Mastering DevSecOps: Essential Security Testing Strategies for Modern Applications
As DevOps accelerates software delivery, integrating robust security testing—through static, dynamic, interactive application security testing and software composition analysis—becomes essential, and this article explains the importance, methods, tools, and best practices, including Huawei Cloud’s approach, to ensure comprehensive protection across the development lifecycle.
Introduction
With the rise of DevOps, the speed of enterprise application iteration has increased dramatically. However, if security does not keep pace, it can negate DevOps gains, slow digital transformation, and introduce vulnerabilities. In 2012, Gartner introduced the DevSecOps concept, embedding security processes into traditional DevOps pipelines to provide strong guarantees for secure development.
Why Security Testing Matters
Software testing is an indispensable part of the software development lifecycle. Traditional functional and non‑functional tests can uncover some bugs but are not designed to find security defects comprehensively. Security testing evaluates how software behaves under unauthorized internal or external attacks, ensuring the safety of software and data.
According to Forrester’s 2020 "The State Of Application Security" report, 39% of external attacks target web applications (e.g., SQL injection, XSS, RFI), while 30% target software vulnerabilities.
How to Conduct Effective Security Testing
Effective security testing focuses on three areas: Application Security Testing (AST), Software Composition Analysis (SCA), and Penetration Testing.
Application Security Testing (AST)
AST is the primary defense because applications are the main attack surface. It includes three major techniques:
Static Application Security Testing (SAST)
SAST examines source code (or compiled binaries) to discover security flaws using abstract syntax trees, control‑flow analysis, and taint tracking. It is a white‑box approach; tools such as Coverity, Checkmarx, FindBugs, CodeQL, and ShiftLeft Inspect provide high code coverage and can detect many OWASP Top 10 issues. However, SAST often generates false positives that require manual triage.
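The taint-tracking idea described above, worked through on a small scale as an added example (not code from the article or from any of the tools it names): the analyser below walks the Python abstract syntax tree, marks variables assigned from an untrusted source, clears the mark when a value passes through a sanitiser, and reports any sink call that receives tainted data. The sample program, the source/sink/sanitiser lists and the flask-style handler are all constructed for the example.

```python
import ast
from dataclasses import dataclass

# Constructed sample program (hypothetical handler, not from the article)
SAMPLE_SOURCE = '''
from flask import request
import sqlite3

def lookup(db):
    user = request.args.get("user")          # untrusted source
    safe = int(request.args.get("page"))     # int() acts as a sanitiser
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    cur = db.cursor()
    cur.execute(query)                       # sink reached by tainted data
    cur.execute("SELECT * FROM t LIMIT ?", (safe,))   # clean, parameterised call
    return cur.fetchall()
'''

# Assumed source/sink/sanitiser lists for the example; a real tool ships much larger ones.
SOURCES = {"request.args.get", "request.form.get", "input"}
SINKS = {"execute", "executescript", "system", "popen"}
SANITIZERS = {"int", "float", "escape"}


@dataclass
class Finding:
    line: int          # line of the sink call
    sink: str          # dotted name of the sink
    source_line: int   # line where the taint originated


def _dotted(node):
    """Return the dotted name of a Name/Attribute chain such as request.args.get."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


class TaintAnalyzer(ast.NodeVisitor):
    def __init__(self):
        self.tainted = {}    # variable name -> line where its taint originated
        self.findings = []

    def _taint_origin(self, node):
        """Return the origin line if the expression carries taint, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SOURCES:
                return node.lineno
            if name in SANITIZERS:          # sanitiser output is treated as clean
                return None
            for arg in node.args:           # taint flows through other calls
                origin = self._taint_origin(arg)
                if origin is not None:
                    return origin
            return None
        if isinstance(node, ast.BinOp):     # string concatenation propagates taint
            return self._taint_origin(node.left) or self._taint_origin(node.right)
        if isinstance(node, ast.JoinedStr):  # f-strings propagate taint too
            for value in node.values:
                if isinstance(value, ast.FormattedValue):
                    origin = self._taint_origin(value.value)
                    if origin is not None:
                        return origin
            return None
        if isinstance(node, (ast.Tuple, ast.List)):
            for elt in node.elts:
                origin = self._taint_origin(elt)
                if origin is not None:
                    return origin
            return None
        return None   # constants and anything unrecognised are treated as clean

    def visit_Assign(self, node):
        origin = self._taint_origin(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if origin is not None:
                    self.tainted[target.id] = origin
                else:
                    self.tainted.pop(target.id, None)   # reassignment clears taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name is not None and name.split(".")[-1] in SINKS:
            for arg in node.args:
                origin = self._taint_origin(arg)
                if origin is not None:
                    self.findings.append(Finding(node.lineno, name, origin))
                    break
        self.generic_visit(node)


def analyze(source):
    """Parse the source and return the list of tainted sink calls found."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.sink} receives data tainted at line {f.source_line}")
```

Run against the sample, it reports the concatenated query on line 10 and stays silent on the parameterised call, because the tuple argument holds the sanitised value. The same simplifications that keep the example short (no branches, no inter-procedural flow, a fixed sanitiser list) are where the false positives and negatives the article mentions come from in real tools, which is why triage of SAST output remains a manual step.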
Dynamic Application Security Testing (DAST)
DAST operates without source code, simulating attacker behavior by sending crafted inputs to a running application and observing responses. Tools like AWVS (commercial) and open‑source scanners detect real‑world exploitable vulnerabilities with low false‑positive rates. DAST is a black‑box technique and can also discover issues in third‑party components, though pinpointing the exact code location can be difficult.
Interactive Application Security Testing (IAST)
IAST runs inside the application during normal execution, monitoring data flow and interactions to identify insecure code paths. It combines the low false‑positive rate of DAST with the code‑level insight of SAST, reporting precise locations for remediation. IAST requires a running application and sufficient functional test coverage.
Combining SAST, DAST, and IAST provides a balanced security testing strategy, mitigating the limitations of each individual method.
Software Composition Analysis (SCA)
Modern applications heavily reuse open‑source components—often accounting for 70% of code. SCA identifies known vulnerabilities in these dependencies and their transitive chains, referencing databases such as the National Vulnerability Database. Automated SCA tools suggest remediation actions like upgrading to patched versions or replacing risky components. Performing SCA early in development reduces the cost of fixing vulnerable libraries in production.
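The dependency-chain matching that SCA performs, as an added example that is not part of the article and is not the implementation of any SCA product: it walks a constructed lock-file graph from the application root, checks every reachable package (direct or transitive) against a constructed advisory list with introduced/fixed version ranges, and emits the dependency chain plus an upgrade suggestion for each match. The package names, versions and advisory identifiers are all hypothetical placeholders.

```python
from dataclasses import dataclass

# Constructed advisory database; identifiers and packages are hypothetical placeholders.
# A real tool would pull this from a source such as the National Vulnerability Database.
VULN_DB = {
    "libparse": [
        {"id": "EXAMPLE-0001", "introduced": "1.0.0", "fixed": "1.4.2",
         "summary": "hypothetical unsafe deserialisation"},
    ],
    "netcore": [
        {"id": "EXAMPLE-0002", "introduced": "2.0.0", "fixed": "2.3.0",
         "summary": "hypothetical request-smuggling flaw"},
    ],
}

# Constructed dependency graph in lock-file form: package -> (pinned version, direct deps)
LOCKFILE = {
    "webapp":     ("1.0.0", ["webframe", "libparse"]),
    "webframe":   ("3.1.0", ["netcore", "templating"]),
    "netcore":    ("2.2.1", []),
    "templating": ("0.9.0", []),
    "libparse":   ("1.4.2", []),   # already on the fixed version
}


def parse_version(text):
    """Turn a dotted version such as '2.3.0' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, advisory):
    """Affected when introduced <= version < fixed (fixed version itself is clean)."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


@dataclass
class ScaFinding:
    package: str
    version: str
    advisory_id: str
    chain: list          # path from the root to the vulnerable package
    transitive: bool     # True when the package is not a direct dependency
    remediation: str


def walk(root, graph):
    """Depth-first walk yielding (package, path) once per reachable package."""
    seen = set()
    stack = [(root, [root])]
    while stack:
        pkg, path = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        yield pkg, path
        _version, deps = graph[pkg]
        for dep in deps:
            stack.append((dep, path + [dep]))


def scan(root, graph, db):
    """Return one finding per (package, advisory) pair that affects the pinned version."""
    findings = []
    for pkg, path in walk(root, graph):
        version = graph[pkg][0]
        for advisory in db.get(pkg, []):
            if is_affected(version, advisory):
                findings.append(ScaFinding(
                    package=pkg,
                    version=version,
                    advisory_id=advisory["id"],
                    chain=path,
                    transitive=len(path) > 2,
                    remediation=f"upgrade {pkg} to >= {advisory['fixed']}",
                ))
    return findings


if __name__ == "__main__":
    for f in scan("webapp", LOCKFILE, VULN_DB):
        kind = "transitive" if f.transitive else "direct"
        print(f"{f.advisory_id}: {f.package} {f.version} ({kind}) via "
              f"{' -> '.join(f.chain)}; {f.remediation}")
```

On the sample graph the only hit is the transitive netcore 2.2.1 pulled in through webframe, while libparse is skipped because it already sits on the fixed release. The transitive flag matters in practice: fixing it means bumping or overriding the dependency that the direct dependency declares, not editing the application's own manifest.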
Penetration Testing
Automated AST and SCA cannot guarantee 100% security. Manual penetration testing, performed by accredited third parties, simulates real attacker techniques to uncover hidden flaws. While labor‑intensive and not easily repeatable, penetration testing remains essential for regulated industries and for validating the effectiveness of automated security controls.
Huawei Cloud Security Development Practices
Huawei Cloud ensures security throughout the verification phase by defining standards, methods, and tools:
Standards: language‑specific secure coding guidelines, test design specifications, secure compilation options, and fuzz testing guidance.
Methods: secure compilation, static analysis, SCA, TMBT security test design, web security testing, component security testing, virtualization security, IoT security, virus scanning, and fuzzing.
Tools: proprietary platforms such as SecSolar (secure coding checks), SecGuard (security testing), SecFuzz, and SecureCat (OS/DB configuration checks).
All Huawei Cloud services undergo multiple security testing stages before release: Alpha (authentication, session security, micro‑service checks), Beta (API and protocol fuzzing), and Gamma (database security and specialized tests). Test cases cover identified security requirements and attacker‑perspective penetration scenarios.
Conclusion
Security testing in DevSecOps differs from traditional manual testing by emphasizing automation. Integrating automated security tests into CI/CD pipelines enables DevOps engineers to deliver features quickly while minimizing risk. Continuous feedback loops, combined with solid education and design principles, make security a core aspect of software delivery without compromising speed or user experience.