabilities to resolution
  5. Verify fixes with regression testing

Phase 5: Continuous Monitoring


  1. Monitor for new vulnerabilities in dependencies
  2. Re-scan after code changes
  3. Conduct periodic penetration tests
  4. Update security baselines and policies

Common Mistakes


Tool Selection


  • Wrong: Using only SAST or only DAST
  • Right: Layered approach combining multiple testing types

False Positive Management


  • Wrong: Ignoring or suppressing findings without review
  • Right: Systematic triage process with security team validation

Integration Timing


  • Wrong: Security testing only before release
  • Right: Continuous security testing throughout development

Scope Definition


  • Wrong: Testing only main application code
  • Right: Include dependencies, APIs, infrastructure, and third-party integrations

Remediation Priority


  • Wrong: Fixing all findings equally
  • Right: Risk-based prioritization (severity × exploitability × business impact)
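The risk formula above, the Phase 4 triage steps and the false-positive rule (suppress only after review) fit together into one small gate that a CI job can run over the merged output of SAST, DAST and SCA. The block below is an added example, not code from the page or from the skill it describes; the finding shape, the weight tables and the sample findings are all constructed assumptions (real tools emit SARIF or their own JSON, which would be mapped onto this shape first).

```python
"""Risk-based triage and release gate for security findings (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Illustrative weights (assumed, not a standard scale): the page's formula is
# severity × exploitability × business impact.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPLOITABILITY = {"weaponized": 3, "proof-of-concept": 2, "theoretical": 1}
BUSINESS_IMPACT = {"checkout-api": 3, "internal-tool": 2, "marketing-site": 1}


@dataclass(frozen=True)
class Finding:
    fid: str
    tool: str               # sast | dast | sca
    rule: str
    severity: str
    exploitability: str
    asset: str
    suppress_reason: str = ""   # why someone believes it is a false positive
    reviewed_by: str = ""       # security-team member who validated that belief


def risk_score(f: Finding) -> int:
    """severity × exploitability × business impact; unknown assets get impact 1."""
    return SEVERITY[f.severity] * EXPLOITABILITY[f.exploitability] * BUSINESS_IMPACT.get(f.asset, 1)


def is_validated_suppression(f: Finding) -> bool:
    """A suppression only counts when it carries both a reason and a reviewer."""
    return bool(f.suppress_reason.strip()) and bool(f.reviewed_by.strip())


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Split findings into (actionable by descending risk, accepted, unreviewed suppressions).

    An unreviewed suppression stays actionable: silently dropping it is the
    'ignoring findings without review' mistake.
    """
    actionable, accepted, unreviewed = [], [], []
    for f in findings:
        if is_validated_suppression(f):
            accepted.append(f)
            continue
        if f.suppress_reason:
            unreviewed.append(f)
        actionable.append(f)
    actionable.sort(key=lambda f: (-risk_score(f), f.fid))
    return actionable, accepted, unreviewed


def gate(findings: List[Finding], fail_at: int) -> bool:
    """Release gate: pass only if no actionable finding reaches the risk threshold."""
    actionable, _, _ = triage(findings)
    return all(risk_score(f) < fail_at for f in actionable)


# Constructed sample: what a merged scan result might look like after mapping.
SAMPLE = [
    Finding("F1", "sast", "sql-injection", "high", "proof-of-concept", "checkout-api"),
    Finding("F2", "sca", "vulnerable-dependency", "critical", "weaponized", "marketing-site"),
    Finding("F3", "dast", "missing-security-header", "medium", "theoretical", "checkout-api"),
    Finding("F4", "sast", "weak-random", "low", "theoretical", "internal-tool",
            suppress_reason="only used to name temp files in tests", reviewed_by="appsec-team"),
    Finding("F5", "sast", "path-traversal", "high", "proof-of-concept", "checkout-api",
            suppress_reason="looks like noise"),  # no reviewer: not accepted
]

if __name__ == "__main__":
    todo, done, pending = triage(SAMPLE)
    for f in todo:
        print(f"{risk_score(f):>3}  {f.fid}  {f.tool:<4} {f.rule} ({f.asset})")
    print("accepted:", [f.fid for f in done], "needs review:", [f.fid for f in pending])
    print("gate(fail_at=12):", gate(SAMPLE, fail_at=12))
```

Two design points carry the page's guidance: business impact is keyed by asset, so a critical library flaw on the marketing site (score 12) ranks below a high-severity injection in the checkout API (score 18), and a suppression without a named reviewer is surfaced for review rather than honoured. The threshold passed to gate is the severity threshold agreed in the planning phase.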

Authentication in Testing


  • Wrong: DAST scans without authentication
  • Right: Configure authenticated scanning to test protected features

Best Practices


  1. Shift Left: Integrate security testing early in development
  2. Continuous Testing: Automate security scans in CI/CD pipelines
  3. Layered Approach: Combine SAST, DAST, SCA, and manual testing
  4. Risk-Based Testing: Prioritize testing based on threat model
  5. False Positive Management: Establish process for triaging findings
  6. Remediation Tracking: Use SIEM/SOAR for vulnerability management
  7. Regular Updates: Keep security tools and signatures current
  8. Security Champions: Train developers in security testing
  9. Metrics and KPIs: Track security posture over time
  10. Compliance Validation: Map tests to regulatory requirements

Resources
