Security Testing — DAST, SAST & Penetration Testing (2026)

DodaTech Updated 2026-06-20 7 min read

In this tutorial, you'll learn about Security Testing. We cover key concepts, practical examples, and best practices.

Security testing is the process of identifying vulnerabilities, misconfigurations, and weaknesses in an application before attackers can exploit them — encompassing automated scanning, manual penetration testing, and continuous monitoring.

What You'll Learn

You'll understand SAST, DAST, and IAST approaches, learn penetration testing methodologies, compare OWASP ZAP and Burp Suite, and integrate security testing into your CI/CD pipeline.

Why Security Testing Matters

Security breaches cost companies an average of $4.5 million per incident. Most attacks exploit known vulnerabilities that could have been caught with proper testing. At DodaTech, Durga Antivirus Pro undergoes continuous security testing — SAST on every commit, DAST on every release, and quarterly penetration tests.

Security Testing Learning Path

flowchart LR
  A[Testing Basics] --> B[Security Testing]
  B --> C[SAST Tools]
  B --> D[DAST with OWASP ZAP]
  B --> E[Penetration Testing]
  style B fill:#f90,color:#fff

SAST vs DAST vs IAST

| Approach | What It Does | When It Runs | Example Tools |
|---|---|---|---|
| SAST | Scans source code for vulnerabilities | During development, in IDE or CI | SonarQube, Semgrep, CodeQL |
| DAST | Tests running application from outside | Against staging/production | OWASP ZAP, Burp Suite |
| IAST | Combines SAST + DAST with runtime instrumentation | During automated tests | Contrast Assess, Hdiv |

SAST (Static Application Security Testing)

SAST analyzes source code without executing it, finding vulnerabilities like SQL injection, XSS, and hardcoded secrets.

# .github/workflows/sast.yml
name: SAST Scan
on: [pull_request]

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Semgrep
        uses: semgrep/semgrep-action@v1
        with:
          config: p/default

Example SAST finding:

Rule: sql-injection
Path: src/users.js:25
Severity: ERROR
Message: User input concatenated into SQL query.
  Potential SQL injection.
  Use parameterized queries instead.
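As an added example (not code from the page, from Semgrep or from any other tool it names), here is a minimal line-based SAST rule engine that emits findings in the same shape as the finding above; the rules, regexes and the sample src/users.js contents are constructed for illustration, and real tools match on the AST rather than on lines of text.

```javascript
// Added example: a toy line-based SAST rule engine. Shows how pattern rules
// produce findings like the Semgrep one above, and why they need tuning rather
// than blanket ignoring (the regexes here will miss and over-match real code).
const rules = [
  {
    id: 'sql-injection',
    severity: 'ERROR',
    // .query( / .execute( whose first argument is a string built with + or a
    // template literal containing ${...}
    pattern: /\.(query|execute)\s*\(\s*(?:`[^`]*\$\{[^}]+\}[^`]*`|(?:"[^"]*"|'[^']*')\s*\+)/,
    message: 'User input concatenated into SQL query. Potential SQL injection. Use parameterized queries instead.',
  },
  {
    id: 'hardcoded-secret',
    severity: 'WARNING',
    pattern: /\b(password|api[_-]?key|secret)\s*[:=]\s*['"][^'"]{8,}['"]/i,
    message: 'Possible hardcoded credential. Load secrets from the environment or a vault.',
  },
];

// Scan one file's text; returns findings with 1-based line numbers.
function scanSource(path, source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const rule of rules) {
      if (rule.pattern.test(text)) {
        findings.push({ rule: rule.id, path: `${path}:${index + 1}`, severity: rule.severity, message: rule.message });
      }
    }
  });
  return findings;
}

// Constructed sample source (not a real file): lines 2, 4 and 7 should fire, line 10 should not.
const sampleUsersJs = [
  "const db = require('./db');",
  "const API_KEY = 'sk_live_0123456789abcdef';",
  "async function findByName(req) {",
  "  return db.query(\"SELECT * FROM users WHERE name = '\" + req.query.name + \"'\");",
  "}",
  "async function findById(req) {",
  "  return db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);",
  "}",
  "async function findByNameSafe(req) {",
  "  return db.query('SELECT * FROM users WHERE name = ?', [req.query.name]);",
  "}",
].join('\n');

const findings = scanSource('src/users.js', sampleUsersJs);
for (const f of findings) console.log(`${f.severity} ${f.rule} ${f.path}\n  ${f.message}`);
```

The parameterized query on line 10 produces no finding because the user value travels as a bound parameter rather than as part of the SQL text.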

DAST (Dynamic Application Security Testing)

DAST tests a running application by sending malicious payloads and analyzing responses.

// OWASP ZAP API scan
// `zap-api` stands for a thin wrapper around the ZAP REST API (the official
// Node client on npm is `zaproxy`). ZAP's spider and active scan are
// asynchronous: each returns a scan id, and the wrapper is assumed to poll
// the scan's status to 100% before resolving.
const zap = require('zap-api');

async function runDASTScan(targetUrl) {
  await zap.spider(targetUrl);      // crawl to discover URLs and parameters
  await zap.activeScan(targetUrl);  // send attack payloads against what was found
  const alerts = await zap.getAlerts();

  alerts.forEach(alert => {
    console.log(`${alert.risk}: ${alert.name}`);
    console.log(`  ${alert.description}`);
    console.log(`  Solution: ${alert.solution}`);
  });
  return alerts;
}

runDASTScan('https://staging.example.com').catch(err => {
  console.error('DAST scan failed:', err);
  process.exitCode = 1;
});

IAST (Interactive Application Security Testing)

IAST instruments the application and analyzes traffic during automated tests, combining the accuracy of SAST with the context of DAST.

OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is a free, open-source DAST tool.

# Run ZAP in Docker (full scan = spider + active scan).
# The report is written inside the container under /zap/wrk, so mount a
# host directory there to get report.html out.
docker run -u zap -v $(pwd):/zap/wrk -p 8080:8080 -i owasp/zap2docker-stable \
  zap-full-scan.py -t https://example.com -r report.html

ZAP in CI/CD

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          docker run -v $(pwd):/zap/wrk owasp/zap2docker-stable \
            zap-full-scan.py -t https://staging.example.com \
            -r zap-report.html
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: zap-report
          path: zap-report.html
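Uploading the report is only half of CI integration; the job also needs a gate that decides whether findings block the merge. As an added example (not the page's or ZAP's own code), the script below applies such a gate to a ZAP JSON report; it assumes the report was written with the scan script's -J option, and the report contents are a constructed sample, not a real scan result.

```javascript
// Added example (not from the page): a CI gate over a ZAP JSON report.
// ZAP riskcode values: 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
const LEVELS = ['informational', 'low', 'medium', 'high'];

// Returns { pass, summary, blocking }. Alerts whose pluginid is on the allowlist
// are still counted but never block: that is how a tuned false positive is
// handled, instead of ignoring the whole report.
function gateZapReport(report, { failAt = 'medium', allowlist = [] } = {}) {
  const threshold = LEVELS.indexOf(failAt);
  if (threshold < 0) throw new Error(`unknown level: ${failAt}`);
  const summary = { informational: 0, low: 0, medium: 0, high: 0 };
  const blocking = [];
  for (const site of report.site || []) {
    for (const alert of site.alerts || []) {
      const level = LEVELS[Number(alert.riskcode)] || 'informational';
      summary[level] += 1;
      if (allowlist.includes(alert.pluginid)) continue;
      if (LEVELS.indexOf(level) >= threshold) {
        blocking.push({ level, pluginid: alert.pluginid, name: alert.alert,
          count: Number(alert.count), solution: alert.solution });
      }
    }
  }
  return { pass: blocking.length === 0, summary, blocking };
}

// Constructed sample in the shape of a ZAP JSON report (not a real scan result)
const sampleReport = {
  site: [{
    '@name': 'https://staging.example.com',
    alerts: [
      { pluginid: '10021', alert: 'X-Content-Type-Options Header Missing', riskcode: '1',
        count: '12', solution: 'Set X-Content-Type-Options: nosniff' },
      { pluginid: '10038', alert: 'Content Security Policy (CSP) Header Not Set', riskcode: '2',
        count: '12', solution: 'Send a Content-Security-Policy header' },
      { pluginid: '40012', alert: 'Cross Site Scripting (Reflected)', riskcode: '3',
        count: '1', solution: 'Validate input and encode output' },
    ],
  }],
};

// Medium and above block the build; the CSP finding is tracked but suppressed
// while a policy is rolled out (a recorded exception, not a silenced scanner).
const result = gateZapReport(sampleReport, { failAt: 'medium', allowlist: ['10038'] });
console.log(JSON.stringify(result, null, 2));
```

In the workflow, read zap-report.json from the mounted directory and set `process.exitCode = result.pass ? 0 : 1` so the step fails on blocking findings.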

Burp Suite

Burp Suite is a comprehensive web security testing platform (professional edition paid).

Key features:

  • Proxy: Intercept and modify HTTP/HTTPS traffic
  • Scanner: Automated vulnerability detection
  • Repeater: Manual request modification and resending
  • Intruder: Automated parameter fuzzing
  • Extender: Plugin ecosystem (BApp Store)

Penetration Testing Methodology

Phases

  1. Reconnaissance: Gather information about the target
  2. Scanning: Identify open ports, services, and technologies
  3. Vulnerability Assessment: Scan for known vulnerabilities
  4. Exploitation: Attempt to exploit found vulnerabilities
  5. Post-Exploitation: Assess the impact of successful exploitation
  6. Reporting: Document findings, evidence, and remediation steps

Types of Pen Tests

| Type | Description | Best For |
|---|---|---|
| Black box | No prior knowledge | Simulating external attacker |
| White box | Full access to code and infrastructure | Comprehensive assessment |
| Gray box | Partial knowledge (e.g., credentials) | Simulating authenticated attacker |

Integrating Security Testing into CI/CD

A security pipeline should catch issues at multiple stages:

flowchart LR
  A[Commit] --> B[SAST scan]
  B --> C[Dependency scan]
  C --> D[Build + Unit tests]
  D --> E[DAST scan]
  E --> F[Deploy to staging]
  F --> G[Pen test (periodic)]

Best Practices

1. Shift Left

Run SAST on every commit. Catch vulnerabilities when they're cheapest to fix.

2. Prioritize by Risk

Not all vulnerabilities are equal. Focus on critical and high-severity issues first.

3. Use Multiple Tools

No single tool catches everything. Combine SAST, DAST, dependency scanning, and manual review.

4. Scan Dependencies

Vulnerable libraries are a common attack vector. Use npm audit, pip-audit, or Dependabot.

npm audit
# === npm audit security report ===
# Moderate   Prototype Pollution
# Package    lodash
# Path       > lodash
# Fix        upgrade to lodash@4.17.21

5. Regular Penetration Tests

Automated tools miss logic flaws and business logic abuse. Schedule manual pen tests quarterly.

Common Mistakes

1. Only Running SAST

SAST finds code-level issues but misses runtime vulnerabilities (broken authentication, session management).

2. Ignoring False Positives

SAST tools produce false positives. Tune the tool rather than ignoring all alerts.

3. No Dependency Scanning

Third-party libraries account for 60%+ of modern application vulnerabilities.

4. Testing Security Only Before Release

Security should be continuous, not a gate at the end. Continuous testing catches issues earlier.

5. Not Testing Business Logic

Automated tools don't understand business rules. A user shouldn't be able to access another user's data.

6. Environment Differences

What's secure in staging may not be in production. Test production configurations.

7. No Remediation SLAs

Without timelines for fixing vulnerabilities, critical issues linger indefinitely.

Practice Questions

1. What is the difference between SAST and DAST? SAST scans source code (static, before execution). DAST tests the running application (dynamic, after deployment).

2. What is OWASP ZAP? A free, open-source DAST tool by OWASP that scans web applications for vulnerabilities.

3. What are the phases of penetration testing? Reconnaissance, scanning, vulnerability assessment, exploitation, post-exploitation, reporting.

4. Why should you scan third-party dependencies? Vulnerable libraries are a common entry point. Dependency scanning catches known CVEs before they're exploited.

5. Challenge: Create a security testing checklist for a web API. Include authentication, authorization, input validation, rate limiting, and dependency checks.

Mini Project: Security Scan Runner

// security-scanner.js
class SecurityScanner {
  constructor() {
    // Findings bucketed by normalized severity
    this.results = { critical: [], high: [], medium: [], low: [] };
  }

  async runSAST(codebase) {
    // Simulated SAST scan (a real runner would invoke Semgrep on `codebase`)
    this.results.critical.push({
      tool: 'Semgrep',
      rule: 'sql-injection',
      file: 'src/users.js',
      line: 25,
      message: 'SQL injection in user query',
    });
  }

  async runDependencyScan() {
    // Simulated dependency scan (npm's "moderate" is bucketed as high here)
    this.results.high.push({
      tool: 'npm audit',
      package: 'lodash',
      severity: 'moderate',
      description: 'Prototype pollution',
      fix: 'npm install lodash@4.17.21',
    });
  }

  async runDAST(targetUrl) {
    // Simulated DAST scan (a real runner would point ZAP at `targetUrl`)
    this.results.medium.push({
      tool: 'OWASP ZAP',
      finding: 'Missing X-Content-Type-Options header',
      risk: 'Medium',
      solution: 'Add X-Content-Type-Options: nosniff',
    });
  }

  getSummary() {
    return {
      total: Object.values(this.results).flat().length,
      bySeverity: {
        critical: this.results.critical.length,
        high: this.results.high.length,
        medium: this.results.medium.length,
        low: this.results.low.length,
      },
    };
  }
}

// Run all three stages, then print the summary. The async IIFE is needed
// because top-level await is not available in a CommonJS file.
(async () => {
  const scanner = new SecurityScanner();
  await scanner.runSAST('./src');
  await scanner.runDependencyScan();
  await scanner.runDAST('https://staging.example.com');
  console.log(scanner.getSummary());
})();

FAQ

What is SAST?

Static Application Security Testing — scans source code for vulnerabilities without executing it. Finds SQL injection, XSS, hardcoded secrets, and insecure patterns.

What is DAST?

Dynamic Application Security Testing — tests a running application from the outside by sending malicious payloads and analyzing responses.

What is OWASP ZAP?

A free, open-source web application security scanner. It's the most popular DAST tool for CI/CD integration.

How often should I run penetration tests?

At minimum quarterly for critical applications, and after major architectural changes. Automated scanning should run continuously.

Is automated security testing enough?

No. Automated tools catch known vulnerability patterns but miss business logic flaws, authentication bypasses, and complex attack chains. Combine with manual penetration testing.

What's Next

CI/CD Testing Pipeline — Automating Tests in CI
API Testing Guide
Load Testing with k6

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
