OWASP Security Testing Methods
Building secure code is one side of the equation. Testing that security holds under attack is the other. OWASP provides a comprehensive Testing Guide that describes how to systematically probe a web application for every major category of vulnerability. This topic covers the main testing methods, when to use each one, and the tools the industry relies on.
Why Security Testing Is Different from Functional Testing
Functional testing asks: "Does the feature work as designed?"
Security testing asks: "Does the feature work safely when someone tries to break or abuse it?"
A login page that accepts correct credentials passes functional testing.
A login page that also accepts ' OR '1'='1 fails security testing.
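The login example above, as an added illustration that is not part of the original guide: a constructed in-memory SQLite user table, a login function that concatenates user input into its query, the parameterized version, and one functional test plus one security test run against each. The table contents and the function names are assumptions made for this example.

```python
import sqlite3

# Constructed in-memory user table; "alice" holds the only valid credential.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
_conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")


def login_vulnerable(name: str, password: str) -> bool:
    """Builds the SQL by concatenation: user input becomes part of the query text."""
    query = ("SELECT 1 FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return _conn.execute(query).fetchone() is not None


def login_safe(name: str, password: str) -> bool:
    """Parameterized query: user input is bound as data and never parsed as SQL."""
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return _conn.execute(query, (name, password)).fetchone() is not None


def functional_test(login) -> bool:
    """Does the feature work as designed? Correct credentials in, wrong ones out."""
    return login("alice", "correct horse") and not login("alice", "wrong")


def security_test(login) -> bool:
    """Does the feature hold under abuse? The tautology payload must be rejected."""
    return not login("alice", "' OR '1'='1")


if __name__ == "__main__":
    for fn in (login_vulnerable, login_safe):
        print(fn.__name__, "functional:", functional_test(fn),
              "security:", security_test(fn))
```

Both functions pass the functional test; only the parameterized one passes the security test, which is the gap the rest of this topic is about closing.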
The Main Security Testing Methods
Static Application Security Testing (SAST)
SAST analyzes source code, bytecode, or compiled binaries without running the application. It looks for known vulnerable code patterns — like SQL strings built by concatenating user input, or hardcoded secrets.
Input: Source code
When: During development, before merge, in CI/CD pipeline
Finds: Injection flaws, hardcoded credentials, insecure API usage
Misses: Business logic flaws, runtime configuration issues
Tools: Semgrep, SonarQube, Checkmarx, Bandit (Python), ESLint security plugins
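A minimal SAST-style pattern scanner, added here as an example and not taken from any of the tools listed above: it applies two line-level rules (SQL built by string concatenation, and a credential literal) to a constructed source snippet and exposes a CI gate that returns a non-zero status when a HIGH finding exists. The rule regexes, rule ids and the sample source are assumptions made for this example.

```python
import re

# Constructed source snippet standing in for a file a SAST tool would scan.
SAMPLE_SOURCE = '''\
import sqlite3
API_KEY = "sk_live_constructed_example_0000"
def find_user(db, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return db.execute(query)
def find_user_safe(db, name):
    return db.execute("SELECT * FROM users WHERE name = ?", (name,))
'''

# Each rule: id, severity, regex applied line by line, explanation for the developer.
RULES = [
    ("SQLI-CONCAT", "HIGH",
     re.compile(r'''["']\s*(SELECT|INSERT|UPDATE|DELETE)\b.*["']\s*\+\s*\w+''', re.I),
     "SQL statement built by string concatenation; use a parameterized query"),
    ("HARDCODED-SECRET", "HIGH",
     re.compile(r'''\b(API_KEY|SECRET|PASSWORD|TOKEN)\w*\s*=\s*["'][^"']{8,}["']''', re.I),
     "credential literal in source; load it from a secret store or the environment"),
]


def scan_source(source: str) -> list:
    """Return findings as (rule_id, severity, line_no, message); pure pattern matching,
    so business logic flaws and runtime configuration are out of reach by design."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for rule_id, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append((rule_id, severity, line_no, message))
    return findings


def ci_gate(findings, fail_on=("HIGH",)) -> int:
    """Exit status for the pipeline step: non-zero when any finding meets the threshold."""
    return 1 if any(f[1] in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for rule_id, severity, line_no, message in results:
        print(f"{severity} line {line_no} {rule_id}: {message}")
    raise SystemExit(ci_gate(results))
```

The safe helper on the last line of the sample is not flagged because no concatenation operator follows the SQL literal, which is the distinction the rule encodes.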
Dynamic Application Security Testing (DAST)
DAST tests the running application from the outside by sending crafted HTTP requests and analyzing responses. It does not need source code access — it probes the application the way a real attacker would.
Input: Running application URL
When: In staging or production-like environment, CI/CD pipeline
Finds: XSS, injection, auth issues, misconfigured headers, CSRF
Misses: Code-level issues not reachable by external requests
Tools: OWASP ZAP, Burp Suite, Nikto, Acunetix
Software Composition Analysis (SCA)
SCA scans your dependency manifest to find components with known vulnerabilities. Covered in depth in the Vulnerable Components topic.
Tools: Snyk, OWASP Dependency-Check, GitHub Dependabot
Interactive Application Security Testing (IAST)
IAST instruments the application from the inside using an agent that runs alongside the application in test environments. As automated tests run, the agent observes the application's internal behavior and flags vulnerabilities the tests triggered.
Input: Running application with an IAST agent installed
When: During automated test suite execution
Finds: Deep code-level flaws with exact file and line references
Benefit: Very low false-positive rate
Tools: Contrast Security, Seeker, HCL AppScan
Penetration Testing (Pen Testing)
A skilled security professional manually attacks the application using the same techniques a real attacker would — but with authorization and a defined scope. Pen testing finds logical flaws that automated tools miss.
Input: Running application, sometimes source code (white-box)
When: Before major releases, annually, after significant changes
Finds: Business logic flaws, complex attack chains, novel vulnerabilities
Benefit: Human creativity catches what automation cannot
Methodology: OWASP Testing Guide, PTES, OWASP WSTG
The Testing Pyramid for Security
                  [Pen Test]
               Manual, periodic
             broad coverage, slow
                /           \
         [DAST]               [IAST]
   Automated black-box      Agent-based
   Fast, good coverage      Highly accurate
        /           \
   [SAST]             [SCA]
   Code scanning      Dependency scanning
   Every commit       Every build
   Fast feedback      Fast feedback
Bottom layers run constantly.
Upper layers run periodically.
All layers together provide defense in depth for testing.
OWASP ZAP: The Free Testing Tool
OWASP ZAP (Zed Attack Proxy) is the most widely used free web application security scanner. It acts as a proxy between the browser and the target application, recording all traffic and actively probing for vulnerabilities.
Key ZAP features:
Active scan   --> Automatically tests for XSS, SQLi, misconfigurations
Passive scan  --> Flags issues in traffic without sending attack requests
Spider        --> Discovers all pages and endpoints automatically
API scan      --> Tests REST and GraphQL APIs using an OpenAPI spec
CI/CD mode    --> Runs as a command-line tool in automated pipelines
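What a passive scan does, as an added example rather than ZAP's own rule code: it reads a single constructed HTTP response exactly as a proxy would see it and flags weaknesses visible in the headers (missing protective headers, a session cookie without HttpOnly or Secure, a Server header carrying a version) without sending any further request. The sample response, the header list and the messages are assumptions made for this example.

```python
# Constructed raw HTTP response, the kind a proxy sees on the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: ExampleServer/1.2.3\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers a passive rule expects on an HTML response, with the message raised when absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS header; clients may be downgraded to plain HTTP",
    "content-security-policy": "no CSP; the browser places no limits on injected script",
    "x-content-type-options": "no nosniff; MIME sniffing can turn uploads into scripts",
    "x-frame-options": "no framing control; the page can be embedded for clickjacking",
}


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response into (lowercased name, value) pairs; the body is ignored."""
    head, _, _body = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def passive_scan(raw: str) -> list:
    """Flag weaknesses visible in one response; no attack request is ever generated."""
    headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in present]
    for name, value in headers:
        if name == "set-cookie":
            cookie, *attrs = value.split(";")
            flags = {a.strip().lower() for a in attrs}
            for needed in ("httponly", "secure"):
                if needed not in flags:
                    findings.append(f"cookie lacks {needed}: {cookie.strip()}")
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"server header appears to leak a version: {value}")
    return findings


if __name__ == "__main__":
    for finding in passive_scan(SAMPLE_RESPONSE):
        print("PASSIVE:", finding)
```
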
The OWASP Web Security Testing Guide (WSTG)
The WSTG is a comprehensive manual that covers over 90 specific tests organized into categories matching the OWASP Top 10 and beyond. Each test includes: what to test for, how to test it, the tools to use, and how to interpret results.
WSTG Test Categories (abbreviated):
OTG-INFO      Information Gathering
OTG-CONF      Configuration and Deployment Management Testing
OTG-IDENT     Identity Management Testing
OTG-AUTHN     Authentication Testing
OTG-AUTHZ     Authorization Testing
OTG-SESS      Session Management Testing
OTG-INPVAL    Input Validation Testing
OTG-ERRH      Error Handling
OTG-CRYPT     Testing for Weak Cryptography
OTG-BUSLOGIC  Business Logic Testing
OTG-CLIENT    Client-Side Testing
Integrating Security Testing into CI/CD
Developer pushes code
|
v
SAST scan runs automatically
SCA scan checks dependencies
|
Issues found? --YES--> Build fails, developer notified immediately
|
NO
v
Code merged, application deployed to staging
|
v
DAST scan runs against staging environment
|
Issues found? --YES--> Team notified, deployment blocked
|
NO
v
Application deployed to production
|
v
Periodic manual pen test (quarterly or annually)
Quick Testing Checklist
[✓] SAST tool integrated into CI/CD, runs on every commit
[✓] SCA tool monitors dependencies continuously
[✓] DAST scan runs against staging before every production release
[✓] OWASP ZAP or Burp Suite used for manual exploratory testing
[✓] Annual penetration test by qualified security professionals
[✓] OWASP WSTG used as the test case reference
Key Takeaway
Security testing uses layered methods — automated scanning in every build, plus periodic manual penetration testing. SAST finds code-level issues early, DAST finds runtime issues, and pen testing finds what automation misses. OWASP ZAP and the WSTG give every team a free, comprehensive toolkit.
