← Back to Learning Hub

Lesson 11: Security Testing

SAST, DAST, Penetration Testing & Security in the SDLC

75 minutes Year 12 Content High Exam Priority

Part 1: Security Testing vs Functional Testing 8 min

NESA SE-12-07 — Security Testing

A Different Mindset

You're familiar with testing code to make sure it does what it's supposed to do — passing the right inputs and checking for the right outputs. That's functional testing. Security testing is fundamentally different.

Functional testing asks: "Does the system do what it should?"

Security testing asks: "Can the system be made to do what it shouldn't?"

A functional test checks that a login form accepts the correct username and password. A security test checks whether you can log in without a correct password — using SQL injection, a bypassed session check, or a stolen cookie. Normal users don't try to break systems. Attackers do. Security testing requires thinking like an attacker.

Why Normal Testing Misses Vulnerabilities

  • Functional tests use expected inputs — they don't test ' OR '1'='1 as a username
  • Functional tests check intended behaviour — they don't check what happens when a user manipulates localStorage, intercepts a network request, or submits a form from a different site
  • Functional tests are written by developers — who think about how the system should work, not how it could be abused

Security testing requires dedicated methods. The NESA syllabus requires you to know three: SAST, DAST, and penetration testing.

Part 2: SAST — Static Application Security Testing 20 min

NESA SE-12-07 — Security Testing

Definition

Static Application Security Testing (SAST) analyses source code, bytecode, or binaries for security vulnerabilities without executing the program. The application is examined while it is "at rest" — think of it as a security-focused code review performed by an automated tool.

Static = the program is not running. The analysis is done on the code itself.

What SAST Finds

SAST tools scan the code looking for known dangerous patterns, misconfigurations, and vulnerability signatures:

  • SQL injection risks — detecting string concatenation in database queries
  • Hardcoded secrets — flagging strings that look like passwords, API keys, or hashes
  • Dangerous function usage — e.g., eval(), innerHTML, functions known to be unsafe
  • Insecure cryptography — use of deprecated algorithms like MD5 or DES
  • Missing input validation — user input that flows into sensitive operations without being sanitised
  • Dependency vulnerabilities — flagging imported packages with known CVEs (Common Vulnerabilities and Exposures)
Example: what a SAST tool would flag in this code
import hashlib

# SAST FLAG: hardcoded secret
API_KEY = "sk-abc123def456"

def get_user(username):
    # SAST FLAG: SQL injection risk — user input concatenated into query
    query = "SELECT * FROM users WHERE username = '" + username + "'"
    return db.execute(query)

def hash_password(password):
    # SAST FLAG: MD5 is cryptographically broken, use bcrypt or Argon2
    return hashlib.md5(password.encode()).hexdigest()

Common SAST Tools

Tool Language Support Common Use
SonarQube 25+ languages Enterprise CI/CD pipelines
Bandit Python Lightweight local scanning
ESLint (security plugins) JavaScript IDE integration, pre-commit checks
Semgrep Multi-language Custom rule-based scanning
GitHub Advanced Security Multi-language Integrated into GitHub repos

Advantages of SAST

  • Early detection — runs on code before the application is built or deployed, catching issues at the cheapest point to fix them
  • Full code coverage — analyses all code paths, including ones that are rarely executed at runtime
  • Integrates with development workflow — can run automatically on every commit or pull request
  • No running environment needed — can analyse code without a server, database, or deployed instance

Limitations of SAST

  • False positives — SAST tools flag potential vulnerabilities that may not actually be exploitable in context; developers must manually review findings
  • Cannot test runtime behaviour — some vulnerabilities only appear when the application is actually running and receiving real user input
  • Language and framework specific — tools need to understand the language and its frameworks to analyse it accurately
  • Can miss logic flaws — SAST finds known patterns; it cannot reason about business logic vulnerabilities that don't match a known signature

Part 3: DAST — Dynamic Application Security Testing 20 min

NESA SE-12-07 — Security Testing

Definition

Dynamic Application Security Testing (DAST) tests a running application by sending it inputs and analysing the responses, without access to the source code. The application is tested from the outside, as an attacker would approach it.

Dynamic = the program is running. The analysis is done against the live system.

DAST is sometimes called black-box testing because the tester has no visibility into the internal code — only the external behaviour matters.

How DAST Works

A DAST tool acts as an automated attacker. It systematically:

  1. Crawls the application — discovers all pages, forms, and API endpoints
  2. Fuzzes inputs — sends thousands of malicious or unexpected values to every input field (SQL injection strings, script tags, oversized inputs, special characters)
  3. Analyses responses — looks for error messages, unexpected output, or behaviour that indicates a vulnerability was triggered
  4. Reports findings — generates a report of confirmed and suspected vulnerabilities with evidence

What DAST Finds

  • XSS — by injecting script tags and checking if they appear unescaped in the response
  • SQL injection — by injecting SQL and checking for error messages or unexpected query results
  • CSRF — by checking whether forms include and validate tokens
  • Authentication weaknesses — testing for missing rate limiting, default credentials, insecure session handling
  • Misconfigured headers — checking for missing Content-Security-Policy, X-Frame-Options, etc.
  • Information disclosure — error messages that reveal stack traces, database schemas, or internal paths

Common DAST Tools

Tool Type Common Use
OWASP ZAP Free, open source Automated scanning and manual testing proxy
Burp Suite Free/paid Professional web application testing
Nikto Free, open source Web server misconfiguration scanning
Acunetix / Invicti Commercial Enterprise automated scanning

Advantages of DAST

  • Tests the real system — finds vulnerabilities in the actual running application, including those caused by server configuration, framework interactions, and runtime behaviour
  • Language agnostic — doesn't need to understand the source code; it works against any web application regardless of what it's built with
  • Fewer false positives — a DAST tool only reports a vulnerability if it can actually demonstrate it by getting a meaningful response
  • Tests what attackers see — the external attacker's perspective

Limitations of DAST

  • Needs a running application — can only be used once the application is built and deployed to a test environment
  • Can miss code-level issues — DAST can't see the source, so it may miss vulnerabilities that don't manifest in observable responses
  • Can be slow and resource-intensive — sending thousands of test inputs takes time, especially for large applications
  • Risk of disruption — aggressive fuzzing can generate large volumes of test data in a database, or cause unexpected application behaviour if run against production

SAST vs DAST — Side by Side

SAST DAST
What it analyses Source code, without running Running application, from outside
When it runs During development, on commit After deployment, against a test instance
Source code required? Yes No
Running app required? No Yes
Finds Code-level flaws, hardcoded secrets, dangerous patterns Runtime vulnerabilities, config issues, behavioural flaws
False positives Higher Lower
HSC keyword "White-box" (has access to code) "Black-box" (no access to code)

Best practice: Use both. SAST catches issues early in development; DAST validates the deployed system. Together they provide coverage that neither achieves alone.

Part 4: Penetration Testing 15 min

NESA SE-12-07 — Security Testing

Definition

Penetration testing (or "pen testing") is an authorised, simulated cyberattack on a system, conducted by security professionals to evaluate how well the system can withstand real attack techniques. Unlike automated tools, penetration testing involves human expertise, creativity, and judgement.

The key word is authorised. Without explicit written permission from the system owner, a penetration test is a crime. The same techniques used in pen testing are used by malicious attackers — the only difference is the authorisation.

The Four Phases

01 Reconnaissance

Gather information about the target: domain names, IP ranges, technologies used, employee names, email patterns. Entirely passive — no direct interaction with the target system.

02 Scanning

Actively probe the target to map open ports, running services, software versions, and potential entry points. Tools: Nmap (port scanning), Nessus (vulnerability scanning).

03 Exploitation

Attempt to exploit discovered vulnerabilities to gain unauthorised access. Documents exactly what an attacker could achieve and how. Tools: Metasploit, Burp Suite, manual techniques.

04 Reporting

Deliver a detailed report of all findings: what was found, how it was exploited, what data or access was obtained, and remediation recommendations ranked by severity.

Black Box, White Box, and Grey Box Testing

These terms describe how much information the tester has about the system being tested. They apply to penetration testing specifically, but also to testing in general.

Type Tester Knows Simulates Advantage
Black box Only what is publicly visible (URL, company name). No source code, no credentials. An external attacker with no insider knowledge Most realistic simulation of an outside attacker
White box Full access to source code, architecture diagrams, credentials, documentation An insider threat, or thorough audit with full access Most thorough; can find deeply buried vulnerabilities
Grey box Partial information — e.g., user-level credentials but no source code An authenticated user attempting to escalate privileges Balanced; more efficient than black box, more realistic than white box

OWASP Top 10

The Open Web Application Security Project (OWASP) publishes the Top 10 — a regularly updated list of the most critical security risks to web applications, based on real-world data from security experts globally. It serves as a standard checklist for penetration testers and a guide for developers.

The most recent OWASP Top 10 includes:

  1. Broken Access Control — users accessing data or functions they shouldn't be able to
  2. Cryptographic Failures — weak encryption, unencrypted data, hardcoded secrets
  3. Injection — SQL injection, XSS, command injection
  4. Insecure Design — architectural security flaws built in from the start
  5. Security Misconfiguration — default credentials, open cloud storage, verbose error messages
  6. Vulnerable and Outdated Components — insecure dependencies
  7. Identification and Authentication Failures — weak passwords, session management flaws
  8. Software and Data Integrity Failures — supply chain attacks, insecure CI/CD
  9. Security Logging and Monitoring Failures — lack of accountability; attacks go undetected
  10. Server-Side Request Forgery (SSRF) — server making requests on behalf of an attacker

You've now studied items 2, 3, 6, and 7 in detail. Penetration testers use this list as a systematic framework to ensure comprehensive coverage.

Legal and Ethical Requirements

Penetration testing without authorisation is a criminal offence under the Cybercrime Act 2001 (Cth) in Australia. All penetration testing must be preceded by a signed scope agreement (sometimes called a "rules of engagement" document) that specifies exactly what systems may be tested, what techniques are permitted, and the timeframe of testing.

A penetration tester who goes beyond the agreed scope — even with good intentions — may face legal consequences.

Part 5: Security in the SDLC 7 min

NESA SE-12-07 — SDLC & Security

When to Apply Each Testing Method

Security testing is not a single step at the end of development. The NESA syllabus connects security to the SDLC — security activities belong at every phase.

SDLC Phase Security Activity
Requirements Define security requirements; identify assets and threats; perform threat modelling
Design Review architecture for security weaknesses; apply Privacy by Design principles; plan authentication and authorisation model
Development Developers follow secure coding practices; SAST tools run on every commit to catch issues immediately
Testing DAST runs against the deployed test environment; security-focused functional testing of auth, access control, and input handling
Deployment Server hardening; security configuration review; penetration testing of the production-ready system
Maintenance Ongoing dependency auditing; monitoring and logging; periodic re-testing as the system evolves

Shift Left

"Shift left" means moving security activities earlier in the development lifecycle — towards the left of a timeline that runs from design to deployment.

The principle is economic: the earlier a vulnerability is found, the cheaper it is to fix. A vulnerability caught by a SAST tool during development costs a developer an hour to fix. The same vulnerability found after deployment by a penetration tester might require architectural changes, a redeployment, and a public disclosure process.

DevSecOps: A culture and set of practices where security is integrated into every stage of DevOps — not added at the end. Security is "everyone's responsibility," not the security team's problem to solve after the code is written.

Part 6: Knowledge Check 5 min

HSC-Style Questions

  • Q1 (3 marks): Compare SAST and DAST as methods of security testing. In your answer, identify what each analyses, one advantage of each, and one vulnerability that SAST can find that DAST cannot.
  • Q2 (2 marks): Distinguish between black box and white box penetration testing. Identify which type better simulates an external attacker and explain why.
  • Q3 (2 marks): Explain the concept of "shift left" in the context of secure software development. Why is it more cost-effective to find vulnerabilities early?

Model Answers (Click to Reveal)

Q1: SAST vs DAST

SAST analyses source code without executing the program. It can run during development, before the application is built, catching issues at their source. An advantage is early detection — running on every commit means vulnerabilities are found at the cheapest point to fix. SAST can find hardcoded secrets embedded in source files, which DAST cannot detect because secrets in source code may not be visible in the application's runtime responses.

DAST tests a running application by sending malicious inputs and analysing responses, without access to source code. An advantage is that it finds runtime vulnerabilities that only appear when the application is actually operating, including server misconfiguration and behavioural flaws that SAST cannot detect from code alone.

Q2: Black Box vs White Box

Black box testing is performed with no knowledge of the internal system — the tester only knows what is publicly visible, such as the application's URL. White box testing is performed with full access to source code, architecture documentation, and credentials.

Black box testing better simulates an external attacker because it replicates the attacker's perspective: no insider knowledge, only what can be discovered from outside the system. This makes the findings directly relevant to real-world threats from unknown attackers, though it may miss vulnerabilities that only become apparent when the code is examined directly.

Q3: Shift Left

"Shift left" refers to integrating security testing earlier in the software development lifecycle — moving security activities toward the beginning of the development timeline rather than treating them as a final-stage concern.

It is more cost-effective because vulnerabilities become progressively more expensive to fix as development progresses. A vulnerability discovered by a developer's SAST tool during coding requires a small code change. The same vulnerability discovered after deployment by a penetration tester may require architectural redesign, redeployment, user notification, and potential regulatory reporting — a significantly greater cost in time, money, and reputation.

What You've Learned Today

  • Security testing mindset — asks "can the system be made to do what it shouldn't?" Functional testing alone misses vulnerabilities because it uses expected inputs
  • SAST — analyses source code without running it. Finds code-level issues (hardcoded secrets, SQL injection patterns, dangerous functions). Runs early in development. Higher false positive rate
  • DAST — tests a running application from outside. Finds runtime vulnerabilities (XSS, SQL injection confirmed, CSRF, misconfigurations). Fewer false positives. Requires a deployed instance
  • Penetration testing — authorised ethical hacking by security professionals. Four phases: reconnaissance, scanning, exploitation, reporting. Requires written authorisation
  • Black / white / grey box — how much information the tester has. Black = external attacker view. White = full code access. Grey = partial information
  • OWASP Top 10 — the standard checklist of the most critical web vulnerabilities. A reference for testers and developers alike
  • Shift left — find vulnerabilities early (cheap to fix) rather than late (expensive to fix). Security at every SDLC phase, not just at the end

Curriculum Progress

  • Year 12 Secure Software — security testing section: complete
  • The entire Secure Software Design module is now done across Lessons 7–10
  • HSC Outcomes: SE-12-07 (full), SE-12-04 (full)
  • Next topic: Programming for the Web — HTTP, requests, responses, and how everything you've learned about security applies to the web protocol layer

Homework Before Next Lesson

Short Answer Practice

Write HSC-style answers (3–5 sentences each) for the following questions. These are the type of questions that appear in the actual HSC exam.

  1. A company is about to deploy a new e-commerce web application. Describe how they should use SAST and DAST as part of their security testing strategy, including when each should be applied.
  2. Explain why penetration testing requires written authorisation from the system owner. What legal risk does an unauthorised test carry?
  3. A security consultant recommends "shift left" security practices for a software team. Explain what this means and why it reduces cost.
Hints (open if stuck)

Q1: Think about which testing method can run without a deployed application, and which requires one. Where do they fit in the SDLC?

Q2: The Cybercrime Act 2001 (Cth) is the relevant Australian legislation. The key issue is that attack techniques are identical whether authorised or not.

Q3: Imagine fixing a bug the day you wrote it vs. fixing it six months after the application has launched and is being used by customers.

Research Task

Look up one real-world security breach from the last five years. Write a short paragraph (4–6 sentences) identifying:

  • What vulnerability was exploited (connect it to the OWASP Top 10 or the vulnerabilities from Lesson 9)
  • What security testing method might have caught it before deployment
  • What the consequences were

Come prepared to discuss it at the start of next lesson.

← Back to Blake's Learning Hub