Functional tests check that your app does what it should. Security testing checks that it does not do what it should not: leak data, accept a malicious input, or let the wrong person in. It is the practice of finding vulnerabilities before an attacker does, and for anything handling user data it is not optional.
What is security testing?#
Security testing evaluates an application for weaknesses that could be exploited. Instead of asking "does this feature work?", it asks "how could this feature be abused?" The goal is to find and fix vulnerabilities while they are cheap to fix, not after a breach.
The main types#
- SAST (static analysis): scans source code for known-risky patterns without running it. Catches issues early, in the editor or CI.
- DAST (dynamic analysis): tests the running app from the outside, like an attacker, probing inputs and endpoints for exploitable behavior.
- Penetration testing: a human expert actively tries to break in, finding logic flaws automated tools miss.
- Vulnerability scanning: automated checks against databases of known flaws in your dependencies and infrastructure.
- Dependency / SCA: flags known vulnerabilities in the third-party packages your app pulls in.
Side by side#
| Type | How it works | Catches |
|---|---|---|
| SAST | Reads code | Risky patterns, early |
| DAST | Probes running app | Exploitable runtime behavior |
| Pen testing | Human attacker | Logic and chained flaws |
| Vuln scanning | Known-flaw database | Outdated, misconfigured pieces |
| Dependency / SCA | Scans packages | Vulnerable libraries |
Where it fits in the lifecycle#
Shift it left. Security testing belongs across the whole software development lifecycle (SDLC): SAST and dependency scans on every commit, DAST and vulnerability scans in CI or staging, and penetration tests periodically and before major releases. The earlier a flaw is found, the cheaper it is to fix, the same logic as any other testing strategy.
How to start#
You do not need everything at once. Start with dependency scanning (high value, low effort), add SAST in CI, then layer in DAST as the app matures. Treat each fixed vulnerability like a fixed bug: add a regression check so it cannot return.
Where ObserveOne fits#
ObserveOne is a QA and monitoring tool, not a security scanner, so it complements security testing rather than replacing it. One overlap worth noting: it can monitor your SSL/TLS certificates and flag expiry or misconfiguration before they cause an outage, a small but real slice of security hygiene that often gets forgotten until a cert expires in production.
The short version#
Security testing finds vulnerabilities before attackers do. The main types are SAST, DAST, penetration testing, vulnerability scanning, and dependency analysis, each catching different flaws. Shift it left, start small with dependency scanning, and turn every fixed vulnerability into a regression check.