Security Testing Practices in DevSecOps and Huawei Cloud
The article explains the importance of security testing within DevSecOps, outlines key testing methods such as SAST, DAST, IAST, and SCA, discusses penetration testing, and describes Huawei Cloud's comprehensive security testing framework and practices for ensuring software safety in modern development pipelines.
As DevOps accelerates application iteration, security must keep pace; otherwise, vulnerabilities can undermine digital transformation. DevSecOps, a concept Gartner introduced in 2012, integrates security processes into DevOps and provides strong safeguards throughout development.
Software testing is essential in the development lifecycle, but traditional functional and non‑functional tests do not specifically target security flaws. Security testing evaluates how software handles unauthorized attacks, ensuring protection of applications and data.
According to Forrester's 2020 report, 39% of external attacks target web applications, with SQL injection, XSS, and remote file inclusion being common, while 30% target software vulnerabilities.
Security testing is a core component of DevSecOps, covering applications, pipelines, production systems, infrastructure, databases, and middleware to reduce attack risk.
Three main application security testing approaches are discussed, along with software composition analysis:
Static Application Security Testing (SAST) analyzes source code or binaries to find vulnerabilities, offering high code coverage but often generating false positives.
Dynamic Application Security Testing (DAST) simulates attacks against running applications without source code, providing low false‑positive rates and detecting exploitable flaws, though pinpointing fix locations can be harder.
Interactive Application Security Testing (IAST) monitors running applications to detect insecure data flows, combining runtime observation with source‑code insight for accurate vulnerability reporting.
Software Composition Analysis (SCA) examines open‑source components and their dependencies, identifying known vulnerabilities from databases and recommending upgrades or replacements.
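To make the SCA step concrete, here is an added example (not code from the article or from Huawei Cloud's tools) that pins a dependency manifest against a constructed advisory database and recommends the lowest version that closes every matching advisory. The package names, advisory identifiers and version ranges are all constructed for illustration.

```python
"""Minimal Software Composition Analysis (SCA) check: parse pip-style pins,
match each against a constructed advisory database, recommend an upgrade.
Added illustration; not Huawei Cloud's SecSolar/SecGuard tooling."""
import re

# Constructed sample advisories: (id, introduced, fixed); a version is
# affected when introduced <= version < fixed. Not real CVEs or packages.
ADVISORIES = {
    "examplelib": [("EX-2024-001", "1.0.0", "1.4.2"),
                   ("EX-2024-007", "1.5.0", "1.5.3")],
    "jsonparse": [("EX-2023-042", "0.0.0", "2.1.0")],
}

def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text: str) -> dict:
    """Read 'name==version' lines, ignoring comments and blank lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def scan(requirements: str) -> list:
    """Report each pinned dependency inside an affected range, with the
    lowest version that clears all advisories matched for it."""
    findings = []
    for name, version in parse_requirements(requirements).items():
        current = parse_version(version)
        hits = [adv for adv in ADVISORIES.get(name, [])
                if parse_version(adv[1]) <= current < parse_version(adv[2])]
        if hits:
            # The highest 'fixed' bound among the hits clears all of them.
            fix = max((adv[2] for adv in hits), key=parse_version)
            findings.append({"package": name, "installed": version,
                             "advisories": [adv[0] for adv in hits],
                             "upgrade_to": fix})
    return findings

# Constructed manifest: one vulnerable pin, one already-fixed, one unknown.
SAMPLE_REQUIREMENTS = """
examplelib==1.2.0   # inside EX-2024-001's range
jsonparse==2.1.0    # equals the fixed version, so not affected
requests-like==3.0.1
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS):
        print(f"{f['package']} {f['installed']}: {f['advisories']} -> {f['upgrade_to']}")
```

A real SCA tool replaces the inline dictionary with a maintained vulnerability feed and resolves transitive dependencies from a lockfile rather than only direct pins.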
Penetration testing, performed manually by qualified experts, complements automated tests by uncovering complex security issues that tools may miss, especially in regulated industries.
Huawei Cloud ensures security through three pillars: standards (coding and testing guidelines), methods (static analysis, SCA, fuzzing, web security testing, etc.), and tools (SecSolar, SecGuard, SecFuzz, SecureCat) that validate cloud services across development stages—from Alpha to Gamma—covering authentication, API fuzzing, database security, and more.
By automating security testing within CI/CD pipelines, DevOps teams can rapidly deliver features with minimal risk, while continuous feedback and education reinforce a security‑first culture.
DevOps
Share premium content and events on trends, applications, and practices in development efficiency, AI and related technologies. The IDCF International DevOps Coach Federation trains end‑to‑end development‑efficiency talent, linking high‑performance organizations and individuals to achieve excellence.