Security Testing Automation
Overview
Comprehensive security testing automation patterns for continuous security validation, including penetration testing, fuzzing, compliance checks, and automated test generation using Claude Code.
Security Test Suite Generator
// security/test-generator.ts
import { ClaudeSDK } from '@claude/sdk';
export class SecurityTestGenerator {
constructor(private claude: ClaudeSDK) {}
async generateSecurityTestSuite(
component: string,
vulnerabilityTypes: string[]
): Promise<SecurityTestSuite> {
const prompt = `
Generate a comprehensive security test suite for:
Component: ${component}
Vulnerability Types: ${vulnerabilityTypes.join(', ')}
Include:
1. Unit tests for security controls
2. Integration tests for authentication/authorization
3. Penetration tests for common attacks
4. Fuzzing tests for input validation
5. Performance tests for DoS prevention
`;
const response = await this.claude.generateCode(prompt);
return {
unitTests: this.parseUnitTests(response),
integrationTests: this.parseIntegrationTests(response),
penetrationTests: this.parsePenetrationTests(response),
fuzzingTests: this.parseFuzzingTests(response),
performanceTests: this.parsePerformanceTests(response)
};
}
}Penetration Testing
// Penetration test example
describe('Security: API Endpoint', () => {
let penTest: PenTest;
beforeEach(() => {
penTest = new PenTest(endpoint);
});
describe('SQL Injection', () => {
it('should prevent SQL injection in query parameters', async () => {
const payloads = [
"' OR '1'='1",
"1; DROP TABLE users;--",
"' UNION SELECT * FROM users--",
"admin'--",
"1' AND '1' = '1"
];
for (const payload of payloads) {
const response = await penTest.test({
params: { id: payload }
});
expect(response.status).not.toBe(500);
expect(response.body).not.toContain('SQL');
expect(response.body).not.toContain('error');
}
});
});
describe('XSS Prevention', () => {
it('should sanitize user input to prevent XSS', async () => {
const xssPayloads = [
'<script>alert("XSS")</script>',
'<img src=x onerror=alert("XSS")>',
'<svg onload=alert("XSS")>',
'javascript:alert("XSS")',
'<iframe src="javascript:alert(\`XSS\`)"></iframe>'
];
for (const payload of xssPayloads) {
const response = await penTest.test({
body: { comment: payload }
});
expect(response.body).not.toContain(payload);
expect(response.body).not.toContain('<script>');
expect(response.headers['content-type']).toContain('application/json');
}
});
});
describe('Authentication Bypass', () => {
it('should prevent authentication bypass attempts', async () => {
const bypassAttempts = [
{ headers: { authorization: 'Bearer invalid' } },
{ headers: { authorization: 'Bearer ' } },
{ headers: {} },
{ headers: { authorization: 'Basic YWRtaW46YWRtaW4=' } }
];
for (const attempt of bypassAttempts) {
const response = await penTest.test(attempt);
expect(response.status).toBe(401);
}
});
});
describe('Rate Limiting', () => {
it('should enforce rate limits', async () => {
const requests = Array(100).fill(null).map(() =>
penTest.test({ method: 'POST' })
);
const responses = await Promise.all(requests);
const rateLimited = responses.filter(r => r.status === 429);
expect(rateLimited.length).toBeGreaterThan(0);
});
});
});Test Runner
// security/test-runner.ts
export class SecurityTestRunner {
async runSecurityTests(suite: SecurityTestSuite): Promise<TestResults> {
const results: TestResults = {
passed: 0,
failed: 0,
skipped: 0,
vulnerabilities: []
};
const phases = [
{ name: 'Unit Tests', tests: suite.unitTests },
{ name: 'Integration Tests', tests: suite.integrationTests },
{ name: 'Penetration Tests', tests: suite.penetrationTests },
{ name: 'Fuzzing Tests', tests: suite.fuzzingTests }
];
for (const phase of phases) {
console.log(`\n🔒 Running ${phase.name}...`);
const phaseResults = await this.runTestPhase(phase.tests);
results.passed += phaseResults.passed;
results.failed += phaseResults.failed;
results.vulnerabilities.push(...phaseResults.vulnerabilities);
}
await this.reporter.generateReport(results);
return results;
}
private async executeTest(test: Test): Promise<TestResult> {
const env = await this.setupTestEnvironment(test);
try {
const startTime = Date.now();
const result = await test.execute(env);
const duration = Date.now() - startTime;
const analysis = await this.analyzeTestResult(result);
return {
passed: analysis.passed,
duration,
vulnerability: analysis.vulnerability,
details: analysis.details
};
} finally {
await this.cleanupTestEnvironment(env);
}
}
}CI/CD Security Pipeline
// .claude/security-pipeline.ts
export const securityPipeline: Pipeline = {
name: 'security-testing',
triggers: ['push', 'pull_request', 'schedule:0 */6 * * *'],
stages: [
{
name: 'dependency-scan',
steps: [
{
name: 'npm-audit',
command: 'npm audit --json',
continueOnError: false
},
{
name: 'snyk-test',
command: 'snyk test --severity-threshold=medium',
continueOnError: false
}
]
},
{
name: 'static-analysis',
parallel: true,
steps: [
{
name: 'eslint-security',
command: 'eslint . --ext .ts,.tsx --config .eslintrc.security.js'
},
{
name: 'semgrep',
command: 'semgrep --config=auto --error'
}
]
},
{
name: 'security-tests',
steps: [
{
name: 'unit-security-tests',
command: 'jest --testMatch="**/*.security.test.ts"'
},
{
name: 'penetration-tests',
command: 'npm run test:penetration',
timeout: 1800 // 30 minutes
}
]
}
],
notifications: {
onFailure: ['security-team@company.com'],
onVulnerability: ['security-team@company.com', 'dev-team@company.com']
}
};Test Types
1. Input Validation Testing
- Test boundary conditions
- Test special characters
- Test encoding issues
- Test buffer overflows
2. Authentication Testing
- Test credential brute forcing
- Test session management
- Test password policies
- Test MFA implementation
3. Authorization Testing
- Test privilege escalation
- Test access control bypass
- Test IDOR vulnerabilities
- Test role-based access
4. Injection Testing
- SQL injection
- NoSQL injection
- Command injection
- LDAP injection
- XPath injection
5. Business Logic Testing
- Test workflow bypasses
- Test race conditions
- Test price manipulation
- Test quantity limits