# What you'll learn

After watching this video, you will be able to: 
* Describe security testing.
* Describe mitigation strategies.
* List five key mitigation strategies.

# What is security testing? 

* Security tests are procedures for comparing the states of an application or a system.
* Security testing provides a secure code baseline for development.
* You should perform security tests on all new code to reduce the risk of security impacts.
* Any code changes may create vulnerabilities in previously secure code.

# When to perform security testing

Next, **where does security testing belong in the software development lifecycle (or SDLC)?** 
* Security testing takes place during the Test stage along with code review.
* Although secure code should be a top priority during the Test phase, security testing should be part of your secure coding processes throughout the SDLC.

# Security testing steps

* To perform security testing, the first step is to provide a secure baseline during development.
* Once a baseline has been established, you can compare the states of an application or a system.

# Functional security testing

* Functional security testing should be an integral part of your security testing processes.
* Functional security testing verifies that software or a system behaves as expected when you test it.
* To perform functional security testing, you need a list of your functional requirements.
* Functional security testing helps you ensure that the code meets your security requirements.
* Two types of functional testing are: **Ad hoc testing** and **exploratory testing**.
* **Ad hoc testing** is specialized testing performed upon discovery of a vulnerability.
* **Exploratory testing** takes place outside of formal testing.
* Examples of exploratory testing are testing a theory or testing an idea.

# Automated security testing types

In automated security testing, two popular testing procedures are **unit testing** and **integration testing**.
* **Unit tests** are for testing classes and methods to evaluate application programming interface (or API) contracts.
* You can perform unit testing on individual classes with limited scope.
* **Integration tests** are for testing the integration of several code classes within an application.
* You can perform integration tests across application tiers and a wide testing scope.

# Automation frameworks

* You can also use automated frameworks for automating security tests of an application or system.
* Three examples of security testing automation frameworks are **BDD-Security**, **Mittn**, and **Gauntlt**.
* **BDD-Security** is a security testing framework that uses behavior-driven development.
* **Mittn** is a popular tool suite to include in continuous integration.
* **Gauntlt** is a security framework that hooks into security tools for simplified integration.

# Mitigation strategies

Using mitigation strategies helps reduce risks and impacts of security threats and vulnerabilities.

As you develop code, use these five key mitigation strategies.

* First, use **JavaScript Object Notation** (or **JSON**) for your API data payloads.
* Unlike Extensible Markup Language (or XML), JSON encodes data as simple key-value pairs rather than complex nested elements, and it parses faster.
* Next, implement **secure coding practices**.
* Communicate security standards across your team and within your organization.
* **Use vulnerability scanners** to find vulnerabilities in code.
* You can also automate vulnerability scanning.
* **Threat modeling** is another key mitigation strategy.
* Include threat modeling to gain a clear understanding of the behavior of bad actors.
* Threat modeling helps predict what could be compromised and determine how to immediately contain the threat.
* **Maintain awareness of the Open Web Application Security Project (or OWASP) Top 10 security vulnerability concerns**.
* This regularly updated list will help you perform security testing in development with the most critical security risks in mind before you deploy code to production.
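As an added example (not code from the video or course), the following Python shows unit tests of the kind described under "Automated security testing types", written against a hypothetical API payload parser that enforces the JSON-only mitigation above. The requirement labels R1 to R4, the size limit, the function names and the sample payloads are all assumptions made for this illustration.

```python
import json

MAX_PAYLOAD_BYTES = 64 * 1024  # hypothetical bound taken from the functional requirements list

class PayloadError(ValueError):
    """Raised when a request body violates the API contract."""


def _reject_duplicate_keys(pairs):
    # Strict decoding: json.loads silently keeps the last duplicate key by default.
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen.add(key)
    return dict(pairs)


def parse_api_payload(content_type: str, body: bytes) -> dict:
    """Accept only a JSON object; every rejection maps to a listed requirement."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":                     # R1: JSON only, XML rejected
        raise PayloadError(f"unsupported content type: {media_type!r}")
    if len(body) > MAX_PAYLOAD_BYTES:                        # R2: bounded size
        raise PayloadError("payload exceeds size limit")
    try:
        data = json.loads(body.decode("utf-8"), object_pairs_hook=_reject_duplicate_keys)
    except (UnicodeDecodeError, ValueError) as exc:          # R4: strict parse, no duplicates
        raise PayloadError(f"malformed JSON: {exc}") from exc
    if not isinstance(data, dict):                           # R3: top level is an object
        raise PayloadError("top-level JSON value must be an object")
    return data


def rejected(content_type: str, body: bytes) -> bool:
    """True if the contract rejects the request (used by the unit tests below)."""
    try:
        parse_api_payload(content_type, body)
    except PayloadError:
        return True
    return False


# Unit tests, one per requirement plus the happy path; all inputs are constructed.
def test_accepts_valid_json_object():
    assert parse_api_payload("application/json; charset=utf-8", b'{"user": "alice"}') == {"user": "alice"}

def test_rejects_xml_payload():
    assert rejected("application/xml", b"<user><name>alice</name></user>")

def test_rejects_oversized_payload():
    assert rejected("application/json", b'{"pad": "' + b"A" * MAX_PAYLOAD_BYTES + b'"}')

def test_rejects_non_object_top_level():
    assert rejected("application/json", b'["alice"]')

def test_rejects_duplicate_keys():
    assert rejected("application/json", b'{"role": "user", "role": "admin"}')
```

Each test checks one security requirement against the parser's contract, so a later code change that loosens the contract fails the unit test before it reaches integration testing.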

# Summary

In this video, you learned that: 
* Security tests are procedures for comparing the state of an application or a system.
* Functional security testing should be an integral part of your security testing processes.
* Two automated security testing procedures are unit testing and integration testing.
* Using secure coding practices and other mitigation strategies helps reduce risks and impacts of security threats and vulnerabilities.