Security Testing Overview
Version: 1.0.0
Last Updated: 2024
Status: Active
Quick Navigation
The StockEase Frontend employs a comprehensive security testing program with three pillars:
| Testing Type | Focus | Timing | Tools | Coverage |
|---|---|---|---|---|
| SAST | Code-level vulnerabilities | During development | ESLint, TypeScript | Syntax errors, patterns |
| Unit/Integration | Application logic security | Before merge | Vitest, jsdom | 85%+ code coverage |
| DAST | Runtime vulnerabilities | Post-deploy | OWASP ZAP | API, UI, config |
Table of Contents
- Quick Start
- Security Testing Pyramid
- When to Use Each Testing Type
- Testing Standards & Goals
- Test Domains
- Running Tests
- Troubleshooting
- Related Resources
Quick Start
For Developers
Before pushing code:
# 1. Run SAST (takes ~10 seconds)
npm run lint
# 2. Run unit/integration tests (takes ~30 seconds)
npm test
# 3. Check coverage
npm test -- --coverageDuring code review:
- Verify SAST violations are addressed
- Ensure test coverage β₯85% for security code
- Check for dangerous code patterns
For Security Teams
Weekly:
# Run baseline DAST scan on staging
npm run dast:baseline -- --url https://staging.stockease.localPost-release:
# Run full DAST scan on production
npm run dast:full -- --url https://stockease.appContinuous:
- Monitor security test results
- Track vulnerability trends
- Review remediation progress
Security Testing Pyramid
β²
/ \
/ \
/ DAST \ (1-2 tests)
/ Tests \
/ \
/βββββββββββββ\
β Full UI β
β Scenario β
β Testing β
β β
βββββββββββββββ€
β Integrationβ (10-20 tests per feature)
β Tests β
β β
βββββββββββββββ€
βUnit & Focus β (50-100+ unit tests)
β Security β
β Tests β
β β
βββββββββββββββ€
β SAST β (Continuous - every keystroke)
β Analysis β
β(ESLint, TS) β
βββββββββββββββ
Effort β Low High
Speed β Fast (continuous) Slow (30-45 min)
Coverage β Broad patterns Deep vulnerabilities
Timing β Dev time After deploymentTest Count by Category
Based on analysis of src/__tests__/
directory:
Total Test Files: 40+
Total Tests: 200+
Distribution:
βββ SAST Rules: ~500 linting rules active
βββ Unit Security Tests: ~120 tests
β βββ Secrets (4 files): ~30 tests
β βββ XSS: ~15 tests
β βββ CSRF: ~12 tests
β βββ CSP: ~10 tests
β βββ Headers: ~15 tests
β βββ Components: ~18 tests
βββ API Integration Tests: ~30 tests
βββ Service Tests: ~20 tests
βββ Component Tests: ~15 tests
βββ Scenario/Playbook: ~15 testsWhen to Use Each Testing Type
SAST (Static Analysis) - Use When...
β Use SAST to:
- Find syntax errors before runtime
- Detect dangerous code patterns early
- Enforce coding standards
- Prevent common vulnerabilities
- Get instant feedback during development
Frequency: Continuous (every save) Time: <1 second per file Cost: Free (built-in tooling)
Example Issues Caught:
eval()usage- Direct
innerHTMLassignment - Missing null checks
- Type mismatches
Unit & Integration Tests - Use When...
β Use Unit/Integration Tests to:
- Validate security logic correctness
- Test edge cases and error handling
- Verify API integrations work safely
- Ensure proper token management
- Check authorization rules
- Test component security features
Frequency: Before code review (every commit) Time: 20-30 seconds for full suite Cost: Part of development
Example Tests:
- Token storage in localStorage
- XSS prevention in React components
- CSRF token validation
- CORS header checking
- Error message sanitization
See: Testing Strategy
DAST (Dynamic Testing) - Use When...
β Use DAST to:
- Test running application behavior
- Find runtime configuration issues
- Detect authentication/authorization flaws
- Test API endpoints against payloads
- Validate security headers
- Identify race conditions
- Test with real browser environment
Frequency: On PR (baseline), after merge (full) Time: 5-10 min (baseline) / 30-45 min (full) Cost: Free (OWASP ZAP is open-source)
Example Issues Caught:
- CORS misconfiguration
- Missing security headers
- XSS in parameter handling
- CSRF protection gaps
- Authentication bypass
Testing Standards & Goals
Coverage Targets
| Code Type | Target Coverage | Minimum | Check |
|---|---|---|---|
| Security-critical | β₯95% | 90% | npm test -- --coverage |
| Auth/Authz | β₯90% | 85% | CI/CD failure threshold |
| General | β₯80% | 70% | Tracked in git |
Security Test Goals
- Unit Tests: Every security function has β₯2 test cases
- Integration Tests: Every API endpoint has auth + validation tests
- DAST Scans: Zero critical issues before release
- SAST: 100% of security rules pass
Quality Metrics
Green Status Requires:
β
SAST: npm run lint (0 security errors)
β
Unit: npm test -- security/ (all passing, β₯85% coverage)
β
Integration: npm test -- api/ (all passing)
β
Type Check: npx tsc --noEmit (0 type errors)
β
DAST: OWASP ZAP baseline (0 critical findings)Test Domains
Organized by Security Concern
1. Secrets & Sensitive Data π
What's Tested: Token storage, error
messages, logging, environment variables
Location:
src/__tests__/security/secrets/
Importance: Critical - prevents credential
exposure
Effort: 30 minutes to add new test
2. Cross-Site Scripting (XSS) π
What's Tested: Input escaping, DOM safety,
React component safety
Location:
src/__tests__/security/xss/
Importance: Critical - prevents account
takeover
Effort: 20 minutes to add new test
3. Cross-Site Request Forgery (CSRF) π
What's Tested: Token validation,
state-changing request protection
Location:
src/__tests__/security/csrf/
Importance: High - prevents unauthorized
actions
Effort: 25 minutes to add new test
4. Content Security Policy (CSP) π‘οΈ
What's Tested: CSP directive compliance,
nonce validation
Location:
src/__tests__/security/csp/
Importance: High - defense-in-depth against
XSS
Effort: 30 minutes to add new test
5. HTTP Headers π
What's Tested: CORS headers, security
headers, cache control
Location:
src/__tests__/security/headers/
Importance: High - prevents several
vulnerability classes
Effort: 25 minutes to add new test
6. Authentication π
What's Tested: Login/logout, token refresh,
session handling, RBAC
Location:
src/__tests__/auth/authorization/
Importance: Critical - gates access to
protected resources
Effort: 35 minutes to add new test
7. API Security π
What's Tested: Endpoint auth, parameter
validation, error handling
Location: src/__tests__/api/ and
src/__tests__/services/
Importance: Critical - backend integration
security
Effort: 30 minutes to add new test
8. Component Security βοΈ
What's Tested: Component-level XSS,
authorization, error boundaries
Location:
src/__tests__/security/components/
Importance: Medium - UI-specific security
Effort: 20 minutes to add new test
Running Tests
Development Workflow
# 1. Before commit: Run SAST
npm run lint # ESLint security checks
# 2. Before push: Run all tests
npm test # All unit/integration tests
npm test -- --coverage # With coverage report
# 3. Watch mode for development
npm test -- --watch # Re-run on file change
# 4. Run specific test category
npm test -- security/ # All security tests
npm test -- security/xss/ # Only XSS tests
npm test -- auth/authorization # Only auth testsContinuous Integration
# CI/CD runs these (see GitHub Actions)
# 1. SAST
npm run lint
# 2. Unit & Integration Tests
npm test -- --coverage --reporter=verbose
# 3. Type checking
npx tsc --noEmit
# 4. DAST (if PR/merge)
./scripts/run-dast-scan.shBaseline DAST Scan (PR)
# Manual baseline run
npm run dast:baseline
# View report
open ./zap-reports/baseline-report.htmlFull DAST Scan (Staging)
# Requires staging deployment
npm run dast:full -- \
--url https://staging.stockease.local \
--report ./dast-reports/full-report.htmlCoverage Report
# Generate HTML coverage report
npm test -- --coverage
# Open in browser
open ./coverage/index.html
# Check specific file
npm test -- --coverage src/api/auth.tsTroubleshooting
Common Issues
"Tests are failing, but code looks correct"
Solution:
- Check test setup:
src/__tests__/setup.ts - Verify mocks are configured:
src/__tests__/mocks/ - Run with debug info:
npm test -- --reporter=verbose
Example:
npm test -- security/secrets/ --reporter=verbose"Coverage report shows 0% for my file"
Possible causes:
- File isn't imported by any test
- Tests aren't actually running the code
- Import statement has an error
Solution:
# Check what's being covered
npm test -- --coverage src/api/auth.ts
# Check if file can be imported
node -e "import('./src/api/auth.ts')""DAST scan timeout or hanging"
Solutions:
- Reduce scan depth:
--config spider.maxDepth=2 - Increase timeout:
--timeout 3600 - Limit threads:
--config ascan.threadPerHost=2 - Check app is running:
curl http://localhost:3000
"SAST error: Plugin not found"
Solution:
# Reinstall dependencies
rm node_modules package-lock.json
npm install
# Verify ESLint config
npx eslint --print-config src/index.ts | head -20Making Changes to Tests
Adding a New Security Test
Steps:
- Create test file in appropriate domain
- Use provided template
- Run test to verify
- Ensure β₯85% coverage
- Update test count in this document
Example - Add XSS test:
# 1. Create file
cat > src/__tests__/security/xss/event-handler.test.ts << 'EOF'
import { describe, it, expect } from 'vitest';
describe('XSS: Event Handler Injection', () => {
it('should not allow onclick attributes', () => {
// Your test here
});
});
EOF
# 2. Run test
npm test -- security/xss/event-handler.test.ts
# 3. Check coverage
npm test -- --coverage src/__tests__/security/xss/event-handler.test.tsUpdating ESLint Rules
Steps:
- Edit
eslint.config.js - Test with:
npm run lint - Verify it catches the issue
- Update documentation in
sast.md
Example - Add new rule:
# 1. Update config
cat >> eslint.config.js << 'EOF'
// New rule
rules: {
'no-eval': 'error',
'no-implied-eval': 'error',
}
EOF
# 2. Test
npm run lint -- --rule 'no-implied-eval: error'Modifying DAST Scan
Steps:
- Update ZAP config in
scripts/dast/ - Run baseline scan:
npm run dast:baseline - Review findings:
open ./zap-reports/ - Update
dast.mdwith new rules
Related Resources
Documentation
- Security Testing Strategy - Detailed testing approach
- Static Analysis (SAST) - ESLint rules and code patterns
- Dynamic Testing (DAST) - OWASP ZAP and API testing
- Security Checklists - Manual review guides
- Compliance & Standards - Standards mapping
External Resources
Tools
- ESLint -
npm run lint - Vitest -
npm test - OWASP ZAP -
npm run dast:* - TypeScript -
npx tsc --noEmit
Test Execution Matrix
Quick reference for different scenarios:
βββββββββββββββ¬βββββββββββββββ¬βββββββββββββ¬βββββββββββββββ¬βββββββββββ
β Scenario β SAST β Unit Tests β DAST β Time β
βββββββββββββββΌβββββββββββββββΌβββββββββββββΌβββββββββββββββΌβββββββββββ€
β Pre-commit β npm run lint β npm test β (skip) β ~30 sec β
β Pre-push β npm run lint β npm test β (baseline) β ~5 min β
β Code review β β Required β β Required β (PR status) β ~30 min β
β Post-merge β β CI/CD β β CI/CD β β Full scan β ~45 min β
β Production β β Enforce β β Enforce β β Scheduled β daily β
βββββββββββββββ΄βββββββββββββββ΄βββββββββββββ΄βββββββββββββββ΄βββββββββββMetrics & Reporting
Monthly Security Report
Month: [Month/Year]
SAST Status:
- Lint violations: [Count]
- Security errors: [Count]
- Trend: β [Down is good]
Unit Test Status:
- Tests passing: [Count]
- Coverage: [%]
- New tests: [Count]
DAST Status:
- Critical findings: [Count]
- High findings: [Count]
- Remediation rate: [%]
Vulnerability Trends:
- Top issue type: [Type]
- Most common domain: [Domain]
- Resolution time avg: [Days]Version History
- v1.0.0 - Initial testing documentation
- Created strategy.md (unit, integration, scenario-based testing)
- Created sast.md (ESLint security patterns)
- Created dast.md (OWASP ZAP scanning)
- Created overview.md (this document)