Agent Skills: Security Test Planning

Plan security testing strategies including OWASP testing, penetration test scoping, SAST/DAST integration, and threat-based test case design.

ID: melodic-software/claude-code-plugins/security-test-planning

Install this agent skill locally:

pnpm dlx add-skill https://github.com/melodic-software/claude-code-plugins/tree/HEAD/plugins/test-strategy/skills/security-test-planning

Skill Files

plugins/test-strategy/skills/security-test-planning/SKILL.md

Skill Metadata

Name
security-test-planning
Description
Plan security testing strategies including OWASP testing, penetration test scoping, SAST/DAST integration, and threat-based test case design.

Security Test Planning

When to Use This Skill

Use this skill when:

  • Security Test Planning tasks - Planning security testing strategies for applications
  • Planning or design - Need guidance on OWASP testing, pen test scoping, SAST/DAST
  • Best practices - Want to follow established security testing standards

Overview

Security testing validates that applications are protected against threats and vulnerabilities. A comprehensive security test strategy combines automated scanning, manual testing, and threat-based test case design.


Security Testing Pyramid

                    ┌───────────┐
                   /  Pentest    \         Manual, Expert
                  /   Red Team    \        (Quarterly)
                 /─────────────────\
                /      DAST          \     Dynamic Scanning
               /    (Runtime)         \    (Weekly/Release)
              /───────────────────────\
             /         SAST             \  Static Analysis
            /      (Build Time)          \ (Every Commit)
           /─────────────────────────────\
          /      Secret Scanning           \ Pre-Commit
         /     Dependency Scanning          \ (Continuous)
        └───────────────────────────────────┘

Quick Reference: Testing Layers

| Layer | Tools | Frequency | Gate |
|-------|-------|-----------|------|
| Layer 1 (CI/CD) | Gitleaks, SonarQube, Snyk, Trivy | Every commit | Block Critical |
| Layer 2 (Periodic) | OWASP ZAP, Burp, 42Crunch | Weekly/Release | Block High+ |
| Layer 3 (Manual) | Penetration testing, Code review | Quarterly | Block All |


OWASP Top 10 Quick Coverage

| Category | Testing Approach |
|----------|------------------|
| A01: Broken Access Control | Manual + Automated |
| A02: Cryptographic Failures | Code review + SAST |
| A03: Injection | SAST + DAST + Manual |
| A04: Insecure Design | Threat modeling |
| A05: Security Misconfiguration | Config scanning |
| A06: Vulnerable Components | SCA |
| A07: Auth Failures | Manual + Automated |
| A08: Data Integrity | Manual testing |
| A09: Logging Failures | Log review |
| A10: SSRF | DAST + Manual |


Remediation SLAs

| Severity | SLA | Verification |
|----------|-----|--------------|
| Critical | 24 hours | Immediate retest |
| High | 7 days | Next sprint retest |
| Medium | 30 days | Quarterly scan |
| Low | 90 days | Annual review |
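The two tables above (per-layer block thresholds and remediation SLAs) are the kind of policy a pipeline step has to enforce mechanically. The following is an added example, not code from the skill or its references: a small gate evaluator that takes normalized scanner findings, decides whether the run fails for a given layer, and flags findings whose SLA has lapsed. The `Finding` type, the layer keys (`ci`, `periodic`, `manual`), and all sample findings are constructed for illustration; real scanner output would first be mapped into this shape.

```python
"""Added example: enforce the layer gates and remediation SLAs from the
skill's tables against scanner findings. Not part of the skill itself."""
from dataclasses import dataclass
from datetime import date, timedelta

# Ordering used for "High+" style thresholds.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Minimum severity that fails the run, per testing layer (Quick Reference table).
# Layer keys are an assumption of this example.
LAYER_GATE = {
    "ci": "critical",     # Layer 1 (CI/CD): block Critical
    "periodic": "high",   # Layer 2 (periodic DAST/API scans): block High and above
    "manual": "low",      # Layer 3 (manual): block everything
}

# Remediation SLA in days (Remediation SLAs table; 24 hours == 1 day).
SLA_DAYS = {"critical": 1, "high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    """One normalized finding; fields are a constructed, tool-neutral shape."""
    tool: str
    rule: str
    severity: str
    found_on: date


def normalize_severity(raw: str) -> str:
    """Lower-case a scanner severity and reject values outside the policy.

    Failing loudly here matters: an unknown label silently treated as
    'low' would let a finding slip past the gate."""
    sev = raw.strip().lower()
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity {raw!r}; expected one of {sorted(SEVERITY_RANK)}")
    return sev


def is_blocking(layer: str, finding: Finding) -> bool:
    """True when the finding meets or exceeds the layer's block threshold."""
    threshold = SEVERITY_RANK[LAYER_GATE[layer]]
    return SEVERITY_RANK[normalize_severity(finding.severity)] >= threshold


def due_date(finding: Finding) -> date:
    """Date by which the finding must be remediated under its SLA."""
    return finding.found_on + timedelta(days=SLA_DAYS[normalize_severity(finding.severity)])


def evaluate(layer: str, findings: list, today: date) -> dict:
    """Apply the gate for one layer and report SLA breaches.

    Returns a dict with 'pass' (bool), the findings that caused a block,
    and the findings whose remediation due date has already passed."""
    blocking = [f for f in findings if is_blocking(layer, f)]
    overdue = [f for f in findings if due_date(f) < today]
    return {"layer": layer, "pass": not blocking, "blocking": blocking, "overdue": overdue}


# Constructed sample findings (tool names from the Quick Reference table,
# rule names and dates invented for the example).
SAMPLE_FINDINGS = [
    Finding("gitleaks", "hardcoded-secret", "critical", date(2025, 12, 27)),
    Finding("trivy", "vulnerable-dependency", "high", date(2025, 12, 15)),
    Finding("sonarqube", "weak-hash", "medium", date(2025, 12, 1)),
    Finding("snyk", "info-disclosure", "low", date(2025, 10, 1)),
]


def main() -> None:
    today = date(2025, 12, 28)
    for layer in LAYER_GATE:
        result = evaluate(layer, SAMPLE_FINDINGS, today)
        status = "PASS" if result["pass"] else "FAIL"
        print(f"[{layer}] {status}: {len(result['blocking'])} blocking, "
              f"{len(result['overdue'])} past SLA")
        for f in result["overdue"]:
            print(f"  overdue: {f.tool}/{f.rule} ({f.severity}) due {due_date(f)}")


if __name__ == "__main__":
    main()
```

Because the SLA check is independent of the gate, a run can pass the CI gate while still reporting an overdue High finding; that is the intended split between "fail the build" (Layer 1 cares only about Critical) and "surface for the next sprint retest" (the SLA table).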


References

| Reference | Content | When to Load |
| --- | --- | --- |
| security-strategy-template.md | Full strategy template, scope, compliance, metrics | Planning security test strategy |
| owasp-testing.md | WSTG test categories, test case template | Writing OWASP-aligned test cases |
| dotnet-security-tests.md | Auth, input validation, rate limiting tests | Implementing .NET security tests |
| sast-dast-integration.md | CI/CD gates, ZAP integration, tool comparison | Setting up automated security scanning |


Integration Points

Inputs from:

  • Threat model → Test priorities
  • Security requirements → Coverage targets
  • test-strategy-planning skill → Overall strategy

Outputs to:

  • CI/CD pipeline → Security gates
  • devsecops-practices skill (security plugin) → Remediation
  • Compliance reporting → Evidence

Test Scenarios

Scenario 1: Planning security test strategy

Query: "Help me create a security test plan for our web application"

Expected: Skill activates, provides strategy template, guides through scope and layers

Scenario 2: OWASP-aligned testing

Query: "What OWASP tests should I run for authentication?"

Expected: Skill activates, loads owasp-testing.md reference, provides WSTG-ATHN tests

Scenario 3: .NET security tests

Query: "Show me how to test for SQL injection in .NET"

Expected: Skill activates, loads dotnet-security-tests.md reference, provides code examples


Last Updated: 2025-12-28

Version History

  • v1.1.0 (2025-12-28): Refactored to progressive disclosure - extracted tests/templates to references/
  • v1.0.0 (2025-12-26): Initial release