
Penetration Testing in DevSecOps

Human creativity meets systematic methodology—complements automated scanning.

What is penetration testing?

Penetration testing (pen testing) is an authorized simulation of real-world attacks against systems, networks, or applications. Testers chain weaknesses to demonstrate business impact, validate detective controls, and produce actionable remediation guidance—not just a list of scanner hits.

Types of penetration tests

Style      | Knowledge                               | Typical goal
-----------|-----------------------------------------|------------------------------------------
Black box  | No internal details                     | Assess external exposure like an outsider
White box  | Full architecture & code access         | Deep logic flaws, authZ, abuse cases
Gray box   | Partial knowledge (e.g., user account)  | Balance realism with efficiency

Features of a strong program

Integrating with CI/CD & GitHub Actions

Automation does not replace testers, but it feeds them: deploy artifacts from the same pipeline, run authenticated DAST baselines, export SBOMs, and attach build SHAs to the pen-test scope.

# Scheduled OWASP ZAP baseline in GitHub Actions (illustrative)
name: security-scheduled
on:
  schedule:
    - cron: '0 6 * * 1'   # Mondays 06:00 UTC

jobs:
  zap:
    runs-on: ubuntu-latest
    steps:
      - uses: zaproxy/action-baseline@v0.12.0
        with:
          target: ${{ vars.STAGING_URL }}
          fail_action: true

Pair scheduled jobs with manual pen-test windows; store reports as build artifacts with a retention policy.

OWASP ZAP workflow (automation lane)

  1. Publish staging from the same commit that is tagged as the release candidate.
  2. Import the OpenAPI definition and run a baseline or full scan with an authentication script.
  3. Upload the SARIF/HTML report; open Jira/GitHub issues for new findings.
  4. Human testers focus on the business-logic gaps ZAP cannot infer.
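Step 3 above only works if "new findings" is computed rather than eyeballed. The following is an added example (not from the original page) that triages a ZAP JSON report against a baseline of already-tracked findings and emits issue-ready records; it assumes ZAP's JSON report layout (site[].alerts[].instances[]), and the sample report and baseline are constructed.

```python
# Added example, not from the original page: triage a ZAP JSON report so that only
# NEW findings above a risk threshold become tracker issues. Assumptions: the report
# follows ZAP's JSON layout (site[].alerts[].instances[]); the sample report and the
# "known" baseline are constructed for illustration.
import json
from urllib.parse import urlsplit

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP riskcode values

SAMPLE_REPORT = json.loads("""{"site": [{"@name": "https://staging.example.test", "alerts": [
 {"pluginid": "10038", "alert": "CSP Header Not Set", "riskcode": "2", "cweid": "693",
  "instances": [{"uri": "https://staging.example.test/", "method": "GET", "param": ""}]},
 {"pluginid": "40018", "alert": "SQL Injection", "riskcode": "3", "cweid": "89",
  "instances": [{"uri": "https://staging.example.test/search?q=1", "method": "GET", "param": "q"}]},
 {"pluginid": "10021", "alert": "X-Content-Type-Options Missing", "riskcode": "1", "cweid": "693",
  "instances": [{"uri": "https://staging.example.test/static/app.js", "method": "GET", "param": ""}]}
]}]}""")

# Findings already tracked in the backlog, keyed like finding_key() (constructed:
# the CSP finding is an open ticket, so it must not be filed again).
KNOWN_FINDINGS = {("10038", "/", "")}


def finding_key(pluginid, instance):
    """De-duplication key: plugin id + URL path + parameter (query string dropped)."""
    return (pluginid, urlsplit(instance["uri"]).path, instance.get("param", ""))


def iter_findings(report):
    """Flatten site[].alerts[].instances[] into one record per instance."""
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            for inst in alert.get("instances", []):
                yield {"key": finding_key(alert["pluginid"], inst), "title": alert["alert"],
                       "risk": int(alert["riskcode"]), "cwe": alert.get("cweid", ""),
                       "uri": inst["uri"], "method": inst.get("method", "")}


def new_findings(report, known, min_risk=2):
    """Findings not in `known` with risk >= min_risk, highest risk first, with an
    issue title ready for the Jira/GitHub step."""
    seen, out = set(known), []
    for f in iter_findings(report):
        if f["risk"] < min_risk or f["key"] in seen:
            continue
        seen.add(f["key"])  # one issue per key even if ZAP lists several instances
        f["issue_title"] = (f"[ZAP][{RISK_NAMES[f['risk']]}] {f['title']} "
                            f"at {f['key'][1]} (CWE-{f['cwe']})")
        out.append(f)
    return sorted(out, key=lambda f: -f["risk"])
```

Keying on plugin id, path and parameter (not the full URL) keeps one ticket per flaw rather than one per crawled variant, and the risk threshold keeps informational noise out of the backlog the SLAs apply to.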

Pen test vs DAST

DAST tools automate probing against URLs; pen tests add adversarial thinking, custom payloads, social engineering (if in scope), and lateral movement across systems.

Vulnerability reporting

Reports should include severity (CVSS optional), likelihood, impact, affected components, reproduction steps, and fix recommendations. Track remediation in the same backlog as SAST/SCA findings, with SLAs.