Security Testing

Testing to identify vulnerabilities, threats, and risks that could lead to unauthorized access or data loss.

Full definition

Security testing identifies vulnerabilities in software that attackers could exploit. With data breaches costing millions, security testing is essential for any production application.

Common security testing types:

  • Vulnerability scanning: Automated tools scan for known vulnerabilities
  • Penetration testing: Ethical hackers simulate real attacks
  • Security audit: Manual review of code, configuration, and architecture
  • Static Application Security Testing (SAST): Analyzes source code for vulnerabilities
  • Dynamic Application Security Testing (DAST): Tests the running application for vulnerabilities

OWASP Top 10 (most common web vulnerabilities):

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection (SQL, XSS, etc.)
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable Components
  7. Authentication Failures
  8. Data Integrity Failures
  9. Logging/Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

Every QA engineer should understand basic security concepts. You don't need to be a pentester, but you should be able to check for XSS, SQL injection, and broken access control.