Catalog
Tags: method, Security, Quality Assurance, DevOps, Reliability

Security Testing

A methodical approach to detect and assess security weaknesses in systems, applications and processes. Combines automated scans, manual testing and risk analysis.

Security testing is a structured method to identify vulnerabilities and weaknesses across applications, infrastructure and development processes.
Established
Medium

Classification

  • Medium
  • Technical
  • Architectural
  • Intermediate

Technical context

  • CI/CD tools (e.g., Jenkins, GitHub Actions)
  • Issue trackers (e.g., Jira)
  • Vulnerability management tools (e.g., DefectDojo)

Principles & goals

  • Shift-left: integrate security checks as early as possible.
  • Risk orientation: focus on the scenarios with the highest impact.
  • Verifiability: findings must be reproducible and measurable.

Build
Enterprise, Domain, Team

Use cases & scenarios

Compromises

  • Overtesting: resources are wasted on low-impact findings.
  • Missing integrations lead to blind spots between tools.
  • Insufficient follow-up leaves discovered vulnerabilities unaddressed.

  • Automate repeatable baseline tests; use manual audits for business logic.
  • Use threat modeling as input for the test scope.
  • Integrate findings automatically into ticket workflows.

I/O & resources

  • Source code or deployable artifacts
  • Access and architecture information
  • Threat model and compliance requirements

  • Detailed findings with prioritization
  • Remediation tasks and verification checks
  • Management and audit reports

Description

Security testing is a structured method to identify vulnerabilities and weaknesses across applications, infrastructure and development processes. It combines automated scans, manual penetration tests and threat-informed reviews to prioritize risks and verify remediations. It is applicable in the design, build and operation phases to reduce the likelihood and impact of a breach.

  • Early detection reduces remediation costs and operational risk.
  • Increased resilience through targeted hardening and monitoring.
  • Improved compliance and auditability through documented tests.

  • Automated scans do not find all logical vulnerabilities.
  • Manual tests are time- and cost-intensive.
  • Incorrect prioritization can distract focus from critical risks.

  • Number of critical vulnerabilities found

    Counts critical vulnerabilities per test run for prioritization.

  • Mean time to remediate (MTTR) for security findings

    Average time from discovery to remediation.

  • Coverage of automated scans

    Percentage of components/endpoints covered by automated scans.

OWASP Top 10 assessment of a web app

A team assesses a web application against the OWASP Top 10 categories and documents remediations.

Container image scan in CI

Automated scans check container images for known vulnerabilities before deployment.

Red team exercise

An external team simulates attacks to test detection gaps and organizational responses.

1. Introduce automated SAST/DAST scans into CI
2. Define security acceptance criteria and SLAs
3. Establish a process flow for manual tests and tracking
4. Conduct regular reviews and retests after remediation

⚠️ Technical debt & bottlenecks

  • Legacy components without test hooks
  • Outdated testing tooling and pipelines
  • Lack of automation for recurring checks

  • Availability of security engineers
  • Test environments with realistic data
  • Integration of results into the issue backlog

  • Running automated scans without adapting them to the specific architecture
  • Blocking releases due to non-critical findings
  • Performing invasive tests in production without coordination
  • Insufficient test data leads to false confidence
  • Missing retesting processes after remediation
  • Unconsidered dependencies create blind spots

  • SAST/DAST tooling and interpretation
  • Manual penetration testing skills
  • Risk analysis and prioritization

  • Reduction of attack surface
  • Fast detection and response
  • Security and compliance requirements

  • Access rights to staging/prod-like systems
  • Time windows for invasive tests
  • Organizational acceptance for pen tests