Name	Name	Last commit message	Last commit date
parent directory ..
demo-01-oauth-tests	demo-01-oauth-tests
demo-02-fuzzing	demo-02-fuzzing
demo-03-sast-dast	demo-03-sast-dast
demo-04-cicd-pipeline/.github/workflows	demo-04-cicd-pipeline/.github/workflows
README.md	README.md
lesson-03-demo-runbook-final.md	lesson-03-demo-runbook-final.md
lesson-03-demo-runbook-simple.md	lesson-03-demo-runbook-simple.md

Lesson 03: Automated Security Testing

Course: GitHub Copilot for Cybersecurity Specialists

Overview

This lesson covers automated security testing techniques including OAuth security tests, fuzzing, SAST/DAST, and CI/CD security pipelines. Learn how to use Copilot to generate comprehensive security testing frameworks.

Demos

Demo 01: OAuth Security Tests

Location: demo-01-oauth-tests/

Files:

oauth-security-tests.js - Comprehensive OAuth 2.0 security test suite

Test Categories:

PKCE validation tests
Redirect URI attack prevention
Authorization code replay prevention
State parameter CSRF protection
Token security validation

Copilot Prompt:

Generate comprehensive OAuth security tests for PKCE flow

Run Tests:

node demo-01-oauth-tests/oauth-security-tests.js

Demo 02: Fuzzing Framework

Location: demo-02-fuzzing/

Files:

fuzzer.js - Mutation-based security fuzzer
corpus/sample-inputs.txt - Seed inputs for fuzzing

Features:

Mutation strategies (bit flip, byte replace, insert, delete)
Security-focused dictionaries (SQL injection, XSS, command injection)
Coverage-guided fuzzing simulation
Crash detection and reporting

Copilot Prompt:

Create fuzzing test harness for API input validation

Run Fuzzer:

node demo-02-fuzzing/fuzzer.js

Demo 03: SAST/DAST

Location: demo-03-sast-dast/

Files:

semgrep-rules.yaml - Custom Semgrep security rules
codeql/queries/sql-injection.ql - CodeQL SQL injection detection
dast-scanner.js - Dynamic application security scanner

SAST (Static) Features:

SQL injection detection
XSS detection
Command injection detection
Weak cryptography detection
Hardcoded credential detection

DAST (Dynamic) Features:

Live SQL injection testing
XSS payload testing
Security header validation
SSRF testing
Authentication testing

Copilot Prompt:

Create Semgrep rules for detecting security vulnerabilities

Run SAST:

semgrep scan --config demo-03-sast-dast/semgrep-rules.yaml .

Run DAST:

node demo-03-sast-dast/dast-scanner.js

Demo 04: CI/CD Security Pipeline

Location: demo-04-cicd-pipeline/

Files:

.github/workflows/security-pipeline.yml - Complete security pipeline

Pipeline Stages:

Secret Detection (TruffleHog, GitLeaks)
Dependency Scanning (npm audit, Snyk, OWASP)
SAST (CodeQL, Semgrep)
Container Scanning (Trivy, Grype)
DAST (ZAP)
Security Unit Tests
IaC Scanning (Checkov, KICS)
Security Gate
Compliance Reporting

Copilot Prompt:

Create GitHub Actions workflow for comprehensive security testing

Prerequisites

# Install Node.js dependencies
npm install

# Install Semgrep
pip install semgrep

# Install CodeQL CLI (optional)
# https://github.com/github/codeql-cli-binaries

# For DAST, start target application
npm start

Security Testing Best Practices

1. Shift Left

Run SAST in IDE with Copilot suggestions
Pre-commit hooks for secret detection
Unit tests for security requirements

2. Defense in Depth

Multiple overlapping scanners
Both SAST and DAST
Dependency and container scanning

3. Continuous Monitoring

Scheduled security scans
Dependency update alerts
Security gate enforcement

4. Actionable Results

Prioritize by severity
Link to CWE/OWASP references
Provide remediation guidance

Fuzzing Dictionary Categories

Category	Purpose	Example Payloads
sqlInjection	Database attack testing	`' OR '1'='1`
xss	Cross-site scripting	`<script>alert(1)</script>`
commandInjection	OS command execution	`; ls -la`
pathTraversal	File system access	`../../../etc/passwd`
ssrf	Internal network access	`http://169.254.169.254/`
formatString	Memory corruption	`%s%s%s%s%s`

CI/CD Security Tools

Tool	Type	Purpose
TruffleHog	Secret Detection	Finds leaked credentials
Snyk	Dependency	Known vulnerability detection
CodeQL	SAST	Semantic code analysis
Semgrep	SAST	Pattern-based scanning
Trivy	Container	Image vulnerability scanning
ZAP	DAST	Runtime security testing
Checkov	IaC	Terraform/K8s security

Common Vulnerabilities Detected

SQL Injection (CWE-89)
Cross-Site Scripting (CWE-79)
Command Injection (CWE-78)
Path Traversal (CWE-22)
Weak Cryptography (CWE-327)
Hardcoded Credentials (CWE-798)
Missing Security Headers (CWE-693)
Server-Side Request Forgery (CWE-918)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

README.md

Lesson 03: Automated Security Testing

Course: GitHub Copilot for Cybersecurity Specialists

Overview

Demos

Demo 01: OAuth Security Tests

Demo 02: Fuzzing Framework

Demo 03: SAST/DAST

Demo 04: CI/CD Security Pipeline

Prerequisites

Security Testing Best Practices

1. Shift Left

2. Defense in Depth

3. Continuous Monitoring

4. Actionable Results

Fuzzing Dictionary Categories

CI/CD Security Tools

Common Vulnerabilities Detected

FilesExpand file tree

lesson-03

Directory actions

More options

Directory actions

More options

Latest commit

History

lesson-03

Folders and files

parent directory

README.md

Lesson 03: Automated Security Testing

Course: GitHub Copilot for Cybersecurity Specialists

Overview

Demos

Demo 01: OAuth Security Tests

Demo 02: Fuzzing Framework

Demo 03: SAST/DAST

Demo 04: CI/CD Security Pipeline

Prerequisites

Security Testing Best Practices

1. Shift Left

2. Defense in Depth

3. Continuous Monitoring

4. Actionable Results

Fuzzing Dictionary Categories

CI/CD Security Tools

Common Vulnerabilities Detected