security-testing-patterns

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Security Testing Patterns

安全测试模式

Expert guidance for implementing comprehensive security testing strategies including static analysis, dynamic testing, penetration testing, and vulnerability assessment.

本技能提供搭建全面安全测试策略的专业指导，包括静态分析、动态测试、渗透测试和漏洞评估。

When to Use This Skill

适用场景

Implementing security testing pipelines in CI/CD
Conducting security audits and vulnerability assessments
Validating application security controls and defenses
Performing penetration testing and security reviews
Configuring SAST/DAST tools and interpreting results
Testing authentication and authorization mechanisms
Evaluating API security and compliance with OWASP standards
Integrating security scanning into development workflows
Responding to security findings and prioritizing remediation
Training teams on security testing methodologies

在CI/CD中搭建安全测试流水线
开展安全审计与漏洞评估
验证应用安全控制措施与防御机制
执行渗透测试与安全评审
配置SAST/DAST工具并解读测试结果
测试身份认证与授权机制
评估API安全性及OWASP标准合规性
将安全扫描集成至开发工作流
响应安全检测结果并确定修复优先级
为团队提供安全测试方法论培训

Core Concepts

核心概念

Security Testing Pyramid (Layered Approach)

安全测试金字塔（分层方法）

Unit Security Tests - Test security functions (encryption, validation)
SAST - Static analysis during development
SCA - Dependency and component vulnerability scanning
DAST - Dynamic testing in running applications
IAST - Interactive analysis combining SAST and DAST
Penetration Testing - Manual security testing by experts
Red Team Exercises - Adversarial simulation testing

单元安全测试 - 测试安全功能（加密、验证等）
SAST - 开发阶段的静态分析
SCA - 依赖项与组件漏洞扫描
DAST - 运行中应用的动态测试
IAST - 结合SAST与DAST的交互式分析
渗透测试 - 由专家执行的人工安全测试
红队演练 - 模拟对抗式测试

Testing Categories

测试类别

Static Testing (SAST)

Analyzes source code without execution
Early detection in development lifecycle
Complete code coverage
High false positive rates

Dynamic Testing (DAST)

Tests running applications
Detects runtime and configuration issues
Language agnostic
Requires deployed environment

Composition Analysis (SCA)

Scans dependencies for vulnerabilities
Tracks license compliance
Automated remediation options

Manual Testing

Penetration testing
Business logic validation
Complex attack scenarios

静态测试（SAST）

无需执行即可分析源代码
在开发生命周期早期发现问题
实现完整代码覆盖
误报率较高

动态测试（DAST）

测试运行中的应用
检测运行时与配置问题
与开发语言无关
需要已部署的测试环境

成分分析（SCA）

扫描依赖项中的漏洞
跟踪许可证合规性
支持自动化修复选项

人工测试

渗透测试
业务逻辑验证
复杂攻击场景测试

Quick Reference

快速参考

Task	Load reference
Static Application Security Testing (SAST)	`skills/security-testing-patterns/references/sast.md`
Dynamic Application Security Testing (DAST)	`skills/security-testing-patterns/references/dast.md`
Software Composition Analysis (SCA)	`skills/security-testing-patterns/references/sca.md`
Penetration Testing Techniques	`skills/security-testing-patterns/references/penetration-testing.md`
API Security Testing (OWASP Top 10)	`skills/security-testing-patterns/references/api-security.md`
Fuzzing and Property-Based Testing	`skills/security-testing-patterns/references/fuzzing.md`
Security Automation Pipeline	`skills/security-testing-patterns/references/automation-pipeline.md`

任务	参考文档路径
静态应用安全测试（SAST）	`skills/security-testing-patterns/references/sast.md`
动态应用安全测试（DAST）	`skills/security-testing-patterns/references/dast.md`
软件成分分析（SCA）	`skills/security-testing-patterns/references/sca.md`
渗透测试技术	`skills/security-testing-patterns/references/penetration-testing.md`
API安全测试（OWASP Top 10）	`skills/security-testing-patterns/references/api-security.md`
模糊测试与基于属性的测试	`skills/security-testing-patterns/references/fuzzing.md`
安全自动化流水线	`skills/security-testing-patterns/references/automation-pipeline.md`

Security Testing Workflow

安全测试工作流

Phase 1: Planning

阶段1：规划

Define security requirements and threat model
Select appropriate testing tools and techniques
Establish baseline security posture
Set severity thresholds and acceptance criteria

定义安全需求与威胁模型
选择合适的测试工具与技术
建立安全基线
设置风险严重程度阈值与验收标准

Phase 2: Automated Testing

阶段2：自动化测试

SAST - Integrate into IDE and CI/CD pipeline
SCA - Configure dependency scanning (npm audit, Snyk, Dependabot)
DAST - Schedule scans against deployed environments
Container Scanning - Scan Docker images (Trivy, Aqua)

SAST - 集成至IDE与CI/CD流水线
SCA - 配置依赖项扫描（如npm audit、Snyk、Dependabot）
DAST - 针对已部署环境定期执行扫描
容器扫描 - 扫描Docker镜像（如Trivy、Aqua）

Phase 3: Manual Testing

阶段3：人工测试

Authentication and authorization testing
Business logic vulnerability assessment
API security testing (OWASP API Top 10)
Penetration testing and exploitation

身份认证与授权测试
业务逻辑漏洞评估
API安全测试（OWASP API Top 10）
渗透测试与漏洞利用

Phase 4: Analysis and Remediation

阶段4：分析与修复

Triage findings by severity and exploitability
Eliminate false positives
Prioritize remediation based on risk
Track vulnerabilities to resolution
Verify fixes with regression testing

根据严重程度与可利用性分类检测结果
排除误报
基于风险确定修复优先级
跟踪漏洞直至解决
通过回归测试验证修复效果

Phase 5: Continuous Monitoring

阶段5：持续监控

Monitor for new vulnerabilities in dependencies
Re-scan after code changes
Conduct periodic penetration tests
Update security baselines and policies

监控依赖项中的新漏洞
代码变更后重新扫描
定期执行渗透测试
更新安全基线与策略

Common Mistakes

常见误区

Tool Selection

工具选择

Wrong: Using only SAST or only DAST
Right: Layered approach combining multiple testing types

错误做法：仅使用SAST或仅使用DAST
正确做法：采用分层测试方法，结合多种测试类型

False Positive Management

误报管理

Wrong: Ignoring or suppressing findings without review
Right: Systematic triage process with security team validation

错误做法：未经审核就忽略或屏蔽检测结果
正确做法：建立由安全团队参与的系统化分类流程

Integration Timing

集成时机

Wrong: Security testing only before release
Right: Continuous security testing throughout development

错误做法：仅在发布前进行安全测试
正确做法：在整个开发周期中持续开展安全测试

Scope Definition

范围定义

Wrong: Testing only main application code
Right: Include dependencies, APIs, infrastructure, and third-party integrations

错误做法：仅测试主应用代码
正确做法：覆盖依赖项、API、基础设施及第三方集成

Remediation Priority

修复优先级

Wrong: Fixing all findings equally
Right: Risk-based prioritization (severity × exploitability × business impact)

错误做法：对所有检测结果一视同仁地修复
正确做法：基于风险优先级修复（严重程度 × 可利用性 × 业务影响）

Authentication in Testing

测试中的身份认证

Wrong: DAST scans without authentication
Right: Configure authenticated scanning to test protected features

错误做法：未配置身份认证就执行DAST扫描
正确做法：配置已认证扫描，测试受保护功能

Best Practices

最佳实践

Shift Left: Integrate security testing early in development
Continuous Testing: Automate security scans in CI/CD pipelines
Layered Approach: Combine SAST, DAST, SCA, and manual testing
Risk-Based Testing: Prioritize testing based on threat model
False Positive Management: Establish process for triaging findings
Remediation Tracking: Use SIEM/SOAR for vulnerability management
Regular Updates: Keep security tools and signatures current
Security Champions: Train developers in security testing
Metrics and KPIs: Track security posture over time
Compliance Validation: Map tests to regulatory requirements

左移测试：在开发早期就集成安全测试
持续测试：在CI/CD流水线中自动化安全扫描
分层测试：结合SAST、DAST、SCA与人工测试
基于风险的测试：根据威胁模型确定测试优先级
误报管理：建立检测结果分类流程
修复跟踪：使用SIEM/SOAR进行漏洞管理
定期更新：保持安全工具与特征库为最新版本
安全倡导者：培训开发人员掌握安全测试技能
指标与KPI：跟踪安全态势变化
合规验证：将测试与监管要求对应

Resources

参考资源

OWASP Testing Guide: https://owasp.org/www-project-web-security-testing-guide/
OWASP API Security: https://owasp.org/www-project-api-security/
NIST SP 800-115: Technical Guide to Information Security Testing
PTES: Penetration Testing Execution Standard
SANS Security Testing: https://www.sans.org/security-resources/
HackerOne Methodology: https://www.hackerone.com/ethical-hacker/hack-learn
PortSwigger Academy: https://portswigger.net/web-security

OWASP测试指南：https://owasp.org/www-project-web-security-testing-guide/
OWASP API安全：https://owasp.org/www-project-api-security/
NIST SP 800-115：信息安全测试技术指南
PTES：渗透测试执行标准
SANS安全测试：https://www.sans.org/security-resources/
HackerOne方法论：https://www.hackerone.com/ethical-hacker/hack-learn
PortSwigger学院：https://portswigger.net/web-security