Security testing assesses the vulnerabilities and security weaknesses in software, verifying that it protects data and can withstand attacks. It covers a range of techniques (SAST, DAST, penetration testing, dependency scanning) and is essential because security flaws can have severe consequences.
What security testing checks
Security testing finds VULNERABILITIES and verifies defenses:
→ common flaws: injection (SQL, etc.), XSS, broken authentication/authorization, sensitive data exposure, misconfigurations, vulnerable dependencies (OWASP Top 10)
→ does the app properly authenticate, authorize, validate input, encrypt data, etc.?
→ ensures the software resists attacks and protects data/users.
Types/techniques of security testing
SAST (Static) → analyze SOURCE CODE for vulnerabilities (without running it) — in CI
DAST (Dynamic) → test the RUNNING app for vulnerabilities (attack it from outside)
DEPENDENCY scanning (SCA) → find known vulnerabilities in libraries (Snyk, Dependabot)
PENETRATION testing → ethical hackers actively try to BREAK IN (find real exploitable flaws)
SECRET scanning → detect secrets committed to the repository; CONFIGURATION/IaC scanning → find insecure settings in configuration and infrastructure-as-code
