Security
TLS misconfiguration is one of the most common and consequential security issues in web applications. Weak cipher suites, expired certificates, deprecated protocol versions, and missing HSTS — these issues are easy to find with the right tools and easy to automate in CI. This guide covers the full TLS/SSL testing
Security
OWASP ZAP is the benchmark for open-source web application security scanning. Most teams use it for baseline scans — but ZAP's real power is in its API, authenticated scanning, and deep CI/CD integration. This guide covers the complete picture. Active vs Passive Scanning Understanding the difference determines where
Security
SQLMap is the standard tool for automated SQL injection detection and exploitation. It supports every major injection technique, handles authentication, works with WAFs via tamper scripts, and integrates into CI pipelines. This guide covers practical testing workflows for development and security teams. What SQLMap Tests SQLMap detects and exploits SQL
Security
Nuclei is a fast, template-based vulnerability scanner from ProjectDiscovery. Unlike ZAP or Burp, Nuclei runs predefined YAML templates — thousands of them for CVEs, misconfigurations, exposed panels, and default credentials. The template model makes it easy to write custom checks for your application's specific security requirements. Why Nuclei Speed
Security
Mutual TLS (mTLS) requires both client and server to present certificates during the TLS handshake. It's the standard authentication mechanism for service-to-service communication in microservices, and increasingly used for API access in zero-trust architectures. Testing mTLS is distinct from standard TLS testing — you need to verify that certificate
Security
Certificate pinning prevents man-in-the-middle attacks by restricting which certificates an app trusts. Without pinning, installing a custom CA certificate on a device is enough to intercept HTTPS traffic — the system trust store accepts it and the app never knows. With pinning, the app checks the certificate against a hardcoded list
Testing
Every system call a container makes is an attack surface. seccomp (Secure Computing Mode) lets you define exactly which syscalls a container is allowed to make — and kill or log anything outside that list. The challenge is writing profiles that are tight enough to restrict attacker behavior but permissive enough
Testing
Pod Security Standards (PSS) replaced PodSecurityPolicy (PSP) in Kubernetes 1.25. They define three security levels for pods — Privileged, Baseline, and Restricted — and the Pod Security Admission (PSA) controller enforces them at the namespace level. But "enforces" only works if you actually test that your manifests comply. This
Testing
Runtime security is the last line of defense. If a container escapes, an attacker pivots laterally, or malware executes inside your cluster — Falco is what catches it. But Falco rules that go untested are rules that fail silently when it matters most. This guide covers how to write, validate, and
Testing
OPA Gatekeeper extends Kubernetes admission control with custom policies written in Rego. When a pod, service, or configmap is created or updated, Gatekeeper evaluates it against your policies and either admits or rejects the request. The problem is most teams write Gatekeeper policies without any tests, discovering failures only when
Testing
Mandatory Access Control (MAC) is what runs underneath discretionary permissions. Even if a process runs as root, AppArmor and SELinux can restrict which files it reads, which network ports it uses, and which capabilities it exercises. For containers, these are critical layers of defense-in-depth. The gap most teams fall into:
Testing
Policy-as-code turns compliance requirements into machine-checkable rules. Instead of "all S3 buckets must have versioning enabled" living only in a wiki, it lives in code that runs in your CI pipeline and blocks non-compliant deployments automatically. Open Policy Agent (OPA) is the most widely adopted policy-as-code engine. conftest