Security Testing — DAST, SAST & Penetration Testing (2026)
In this tutorial, you'll learn about Security Testing. We cover key concepts, practical examples, and best practices.
Security testing is the process of identifying vulnerabilities, misconfigurations, and weaknesses in an application before attackers can exploit them — encompassing automated scanning, manual penetration testing, and continuous monitoring.
What You'll Learn
You'll understand SAST, DAST, and IAST approaches, learn penetration testing methodologies, compare OWASP ZAP and Burp Suite, and integrate security testing into your CI/CD pipeline.
Why Security Testing Matters
Security breaches cost companies an average of $4.5 million per incident. Most attacks exploit known vulnerabilities that could have been caught with proper testing. At DodaTech, Durga Antivirus Pro undergoes continuous security testing — SAST on every commit, DAST on every release, and quarterly penetration tests.
Security Testing Learning Path
```mermaid
flowchart LR
  A[Testing Basics] --> B[Security Testing]
  B --> C[SAST Tools]
  B --> D[DAST with OWASP ZAP]
  B --> E[Penetration Testing]
  style B fill:#f90,color:#fff
```
SAST vs DAST vs IAST
| Approach | What It Does | When It Runs | Example Tools |
|---|---|---|---|
| SAST | Scans source code for vulnerabilities | During development, in IDE or CI | SonarQube, Semgrep, CodeQL |
| DAST | Tests running application from outside | Against staging/production | OWASP ZAP, Burp Suite |
| IAST | Combines SAST + DAST with runtime instrumentation | During automated tests | Contrast Assess, Hdiv |
SAST (Static Application Security Testing)
SAST analyzes source code without executing it, finding vulnerabilities like SQL injection, XSS, and hardcoded secrets.
```yaml
# .github/workflows/sast.yml
name: SAST Scan
on: [pull_request]
jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: p/default
```
Example SAST finding:
```text
Rule: sql-injection
Path: src/users.js:25
Severity: ERROR
Message: User input concatenated into SQL query.
Potential SQL injection.
Use parameterized queries instead.
```
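As an added example (not the page's code, nor Semgrep's), here is a minimal pattern-based SAST pass in JavaScript: `scanSource` and `SAST_RULES` are names chosen here, and the two source snippets are constructed so the scanner can run offline against a vulnerable handler and its parameterized fix. Real SAST tools parse the AST and track taint; line-level regexes only illustrate the idea.

```javascript
// Minimal SAST-style rule engine (illustrative; real tools work on the AST and track taint).
const SAST_RULES = [
  {
    id: 'sql-injection',
    severity: 'ERROR',
    // a .query()/.execute() call whose SQL is built by string concatenation
    // or template interpolation instead of placeholders
    pattern: /\.(query|execute)\(\s*(`[^`]*\$\{|['"][^'"]*['"]\s*\+)/,
    message: 'User input concatenated into SQL query. Use parameterized queries instead.',
  },
  {
    id: 'hardcoded-secret',
    severity: 'WARNING',
    // an assignment of a long quoted literal to a password/secret/api-key name
    pattern: /(password|secret|api[_-]?key)\s*[:=]\s*['"][^'"]{8,}['"]/i,
    message: 'Hardcoded credential in source. Read it from the environment or a secret store.',
  },
];

// Scan one file's text line by line; findings use the Rule/Path/Severity/Message shape above.
function scanSource(path, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of SAST_RULES) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, path: `${path}:${idx + 1}`, severity: rule.severity, message: rule.message });
      }
    }
  });
  return findings;
}

// Constructed sample: the vulnerable handler and its fixed form.
const VULNERABLE_SRC = [
  "const API_KEY = 'sk_live_0123456789abcdef';",
  'function getUser(db, id) {',
  "  return db.query('SELECT * FROM users WHERE id = ' + id);",
  '}',
].join('\n');
const FIXED_SRC = [
  'const API_KEY = process.env.API_KEY;',
  'function getUser(db, id) {',
  "  return db.query('SELECT * FROM users WHERE id = ?', [id]);",
  '}',
].join('\n');

console.log(scanSource('src/users.js', VULNERABLE_SRC)); // two findings
console.log(scanSource('src/users.js', FIXED_SRC)); // []
```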
DAST (Dynamic Application Security Testing)
DAST tests a running application by sending malicious payloads and analyzing responses.
```javascript
// OWASP ZAP API scan
const zap = require('zap-api');

async function runDASTScan(targetUrl) {
  await zap.spider(targetUrl); // crawl the target to discover URLs
  await zap.activeScan(targetUrl); // send test payloads to each discovered URL
  const alerts = await zap.getAlerts(); // collect what the passive and active scanners flagged
  alerts.forEach((alert) => {
    console.log(`${alert.risk}: ${alert.name}`);
    console.log(`  ${alert.description}`);
    console.log(`  Solution: ${alert.solution}`);
  });
}

// Surface failures (unreachable target, ZAP not running) instead of an unhandled rejection
runDASTScan('https://staging.example.com').catch((err) => {
  console.error('DAST scan failed:', err);
  process.exitCode = 1;
});
```
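To show what a DAST tool's passive checks actually look at, here is an added example (not ZAP's code or the page's) that inspects one captured HTTP response for missing security headers and cookie flags and reports alerts in the same risk/name/solution shape. `passiveHeaderChecks` and the response object are constructed here; the risk levels are illustrative.

```javascript
// Passive DAST-style checks over one captured HTTP response (illustrative, not ZAP's code).
// Active scanning sends payloads; passive checks only read what the server returned.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = Array.isArray(v) ? v : [v];
  return out;
}

function passiveHeaderChecks(response) {
  const h = normalizeHeaders(response.headers);
  const https = response.url.startsWith('https://');
  const alerts = [];
  const requireHeader = (name, risk, solution) => {
    if (!h[name.toLowerCase()]) alerts.push({ risk, name: `Missing ${name} header`, solution });
  };
  requireHeader('X-Content-Type-Options', 'Low', 'Add X-Content-Type-Options: nosniff');
  requireHeader('Content-Security-Policy', 'Medium', 'Define a Content-Security-Policy that restricts script sources');
  requireHeader('X-Frame-Options', 'Medium', 'Add X-Frame-Options: DENY or a CSP frame-ancestors directive');
  if (https) requireHeader('Strict-Transport-Security', 'Low', 'Add Strict-Transport-Security with a long max-age');
  // Each Set-Cookie line is checked on its own; attributes follow the first ';'
  for (const cookie of h['set-cookie'] || []) {
    const cookieName = cookie.split('=')[0].trim();
    const attrs = new Set(cookie.split(';').slice(1).map((a) => a.trim().toLowerCase().split('=')[0]));
    if (!attrs.has('httponly')) {
      alerts.push({ risk: 'Low', name: `Cookie ${cookieName} without HttpOnly flag`, solution: 'Set HttpOnly on cookies scripts do not need' });
    }
    if (https && !attrs.has('secure')) {
      alerts.push({ risk: 'Low', name: `Cookie ${cookieName} without Secure flag`, solution: 'Set Secure on cookies served over HTTPS' });
    }
  }
  return alerts;
}

// Constructed sample: a staging login page with a weak header set.
const SAMPLE_RESPONSE = {
  url: 'https://staging.example.com/login',
  status: 200,
  headers: {
    'Content-Type': 'text/html',
    'Strict-Transport-Security': 'max-age=31536000',
    'Set-Cookie': ['session=abc123; Path=/; Secure', 'theme=dark; Path=/; Secure; HttpOnly'],
  },
};

console.log(passiveHeaderChecks(SAMPLE_RESPONSE)); // four alerts
```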
IAST (Interactive Application Security Testing)
IAST instruments the application and analyzes traffic during automated tests, combining the accuracy of SAST with the context of DAST.
OWASP ZAP
OWASP ZAP (Zed Attack Proxy) is a free, open-source DAST tool.
```bash
# Run ZAP in Docker
docker run -u zap -p 8080:8080 -i owasp/zap2docker-stable \
  zap-full-scan.py -t https://example.com -r report.html
# The report is written inside the container; mount a host directory on /zap/wrk
# (as in the CI job below) if you need to keep report.html.
```
ZAP in CI/CD
```yaml
jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          docker run -v $(pwd):/zap/wrk owasp/zap2docker-stable \
            zap-full-scan.py -t https://staging.example.com \
            -r zap-report.html
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: zap-report.html
```
Burp Suite
Burp Suite is a comprehensive web security testing platform (the Professional edition is paid).
Key features:
- Proxy: Intercept and modify HTTP/HTTPS traffic
- Scanner: Automated vulnerability detection
- Repeater: Manual request modification and resending
- Intruder: Automated parameter fuzzing
- Extender: Plugin ecosystem (BApp Store)
Penetration Testing Methodology
Phases
- Reconnaissance: Gather information about the target
- Scanning: Identify open ports, services, and technologies
- Vulnerability Assessment: Scan for known vulnerabilities
- Exploitation: Attempt to exploit found vulnerabilities
- Post-Exploitation: Assess the impact of successful exploitation
- Reporting: Document findings, evidence, and remediation steps
Types of Pen Tests
| Type | Description | Best For |
|---|---|---|
| Black box | No prior knowledge | Simulating external attacker |
| White box | Full access to code and infrastructure | Comprehensive assessment |
| Gray box | Partial knowledge (e.g., credentials) | Simulating authenticated attacker |
Integrating Security Testing into CI/CD
A security pipeline should catch issues at multiple stages:
```mermaid
flowchart LR
  A[Commit] --> B[SAST scan]
  B --> C[Dependency scan]
  C --> D[Build + Unit tests]
  D --> E[DAST scan]
  E --> F[Deploy to staging]
  F --> G["Pen test (periodic)"]
```
Best Practices
1. Shift Left
Run SAST on every commit. Catch vulnerabilities when they're cheapest to fix.
2. Prioritize by Risk
Not all vulnerabilities are equal. Focus on critical and high-severity issues first.
3. Use Multiple Tools
No single tool catches everything. Combine SAST, DAST, dependency scanning, and manual review.
4. Scan Dependencies
Vulnerable libraries are a common attack vector. Use npm audit, pip-audit, or Dependabot.
```bash
npm audit
# === npm audit security report ===
# Moderate   Prototype Pollution
# Package    lodash
# Path       > lodash
# Fix        upgrade to lodash@4.17.21
```
5. Regular Penetration Tests
Automated tools miss logic flaws and business logic abuse. Schedule manual pen tests quarterly.
Common Mistakes
1. Only Running SAST
SAST finds code-level issues but misses runtime vulnerabilities (for example, broken authentication or session-management flaws).
2. Ignoring False Positives
SAST tools produce false positives. Tune the tool rather than ignoring all alerts.
3. No Dependency Scanning
Third-party libraries account for 60%+ of modern application vulnerabilities.
4. Testing Security Only Before Release
Security should be continuous, not a gate at the end. Continuous testing catches issues earlier.
5. Not Testing Business Logic
Automated tools don't understand business rules. A user shouldn't be able to access another user's data.
6. Environment Differences
What's secure in staging may not be in production. Test production configurations.
7. No Remediation SLAs
Without timelines for fixing vulnerabilities, critical issues linger indefinitely.
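Dependency scanning (best practice 4) and remediation SLAs (mistake 7) fit together naturally in CI: parse the scanner's output, fail the build above a severity threshold, and stamp each finding with a due date. The block below is an added example, not npm's code or the page's; `triageAudit`, `SLA_DAYS` and `RANK` are names chosen here, and the report object is a constructed sample in the shape of `npm audit --json` (auditReportVersion 2), trimmed to the fields used.

```javascript
// Gate a CI run on `npm audit --json` output and attach a remediation deadline per severity.
// Illustrative helper, not npm's code. SLA_DAYS are example policy values, not a standard.
const SLA_DAYS = { critical: 1, high: 7, moderate: 30, low: 90, info: 180 };
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triageAudit(report, { failAt = 'high', detectedAt = new Date() } = {}) {
  const items = Object.values(report.vulnerabilities).map((v) => {
    const due = new Date(detectedAt);
    due.setUTCDate(due.getUTCDate() + SLA_DAYS[v.severity]);
    // fixAvailable is false, true (fixable via `npm audit fix`) or an object naming the version
    let fix = 'no fix available';
    if (v.fixAvailable && v.fixAvailable.version) fix = `npm install ${v.fixAvailable.name}@${v.fixAvailable.version}`;
    else if (v.fixAvailable) fix = 'npm audit fix';
    return { package: v.name, severity: v.severity, direct: v.isDirect, fix, dueBy: due.toISOString().slice(0, 10) };
  });
  items.sort((a, b) => RANK[b.severity] - RANK[a.severity]); // most severe first
  const blocking = items.filter((i) => RANK[i.severity] >= RANK[failAt]);
  return { items, blocking, passed: blocking.length === 0 };
}

// Constructed sample report (auditReportVersion 2 shape, reduced to the fields used above).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'moderate', isDirect: true,
      fixAvailable: { name: 'lodash', version: '4.17.21', isSemVerMajor: false },
    },
    minimist: { name: 'minimist', severity: 'critical', isDirect: false, fixAvailable: true },
  },
};

const result = triageAudit(SAMPLE_AUDIT);
console.log(result.passed ? 'audit gate passed' : 'audit gate failed', result.blocking);
```

In a real job, pipe `npm audit --json` into this and set a non-zero exit code when `passed` is false; the due dates feed the tracker where the SLA is enforced.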
Practice Questions
1. What is the difference between SAST and DAST? SAST scans source code (static, before execution). DAST tests the running application (dynamic, after deployment).
2. What is OWASP ZAP? A free, open-source DAST tool by OWASP that scans web applications for vulnerabilities.
3. What are the phases of penetration testing? Reconnaissance, scanning, vulnerability assessment, exploitation, post-exploitation, reporting.
4. Why should you scan third-party dependencies? Vulnerable libraries are a common entry point. Dependency scanning catches known CVEs before they're exploited.
5. Challenge: Create a security testing checklist for a web API. Include authentication, authorization, input validation, rate limiting, and dependency checks.
Mini Project: Security Scan Runner
```javascript
// security-scanner.js
// Aggregates simulated SAST, dependency and DAST findings into one severity summary.
class SecurityScanner {
  constructor() {
    this.results = { critical: [], high: [], medium: [], low: [] };
  }

  async runSAST(codebase) {
    // Simulated SAST scan of `codebase` (a real run would invoke Semgrep here)
    this.results.critical.push({
      tool: 'Semgrep',
      target: codebase,
      rule: 'sql-injection',
      file: 'src/users.js',
      line: 25,
      message: 'SQL injection in user query',
    });
  }

  async runDependencyScan() {
    // Simulated dependency scan (a real run would parse `npm audit --json`)
    this.results.high.push({
      tool: 'npm audit',
      package: 'lodash',
      severity: 'moderate',
      description: 'Prototype pollution',
      fix: 'npm install lodash@4.17.21',
    });
  }

  async runDAST(targetUrl) {
    // Simulated DAST scan of `targetUrl` (a real run would drive OWASP ZAP)
    this.results.medium.push({
      tool: 'OWASP ZAP',
      target: targetUrl,
      finding: 'Missing X-Content-Type-Options header',
      risk: 'Medium',
      solution: 'Add X-Content-Type-Options: nosniff',
    });
  }

  getSummary() {
    return {
      total: Object.values(this.results).flat().length,
      bySeverity: {
        critical: this.results.critical.length,
        high: this.results.high.length,
        medium: this.results.medium.length,
        low: this.results.low.length,
      },
    };
  }
}

// Top-level await only works in ES modules, so the run is wrapped in an async function.
async function main() {
  const scanner = new SecurityScanner();
  await scanner.runSAST('./src');
  await scanner.runDependencyScan();
  await scanner.runDAST('https://staging.example.com');
  console.log(scanner.getSummary());
}

main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});
```
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.