Security testing guides — vulnerability scanning, penetration testing basics, and secure SDLC practices.
Security Testing
Checkov ships with over 1,000 built-in checks — but every organization has requirements those built-ins don't cover. Naming conventions, internal tagging standards, specific CIDR allowlists, cross-resource validation — these need custom policies. Checkov supports two custom policy formats: Python classes for complex logic, and YAML for declarative attribute checks.
Testing
Unit tests verify that your Pulumi code produces the resources you intend. Policy-as-code verifies that those resources comply with organizational standards — encryption enabled, tags present, no public S3 buckets, required IAM conditions. Pulumi CrossGuard handles the second concern. CrossGuard policies run on every pulumi up and pulumi preview. They can
Security Testing
tfsec is a static security scanner purpose-built for Terraform. Where Checkov supports many IaC formats, tfsec focuses entirely on Terraform and goes deeper: it resolves variable references, evaluates module calls, and understands Terraform's type system. The result is fewer false positives on complex configurations. Originally built by Aqua
AI Testing
AI applications are only as safe as their guardrails. Prompt injection, jailbreak attempts, and content filter bypass are real attack vectors against production LLM applications. Testing your guardrails — systematically and automatically — is as important as testing your authentication or input validation. This guide covers how to build a guardrail test
Security Testing
Hardcoded credentials in source code are a leading cause of data breaches. AWS keys, database passwords, API tokens — once they hit a git commit, they're in version history forever, even if you delete them in a later commit. Secrets scanning tools and pre-commit hooks catch these before they&
Security Testing
SQL injection remains one of the most impactful web vulnerabilities — it appears in the OWASP Top 10 every year and leads directly to data breaches. Testing for it involves probing how your application handles malicious SQL in user-controlled inputs. This guide covers manual detection, sqlmap automation, and parameterized query validation
Security Testing
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are among the most exploited vulnerabilities in web applications. Both are automatable — you can write tests that run on every PR and catch regressions before they reach production. This guide covers how to build an automated XSS and CSRF test suite that
Security Testing
Authentication is the most critical security boundary in any web application. Broken authentication is consistently in the OWASP Top 10 because the implementation surface is enormous — JWTs, OAuth2 flows, session tokens, password reset flows, MFA. Each component can fail independently. This guide covers how to test each layer systematically. Key
Security Testing
Dynamic Application Security Testing (DAST) probes your running application for vulnerabilities — sending real HTTP requests and observing how the server responds. OWASP ZAP and Burp Suite are the two most widely used tools. This guide covers what each finds, how to automate scans in CI, and how to interpret the
Security Testing
Static Application Security Testing (SAST) tools scan your source code for vulnerabilities without executing it. Semgrep, SonarQube, and CodeQL are the three most widely used — each with different strengths, pricing models, and CI integration stories. This guide compares them head-to-head so you can pick the right one for your team.
API Testing
RESTler is a stateful REST API fuzzer from Microsoft Research. Unlike simple fuzzers that hit each endpoint independently, RESTler infers the relationships between API calls — it knows that you must create a user before you can update it, and that updating requires the ID returned by creation. This stateful awareness
API Testing
API fuzzing finds the bugs that escape manual testing and code review: server crashes from unexpected inputs, schema violations from edge cases, and authorization gaps revealed by unusual request sequences. But fuzzing without a clear strategy wastes time and generates noise. This guide covers the practices that make API fuzzing