Plan security testing strategies including OWASP testing, penetration test scoping, SAST/DAST integration, and threat-based test case design.
Repository: melodic-software/claude-code-plugins (plugin: test-strategy)
File: plugins/test-strategy/skills/security-test-planning/SKILL.md
Date: January 21, 2026
Installs to: .claude/skills/security-test-planning/

# Security Test Planning
## When to Use This Skill
Use this skill when:
- **Security Test Planning tasks** - Planning security testing strategies for applications
- **Planning or design** - Need guidance on OWASP testing, pen test scoping, SAST/DAST
- **Best practices** - Want to follow established security testing standards
## Overview
Security testing validates that applications are protected against threats and vulnerabilities. A comprehensive security test strategy combines automated scanning, manual testing, and threat-based test case design.
---
## Security Testing Pyramid
```text
            ┌───────────┐
           /   Pentest   \               Manual, Expert
          /   Red Team    \              (Quarterly)
         /─────────────────\
        /       DAST        \           Dynamic Scanning
       /     (Runtime)       \          (Weekly/Release)
      /───────────────────────\
     /          SAST           \        Static Analysis
    /      (Build Time)         \       (Every Commit)
   /─────────────────────────────\
  /       Secret Scanning         \     Pre-Commit
 /     Dependency Scanning         \    (Continuous)
└───────────────────────────────────┘
```
---
## Quick Reference: Testing Layers
| Layer | Tools | Frequency | Gate |
|-------|-------|-----------|------|
| Layer 1 (CI/CD) | Gitleaks, SonarQube, Snyk, Trivy | Every commit | Block Critical |
| Layer 2 (Periodic) | OWASP ZAP, Burp, 42Crunch | Weekly/Release | Block High+ |
| Layer 3 (Manual) | Penetration testing, Code review | Quarterly | Block All |
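The "Gate" column above only helps if a pipeline actually enforces it. The following is an added example, not code from the original skill file or from the melodic-software repository: it turns the three gate thresholds into a check a CI job can run and fail on. The `Finding` shape, the severity alias table and the sample findings are all constructed for the example; real scanners (Gitleaks, SonarQube, Snyk, Trivy, ZAP, Burp) write their own report formats, which would be normalised into this shape first.

```python
"""Severity gate for the three testing layers.

Added example, not code from the original skill file or the
melodic-software repository. It turns the "Gate" column of the
Testing Layers table into a check a CI job can run: Layer 1 blocks
Critical, Layer 2 blocks High and above, Layer 3 blocks everything.
The Finding shape and the sample findings below are constructed;
real scanners emit their own report formats, which would be
normalised into this shape first.
"""
from dataclasses import dataclass
from typing import Iterable

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Lowest severity that blocks the pipeline at each layer (from the table above).
LAYER_THRESHOLD = {
    1: "critical",  # Layer 1 (CI/CD): block Critical
    2: "high",      # Layer 2 (Periodic): block High+
    3: "info",      # Layer 3 (Manual): block All
}

# Scanner-specific labels mapped onto the common scale (assumed aliases).
SEVERITY_ALIASES = {
    "blocker": "critical",
    "major": "high",
    "moderate": "medium",
    "minor": "low",
    "informational": "info",
}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str


def normalise_severity(raw: str) -> str:
    """Map a scanner label onto the five-level scale.

    Labels the gate does not recognise are treated as 'high' so that a
    misconfigured or newly added scanner fails closed instead of being
    silently ignored.
    """
    label = raw.strip().lower()
    label = SEVERITY_ALIASES.get(label, label)
    return label if label in SEVERITY_RANK else "high"


def blocking_findings(findings: Iterable[Finding], layer: int) -> list[Finding]:
    """Findings at or above the layer's blocking threshold."""
    threshold = SEVERITY_RANK[LAYER_THRESHOLD[layer]]
    return [
        f for f in findings
        if SEVERITY_RANK[normalise_severity(f.severity)] >= threshold
    ]


def evaluate_gate(findings: Iterable[Finding], layer: int) -> tuple[bool, list[Finding]]:
    """Return (passed, blocking) for a layer; passed is False if any finding blocks."""
    blocking = blocking_findings(list(findings), layer)
    return (not blocking, blocking)


def gate_summary(findings: Iterable[Finding], layer: int) -> str:
    """One-line verdict suitable for a CI log."""
    passed, blocking = evaluate_gate(findings, layer)
    verdict = "PASS" if passed else "FAIL"
    names = ", ".join(f"{f.tool}:{f.rule}" for f in blocking)
    line = f"layer {layer} gate ({LAYER_THRESHOLD[layer]}+): {verdict}"
    return line + (f" [{names}]" if names else "")


# Constructed sample findings, as a normalised scan report might contain.
SAMPLE_FINDINGS = [
    Finding("gitleaks", "generic-api-key", "Critical", "config/settings.py:12"),
    Finding("trivy", "outdated-dependency", "high", "requirements.txt:example-lib"),
    Finding("sonarqube", "hardcoded-password", "Major", "app/auth.py:40"),
    Finding("zap", "missing-security-header", "low", "https://app.example/login"),
]

if __name__ == "__main__":
    import sys
    for layer in (1, 2, 3):
        print(gate_summary(SAMPLE_FINDINGS, layer))
    # Exit non-zero when the commit-time gate fails, so CI blocks the merge.
    sys.exit(0 if evaluate_gate(SAMPLE_FINDINGS, 1)[0] else 1)
```

Run as a script, the same four findings fail all three gates but for different reasons: only the leaked key blocks at Layer 1, the outdated dependency and the hard-coded password join it at Layer 2, and the low-severity header finding is only blocking at Layer 3. Unrecognised severity labels deliberately fail closed; a gate that silently ignores a scanner's new label is weaker than no gate at all.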
---
## OWASP Top 10 Quick Coverage
| Category | Testing Approach |
|----------|------------------|
| A01: Broken Access Control | Manual + Automated |
| A02: Cryptographic Failures | Code review + SAST |
| A03: Injection | SAST + DAST + Manual |
| A04: Insecure Design | Threat modeling |
| A05: Security Misconfiguration | Config scanning |
| A06: Vulnerable C