How to implement security testing for web and mobile apps
“How to implement security testing for web and mobile apps” is a senior-level QA / DevSecOps interview topic — it checks both your technical depth and real-world process understanding.
Let’s go step-by-step 👇
🧩 1️⃣ What Security Testing Means
Security testing ensures that your web or mobile app:
- Protects data confidentiality, integrity, and availability
- Prevents unauthorized access and misuse
- Identifies vulnerabilities early in the delivery cycle
It’s usually implemented as a combination of automated + manual testing at multiple stages.
🌐 2️⃣ Web App Security Testing
a) Static Application Security Testing (SAST)
When: During development or build time
Goal: Detect insecure coding practices in source code
How to implement:
- Integrate tools like:
  - SonarQube, Checkmarx, Fortify, or Semgrep
- Configure your CI/CD pipeline to:
  - Scan code on every pull request
  - Block merge if high-severity issues are found
Detects issues like:
- SQL Injection
- Hardcoded secrets
- Cross-site scripting (XSS)
- Unsafe deserialization
b) Dynamic Application Security Testing (DAST)
When: After the app is deployed in test/staging
Goal: Simulate attacks on a running app
How to implement:
- Use tools like:
  - OWASP ZAP, Burp Suite, or Netsparker
- Automate with CI/CD (e.g., GitHub Actions, Jenkins, Azure DevOps):

  ```bash
  zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://test-app.local
  ```

- Generate HTML reports automatically
Finds issues like:
- Cross-site scripting (XSS)
- CSRF
- Broken authentication or session handling
- Missing security headers
c) Dependency / Library Scanning
Goal: Identify vulnerable dependencies
How to implement:
- Use:
  - OWASP Dependency-Check, Snyk, Dependabot
- Integrate into builds (Maven/Gradle/npm)
Example (Maven plugin):

```xml
<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>dependency-check-maven</artifactId>
  <version>8.0.0</version>
  <executions>
    <execution>
      <!-- the check goal runs in the verify phase by default, so a normal build picks it up -->
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```
d) API Security Testing
- Tools: Postman, OWASP ZAP, Insomnia, or Burp
- Validate:
  - Authentication (JWT / OAuth tokens)
  - Rate limiting
  - Input validation
  - Response structure (no sensitive data leaks)
e) Manual Penetration Testing
Even with automation, manual testing is critical before production. It is usually driven by the OWASP Top 10 as a checklist:
- Injection flaws
- Broken access control
- Security misconfiguration
- Insecure direct object references (IDOR)
📱 3️⃣ Mobile App Security Testing
a) Static Analysis (Code and APK/IPA)
Goal: Check for vulnerabilities in app binaries and configurations.
How:
- Tools:
  - Android → MobSF, QARK, Drozer
  - iOS → MobSF, Needle
- Detects:
  - Insecure data storage
  - Hardcoded API keys
  - Weak SSL validation
Example: Use MobSF (Mobile Security Framework)

```bash
./run.sh
```

Then upload the .apk or .ipa → you get a detailed vulnerability report.
b) Dynamic Analysis (Runtime)
Goal: Test how app behaves under attack.
- Run the app on an emulator or physical device.
- Use Burp Suite or OWASP ZAP to intercept HTTPS traffic.
- Look for:
  - Insecure API calls
  - Session hijacking possibilities
  - Weak SSL pinning
c) API Testing (Backend Shared with Web)
Most mobile apps use the same APIs as the web app — reuse your DAST/API security tests here.
d) Pen Testing & Hardening
- Try root/jailbreak detection bypass
- Test for debuggable apps, logging sensitive data, etc.
- Enforce certificate pinning and secure storage (KeyStore, Keychain)
🧰 4️⃣ Integrate Security Testing into CI/CD
| Stage | Tool | Purpose |
|---|---|---|
| Code commit | SonarQube, Checkmarx | SAST |
| Build | OWASP Dependency-Check, Snyk | Dependency scan |
| Deploy (test env) | OWASP ZAP, Burp Suite | DAST |
| Pre-release | MobSF | Mobile static/dynamic |
| Production monitor | WAF + Logging | Continuous defense |
Example (GitHub Action YAML snippet):

```yaml
- name: Run OWASP ZAP scan
  uses: zaproxy/[email protected]
  with:
    target: 'https://staging.myapp.com'
```
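To make the "block merge if high-severity issues are found" gate concrete, here is an added example (not from the original post or from the ZAP project) that reads a ZAP JSON report and fails the job above a chosen risk level, with a risk-acceptance list for findings the team has already triaged. It assumes ZAP's traditional JSON report layout (site[].alerts[] entries carrying pluginid, alert, riskcode and instances) and uses a constructed sample report embedded inline.

```python
import json
from collections import Counter

# Risk codes as used in ZAP's traditional JSON report: 0=Info, 1=Low, 2=Medium, 3=High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample report in the shape of a ZAP JSON report (site[].alerts[]).
# Plugin ids, URIs and alert names are illustrative, not output of a real scan.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://test-app.local",
        "alerts": [
            {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://test-app.local/search?q=1", "method": "GET"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "instances": [{"uri": "http://test-app.local/", "method": "GET"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "instances": [{"uri": "http://test-app.local/", "method": "GET"}]},
        ],
    }]
})

def load_alerts(report_json):
    """Flatten site[].alerts[] from a ZAP JSON report into one list of alert dicts."""
    report = json.loads(report_json)
    return [alert for site in report.get("site", []) for alert in site.get("alerts", [])]

def gate(report_json, fail_on=3, accepted=frozenset()):
    """Return (passed, summary) for the build gate.

    fail_on  - lowest riskcode that fails the build (3 = High only, 2 = Medium and above)
    accepted - plugin ids whose findings are risk-accepted and skipped entirely
    summary  - alert counts per risk level after filtering, plus the blocking alerts
    """
    counts = Counter()
    blocking = []
    for alert in load_alerts(report_json):
        if alert["pluginid"] in accepted:
            continue
        risk = int(alert["riskcode"])
        counts[RISK_NAMES[risk]] += 1
        if risk >= fail_on:
            blocking.append(f'{alert["alert"]} ({len(alert.get("instances", []))} instance(s))')
    return (not blocking), {"counts": dict(counts), "blocking": blocking}

if __name__ == "__main__":
    passed, summary = gate(SAMPLE_REPORT, fail_on=2)
    print(json.dumps(summary, indent=2))
    raise SystemExit(0 if passed else 1)  # non-zero exit code fails the CI job
```

In a pipeline, replace SAMPLE_REPORT with the contents of the report file ZAP wrote, and keep the accepted set in version control so risk acceptances are reviewed like code.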
✅ 5️⃣ Interview Summary Answer
“We implement security testing as a continuous process — not a one-time activity. For web apps, we use SAST (SonarQube, Checkmarx) for code scanning, DAST (OWASP ZAP) for runtime scanning, and Snyk for dependency checks. For mobile apps, we use MobSF for static and dynamic APK/IPA analysis and proxy tools like Burp Suite for API traffic inspection.
All these are integrated into our CI/CD pipeline, so every build is automatically checked for vulnerabilities before deployment.”